Publication Date: 2021-07-13
Last Update: 2024-12-10
Current Version: V1.8
CVSS v3.1 Base Score: 7.5
CVSS v4.0 Base Score: 8.7
Affected Product and Versions Remediation

All versions
affected by CVE-2020-28400
Currently no fix is planned

All versions
affected by CVE-2020-28400
Currently no fix is planned

All versions < V4.7
affected by CVE-2020-28400
Currently no fix is planned

All versions < V2.0.0
affected by CVE-2020-28400

All versions < V2.0.0
affected by CVE-2020-28400

All versions < V3.0
affected by CVE-2020-28400

All Versions >= V2.7
affected by CVE-2020-28400
Currently no fix is planned

All Versions >= V2.7
affected by CVE-2020-28400
Currently no fix is planned

All versions
affected by CVE-2020-28400
Currently no fix is planned

All versions < V3.0
affected by CVE-2020-28400

All versions < V3.0
affected by CVE-2020-28400

All versions < V3.0
affected by CVE-2020-28400

All versions < V3.0
affected by CVE-2020-28400

All versions < V3.0
affected by CVE-2020-28400

All versions < V3.0
affected by CVE-2020-28400

All Versions >= V2.7
affected by CVE-2020-28400
Currently no fix is planned

All versions
affected by CVE-2020-28400
Currently no fix is planned

All versions < V2.3
affected by CVE-2020-28400

All Versions < V4.5
affected by CVE-2020-28400

All versions < V1.1.3
affected by CVE-2020-28400

All versions < V2.1.3
affected by CVE-2020-28400

All versions
affected by CVE-2020-28400
Currently no fix is planned
  • Block incoming Profinet Discovery and Configuration Protocol (DCP) packets (Ethertype 0x8892, Frame-ID: 0xfefe) from untrusted networks
  • Disable Profinet in products where Profinet is optional and not used in your environment
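
The match that the first mitigation calls for, written out as an added example (not Siemens code): a Python classifier that flags Ethernet frames with Ethertype 0x8892 and Frame-ID 0xfefe, including frames that carry 802.1Q/802.1ad tags ahead of the Ethertype. The function names, the 'drop'/'pass'/'malformed' labels and the sample frames are constructed for illustration.

```python
import struct

ETH_P_PROFINET = 0x8892         # Ethertype named in the advisory
DCP_FRAME_ID = 0xFEFE           # Frame-ID named in the advisory
VLAN_TPIDS = {0x8100, 0x88A8}   # 802.1Q / 802.1ad tags that can precede the Ethertype


def classify_frame(frame: bytes) -> str:
    """Return 'drop' for frames the mitigation targets, 'pass' otherwise.

    Frames too short to carry the inspected fields are reported as 'malformed'.
    """
    offset = 12  # skip destination and source MAC addresses
    while True:
        if len(frame) < offset + 2:
            return "malformed"
        (ethertype,) = struct.unpack_from("!H", frame, offset)
        offset += 2
        if ethertype not in VLAN_TPIDS:
            break
        offset += 2  # skip the tag control information of this VLAN tag
    if ethertype != ETH_P_PROFINET:
        return "pass"
    if len(frame) < offset + 2:
        return "malformed"
    (frame_id,) = struct.unpack_from("!H", frame, offset)
    return "drop" if frame_id == DCP_FRAME_ID else "pass"


def build_frame(ethertype: int, payload: bytes, vlan_tci=None) -> bytes:
    """Assemble a constructed test frame; the MAC addresses are placeholders."""
    header = bytes.fromhex("020000000002") + bytes.fromhex("020000000001")
    if vlan_tci is not None:
        header += struct.pack("!HH", 0x8100, vlan_tci)
    return header + struct.pack("!H", ethertype) + payload


# Constructed sample frames (not captured traffic).
SAMPLES = {
    "untagged_dcp": build_frame(0x8892, b"\xfe\xfe" + bytes(10)),
    "vlan_tagged_dcp": build_frame(0x8892, b"\xfe\xfe" + bytes(10), vlan_tci=0xC000),
    "other_profinet": build_frame(0x8892, b"\x80\x00" + bytes(10)),
    "ipv4": build_frame(0x0800, bytes(20)),
    "truncated": build_frame(0x8892, b"\xfe"),
}

if __name__ == "__main__":
    for name, frame in SAMPLES.items():
        print(f"{name:16} {classify_frame(frame)}")
```

A filter rule that reads the Ethertype only at the fixed untagged offset will not match the VLAN-tagged sample, so verify the rule deployed at the network boundary against both tagged and untagged frames.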

Product-specific remediations or mitigations can be found in the section Affected Products and Solution.
Please follow the General Security Recommendations.

As a general security measure, Siemens strongly recommends protecting network access to devices with appropriate mechanisms. To operate the devices in a protected IT environment, Siemens recommends configuring the environment according to Siemens' operational guidelines for Industrial Security (Download: https://www.siemens.com/cert/operational-guidelines-industrial-security) and following the recommendations in the product manuals. Additional information on Industrial Security by Siemens can be found at: https://www.siemens.com/industrialsecurity


This chapter describes all vulnerabilities (CVE-IDs) addressed in this security advisory. Wherever applicable, it also documents the product-specific impact of the individual vulnerabilities.

CVSS v3.1 Base Score: 7.5
CVSS v3.1 Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
CVSS v4.0 Base Score: 8.7
CVSS v4.0 Vector: CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N
CWE: CWE-770: Allocation of Resources Without Limits or Throttling

https://www.siemens.com/cert/advisories
V1.0 (2021-07-13): Publication Date
V1.1 (2021-08-10): Added solution for SCALANCE XR-300WG, SCALANCE XB-200, SCALANCE XP-200, SCALANCE XC-200, SCALANCE XF-200 and EK-ERTEC 200P
V1.2 (2021-09-14): Added solution for SCALANCE X-200 switch family and SIMATIC NET CM 1542-1
V1.3 (2021-10-12): Added solution for SIMATIC PROFINET Driver
V1.4 (2022-02-08): Clarified that no remediation is planned for SCALANCE W700 and SCALANCE W1700, SIMATIC CP 1604, SIMATIC CP 1616, and SIMATIC CP 1626
V1.5 (2022-04-12): Added solution for SCALANCE X-300 switch family (incl. X408 and SIPLUS NET variants) and SCALANCE W-1700 (11ac) family
V1.6 (2024-06-11): Added fix for SIMATIC CFU PA/DIQ; fix planned for SIMATIC IE/PB-LINK
V1.7 (2024-11-12): Added fix for SCALANCE XR-300WG family (was no longer listed since V1.5 of the SSA); consolidated and expanded list of affected SCALANCE product families, incl. MLFB information
V1.8 (2024-12-10): Clarified that no fix is planned for SIMATIC IE/PB-LINK; Added CVSSv4.0 vector