Publication Date: 2021-07-13
Last Update: 2024-01-09
Current Version: V2.3
CVSS v3.1 Base Score: 5.9
Affected Product and Versions | Remediation

All versions >= V5.2.0 < V5.3 only when running on ROX II V2.14.0

All versions >= V6.2 < V7.1
Update to V7.1 or later version
use TLS v1.3 only

All versions >= V6.2 < V7.1
Update to V7.1 or later version
use TLS v1.3 only

All versions < V1.1

All versions >= V6.2 < V7.1
Update to V7.1 or later version
use TLS v1.3 only

All versions >= V6.2 < V7.1
Update to V7.1 or later version
use TLS v1.3 only

All versions >= V6.2 < V7.1
Update to V7.1 or later version
use TLS v1.3 only

All versions >= V6.2 < V7.1
Update to V7.1 or later version
use TLS v1.3 only

All versions >= V6.2 < V7.1
Update to V7.1 or later version
use TLS v1.3 only

All versions >= V6.2 < V7.1
Update to V7.1 or later version
use TLS v1.3 only

All versions >= V6.2 < V7.1
Update to V7.1 or later version
use TLS v1.3 only

All versions >= V6.2 < V7.1
Update to V7.1 or later version
use TLS v1.3 only

All versions >= V6.2 < V7.1
Update to V7.1 or later version
use TLS v1.3 only

All versions >= V6.2 < V7.1
Update to V7.1 or later version
use TLS v1.3 only

All versions >= V6.2 < V7.1
Update to V7.1 or later version
use TLS v1.3 only

All versions >= V6.2 < V7.1
Update to V7.1 or later version
use TLS v1.3 only

All versions >= V4.1
Currently no fix is planned

All versions >= V4.1
Currently no fix is planned

All versions >= V6.2 < V7.1
Update to V7.1 or later version
use TLS v1.3 only

All versions >= V4.1
Currently no fix is planned

All versions >= V4.1
Currently no fix is planned

All versions >= V2.0 < V2.1.4

All versions >= V2.0 < V2.1.4

All versions >= V2.0 < V2.1.4

All versions >= V2.0 < V2.1.4

All versions >= V2.0 < V2.1.4

All versions >= V2.0 < V3.0

All versions >= V2.0 < V3.0

All versions >= V2.0 < V3.0

All versions >= V2.0 < V3.0

All versions >= V2.0 < V3.0

All versions >= V2.0 < V3.0

All versions >= V6.5
Currently no fix is planned

All versions < V4.3

All versions < V4.3

All versions < V4.3

All versions < V6.4

All versions < V4.3

All versions < V4.3

All versions < V6.4

All versions >= V1.1 < V1.6

All versions >= V1.1 < V1.6

All versions >= V3.1 < V3.3.46

All versions >= V3.1 < V3.3.46

All versions >= V3.1 < V3.3.46

All versions >= V3.1 < V3.3.46

All versions >= V3.1 < V3.3.46

All versions >= V2.1 < V2.2.28

All versions >= V2.2 < V3.0

All versions >= V2.1 < V2.2.28

All versions >= V1.0 < V1.1

All versions < V17.0 Upd 2
Update to V17.0 Upd 2 or later version

All versions < V17.0 Upd 2
Update to V17.0 Upd 2 or later version

All versions < V17.0 Upd 2
Update to V17.0 Upd 2 or later version

All versions >= V1.6 Upd2 < V1.6 Upd5
Update to V1.6 Upd5 or later version
Restrict access to Remote Access service, if used, to mitigate this issue. This service is disabled by default.

All versions < V3.1

All versions < V3.1

All versions < V3.1

All versions < V3.1

All versions < V3.1

All versions < V3.1

All versions < V9.1

All versions < V3.1

All versions >= V9.1 SP7 < V9.2 SP1
Update to V9.2 SP1 or later version
Restrict access to the command interface, if used, to mitigate this issue. This interface is disabled by default.

All versions >= 2019 < 2020 Upd1
Update SIMATIC PCS neo to V3.1 or later version

All versions < V2.0

All versions < V2.0

All versions < V2.0

All versions < V2.0

All versions < V2.0

All versions < V2.0

All versions < V2.0

All versions < V4.0

All versions < V4.0

All versions < V4.0

All versions < V4.0

All versions < V4.0

All versions < V4.5.2

All versions < V2.9.3

All versions < V17 Update 1
Update to V17 Update 1 or later version

All versions < V7.5

All versions
Currently no fix is planned

All versions >= V1.0.1 < V1.0.2

All versions V14 < V14 SP3

All versions < V3.1 SP1

All versions >= V2.1 < V2.2.28

All versions >= V2.1 < V2.2.28

All versions >= V2.1 < V2.2.28

All versions >= V3.1 < V3.3.46

All versions >= V2.2 < V3.0

All versions >= V3.1 < V3.3.46

All versions >= V3.1 < V3.3.46

All versions >= V2.0 < V2.2

All versions < V1.0 SP4

All versions >= V2.0 < V2.2

Product-specific remediations or mitigations can be found in the section Affected Products and Solution.
Please follow the General Security Recommendations.

As a general security measure, Siemens strongly recommends protecting network access to devices with appropriate mechanisms. To operate the devices in a protected IT environment, Siemens recommends configuring the environment according to Siemens' operational guidelines for Industrial Security (Download: https://www.siemens.com/cert/operational-guidelines-industrial-security) and following the recommendations in the product manuals. Additional information on Industrial Security by Siemens can be found at: https://www.siemens.com/industrialsecurity

The vulnerability classification has been performed by using the CVSS scoring system in version 3.1 (CVSS v3.1) (https://www.first.org/cvss/). The CVSS environmental score is specific to the customer’s environment and will impact the overall CVSS score. The environmental score should therefore be individually defined by the customer to accomplish final scoring.

An additional classification has been performed using the CWE classification, a community-developed list of common software security weaknesses. This serves as a common language and as a baseline for weakness identification, mitigation, and prevention efforts. A detailed list of CWE classes can be found at: https://cwe.mitre.org/.

CVSS v3.1 Base Score: 5.9
CVSS v3.1 Vector: CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:H/E:P/RL:O/RC:C
CWE: CWE-476: NULL Pointer Dereference

https://www.siemens.com/cert/advisories

V1.0 (2021-07-13): Publication Date
V1.1 (2021-08-10): Removed RUGGEDCOM CloudConnect APE/VPE as it is not affected, added solution for SIMATIC NET CP 1543-1
V1.2 (2021-09-14): Added solution for SIMATIC S7-1500 CPU 1518-4 PN/DP MFP, SIMATIC PCS neo, SIMATIC Process Historian OPC UA Server, SINEMA Server, and TIA Administrator, removed SIMATIC HMI Basic Panels 2nd Generation as the product is not affected
V1.3 (2021-11-09): Added solution for SCALANCE SC-600, SIMATIC WinCC Runtime Advanced, SIMATIC CP 1242-7 GPRS V2, SIMATIC CP 1243-7 LTE and SIMATIC Cloud Connect 7; split SCALANCE SC-600 into individual products; removed SINEC PNI as it is not affected
V1.4 (2021-12-14): Added solution for SIMATIC MV500 family and SINUMERIK OPC UA Server
V1.5 (2022-01-11): Added solution for SIMATIC HMI Panels, SIMATIC Logon and SIMATIC PDM, clarified that no remediation is planned for SCALANCE W-700 IEEE 802.11n family
V1.6 (2022-02-08): Added solution for SCALANCE LPE9403; clarified that no remediation is planned for SCALANCE W-1700 IEEE 802.11ac family; added RUGGEDCOM CROSSBOW Station Access Controller as affected product; fixed affected versions for SINEC NMS
V1.7 (2022-02-17): Added solution for SIMATIC S7-1200 CPU family
V1.8 (2022-04-12): No fix planned for SINAMICS Connect 300; Added solution for SCALANCE M-800 / S615 family, RUGGEDCOM RM1224, and SCALANCE W-1700 IEEE 802.11ac family; Added SIMATIC RF600R family
V1.9 (2022-05-10): Added solution for SIMATIC READER RF1xxC family and SIMATIC Reader RF360R and SIMATIC PCS 7 TeleControl
V2.0 (2022-06-14): Added fix for SIMATIC CP 1545-1
V2.1 (2022-08-09): Added or corrected fix information for SIMATIC CP 1242-7 V2, CP 1243-7, CP 1243-1, CP 1243-8
V2.2 (2023-03-14): Updated fix information for RUGGEDCOM CROSSBOW SAC, added fix for SIMATIC CP 1542SP-1 IRC, and SIMATIC CP 1543SP-1
V2.3 (2024-01-09): Added fix for SIMATIC WinCC TeleControl