Publication Date: 2020-02-11
Last Update: 2024-07-09
Current Version: V2.4
CVSS v3.1 Base Score: 7.5
Affected Product and Versions Remediation

All versions
affected by CVE-2019-13946
Currently no fix is planned

All Versions < V4.5
affected by CVE-2019-13946

All Versions < V4.6
affected by CVE-2019-13946

All Versions < V2.1
affected by CVE-2019-13946
Update to V6.1.2 or later version
Create a firewall rule that blocks the PROFINET Context Manager port (34964/udp)

All versions <= V6.0.1
affected by CVE-2019-13946

All Versions < V5.3
affected by CVE-2019-13946

All Versions < V5.3
affected by CVE-2019-13946

All Versions < V5.3
affected by CVE-2019-13946

All Versions < V5.3
affected by CVE-2019-13946

All Versions < V5.3
affected by CVE-2019-13946

All Versions < V5.3
affected by CVE-2019-13946

All versions < V5.2.5
affected by CVE-2019-13946

All versions < V5.2.5
affected by CVE-2019-13946

All versions < V5.2.5
affected by CVE-2019-13946

All versions < V5.2.5
affected by CVE-2019-13946

All versions < V5.2.5
affected by CVE-2019-13946

All Versions < V5.3
affected by CVE-2019-13946

All Versions < V5.3
affected by CVE-2019-13946

All versions < V5.2.5
affected by CVE-2019-13946

All versions < V5.2.5
affected by CVE-2019-13946

All versions < V5.2.5
affected by CVE-2019-13946

All versions < V5.2.5
affected by CVE-2019-13946

All versions < V5.2.5
affected by CVE-2019-13946

All versions < V5.2.5
affected by CVE-2019-13946

All versions < V5.2.5
affected by CVE-2019-13946

All versions < V5.2.5
affected by CVE-2019-13946

All Versions < V3.0
affected by CVE-2019-13946

All Versions < V5.3
affected by CVE-2019-13946

All Versions < V5.3
affected by CVE-2019-13946

All versions < V5.2.5
affected by CVE-2019-13946

All versions < V5.2.5
affected by CVE-2019-13946

All Versions < V5.3
affected by CVE-2019-13946

All Versions < V5.3
affected by CVE-2019-13946

All versions < V5.2.5
affected by CVE-2019-13946

All versions < V5.2.5
affected by CVE-2019-13946

All Versions < V3.0
affected by CVE-2019-13946
Update to V6.2.3

All Versions < V3.0
affected by CVE-2019-13946

All versions
affected by CVE-2019-13946
Currently no fix is planned

All versions
affected by CVE-2019-13946
Currently no fix is planned

All versions
affected by CVE-2019-13946
Currently no fix is planned

All versions
affected by CVE-2019-13946
Currently no fix is planned

All versions < V3.3
affected by CVE-2019-13946

All versions < V3.3
affected by CVE-2019-13946

All versions < V3.3
affected by CVE-2019-13946

All versions
affected by CVE-2019-13946
Currently no fix is planned

All Versions < V2.8
affected by CVE-2019-13946

All versions
affected by CVE-2019-13946
Currently no fix is planned

All versions
affected by CVE-2019-13946
Currently no fix is planned

All versions
affected by CVE-2019-13946
Currently no fix is planned

All versions
affected by CVE-2019-13946
Currently no fix is planned

All versions
affected by CVE-2019-13946
Currently no fix is planned

All versions
affected by CVE-2019-13946
Currently no fix is planned

All versions
affected by CVE-2019-13946
Currently no fix is planned

All versions
affected by CVE-2019-13946
Currently no fix is planned

All versions
affected by CVE-2019-13946
Currently no fix is planned

All versions
affected by CVE-2019-13946
Currently no fix is planned

All versions
affected by CVE-2019-13946
Currently no fix is planned

All versions
affected by CVE-2019-13946
Currently no fix is planned

All versions
affected by CVE-2019-13946
Currently no fix is planned

All versions
affected by CVE-2019-13946
Currently no fix is planned

All versions
affected by CVE-2019-13946
Currently no fix is planned

All versions
affected by CVE-2019-13946
Currently no fix is planned

All versions
affected by CVE-2019-13946
Currently no fix is planned

All versions
affected by CVE-2019-13946
Currently no fix is planned

All versions
affected by CVE-2019-13946
Currently no fix is planned

All versions
affected by CVE-2019-13946
Currently no fix is planned

All Versions
affected by CVE-2019-13946
Currently no fix is planned

All versions
affected by CVE-2019-13946
Currently no fix is planned
Migrate to a successor product within the SIMATIC RF18xC/CI family, V1.3 (https://support.industry.siemens.com/cs/ww/en/view/109781665) or later version; for details refer to the phase-out announcement (https://support.industry.siemens.com/cs/ww/en/view/109783832)

All versions
affected by CVE-2019-13946
Currently no fix is planned
Migrate to a successor product within the SIMATIC RF18xC/CI family, V1.3 (https://support.industry.siemens.com/cs/ww/en/view/109781665) or later version; for details refer to the phase-out announcement (https://support.industry.siemens.com/cs/ww/en/view/109783832)

All versions < V3
affected by CVE-2019-13946

All versions < V4.5
affected by CVE-2019-13946

All versions < V4.5
affected by CVE-2019-13946

All versions < V4.5
affected by CVE-2019-13946
Update to V4.5 or later version

All Versions < V1.3
affected by CVE-2019-13946

All versions
affected by CVE-2019-13946
Currently no fix is planned

All versions
affected by CVE-2019-13946
Currently no fix is planned

All versions
affected by CVE-2019-13946
Currently no fix is planned

All versions < V3.3
affected by CVE-2019-13946

All versions < V3.3
affected by CVE-2019-13946

All versions
affected by CVE-2019-13946
Currently no fix is planned
  • Disable PROFINET in products where PROFINET is optional and not used in your environment
  • Block incoming DCE-RPC packets (port 34964/udp) from untrusted networks

Product-specific remediations or mitigations can be found in the section Affected Products and Solution.
Please follow the General Security Recommendations.

As a general security measure, Siemens strongly recommends protecting network access to devices with appropriate mechanisms. To operate the devices in a protected IT environment, Siemens recommends configuring the environment according to Siemens' operational guidelines for Industrial Security (Download: https://www.siemens.com/cert/operational-guidelines-industrial-security) and following the recommendations in the product manuals. Additional information on Industrial Security by Siemens can be found at: https://www.siemens.com/industrialsecurity


This chapter describes all vulnerabilities (CVE-IDs) addressed in this security advisory. Wherever applicable, it also documents the product-specific impact of the individual vulnerabilities.

CVSS v3.1 Base Score: 7.5
CVSS v3.1 Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H/E:P/RL:O/RC:C
CWE: CWE-400: Uncontrolled Resource Consumption

  • Cybersecurity and Infrastructure Security Agency (CISA) for coordination efforts
  • Yuval Ardon and Matan Dobrushin from OTORIO for coordinated disclosure

https://www.siemens.com/cert/advisories
V1.0 (2020-02-11): Publication Date
V1.1 (2020-03-10): Added affected product SOFTNET-IE PNIO
V1.2 (2020-03-12): Additional information in section "Workarounds and Mitigations"
V1.3 (2020-08-11): No changes - this version was never released
V1.4 (2020-08-11): Added SIMATIC ET200ecoPN product variants (MLFB IDs) that are not affected
V1.5 (2020-09-08): Informed about successor products for SIMATIC RF180C and RF182C
V1.6 (2020-12-08): Added SIMOTION products; Updated information regarding successor products for SIMATIC RF180C and RF182C
V1.7 (2021-03-09): Added ecoPN model (6ES7148-6JG00-0BB0) as not affected. Added update information for MV400
V1.8 (2021-09-14): Added solution for SCALANCE X-200 switch family, explicitly list SCALANCE XB-200, XC-200, XP-200, XF-200BA and XR-300WG, as well as SCALANCE M-800 / S615 as separate products
V1.9 (2021-10-12): Clarified affected ET200ecoPN models
V2.0 (2022-02-08): No remediation planned for SIMATIC CP 343-1 (incl. Advanced, ERPC, Lean and related SIPLUS variants), SIMATIC CP 443-1 OPC UA, SIMATIC ET200 devices, and SOFTNET-IE PNIO
V2.1 (2022-04-12): Added solution for SCALANCE X-300 switch family (incl. X408 and SIPLUS NET variants)
V2.2 (2022-06-14): No fix planned for SIMATIC CP 443-1 Advanced and SIPLUS NET CP 443-1 Advanced
V2.3 (2023-04-11): Added fix for SIMATIC CP 443-1 family
V2.4 (2024-07-09): Listed affected products individually instead of product families (e.g., for SIMATIC MV400, SIMATIC ET 200AL/MP/SP/pro IM families); added affected SIPLUS devices (e.g., SIPLUS ET 200xx IM); corrected fix version for SIMATIC ET 200SP IM 155-6 PN HF