Publication Date:
Last Update:
Current Version: V1.2
CVSS v3.1 Base Score: 7.5
Affected Product and Versions Remediation

All versions < V2.9.2
only affected by CVE-2021-37204

All versions >= V2.9.2 < V2.9.4

All versions < V21.9
only affected by CVE-2021-37204

All versions >= V21.9 < V21.9.4

All versions
only affected by CVE-2021-37204

All versions
only affected by CVE-2021-37204

All versions < V4.5.0
only affected by CVE-2021-37204

All versions >= V4.5.0 < V4.5.2

All versions < V2.9.2
only affected by CVE-2021-37204

All versions >= V2.9.2 < V2.9.4

All versions < V21.9
only affected by CVE-2021-37204

All versions >= V21.9 < V21.9.4

All versions < V4.0
only affected by CVE-2021-37204

All versions >= V4.0 < V4.0 SP1

All versions >= V2.2

The vulnerability classification has been performed by using the CVSS scoring system in version 3.1 (CVSS v3.1) (https://www.first.org/cvss/). The CVSS environmental score is specific to the customer’s environment and will impact the overall CVSS score. The environmental score should therefore be individually defined by the customer to accomplish final scoring.

An additional classification has been performed using the CWE classification, a community-developed list of common software security weaknesses. This serves as a common language and as a baseline for weakness identification, mitigation, and prevention efforts. A detailed list of CWE classes can be found at: https://cwe.mitre.org/.

CVSS v3.1 Base Score 7.5
CVSS Vector CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H/E:P/RL:O/RC:C
CWE CWE-672: Operation on a Resource after Expiration or Release
CVSS v3.1 Base Score 7.5
CVSS Vector CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H/E:P/RL:O/RC:C
CWE CWE-672: Operation on a Resource after Expiration or Release
CVSS v3.1 Base Score 7.5
CVSS Vector CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H/E:P/RL:O/RC:C
CWE CWE-401: Missing Release of Memory after Effective Lifetime

  • Gao Jian for coordinated disclosure

https://www.siemens.com/cert/advisories

V1.0 (2022-02-08): Publication Date
V1.1 (2022-03-08): Added solution for SIMATIC S7-PLCSIM Advanced
V1.2 (2022-07-12): Added fix for SIMATIC ET 200SP Open Controller CPU 1515SP PC2 and SIMATIC S7-1500 Software Controller, clarify that CVE-2021-37204 is also affecting devices without TLS and added SIMATIC ET 200SP Open Controller CPU 1515SP PC (incl. SIPLUS variants) and SIMATIC ET 200SP Open Controller CPU 1515SP PC2 'Ready4Linux' as affected by CVE-2021-37204