PatchSiren cyber security CVE debrief
CVE-2023-30756 Siemens CVE debrief
A NULL dereference vulnerability in the web server of multiple Siemens SIMATIC and related industrial control products allows unauthenticated remote attackers to cause denial of service by sending crafted HTTP requests with the Expect header. The vulnerability stems from improper error handling when processing certain Expect header values, leading to a NULL pointer dereference that crashes the web server component. This affects 12 product variants including communication processors, HMI panels, and diagnostic software. Siemens has released firmware updates for most affected products, though four products have no planned fix and rely on workaround mitigations.
- Vendor: Siemens
- Product: SIMATIC CP 1242-7 V2 (incl. SIPLUS variants)
- CVSS: MEDIUM 5.9
- CISA KEV: Not listed in stored evidence
- Original CVE published: 2024-09-10
- Original CVE updated: 2025-05-06
- Advisory published: 2024-09-10
- Advisory updated: 2025-05-06
Who should care
Organizations operating Siemens SIMATIC industrial automation infrastructure, including manufacturing facilities, critical infrastructure operators, and OT security teams managing communication processors, HMI panels, and diagnostic systems.
Technical summary
The vulnerability exists in the HTTP request handling logic of affected Siemens devices. When processing HTTP requests containing an Expect header, the web server fails to properly handle certain error conditions, resulting in a NULL pointer dereference. This memory access violation causes the web server process to crash, resulting in denial of service. The attack vector is network-based, requires no authentication, and no user interaction. The vulnerability is exploitable remotely with low attack complexity once network access is established. Successful exploitation disrupts web-based management and monitoring capabilities but does not provide confidentiality or integrity impacts.
Defensive priority
medium
Recommended defensive actions
- Apply vendor firmware updates where available: update SIMATIC CP 1242-7 V2, CP 1243-1, CP 1243-1 DNP3, CP 1243-1 IEC, CP 1243-7 LTE, and CP 1243-8 IRC to V3.5.20 or later; update SIPLUS TIM 1531 IRC and TIM 1531 IRC to V2.4.8 or later
- Disable the web server on affected devices if firmware updates cannot be applied or for products with no fix planned (SIMATIC HMI Comfort Panels, SIMATIC IPC DiagBase, SIMATIC IPC DiagMonitor, SIMATIC WinCC Runtime Advanced)
- Implement network segmentation to restrict HTTP/HTTPS access to affected device web servers from untrusted networks
- Monitor for unexpected web server crashes or service restarts that may indicate exploitation attempts
- Review ICS-CERT recommended practices for defense-in-depth strategies for industrial control systems
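The following is an added example, not part of the advisory or of any Siemens tooling: it triages an asset inventory against the fixed versions and no-fix products listed above. The inventory rows, their three-field layout and the action labels are assumptions made for illustration.

```python
import re

# Product names and fixed versions as listed in the recommended actions above.
V3_5_20 = ("SIMATIC CP 1242-7 V2", "CP 1243-1", "CP 1243-1 DNP3",
           "CP 1243-1 IEC", "CP 1243-7 LTE", "CP 1243-8 IRC")
V2_4_8 = ("SIPLUS TIM 1531 IRC", "TIM 1531 IRC")
FIXED_IN = {**dict.fromkeys(V3_5_20, (3, 5, 20)),
            **dict.fromkeys(V2_4_8, (2, 4, 8))}
# Products listed as having no fix planned: the workaround is the only option.
NO_FIX = {"SIMATIC HMI Comfort Panels", "SIMATIC IPC DiagBase",
          "SIMATIC IPC DiagMonitor", "SIMATIC WinCC Runtime Advanced"}

def parse_version(text):
    """Turn 'V3.5.20', 'v2.4' or '3.5.20' into a comparable tuple, else None."""
    m = re.fullmatch(r"\s*[Vv]?(\d+(?:\.\d+)*)\s*", text or "")
    if not m:
        return None
    parts = [int(p) for p in m.group(1).split(".")]
    return tuple(parts + [0] * (3 - len(parts)))  # pad 'V2.4' to (2, 4, 0)

def triage(product, firmware, web_server_enabled):
    """Return an action label (hypothetical) for one inventory row."""
    if product in NO_FIX:
        return "disable-web-server" if web_server_enabled else "mitigated"
    fixed = FIXED_IN.get(product)
    if fixed is None:
        return "not-listed"
    current = parse_version(firmware)
    if current is None:
        return "verify-version"  # unreadable firmware string: stays unresolved
    if current >= fixed:         # numeric compare, so 3.5.9 < 3.5.20
        return "patched"
    return "update-and-restrict" if web_server_enabled else "update"

# Constructed sample inventory (not real assets): product, firmware, web server on?
INVENTORY = [
    ("CP 1243-1", "V3.5.9", True),
    ("CP 1243-1 DNP3", "V3.5.20", True),
    ("TIM 1531 IRC", "V2.4", False),
    ("SIMATIC IPC DiagMonitor", "", True),
    ("CP 1243-7 LTE", "unknown", True),
]

if __name__ == "__main__":
    for row in INVENTORY:
        print(f"{row[0]:26} {row[1]:8} -> {triage(*row)}")
```

Versions are compared as integer tuples because a plain string comparison would rank V3.5.9 above V3.5.20 and report an unpatched device as fixed.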
Evidence notes
Vulnerability description and affected products derived from CISA CSAF advisory ICSA-24-256-09. CVSS 5.9 (MEDIUM) per source. Remediation guidance including specific firmware versions and workaround options extracted from CSAF remediations array. No KEV listing confirmed.
Official resources
- CVE-2023-30756 CVE record (CVE.org)
- CVE-2023-30756 NVD detail (NVD)
- Source item URL (cisa_csaf)