PatchSiren

PatchSiren cyber security CVE debrief

CVE-2024-46886 Siemens CVE debrief

CVE-2024-46886 is a medium-severity (CVSS 4.7) open redirect vulnerability in the web server of Siemens SIMATIC industrial controllers. The web server fails to properly validate input used for user redirection, allowing an attacker to craft malicious links that redirect legitimate users to attacker-chosen URLs. Successful exploitation requires user interaction—the victim must actively click on an attacker-crafted link. The vulnerability affects 80 distinct Siemens SIMATIC product variants across multiple CPU families including S7-1200, S7-1500, ET 200SP, and Drive Controller lines. CISA published this advisory on October 8, 2024, with the most recent update on October 14, 2025, reflecting an extended remediation timeline with multiple firmware fixes released across 2024-2025.

Vendor
Siemens
Product
SIMATIC Drive Controller CPU 1504D TF (6ES7615-4DF10-0AB0)
CVSS
MEDIUM 4.7
CISA KEV
Not listed in stored evidence
Original CVE published
2024-10-08
Original CVE updated
2025-10-14
Advisory published
2024-10-08
Advisory updated
2025-10-14

Who should care

OT security teams, industrial automation engineers, plant network administrators, and organizations running Siemens SIMATIC S7-1200, S7-1500, ET 200SP, or Drive Controller systems with web server functionality enabled. Organizations in critical infrastructure sectors (energy, water, manufacturing, transportation) with exposed or internally accessible PLC web interfaces.

Technical summary

The vulnerability exists in the web server component of affected Siemens SIMATIC devices. Insufficient input validation on redirection parameters allows URL manipulation. The attack requires: (1) network access to the device's web interface, (2) crafting a malicious URL with attacker-controlled redirect destination, and (3) social engineering to induce a legitimate user to click the link. The CVSS attack complexity is Low with User Interaction Required. Scope is Changed due to the redirect crossing security boundaries. Confidentiality impact is None, Integrity impact is Low, Availability impact is None. The vulnerability does not allow direct code execution on the device but enables phishing attacks and credential harvesting at attacker-controlled destinations.
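The following is an added illustration of the redirect-validation weakness described above, written for this debrief; it is not Siemens code and makes no claim about how the SIMATIC web server actually handles redirects. The parameter name `returnTo`, the sample targets and the "weak check" are all hypothetical, chosen to show the general open-redirect pattern (a target that merely "starts with a slash" still reaches another host) beside a hardened same-site check.

```python
"""Redirect-target validation: a weak check beside a hardened one.

Added illustration of the open-redirect class described in the technical
summary. Not Siemens code; no claim is made about the SIMATIC web server's
real redirect handling. Parameter names such as ``returnTo`` are hypothetical.
"""
from urllib.parse import urlsplit, urlunsplit

# Constructed sample redirect targets: what a legitimate application would use
# and what an attacker-crafted link might carry. The bool is the expected verdict.
SAMPLES = {
    "/status.html": True,
    "/portal/index.html?page=2": True,
    "https://attacker.example/login": False,     # absolute URL, foreign host
    "//attacker.example/login": False,           # scheme-relative form
    "/\\attacker.example": False,                # browsers normalise '\' to '/'
    "javascript:alert(1)": False,                # non-http scheme
    "http:attacker.example": False,              # scheme without '//'
    "/status.html\r\nSet-Cookie: x=1": False,    # header-injection characters
    "": False,
}


def weak_is_local(target: str) -> bool:
    """The insufficient check: 'starts with a slash' lets '//host' through."""
    return target.startswith("/")


def is_safe_redirect(target: str) -> bool:
    """Accept only a same-site, absolute-path target.

    Rejects anything carrying a scheme or authority (which covers the
    scheme-relative '//' form), backslashes (browsers treat them as '/'), and
    control characters that could split the Location header.
    """
    if not target or not target.startswith("/"):
        return False
    if any(ord(ch) < 0x20 or ch == "\x7f" for ch in target):
        return False
    if "\\" in target:
        return False
    parts = urlsplit(target)
    if parts.scheme or parts.netloc:
        return False
    return True


def safe_location(target: str, fallback: str = "/") -> str:
    """Return the Location value to emit: the validated target, else the fallback.

    The fragment is dropped because it is never sent to the server and has no
    business in a server-issued redirect.
    """
    if is_safe_redirect(target):
        parts = urlsplit(target)
        return urlunsplit(("", "", parts.path, parts.query, ""))
    return fallback


def audit(samples=SAMPLES) -> dict:
    """Run both checks over the constructed samples: target -> (weak, hardened, expected)."""
    return {t: (weak_is_local(t), is_safe_redirect(t), exp) for t, exp in samples.items()}


if __name__ == "__main__":
    for t, (weak, strong, expected) in audit().items():
        print(f"{t!r:40} weak={weak!s:5} hardened={strong!s:5} expected={expected}")
```

The hardened check deliberately refuses absolute URLs even to the device's own host; if an application genuinely needs cross-host redirects, the right design is a server-side allowlist of named destinations rather than accepting a host name from the request.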

Defensive priority

medium

Recommended defensive actions

  • Apply vendor firmware updates according to the specific product and version matrix: S7-1500 V2.x products to V2.9.8 or later; S7-1500 V3.x products to V3.1.4 or later; S7-1200 V4.x products to V4.7.0 or later; ET 200SP Open Controller CPU 1515SP PC2 V2 to V21.9.8 or later; ET 200SP Open Controller CPU 1515SP PC2 V3 to V31.1.4 or later; SIMATIC S7-PLCSIM Advanced to V7.0 or later
  • Implement network segmentation to restrict web server access to authorized engineering workstations and HMI systems
  • Configure firewalls to block outbound connections from PLC web servers to untrusted external networks
  • Educate operators and engineers to avoid clicking links from untrusted sources in emails, chat messages, or web pages
  • Monitor for anomalous HTTP redirect responses from affected device web interfaces
  • For SIMATIC S7-1500 Software Controller Linux V3, note that no fix is currently available per vendor advisory; apply compensating controls and monitor vendor communications for updates
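The monitoring action above ("anomalous HTTP redirect responses") can be turned into a concrete check. The script below is an added example, not a Siemens tool and not based on any real SIMATIC log format: it assumes a reverse proxy or network sensor in front of the PLC web interface writes one tab-separated record per HTTP transaction (timestamp, client IP, request line, status, Location response header or `-`). The host names, client addresses, `returnTo` parameter and log lines are all constructed. It flags 3xx responses whose Location points off the trusted hosts, and also requests whose query parameters already carry an off-site URL, which is the precursor of such a redirect.

```python
"""Flag off-site redirects issued by a PLC web interface.

Added example for the monitoring recommendation; not Siemens code and not
tied to any real device or proxy log format. Assumed record layout (tab
separated): timestamp, client IP, request line, HTTP status, Location header
('-' when absent). All hosts, addresses and log lines are constructed.
"""
from typing import Dict, List, Optional
from urllib.parse import parse_qs, urlsplit

# Hosts the PLC web server is allowed to redirect to (constructed values).
TRUSTED_HOSTS = {"plc-01.ot.example", "10.10.5.20"}
REDIRECT_CODES = {301, 302, 303, 307, 308}

# Constructed sample log; 'returnTo' is a hypothetical redirect parameter.
SAMPLE_LOG = """\
2025-10-14T08:00:01Z\t10.10.5.101\tGET /index.html\t200\t-
2025-10-14T08:00:05Z\t10.10.5.101\tGET /login?returnTo=%2Fstatus.html\t302\t/status.html
2025-10-14T08:00:09Z\t10.10.5.102\tGET /login?returnTo=%2F%2Fevil.example%2Fsignin\t302\thttps://evil.example/signin
2025-10-14T08:00:12Z\t10.10.5.103\tGET /old\t301\thttps://plc-01.ot.example/new
2025-10-14T08:00:15Z\t10.10.5.104\tGET /login?returnTo=http%3A%2F%2Fevil.example%2Fx\t200\t-
this line is malformed and must be skipped
"""


def offsite_host(url: str) -> Optional[str]:
    """Return the host of an absolute or scheme-relative URL that is not trusted, else None."""
    parts = urlsplit(url)
    if parts.netloc and parts.hostname not in TRUSTED_HOSTS:
        return parts.hostname
    return None


def analyze(log_text: str) -> List[Dict]:
    """Return one finding per suspicious record: {'ts', 'client', 'reasons'}."""
    findings = []
    for line in log_text.splitlines():
        fields = line.split("\t")
        if len(fields) != 5:
            continue  # malformed record: skip rather than crash the pipeline
        ts, client, request, status, location = fields
        try:
            code = int(status)
        except ValueError:
            continue
        reasons = []

        # Off-site Location on a redirect response: the redirect actually happened.
        if code in REDIRECT_CODES and location != "-":
            host = offsite_host(location)
            if host:
                reasons.append(f"offsite_redirect:{host}")

        # Off-site URL inside a query parameter: a crafted link being followed.
        try:
            _method, target = request.split(" ", 1)
        except ValueError:
            target = request
        for values in parse_qs(urlsplit(target).query).values():
            for value in values:
                host = offsite_host(value)
                if host:
                    reasons.append(f"offsite_param:{host}")

        if reasons:
            findings.append({"ts": ts, "client": client, "reasons": reasons})
    return findings


if __name__ == "__main__":
    for f in analyze(SAMPLE_LOG):
        print(f["ts"], f["client"], ", ".join(f["reasons"]))
```

Same-host redirects (the `/old` to `https://plc-01.ot.example/new` record) are left alone, so the rule stays quiet on normal application behaviour; a single off-site hit from a PLC web interface is worth a ticket, since a PLC has no legitimate reason to send operators to an external host.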

Evidence notes

The vulnerability description and affected product list are derived from CISA CSAF advisory ICSA-24-284-01. The CVSS vector CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:N/I:L/A:N confirms network attack vector with required user interaction. The revision history shows ten updates from initial publication through October 2025, indicating ongoing vendor remediation efforts.

Official resources

2024-10-08