PatchSiren

PatchSiren cyber security CVE debrief

CVE-2024-46887 Siemens CVE debrief

CVE-2024-46887 is a medium-severity information disclosure vulnerability affecting 80 Siemens SIMATIC S7-1500 series CPU products, including Drive Controllers, ET 200SP variants, and ET 200pro units. Published on October 8, 2024, and last modified on October 14, 2025, this vulnerability stems from improper authentication on the '/ClientArea/RuntimeInfoData.mwsl' web server endpoint. An unauthenticated remote attacker can exploit this flaw to obtain operational intelligence including current actual cycle times, configured maximum cycle times, and configured maximum communication load. While this vulnerability does not enable direct system compromise, the exposed timing and load information could facilitate reconnaissance for more targeted attacks against industrial control systems. The CVSS 3.1 score of 5.3 reflects network accessibility with low attack complexity and no required privileges, though impact is limited to confidentiality with no integrity or availability effects. Siemens has released firmware updates across multiple version lines to address this issue, with fixes available for V2, V3, V21, and V31 firmware branches depending on specific product models.

Vendor: Siemens
Product: SIMATIC Drive Controller CPU 1504D TF (6ES7615-4DF10-0AB0)
CVSS: MEDIUM 5.3
CISA KEV: Not listed in stored evidence
Original CVE published: 2024-10-08
Original CVE updated: 2025-10-14
Advisory published: 2024-10-08
Advisory updated: 2025-10-14

Who should care

Industrial control system operators, OT security engineers, manufacturing security teams, critical infrastructure asset owners, Siemens automation system administrators, and organizations with SIMATIC S7-1500 deployments in production environments

Technical summary

The web server component on affected Siemens SIMATIC CPUs fails to enforce authentication for requests to the /ClientArea/RuntimeInfoData.mwsl endpoint. This MWSL (Motion Web Server Language) endpoint exposes runtime diagnostic data including actual cycle execution times, maximum configured cycle time thresholds, and maximum communication load settings. The vulnerability is exploitable remotely without authentication credentials, requiring only network connectivity to the device's web interface. The information disclosed is read-only and does not permit configuration changes or code execution, but provides attackers with precise timing characteristics of the PLC's operational cycle and network utilization parameters. This data could inform timing-based side-channel attacks or aid in crafting exploits targeting real-time constraints in industrial processes.

Defensive priority

medium

Recommended defensive actions

  • Inventory all Siemens SIMATIC S7-1500, ET 200SP, ET 200pro, and Drive Controller CPU deployments to identify affected models and current firmware versions
  • Apply vendor-supplied firmware updates: V2.9.8 or later for V2-based CPUs, V3.1.4 or later for V3-based CPUs, V21.9.8 or later for V21-based CPUs, V31.1.4 or later for V31-based CPUs, and V7.0 or later for SIMATIC S7-PLS
  • Restrict network access to affected device web server interfaces using firewall rules or network segmentation to limit exposure of the /ClientArea/RuntimeInfoData.mwsl endpoint
  • Monitor web server logs for unauthorized access attempts to the RuntimeInfoData.mwsl endpoint
  • Implement defense-in-depth strategies per CISA ICS recommended practices for industrial control system security
  • Review and validate that web server functionality is disabled on devices where not operationally required
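
The inventory and firmware-update actions above can be scripted as a single triage pass. The following Python is an added example, not code from Siemens, CISA or PatchSiren; the inventory layout and asset names are constructed, and it assumes the leading number of the firmware version identifies the branch (V2, V3, V21, V31).

```python
import re

# Fixed firmware per branch, taken from the remediation list above.
FIXED_BY_BRANCH = {2: (2, 9, 8), 3: (3, 1, 4), 21: (21, 9, 8), 31: (31, 1, 4)}
S7_PLS_FIXED = (7, 0, 0)  # "V7.0 or later for SIMATIC S7-PLS"


def parse_version(text):
    """Turn 'V2.9.8', 'v3.1' or '21.9.10' into a 3-tuple of ints, or None."""
    m = re.fullmatch(r"\s*[Vv]?(\d+)(?:\.(\d+))?(?:\.(\d+))?\s*", text or "")
    if not m:
        return None
    return tuple(int(g) if g else 0 for g in m.groups())


def triage(product, firmware):
    """Return 'fixed', 'update required' or 'review manually' for one device."""
    version = parse_version(firmware)
    if version is None:
        return "review manually"  # unreadable or missing version string
    if "S7-PLS" in product.upper():
        fixed = S7_PLS_FIXED
    else:
        # Assumption: the major version number identifies the firmware branch.
        fixed = FIXED_BY_BRANCH.get(version[0])
    if fixed is None:
        return "review manually"  # branch not covered by the fix list above
    # Tuple comparison is numeric, so V2.9.10 correctly sorts after V2.9.8.
    return "fixed" if version >= fixed else "update required"


def report(inventory):
    """Map each asset name to its triage status."""
    return {asset: triage(product, fw) for asset, product, fw in inventory}


# Constructed sample inventory: asset names and versions are made up.
INVENTORY = [
    ("press-line-1", "SIMATIC Drive Controller CPU 1504D TF", "V2.9.7"),
    ("press-line-2", "SIMATIC Drive Controller CPU 1504D TF", "V2.9.10"),
    ("packaging-1", "SIMATIC ET 200SP CPU", "V3.1"),
    ("packaging-2", "SIMATIC ET 200pro CPU", "V31.1.4"),
    ("legacy-cell", "SIMATIC S7-1500 CPU", "V1.8.5"),
]

if __name__ == "__main__":
    for asset, status in report(INVENTORY).items():
        print(f"{asset:15} {status}")
```

Devices reported as "review manually" fall outside the four branches listed above and need to be checked against the vendor advisory's per-product table.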

Evidence notes

Vulnerability description and affected product list derived from CISA CSAF advisory ICSA-24-284-10. CVSS vector and scoring confirmed from source. Remediation guidance extracted from vendor_fix entries with specific firmware version requirements. Timeline dates use CVE published and modified timestamps as specified.
