PatchSiren cyber security CVE debrief
CVE-2024-47100 Siemens CVE debrief
A Cross-Site Request Forgery (CSRF) vulnerability in the web interface of Siemens SIMATIC S7-1200 CPUs allows unauthenticated attackers to change CPU mode by tricking authenticated users into clicking malicious links. The vulnerability was published on January 14, 2025, and affects 48 product variants across standard SIMATIC and SIPLUS product lines. Siemens has released firmware version 4.7 or later to address this issue.
- Vendor
- Siemens
- Product
- SIMATIC S7-1200 CPU 1211C AC/DC/Rly (6ES7211-1BE40-0XB0)
- CVSS
- HIGH 7.1
- CISA KEV
- Not listed in stored evidence
- Original CVE published
- 2025-01-14
- Original CVE updated
- 2025-05-06
- Advisory published
- 2025-01-14
- Advisory updated
- 2025-05-06
Who should care
Organizations operating Siemens SIMATIC S7-1200 programmable logic controllers in manufacturing, process control, or critical infrastructure environments. Security teams responsible for OT/ICS asset management, network engineers designing industrial network segmentation, and automation engineers with administrative access to PLC web interfaces.
Technical summary
The web interface of Siemens SIMATIC S7-1200 CPUs lacks sufficient CSRF protections, allowing attackers to forge state-changing requests. An unauthenticated attacker can craft a malicious link that, when clicked by an authenticated administrator, changes the CPU operational mode. This represents a HIGH severity vulnerability (CVSS 7.1) due to the potential for availability impact on industrial processes. The attack requires network access to the web interface and user interaction, but no authentication credentials. Affected devices span 48 product variants including standard SIMATIC S7-1200 CPUs (1211C through 1217C) and SIPLUS extended temperature/rail variants. Siemens has addressed this in firmware version 4.7 and later.
Defensive priority
HIGH
Recommended defensive actions
- Update affected Siemens SIMATIC S7-1200 CPUs to firmware version 4.7 or later
- Implement network segmentation to restrict web interface access to authorized engineering workstations
- Configure browser security policies to block or warn on cross-origin requests to industrial device web interfaces
- Educate users with administrative access to avoid clicking links from untrusted sources while authenticated to device web interfaces
- Monitor for unauthorized CPU mode changes in operational technology environments
- Apply defense-in-depth strategies per CISA ICS recommended practices for industrial control systems
Evidence notes
CVE published 2025-01-14; modified 2025-05-06. Advisory ICSA-25-021-02 issued by CISA. 48 affected products confirmed in CSAF product tree. Vendor fix available: firmware V4.7 or later.
Official resources
-
CVE-2024-47100 CVE record
CVE.org
-
CVE-2024-47100 NVD detail
NVD
-
Source item URL
cisa_csaf
-
Source reference
Reference
-
Source reference
Reference
-
Source reference
Reference
-
Source reference
Reference
-
Source reference
Reference
-
Source reference
Reference
-
Source reference
Reference
2025-01-14