Siemens S7-300/400 PLC Vulnerabilities (Update E) (ICSA-16-348-05D) – Product Used in Energy and Water and Wastewater Systems Sectors

Created: Tuesday, March 10, 2020 - 12:58
Categories: Cybersecurity, Federal & State Resources

March 10, 2020

CISA has updated the advisory with additional details on the affected products and the nature of the vulnerability. Read the advisory at CISA.

January 25, 2018

ICS-CERT has updated this advisory with additional details on mitigation measures. ICS-CERT.

November 28, 2017

ICS-CERT has updated this advisory with additional details on mitigation measures. ICS-CERT.

July 25, 2017

ICS-CERT has updated its advisory titled “Siemens S7-300/400 PLC Vulnerabilities.” Additional mitigations have been added. ICS-CERT.

May 9, 2017

ICS-CERT has updated its advisory titled “Siemens S7-300/400 PLC Vulnerabilities.” An attacker with network access to Port 102/TCP (ISO-TSAP) or via Profibus could obtain credentials from the PLC if Protection-level 2 is configured on the affected devices. This vulnerability affects all listed affected products. Siemens provides firmware version V3.X.14 for S7-300 CPUs that resolves CVE-2016-9158. ICS-CERT.

December 13, 2016

ICS-CERT has released an announcement on password leak and denial-of-service vulnerabilities in Siemens’ S7-300 and S7-400 programmable logic controllers. Siemens has released Security Advisory SSA-731239 with advice to mitigate these vulnerabilities. These vulnerabilities could be exploited remotely. Successful exploitation of these vulnerabilities could lead to a denial-of-service condition or result in credential disclosure. The products are deployed across several sectors including Energy and Water and Wastewater Systems. ICS-CERT.