Security Experts:

Connect with us

Hi, what are you looking for?



New Vulnerabilities Can Allow Hackers to Remotely Crash Siemens PLCs

Siemens this week announced the availability of patches and mitigations for a series of severe vulnerabilities that can be exploited to remotely crash some of the company’s SIMATIC products.

Siemens this week announced the availability of patches and mitigations for a series of severe vulnerabilities that can be exploited to remotely crash some of the company’s SIMATIC products.

The German industrial giant released nine advisories on Tuesday to address a total of 27 vulnerabilities. One of these advisories describes three high-severity flaws that can be exploited by a remote, unauthenticated attacker to launch denial-of-service (DoS) attacks against some Siemens programmable logic controllers (PLCs) and associated products.

Siemens PLC vulnerabilitiesThe security holes are tracked as CVE-2021-37185, CVE-2021-37204 and CVE-2021-37205, and they can be exploited by sending specially crafted packets over TCP port 102 to the targeted device. If a vulnerability has been exploited successfully, the device needs to be restarted in order to restore normal operations.

In a real world industrial environment, crashing a PLC can have a serious impact and cause significant disruption.

Siemens says the flaws impact SIMATIC S7-1200 and S7-1500 PLCs, SIMATIC Drive Controller, ET 200SP Open Controller, S7-1500 Software Controller, SIMATIC S7-PLCSIM Advanced, the TIM 1531 IRC communication module, as well as SIPLUS extreme products.

Independent ICS security researcher Gao Jian, who has been credited by Siemens for reporting the vulnerabilities, told SecurityWeek that these are just some of the eight vulnerabilities that he has reported to the vendor. The remaining issues are under investigation. The researcher started reporting his findings to Siemens in early August 2021.

Jian explained in an advisory that the vulnerabilities, which he has dubbed S7+:Crash, are related to the OMS+ communication protocol stack used by Siemens products.

Learn more about vulnerabilities in industrial systems at SecurityWeek’s ICS Cyber Security Conference

Siemens PLCs can be protected against unauthorized operations by enabling an access level option and setting a password. However, the researcher says the attack methods he has identified work even if the “complete protection” option is selected.

Moreover, Jian says, the flaws can be exploited even if a recently introduced feature designed to secure communications between PLCs and PCs or HMIs is enabled.

The “S7+:Crash” vulnerabilities can be exploited by a threat actor who has access to the targeted device on TCP port 102. Exploitation directly from the internet may also be possible if the PLC is exposed due to a misconfiguration.

“Note that even the SIMATIC products enabled with access protection and secure communication (TLS encryption) cannot mitigate these vulnerabilities, and there is no firewall capable of parsing the S7CommPlus_TLS protocol, making it very difficult to prevent such attacks,” Jian explained.

The researcher has published a video showing his exploit in action.

Related: Newly Disclosed Vulnerability Allows Remote Hacking of Siemens PLCs

Related: Siemens Releases Several Advisories for ‘NAME:WRECK’ Vulnerabilities

Related: Siemens Addresses Code Execution Vulnerabilities Found in Popular CAD Library

Written By

Eduard Kovacs (@EduardKovacs) is a contributing editor at SecurityWeek. He worked as a high school IT teacher for two years before starting a career in journalism as Softpedia’s security news reporter. Eduard holds a bachelor’s degree in industrial informatics and a master’s degree in computer techniques applied in electrical engineering.

Click to comment

Daily Briefing Newsletter

Subscribe to the SecurityWeek Email Briefing to stay informed on the latest threats, trends, and technology, along with insightful columns from industry experts.

Join this webinar to learn best practices that organizations can use to improve both their resilience to new threats and their response times to incidents.


Join this live webinar as we explore the potential security threats that can arise when third parties are granted access to a sensitive data or systems.


Expert Insights

Related Content


Less than a week after announcing that it would suspended service indefinitely due to a conflict with an (at the time) unnamed security researcher...

Risk Management

The supply chain threat is directly linked to attack surface management, but the supply chain must be known and understood before it can be...


Apple has released updates for macOS, iOS and Safari and they all include a WebKit patch for a zero-day vulnerability tracked as CVE-2023-23529.

Application Security

Drupal released updates that resolve four vulnerabilities in Drupal core and three plugins.

Cloud Security

VMware vRealize Log Insight vulnerability allows an unauthenticated attacker to take full control of a target system.

Application Security

A CSRF vulnerability in the source control management (SCM) service Kudu could be exploited to achieve remote code execution in multiple Azure services.

IoT Security

Lexmark warns of a remote code execution (RCE) vulnerability impacting over 120 printer models, for which PoC code has been published.

CISO Strategy

Cybersecurity-related risk is a top concern, so boards need to know they have the proper oversight in place. Even as first-timers, successful CISOs make...