CVE-2022-45147
📋 TL;DR
This vulnerability allows attackers to execute arbitrary code on affected Siemens industrial control systems by exploiting insecure .NET BinaryFormatter deserialization. It affects SIMATIC PCS neo V4.0 and SIMATIC STEP 7 V16-V18 software. Attackers can achieve remote code execution by sending specially crafted data to vulnerable applications.
💻 Affected Systems
- SIMATIC PCS neo
- SIMATIC STEP 7
⚠️ Manual Verification Required
This CVE does not have specific version information in our database, so automatic vulnerability detection cannot determine if your system is affected.
Why? The CVE database entry doesn't specify which versions are vulnerable (no version ranges provided by the vendor/NVD).
- Review the CVE details at NVD
- Check vendor security advisories for your specific version
- Test if the vulnerability is exploitable in your environment
- Consider updating to the latest version as a precaution
⚠️ Risk & Real-World Impact
Worst Case
Full system compromise allowing attackers to execute arbitrary code with application privileges, potentially leading to industrial process disruption, data theft, or lateral movement within OT networks.
Likely Case
Remote code execution on engineering workstations or controllers, enabling attackers to manipulate industrial processes, steal intellectual property, or establish persistence in OT environments.
If Mitigated
Limited impact if systems are isolated from untrusted networks and proper input validation is implemented, though the vulnerability remains present.
🎯 Exploit Status
Based on known .NET BinaryFormatter vulnerabilities, exploitation is straightforward once a payload is crafted. No authentication is required for exploitation.
🛠️ Fix & Mitigation
✅ Official Fix
Patch Version: SIMATIC STEP 7 V18 Update 2 or later
Vendor Advisory: https://cert-portal.siemens.com/productcert/html/ssa-825651.html
Restart Required: Yes
Instructions:
1. Download and install SIMATIC STEP 7 V18 Update 2 or later from Siemens support portal.
2. For SIMATIC PCS neo V4.0, apply security updates as per Siemens advisory.
3. Restart affected systems after patching.
🔧 Temporary Workarounds
Network Segmentation
Isolate affected systems from untrusted networks and restrict access to engineering workstations.
Input Validation
Implement strict input validation for all deserialization operations in custom applications.
🧯 If You Can't Patch
- Implement strict network segmentation to isolate affected systems from untrusted networks
- Monitor for suspicious deserialization attempts and implement application whitelisting
🔍 How to Verify
Check if Vulnerable:
Check installed version of SIMATIC STEP 7 or PCS neo. If using affected versions listed above, system is vulnerable.
Check Version:
In SIMATIC STEP 7: Help → About. In Windows: Check installed programs list for Siemens software versions.
Verify Fix Applied:
Verify SIMATIC STEP 7 version is V18 Update 2 or later. For PCS neo, check for applied security updates per Siemens advisory.
📡 Detection & Monitoring
Log Indicators:
- Unusual process creation from SIMATIC applications
- Deserialization errors in application logs
- Network connections to engineering workstations from unexpected sources
Network Indicators:
- Unusual traffic to SIMATIC services (default ports 102, 135, 445)
- Binary data patterns indicative of serialized .NET objects
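The "binary data patterns" indicator can be made concrete with the stream header that Microsoft's MS-NRBF specification defines for BinaryFormatter output. The Python below is an added example, not part of the Siemens advisory or any vendor tooling; the function names and the sample bytes are constructed for illustration, and the page does not say where such data appears in SIMATIC traffic.

```python
import base64
import re
import struct

# MS-NRBF SerializationHeaderRecord: RecordTypeEnum byte (0) followed by
# little-endian int32 RootId, HeaderId, MajorVersion (1), MinorVersion (0).
HEADER = struct.Struct("<Biiii")
# RecordTypeEnum values that may follow the header (18-20 are unassigned).
NEXT_RECORDS = set(range(1, 18)) | {21, 22}
B64_RUN = re.compile(rb"[A-Za-z0-9+/]{24,}")


def header_at(data: bytes, pos: int):
    """Return the parsed header at pos, or None if the bytes do not fit it."""
    if pos + HEADER.size > len(data):
        return None
    rec, root_id, header_id, major, minor = HEADER.unpack_from(data, pos)
    if (rec, major, minor) != (0, 1, 0):
        return None
    nxt = pos + HEADER.size
    if nxt < len(data) and data[nxt] not in NEXT_RECORDS:
        return None  # header-like bytes not followed by a valid record
    return {"offset": pos, "root_id": root_id, "header_id": header_id}


def scan_payload(payload: bytes) -> list:
    """Find BinaryFormatter stream headers, raw or base64-encoded."""
    findings = []
    pos = payload.find(b"\x00")
    while pos != -1:
        hit = header_at(payload, pos)
        if hit:
            findings.append({**hit, "encoding": "raw"})
        pos = payload.find(b"\x00", pos + 1)
    for m in B64_RUN.finditer(payload):
        run = m.group()
        decoded = base64.b64decode(run[: len(run) // 4 * 4])
        hit = header_at(decoded, 0)
        if hit:
            findings.append({**hit, "offset": m.start(), "encoding": "base64"})
    return findings


# Constructed sample: a stream header followed by the start of a BinaryLibrary
# record (type 12), truncated. It carries no object data.
SAMPLE = HEADER.pack(0, 1, -1, 1, 0) + b"\x0c\x02\x00\x00\x00"

if __name__ == "__main__":
    print(scan_payload(b"POST /x\r\n\r\n" + SAMPLE))
    print(scan_payload(b'{"state":"' + base64.b64encode(SAMPLE) + b'"}'))
```

A hit only shows that a BinaryFormatter stream is present, which can be legitimate application traffic, so treat it as a signal to correlate with the source and destination. Compressed or encrypted transport hides the header from this check.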
SIEM Query:
source="*simatic*" AND (event_id="4688" OR process_name="powershell.exe" OR process_name="cmd.exe")