CVE-2024-47100 – This CVE describes a Cross-Site Request Forgery... (How to Fix)

Q: What is the severity of CVE-2024-47100?

CVE-2024-47100 has a CVSS score of 7.1 (HIGH). This CVE describes a Cross-Site Request Forgery (CSRF) vulnerability in the web interface of Siemens SIMATIC S7-1200 and SIPLUS S7-1200 PLC CPUs. An unauthenticated attacker could trick an authenticated user into clicking a malicious link, potentially changing the CPU mode. This affects industrial control systems using these specific Siemens PLC models.

📋 TL;DR

This CVE describes a Cross-Site Request Forgery (CSRF) vulnerability in the web interface of Siemens SIMATIC S7-1200 and SIPLUS S7-1200 PLC CPUs. An unauthenticated attacker could trick an authenticated user into clicking a malicious link, potentially changing the CPU mode. This affects industrial control systems using these specific Siemens PLC models.

💻 Affected Systems

Products:

SIMATIC S7-1200 CPU 1211C AC/DC/Rly (6ES7211-1BE40-0XB0)
SIMATIC S7-1200 CPU 1211C DC/DC/DC (6ES7211-1AE40-0XB0)
SIMATIC S7-1200 CPU 1211C DC/DC/Rly (6ES7211-1HE40-0XB0)
SIMATIC S7-1200 CPU 1212C AC/DC/Rly (6ES7212-1BE40-0XB0)
SIMATIC S7-1200 CPU 1212C DC/DC/DC (6ES7212-1AE40-0XB0)
SIMATIC S7-1200 CPU 1212C DC/DC/Rly (6ES7212-1HE40-0XB0)
SIMATIC S7-1200 CPU 1212FC DC/DC/DC (6ES7212-1AF40-0XB0)
SIMATIC S7-1200 CPU 1212FC DC/DC/Rly (6ES7212-1HF40-0XB0)
SIMATIC S7-1200 CPU 1214C AC/DC/Rly (6ES7214-1BG40-0XB0)
SIMATIC S7-1200 CPU 1214C DC/DC/DC (6ES7214-1AG40-0XB0)
SIMATIC S7-1200 CPU 1214C DC/DC/Rly (6ES7214-1HG40-0XB0)
SIMATIC S7-1200 CPU 1214FC DC/DC/DC (6ES7214-1AF40-0XB0)
SIMATIC S7-1200 CPU 1214FC DC/DC/Rly (6ES7214-1HF40-0XB0)
SIMATIC S7-1200 CPU 1215C AC/DC/Rly (6ES7215-1BG40-0XB0)
SIMATIC S7-1200 CPU 1215C DC/DC/DC (6ES7215-1AG40-0XB0)
SIMATIC S7-1200 CPU 1215C DC/DC/Rly (6ES7215-1HG40-0XB0)
SIMATIC S7-1200 CPU 1215FC DC/DC/DC (6ES7215-1AF40-0XB0)
SIMATIC S7-1200 CPU 1215FC DC/DC/Rly (6ES7215-1HF40-0XB0)
SIMATIC S7-1200 CPU 1217C DC/DC/DC (6ES7217-1AG40-0XB0)
SIPLUS S7-1200 CPU 1212 AC/DC/RLY (6AG1212-1BE40-2XB0)
SIPLUS S7-1200 CPU 1212 AC/DC/RLY (6AG1212-1BE40-4XB0)
SIPLUS S7-1200 CPU 1212 DC/DC/RLY (6AG1212-1HE40-2XB0)
SIPLUS S7-1200 CPU 1212 DC/DC/RLY (6AG1212-1HE40-4XB0)
SIPLUS S7-1200 CPU 1212C DC/DC/DC (6AG1212-1AE40-2XB0)
SIPLUS S7-1200 CPU 1212C DC/DC/DC (6AG1212-1AE40-4XB0)
SIPLUS S7-1200 CPU 1212C DC/DC/DC RAIL (6AG2212-1AE40-1XB0)
SIPLUS S7-1200 CPU 1214 AC/DC/RLY (6AG1214-1BG40-2XB0)
SIPLUS S7-1200 CPU 1214 AC/DC/RLY (6AG1214-1BG40-4XB0)
SIPLUS S7-1200 CPU 1214 AC/DC/RLY (6AG1214-1BG40-5XB0)
SIPLUS S7-1200 CPU 1214 DC/DC/DC (6AG1214-1AG40-2XB0)
SIPLUS S7-1200 CPU 1214 DC/DC/DC (6AG1214-1AG40-4XB0)
SIPLUS S7-1200 CPU 1214 DC/DC/DC (6AG1214-1AG40-5XB0)
SIPLUS S7-1200 CPU 1214 DC/DC/RLY (6AG1214-1HG40-2XB0)
SIPLUS S7-1200 CPU 1214 DC/DC/RLY (6AG1214-1HG40-4XB0)
SIPLUS S7-1200 CPU 1214 DC/DC/RLY (6AG1214-1HG40-5XB0)
SIPLUS S7-1200 CPU 1214C DC/DC/DC RAIL (6AG2214-1AG40-1XB0)
SIPLUS S7-1200 CPU 1214FC DC/DC/DC (6AG1214-1AF40-5XB0)
SIPLUS S7-1200 CPU 1214FC DC/DC/RLY (6AG1214-1HF40-5XB0)
SIPLUS S7-1200 CPU 1215 AC/DC/RLY (6AG1215-1BG40-2XB0)
SIPLUS S7-1200 CPU 1215 AC/DC/RLY (6AG1215-1BG40-4XB0)
SIPLUS S7-1200 CPU 1215 AC/DC/RLY (6AG1215-1BG40-5XB0)
SIPLUS S7-1200 CPU 1215 DC/DC/DC (6AG1215-1AG40-2XB0)
SIPLUS S7-1200 CPU 1215 DC/DC/DC (6AG1215-1AG40-4XB0)
SIPLUS S7-1200 CPU 1215 DC/DC/RLY (6AG1215-1HG40-2XB0)
SIPLUS S7-1200 CPU 1215 DC/DC/RLY (6AG1215-1HG40-4XB0)
SIPLUS S7-1200 CPU 1215 DC/DC/RLY (6AG1215-1HG40-5XB0)
SIPLUS S7-1200 CPU 1215C DC/DC/DC (6AG1215-1AG40-5XB0)
SIPLUS S7-1200 CPU 1215FC DC/DC/DC (6AG1215-1AF40-5XB0)

Versions: All versions with web interface enabled

Operating Systems: Not applicable - embedded firmware

Default Config Vulnerable: ⚠️ Yes

Notes: Vulnerability exists in the web interface component. Devices without web interface enabled or accessible are not vulnerable.

⚠️ Manual Verification Required

This CVE does not have specific version information in our database, so automatic vulnerability detection cannot determine if your system is affected.

Why? The CVE database entry doesn't specify which versions are vulnerable (no version ranges provided by the vendor/NVD).

🔒 Custom verification scripts are available for registered users. Sign up free to download automated test scripts.

Recommended Actions:

Review the CVE details at NVD
Check vendor security advisories for your specific version
Test if the vulnerability is exploitable in your environment
Consider updating to the latest version as a precaution

⚠️ Risk & Real-World Impact

🔴

Worst Case

An attacker could change CPU modes (e.g., from RUN to STOP), causing production downtime, process disruption, or safety issues in industrial environments.

🟠

Likely Case

Temporary disruption of PLC operations requiring manual intervention to restore normal operation, potentially impacting production processes.

🟢

If Mitigated

With proper network segmentation and user awareness, the risk is limited to isolated incidents with minimal operational impact.

🌐 Internet-Facing: HIGH

🏢 Internal Only: MEDIUM

🎯 Exploit Status

Public PoC: ✅ No

Weaponized: UNKNOWN

Unauthenticated Exploit: ✅ No

Complexity: MEDIUM

Exploitation requires social engineering to trick authenticated users. No authentication bypass needed.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: Update to firmware version V4.7.0 or later

Vendor Advisory: https://cert-portal.siemens.com/productcert/html/ssa-717113.html

Restart Required: No

Instructions:

1. Download firmware update from Siemens Industry Online Support. 2. Use TIA Portal to upload firmware to affected PLCs. 3. Verify firmware version after update.

🔧 Temporary Workarounds

Disable web interface

all

Disable the web server functionality on affected PLCs if not required for operations.

Configure via TIA Portal: Device configuration > Web server > Disable

Network segmentation

all

Isolate PLCs in dedicated network segments with strict access controls.

🧯 If You Can't Patch

Implement strict network segmentation to isolate PLCs from untrusted networks
Train users to avoid clicking unknown links while authenticated to PLC web interfaces
Implement web application firewalls with CSRF protection rules
Monitor for unauthorized CPU mode changes

🔍 How to Verify

Check if Vulnerable:

Check if device model is in affected list and web interface is enabled. Use TIA Portal to check firmware version.

Check Version:

In TIA Portal: Online & diagnostics > Functions > Firmware update > Read firmware version

Verify Fix Applied:

Verify firmware version is V4.7.0 or later using TIA Portal or web interface.

📡 Detection & Monitoring

Log Indicators:

Unexpected CPU mode changes in PLC logs
Web interface access from unusual IP addresses
Multiple failed authentication attempts followed by successful login

Network Indicators:

HTTP POST requests to PLC web interface from unexpected sources
Traffic patterns suggesting CSRF attack vectors

SIEM Query:

source="plc_logs" AND (event="cpu_mode_change" OR event="web_interface_access")

📊 Metadata

CVE ID: CVE-2024-47100

CVSS v3 Score: 7.1 (HIGH)

CVSS Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:L/A:H

CWE: CWE-352

EPSS Score: 0.05% exploit probability (16.9th percentile)

Published: January 14, 2025

Last Updated: January 14, 2025

🔗 References

https://cert-portal.siemens.com/productcert/html/ssa-717113.html

📤 Share & Export

📄 Export Markdown 📋 Export JSON

🔗 Related Vulnerabilities

If you're affected by CVE-2024-47100, you might also want to check these: