CVE-2025-24811

7.5 HIGH

📋 TL;DR

This vulnerability affects multiple Siemens SIMATIC S7-1200 and SIPLUS S7-1200 CPU models, allowing an unauthenticated attacker to send specially crafted packets to port 80/tcp, causing a denial of service (DoS) that disrupts device functionality. It impacts industrial control systems using these specific programmable logic controllers (PLCs).

💻 Affected Systems

Products:
  • SIMATIC S7-1200 CPU 1211C AC/DC/Rly (6ES7211-1BE40-0XB0)
  • SIMATIC S7-1200 CPU 1211C DC/DC/DC (6ES7211-1AE40-0XB0)
  • SIMATIC S7-1200 CPU 1211C DC/DC/Rly (6ES7211-1HE40-0XB0)
  • SIMATIC S7-1200 CPU 1212C AC/DC/Rly (6ES7212-1BE40-0XB0)
  • SIMATIC S7-1200 CPU 1212C DC/DC/DC (6ES7212-1AE40-0XB0)
  • SIMATIC S7-1200 CPU 1212C DC/DC/Rly (6ES7212-1HE40-0XB0)
  • SIMATIC S7-1200 CPU 1212FC DC/DC/DC (6ES7212-1AF40-0XB0)
  • SIMATIC S7-1200 CPU 1212FC DC/DC/Rly (6ES7212-1HF40-0XB0)
  • SIMATIC S7-1200 CPU 1214C AC/DC/Rly (6ES7214-1BG40-0XB0)
  • SIMATIC S7-1200 CPU 1214C DC/DC/DC (6ES7214-1AG40-0XB0)
  • SIMATIC S7-1200 CPU 1214C DC/DC/Rly (6ES7214-1HG40-0XB0)
  • SIMATIC S7-1200 CPU 1214FC DC/DC/DC (6ES7214-1AF40-0XB0)
  • SIMATIC S7-1200 CPU 1214FC DC/DC/Rly (6ES7214-1HF40-0XB0)
  • SIMATIC S7-1200 CPU 1215C AC/DC/Rly (6ES7215-1BG40-0XB0)
  • SIMATIC S7-1200 CPU 1215C DC/DC/DC (6ES7215-1AG40-0XB0)
  • SIMATIC S7-1200 CPU 1215C DC/DC/Rly (6ES7215-1HG40-0XB0)
  • SIMATIC S7-1200 CPU 1215FC DC/DC/DC (6ES7215-1AF40-0XB0)
  • SIMATIC S7-1200 CPU 1215FC DC/DC/Rly (6ES7215-1HF40-0XB0)
  • SIMATIC S7-1200 CPU 1217C DC/DC/DC (6ES7217-1AG40-0XB0)
  • SIPLUS S7-1200 CPU 1212 AC/DC/RLY (6AG1212-1BE40-2XB0)
  • SIPLUS S7-1200 CPU 1212 AC/DC/RLY (6AG1212-1BE40-4XB0)
  • SIPLUS S7-1200 CPU 1212 DC/DC/RLY (6AG1212-1HE40-2XB0)
  • SIPLUS S7-1200 CPU 1212 DC/DC/RLY (6AG1212-1HE40-4XB0)
  • SIPLUS S7-1200 CPU 1212C DC/DC/DC (6AG1212-1AE40-2XB0)
  • SIPLUS S7-1200 CPU 1212C DC/DC/DC (6AG1212-1AE40-4XB0)
  • SIPLUS S7-1200 CPU 1212C DC/DC/DC RAIL (6AG2212-1AE40-1XB0)
  • SIPLUS S7-1200 CPU 1214 AC/DC/RLY (6AG1214-1BG40-2XB0)
  • SIPLUS S7-1200 CPU 1214 AC/DC/RLY (6AG1214-1BG40-4XB0)
  • SIPLUS S7-1200 CPU 1214 AC/DC/RLY (6AG1214-1BG40-5XB0)
  • SIPLUS S7-1200 CPU 1214 DC/DC/DC (6AG1214-1AG40-2XB0)
  • SIPLUS S7-1200 CPU 1214 DC/DC/DC (6AG1214-1AG40-4XB0)
  • SIPLUS S7-1200 CPU 1214 DC/DC/DC (6AG1214-1AG40-5XB0)
  • SIPLUS S7-1200 CPU 1214 DC/DC/RLY (6AG1214-1HG40-2XB0)
  • SIPLUS S7-1200 CPU 1214 DC/DC/RLY (6AG1214-1HG40-4XB0)
  • SIPLUS S7-1200 CPU 1214 DC/DC/RLY (6AG1214-1HG40-5XB0)
  • SIPLUS S7-1200 CPU 1214C DC/DC/DC RAIL (6AG2214-1AG40-1XB0)
  • SIPLUS S7-1200 CPU 1214FC DC/DC/DC (6AG1214-1AF40-5XB0)
  • SIPLUS S7-1200 CPU 1214FC DC/DC/RLY (6AG1214-1HF40-5XB0)
  • SIPLUS S7-1200 CPU 1215 AC/DC/RLY (6AG1215-1BG40-2XB0)
  • SIPLUS S7-1200 CPU 1215 AC/DC/RLY (6AG1215-1BG40-4XB0)
  • SIPLUS S7-1200 CPU 1215 AC/DC/RLY (6AG1215-1BG40-5XB0)
  • SIPLUS S7-1200 CPU 1215 DC/DC/DC (6AG1215-1AG40-2XB0)
  • SIPLUS S7-1200 CPU 1215 DC/DC/DC (6AG1215-1AG40-4XB0)
  • SIPLUS S7-1200 CPU 1215 DC/DC/RLY (6AG1215-1HG40-2XB0)
  • SIPLUS S7-1200 CPU 1215 DC/DC/RLY (6AG1215-1HG40-4XB0)
  • SIPLUS S7-1200 CPU 1215 DC/DC/RLY (6AG1215-1HG40-5XB0)
  • SIPLUS S7-1200 CPU 1215C DC/DC/DC (6AG1215-1AG40-5XB0)
  • SIPLUS S7-1200 CPU 1215FC DC/DC/DC (6AG1215-1AF40-5XB0)
Versions: All versions prior to the patch; specific version details should be checked in the vendor advisory.
Operating Systems: Not applicable; these are embedded PLC devices with proprietary firmware.
Default Config Vulnerable: ⚠️ Yes
Notes: The vulnerability is present in default configurations where port 80/tcp is accessible, typically used for web services on these PLCs.

⚠️ Manual Verification Required

This CVE does not have specific version information in our database, so automatic vulnerability detection cannot determine if your system is affected.

Why? The CVE database entry doesn't specify which versions are vulnerable (no version ranges provided by the vendor/NVD).

Recommended Actions:
  1. Review the CVE details at NVD
  2. Check vendor security advisories for your specific version
  3. Test if the vulnerability is exploitable in your environment
  4. Consider updating to the latest version as a precaution

⚠️ Risk & Real-World Impact

🔴 Worst Case

An attacker could remotely crash the PLC, halting industrial processes and causing operational downtime, safety risks, or production losses.

🟠 Likely Case

Most probable impact is temporary DoS, disrupting PLC communication and control functions until manual restart or recovery.

🟢 If Mitigated

With proper network segmentation and access controls, impact is limited to isolated network segments, reducing widespread disruption.

🌐 Internet-Facing: HIGH, as the vulnerability is unauthenticated and exploitable via network packets, making internet-exposed devices highly susceptible to attacks.
🏢 Internal Only: MEDIUM, as internal attackers or malware could exploit it, but network segmentation and monitoring can mitigate risk.

🎯 Exploit Status

Public PoC: ✅ No
Weaponized: UNKNOWN
Unauthenticated Exploit: ⚠️ Yes
Complexity: LOW

Exploitation requires sending crafted packets to port 80/tcp, which is straightforward for attackers with network access.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: Refer to Siemens advisory for specific firmware updates; typically version 4.6 or later, but check the vendor link for exact details.

Vendor Advisory: https://cert-portal.siemens.com/productcert/html/ssa-224824.html

Restart Required: Yes

Instructions:

  1. Access the Siemens support portal.
  2. Download the latest firmware update for your specific CPU model.
  3. Use TIA Portal software to upload and apply the firmware update to the PLC.
  4. Restart the PLC to activate the patch.

🔧 Temporary Workarounds

Block Port 80/tcp Access (applies to: all)

Restrict network access to port 80/tcp on affected PLCs using firewalls or access control lists (ACLs) to prevent exploitation.

Example control: a firewall rule that denies inbound traffic to TCP port 80 on PLC IP addresses.

Network Segmentation (applies to: all)

Isolate PLCs in a dedicated industrial network segment with strict inbound/outbound controls to limit exposure.

🧯 If You Can't Patch

  • Implement strict network segmentation to isolate PLCs from untrusted networks.
  • Deploy intrusion detection systems (IDS) to monitor for anomalous traffic on port 80/tcp and alert on potential exploitation attempts.

🔍 How to Verify

Check if Vulnerable:

Check if your PLC model and firmware version match the affected list in the Siemens advisory; use TIA Portal to read device information.

Check Version:

In TIA Portal, go to 'Online & Diagnostics' > 'General' to view the firmware version of the connected PLC.

Verify Fix Applied:

After applying the firmware update, verify the new version in TIA Portal and test by attempting to send crafted packets to port 80/tcp (in a controlled environment) to ensure no DoS occurs.

📡 Detection & Monitoring

Log Indicators:

  • Unusual traffic spikes or connection attempts to port 80/tcp on PLCs
  • PLC log entries indicating service disruptions or crashes

Network Indicators:

  • Anomalous packets to port 80/tcp with malformed headers or payloads
  • Increased traffic from untrusted sources targeting PLC IPs

SIEM Query:

source_ip IN (untrusted_networks) AND dest_port=80 AND protocol=TCP AND packet_size > threshold
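Added example (not from the advisory or from Siemens): the SIEM query above implemented over a few constructed flow records, evaluated side by side with the deny condition of the "Block Port 80/tcp Access" workaround. PLC_HOSTS, TRUSTED_NETS, SIZE_THRESHOLD and the flow-record format are assumptions for illustration.

```python
import ipaddress
from collections import Counter

# Constructed values for this example (not from the advisory): the PLCs to protect and
# the only networks that should reach their web service, e.g. engineering stations.
PLC_HOSTS = {ipaddress.ip_address("10.10.5.21"), ipaddress.ip_address("10.10.5.22")}
TRUSTED_NETS = [ipaddress.ip_network("10.10.1.0/24")]
SIZE_THRESHOLD = 1500  # bytes; assumed tuning value for the query's "packet_size > threshold"

# Constructed sample flow records in the form "src_ip dst_ip proto dst_port bytes".
SAMPLE_FLOWS = """\
10.10.1.15 10.10.5.21 tcp 80 412
192.168.77.9 10.10.5.21 tcp 80 9800
192.168.77.9 10.10.5.21 tcp 80 9800
192.168.77.9 10.10.5.21 tcp 80 9800
10.10.1.15 10.10.5.22 tcp 102 120
172.16.3.3 10.10.5.22 tcp 80 300
172.16.3.3 10.10.9.1 tcp 80 20000
"""

def parse_flow(line):
    """Split one flow record into typed fields."""
    src, dst, proto, port, size = line.split()
    return ipaddress.ip_address(src), ipaddress.ip_address(dst), proto.lower(), int(port), int(size)

def is_untrusted(ip):
    """'source_ip IN (untrusted_networks)': anything outside the trusted list."""
    return not any(ip in net for net in TRUSTED_NETS)

def targets_plc_web(flow):
    """Traffic the firewall workaround should deny: untrusted source, TCP/80, PLC destination."""
    src, dst, proto, port, _ = flow
    return is_untrusted(src) and dst in PLC_HOSTS and proto == "tcp" and port == 80

def matches_siem_query(flow):
    """The advisory's SIEM query as written, including its packet-size condition."""
    return targets_plc_web(flow) and flow[4] > SIZE_THRESHOLD

def review_flows(text):
    """Evaluate both rules over a flow log so the gap between them is visible."""
    flows = [parse_flow(line) for line in text.splitlines() if line.strip()]
    denied = [f for f in flows if targets_plc_web(f)]
    alerted = [f for f in flows if matches_siem_query(f)]
    return {"denied": len(denied), "alerted": len(alerted),
            "sources": Counter(str(f[0]) for f in denied)}
```

The small untrusted connection from 172.16.3.3 is caught by the firewall condition but missed by the size term; since the advisory gives no packet size for the crafted traffic, alert on the untrusted-to-PLC condition itself and treat size as enrichment.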
