CVE-2025-24812
📋 TL;DR
A denial-of-service vulnerability exists in multiple SIMATIC S7-1200 PLC models where specially crafted packets sent to TCP port 102 can crash the device. This affects industrial control systems using Siemens SIMATIC S7-1200 CPUs with firmware versions below V4.7. An attacker could disrupt critical industrial operations by sending malicious packets to vulnerable devices.
💻 Affected Systems
- SIMATIC S7-1200 CPU 1211C AC/DC/Rly
- SIMATIC S7-1200 CPU 1211C DC/DC/DC
- SIMATIC S7-1200 CPU 1211C DC/DC/Rly
- SIMATIC S7-1200 CPU 1212C AC/DC/Rly
- SIMATIC S7-1200 CPU 1212C DC/DC/DC
- SIMATIC S7-1200 CPU 1212C DC/DC/Rly
- SIMATIC S7-1200 CPU 1212FC DC/DC/DC
- SIMATIC S7-1200 CPU 1212FC DC/DC/Rly
- SIMATIC S7-1200 CPU 1214C AC/DC/Rly
- SIMATIC S7-1200 CPU 1214C DC/DC/DC
- SIMATIC S7-1200 CPU 1214C DC/DC/Rly
- SIMATIC S7-1200 CPU 1214FC DC/DC/DC
- SIMATIC S7-1200 CPU 1214FC DC/DC/Rly
- SIMATIC S7-1200 CPU 1215C AC/DC/Rly
- SIMATIC S7-1200 CPU 1215C DC/DC/DC
- SIMATIC S7-1200 CPU 1215C DC/DC/Rly
- SIMATIC S7-1200 CPU 1215FC DC/DC/DC
- SIMATIC S7-1200 CPU 1215FC DC/DC/Rly
- SIMATIC S7-1200 CPU 1217C DC/DC/DC
- SIPLUS S7-1200 CPU 1212 AC/DC/RLY
- SIPLUS S7-1200 CPU 1212 DC/DC/RLY
- SIPLUS S7-1200 CPU 1212C DC/DC/DC
- SIPLUS S7-1200 CPU 1212C DC/DC/DC RAIL
- SIPLUS S7-1200 CPU 1214 AC/DC/RLY
- SIPLUS S7-1200 CPU 1214 DC/DC/DC
- SIPLUS S7-1200 CPU 1214 DC/DC/RLY
- SIPLUS S7-1200 CPU 1214C DC/DC/DC RAIL
- SIPLUS S7-1200 CPU 1214FC DC/DC/DC
- SIPLUS S7-1200 CPU 1214FC DC/DC/RLY
- SIPLUS S7-1200 CPU 1215 AC/DC/RLY
- SIPLUS S7-1200 CPU 1215 DC/DC/DC
- SIPLUS S7-1200 CPU 1215 DC/DC/RLY
- SIPLUS S7-1200 CPU 1215C DC/DC/DC
- SIPLUS S7-1200 CPU 1215FC DC/DC/DC
⚠️ Manual Verification Required
This CVE does not have specific version information in our database, so automatic vulnerability detection cannot determine if your system is affected.
Why? The CVE database entry doesn't specify which versions are vulnerable (no version ranges provided by the vendor/NVD).
- Review the CVE details at NVD
- Check vendor security advisories for your specific version
- Test if the vulnerability is exploitable in your environment
- Consider updating to the latest version as a precaution
⚠️ Risk & Real-World Impact
Worst Case
Complete device crash requiring physical restart, causing production downtime, safety system failures, or process disruptions in critical infrastructure.
Likely Case
Temporary denial of service requiring manual intervention to restart affected PLCs, disrupting automated processes.
If Mitigated
Minimal impact with proper network segmentation and access controls preventing unauthorized access to port 102.
🎯 Exploit Status
Exploitation requires sending crafted packets to port 102/tcp, which is typically open for Siemens S7 communication. No authentication is required if network access is available.
🛠️ Fix & Mitigation
✅ Official Fix
Patch Version: V4.7 or later
Vendor Advisory: https://cert-portal.siemens.com/productcert/html/ssa-224824.html
Restart Required: Yes
Instructions:
1. Download firmware V4.7 or later from Siemens Industry Online Support.
2. Use TIA Portal software to upload new firmware to affected PLCs.
3. Restart PLCs after firmware update.
4. Verify firmware version is V4.7 or higher.
🔧 Temporary Workarounds
Network Segmentation
Restrict access to port 102/tcp using firewalls to only trusted engineering stations and SCADA systems.
Access Control Lists
Implement network ACLs to block unauthorized IP addresses from accessing PLCs on port 102.
🧯 If You Can't Patch
- Implement strict network segmentation to isolate PLCs from untrusted networks
- Deploy intrusion detection systems to monitor for anomalous traffic on port 102
🔍 How to Verify
Check if Vulnerable:
Check firmware version in TIA Portal or via web interface. If version is below V4.7 and port 102/tcp is accessible, device is vulnerable.
Check Version:
Use TIA Portal: Online & Diagnostics > General > Firmware version
Verify Fix Applied:
Confirm firmware version is V4.7 or higher in device properties. Test connectivity to port 102/tcp to ensure legitimate communication still works.
📡 Detection & Monitoring
Log Indicators:
- PLC restart events
- Connection attempts to port 102 from unauthorized sources
- Abnormal packet patterns on port 102
Network Indicators:
- Unusual traffic volume to port 102/tcp
- Crafted packets targeting port 102
- Connection attempts from unexpected IP ranges
SIEM Query:
destination_port:102 AND (packet_size:anomalous OR protocol_violation:true)
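The first two network indicators above (connections to port 102/tcp from unexpected sources, and unusual volume) can be checked against flow or firewall logs. The following is an added example, not part of the original page or the Siemens advisory; the log format, allowlist networks, addresses and threshold are all constructed assumptions.

```python
import ipaddress
from collections import Counter

S7_PORT = 102  # port named in the advisory for S7 communication

# Assumption: constructed allowlist of engineering stations and SCADA hosts.
ALLOWED_SOURCES = [ipaddress.ip_network(n) for n in ("10.10.1.0/28", "10.10.2.5/32")]

# Constructed sample records: "timestamp src_ip dst_ip dst_port proto"
SAMPLE_FLOWS = """\
2025-01-01T08:00:01Z 10.10.1.4 10.20.0.11 102 tcp
2025-01-01T08:00:05Z 10.10.2.5 10.20.0.12 102 tcp
2025-01-01T08:01:10Z 192.168.50.23 10.20.0.11 102 tcp
2025-01-01T08:01:11Z 192.168.50.23 10.20.0.11 102 tcp
2025-01-01T08:01:12Z 192.168.50.23 10.20.0.12 102 tcp
2025-01-01T08:01:13Z 192.168.50.23 10.20.0.13 102 tcp
2025-01-01T08:02:00Z 10.10.1.4 10.20.0.11 443 tcp
malformed line here
"""

def parse_flows(text):
    """Yield (ts, src, dst, dport, proto); skip blank or malformed lines."""
    for line in text.splitlines():
        parts = line.split()
        if len(parts) != 5:
            continue
        ts, src, dst, dport, proto = parts
        try:
            yield ts, ipaddress.ip_address(src), dst, int(dport), proto.lower()
        except ValueError:
            continue  # unparsable address or port

def find_alerts(text, volume_threshold=3):
    """Return (unauthorized, noisy) for traffic to 102/tcp."""
    # unauthorized: (ts, src, dst) for sources outside ALLOWED_SOURCES
    # noisy: {src: count} for any source with more than volume_threshold flows
    unauthorized, per_source = [], Counter()
    for ts, src, dst, dport, proto in parse_flows(text):
        if dport != S7_PORT or proto != "tcp":
            continue
        per_source[str(src)] += 1
        if not any(src in net for net in ALLOWED_SOURCES):
            unauthorized.append((ts, str(src), dst))
    noisy = {s: n for s, n in per_source.items() if n > volume_threshold}
    return unauthorized, noisy
```

Correlating the returned timestamps with PLC restart events from the log indicators list narrows down which source preceded a crash.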