Full Report
SIMATIC S7-1500 devices contain a vulnerability that could allow an attacker to inject code by tricking a legitimate user into importing a specially crafted trace file in the web interface. Siemens has released new versions for several affected products and recommends updating to the latest versions. Siemens is preparing further fix versions and recommends specific countermeasures for products where fixes are not, or not yet, available.
Analysis Summary
# Vulnerability: Eval Injection in SIMATIC S7-1500 Web Interface
## CVE Details
- **CVE ID:** CVE-2025-40943
- **CVSS Score:** 9.6 (Critical) [v3.1] / 9.4 (Critical) [v4.0]
- **CWE:** CWE-95: Improper Neutralization of Directives in Dynamically Evaluated Code ('Eval Injection')
## Affected Systems
- **Products:**
- SIMATIC S7-1500 CPU family (Standard, Compact, Advanced, and Software Controllers)
- SIMATIC Drive Controller family (CPU 1504D TF, CPU 1507D TF)
- SIMATIC ET 200SP Open Controller (PC2/PC3 V2 & V3 CPUs - Windows and Industrial OS)
- SIMATIC S7-PLCSIM Advanced (Simulation environment)
- **Versions:** All versions prior to the released fixes (see Remediation).
- **Configurations:** Systems where the Web Server is enabled and users have "Read diagnostics" permissions.
## Vulnerability Description
Affected SIMATIC S7-1500 devices fail to properly sanitize the contents of trace files imported via the web interface. This eval-injection flaw (CWE-95) lets an attacker embed code in a specially crafted trace file. When an authorized user holding the "Read diagnostics" function right imports that file, the embedded code runs in the context of the user's browser session. From there it can trigger any PLC operation the legitimate user is authorized to perform, so the attacker effectively inherits that user's rights on the device.
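As an added illustration (not Siemens' code, and not the real S7-1500 trace format, which this page does not describe), the importer pattern that produces CWE-95 next to a data-only parser that avoids it; the JSON layout, the field names `sampleRateMs`/`signals`, and the functions `importTraceUnsafe` and `parseTraceFile` are assumptions:

```javascript
// Added illustration, not Siemens code; the JSON trace layout is an assumption.
// CWE-95 pattern: file contents are handed to the JavaScript engine, so a
// crafted file runs with whatever the logged-in user is allowed to do.
// Shown only for contrast; never call this on untrusted input.
function importTraceUnsafe(fileText) {
  return eval("(" + fileText + ")");
}

// Hardened importer: parse as data only, validate the shape strictly, and
// copy just the expected fields so nothing else from the file survives.
const NAME_RE = /^[A-Za-z0-9_.]{1,64}$/;
function parseTraceFile(fileText, maxBytes = 1 << 20) {
  if (typeof fileText !== "string" || fileText.length > maxBytes) {
    throw new Error("trace file is not text or exceeds size limit");
  }
  let doc;
  try {
    doc = JSON.parse(fileText); // data only, never evaluated as code
  } catch (e) {
    throw new Error("trace file is not valid JSON");
  }
  if (doc === null || typeof doc !== "object" || Array.isArray(doc)) {
    throw new Error("top level must be an object");
  }
  if (!Number.isInteger(doc.sampleRateMs) || doc.sampleRateMs <= 0) {
    throw new Error("sampleRateMs must be a positive integer");
  }
  if (!Array.isArray(doc.signals) || doc.signals.length === 0) {
    throw new Error("signals must be a non-empty array");
  }
  const signals = doc.signals.map((s, i) => {
    if (s === null || typeof s !== "object" ||
        typeof s.name !== "string" || !NAME_RE.test(s.name)) {
      throw new Error(`signal ${i}: missing or malformed name`);
    }
    if (!Array.isArray(s.values) || !s.values.every(Number.isFinite)) {
      throw new Error(`signal ${i}: values must be finite numbers`);
    }
    return { name: s.name, values: s.values.slice() };
  });
  return { sampleRateMs: doc.sampleRateMs, signals };
}

// Constructed samples: a benign trace, and one carrying a string where a
// number belongs (rejected before anything reaches the page).
const SAMPLE_OK = JSON.stringify({ sampleRateMs: 10,
  signals: [{ name: "Motor1.Speed", values: [0, 12.5, 25] }] });
const SAMPLE_BAD = JSON.stringify({ sampleRateMs: 10,
  signals: [{ name: "Motor1.Speed", values: [0, "1+1"] }] });
```

The hardened path never lets file content reach `eval`, `Function`, or `innerHTML`, which is the property a reviewer should check for in any browser-side file importer.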
## Exploitation
- **Status:** PoC availability and in-the-wild exploitation are not explicitly mentioned in the advisory; the vulnerability is documented as requiring social engineering (a legitimate user must be tricked into importing the crafted file).
- **Complexity:** Low
- **Attack Vector:** Network (requires user interaction/social engineering)
## Impact
- **Confidentiality:** High (Session hijacking and data theft from the browser context)
- **Integrity:** High (Unauthorized PLC operations and command execution)
- **Availability:** High (Potential to disrupt industrial processes via unauthorized commands)
## Remediation
### Patches
Siemens is releasing fixes in stages. Users should monitor the official advisory for specific version updates.
*Note: The provided text indicates Siemens has released new versions for several products but lists many (like Drive Controllers and ET 200SP PC2/PC3) as "Currently no fix is available" at the time of the update (2026-03-19).*
### Workarounds
- **Restrict Web Access:** Limit access to the PLC web server to trusted users and networks only.
- **Permission Management:** Review and minimize users assigned the "Read diagnostics" function right.
- **Input Validation:** Only import trace files from known, trusted sources.
- **Disable Web Server:** If the web interface is not required for operations, disable it to close the attack vector.
## Detection
- **Indicators of Compromise:** Unusual PLC configuration changes or operational commands triggered from a user's IP address.
- **Detection methods and tools:** Audit web server access logs for trace file import actions. Use Network Intrusion Detection Systems (IDS) to monitor for suspicious payloads in HTTP POST requests related to trace file uploads.
## References
- Siemens Security Advisory SSA-452276: hxxps://cert-portal[.]siemens[.]com/productcert/html/ssa-452276.html
- Siemens ProductCERT: hxxps://www[.]siemens[.]com/cert/advisories