Full Report
SIMATIC ET 200SP communication processors (CP 1542SP-1, CP 1542SP-1 IRC and CP 1543SP-1, incl. SIPLUS variants) contain an authentication vulnerability that could allow an unauthenticated remote attacker to access the configuration data. Siemens has released new versions for the affected products and recommends updating to the latest versions.
Analysis Summary
# Vulnerability: Authentication Bypass in SIMATIC ET 200SP Communication Processors
## CVE Details
- **CVE ID:** CVE-2025-40771
- **CVSS Score:** 9.8 (Critical) [v3.1] / 9.3 (Critical) [v4.0]
- **CWE:** CWE-306: Missing Authentication for Critical Function
## Affected Systems
- **Products:**
- SIMATIC CP 1542SP-1
- SIMATIC CP 1542SP-1 IRC (including SIPLUS variants)
- SIMATIC CP 1543SP-1 (including SIPLUS variants)
- SIPLUS ET 200SP CP 1542SP-1 IRC TX RAIL
- SIPLUS ET 200SP CP 1543SP-1 ISEC / ISEC TX RAIL
- **Versions:** All versions prior to V2.4.24
- **Configurations:** Devices configured to allow remote configuration connections.
## Vulnerability Description
The affected SIMATIC ET 200SP communication processors do not properly authenticate incoming configuration connections (CWE-306). Because the device never verifies the identity of the peer before serving this critical function, an attacker who can reach the configuration service over the network can read the device's configuration data without any credentials. No user interaction on the device side is required; network reachability of the configuration interface is the only precondition named in the advisory.
## Exploitation
- **Status:** Not reported as exploited in the wild at the time of the advisory; the advisory does not reference a public proof of concept.
- **Complexity:** Low
- **Attack Vector:** Network (Remote)
## Impact
- **Confidentiality:** High (Attacker can read sensitive configuration data)
- **Integrity:** High (Attacker can potentially modify configuration settings)
- **Availability:** High (Unauthorized configuration changes may lead to denial of service or operational disruption)
## Remediation
### Patches
Siemens recommends updating all affected products to **V2.4.24** or later. Firmware downloads can be found via the Siemens industry support portal:
- hxxps://support.industry.siemens[.]com/cs/ww/en/view/109995159/
### Workarounds
- **IP Filtering:** Restrict network access to the affected devices, in particular to their configuration interface, to trusted IP addresses such as engineering workstations, using an upstream firewall or the device's own access-control features where available.
- **Network Segmentation:** Operate the devices only within protected IT/OT network zones, following Siemens' operational guidelines for industrial security (see References).
## Detection
- **Indicators of Compromise:** The advisory publishes no file or network IoCs. Treat any configuration access or configuration change on an affected CP that originates from an IP address outside the approved engineering hosts as suspicious, and review it.
- **Detection Methods:** Use network intrusion detection (NIDS) or firewall/flow logs to identify connections to the CPs' configuration/engineering ports from sources that are not on the allowlist, and alert on unexpected sources rather than on volume alone. Audit device and firewall logs for unauthorized connection attempts, and reconcile observed configuration changes against change records.
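The IP-filtering workaround above and this detection guidance are two sides of the same allowlist: the firewall enforces "only these hosts may reach the configuration port", and the detector flags traffic that policy would have denied. The following is an added example (not code from the Siemens advisory or from Siemens) that encodes such a policy and runs it over constructed flow-log lines. It assumes the configuration traffic of interest is TCP/102 (ISO-on-TCP, the port STEP 7/TIA Portal uses for S7 engineering access; `CONFIG_PORT` is a parameter you should confirm for your deployment). The log format, the CP addresses (`10.10.30.11`, `10.10.30.12`) and the trusted engineering hosts are all constructed for the example.

```python
# Added example, not from the Siemens advisory. Allowlist policy for CP
# configuration access, applied to constructed firewall/flow-log lines.
# Assumption: S7 engineering/configuration traffic is TCP/102; the log
# format "<ts> proto=<p> src=<ip>:<port> dst=<ip>:<port> action=<a>" and
# all addresses below are constructed for this example.
import ipaddress
from dataclasses import dataclass
from typing import Iterable, Optional

CONFIG_PORT = 102  # assumption: S7/ISO-on-TCP engineering port; adjust if needed


@dataclass(frozen=True)
class Conn:
    ts: str
    proto: str
    src: ipaddress.IPv4Address
    sport: int
    dst: ipaddress.IPv4Address
    dport: int
    action: str


def parse_line(line: str) -> Optional[Conn]:
    """Parse one constructed flow-log line; return None for lines that do not match."""
    parts = line.split()
    if len(parts) != 5:
        return None
    try:
        kv = dict(p.split("=", 1) for p in parts[1:])
        src_ip, src_port = kv["src"].rsplit(":", 1)
        dst_ip, dst_port = kv["dst"].rsplit(":", 1)
        return Conn(parts[0], kv["proto"], ipaddress.ip_address(src_ip), int(src_port),
                    ipaddress.ip_address(dst_ip), int(dst_port), kv["action"])
    except (KeyError, ValueError):
        return None


class ConfigAccessPolicy:
    """Allowlist: only trusted hosts/networks may reach a CP's configuration port.

    is_permitted() is exactly the rule an upstream firewall should enforce
    (the IP-filtering workaround); the detector below reports where observed
    traffic violates it.
    """

    def __init__(self, cp_hosts: Iterable[str], trusted: Iterable[str], port: int = CONFIG_PORT):
        self.cp_hosts = {ipaddress.ip_address(h) for h in cp_hosts}
        self.trusted = [ipaddress.ip_network(n, strict=False) for n in trusted]
        self.port = port

    def is_config_access(self, c: Conn) -> bool:
        return c.proto == "tcp" and c.dst in self.cp_hosts and c.dport == self.port

    def is_permitted(self, c: Conn) -> bool:
        if not self.is_config_access(c):
            return True  # the policy governs configuration access only
        return any(c.src in net for net in self.trusted)


def find_untrusted_config_access(lines: Iterable[str], policy: ConfigAccessPolicy) -> list:
    """Return configuration-port connections whose source is outside the allowlist."""
    hits = []
    for line in lines:
        c = parse_line(line)
        if c is None or not policy.is_config_access(c):
            continue
        if not policy.is_permitted(c):
            hits.append(c)
    return hits


def summarize_by_source(hits: Iterable[Conn]) -> dict:
    """Per offending source: (number of attempts, number of distinct CPs contacted)."""
    attempts, targets = {}, {}
    for c in hits:
        key = str(c.src)
        attempts[key] = attempts.get(key, 0) + 1
        targets.setdefault(key, set()).add(c.dst)
    return {k: (attempts[k], len(targets[k])) for k in attempts}


# Constructed sample log: one trusted engineering host, one unknown host that
# touches the configuration port of both CPs, plus unrelated traffic.
SAMPLE_LOG = """\
2025-10-14T08:01:12Z proto=tcp src=10.10.20.5:51234 dst=10.10.30.11:102 action=allow
2025-10-14T08:01:40Z proto=tcp src=10.10.20.5:51240 dst=10.10.30.11:102 action=allow
kernel: link up on eth1
2025-10-14T08:03:07Z proto=tcp src=192.168.77.9:44010 dst=10.10.30.11:102 action=allow
2025-10-14T08:03:09Z proto=tcp src=192.168.77.9:44011 dst=10.10.30.12:102 action=allow
2025-10-14T08:04:00Z proto=tcp src=10.10.20.7:40001 dst=10.10.30.11:443 action=allow
2025-10-14T08:05:22Z proto=udp src=10.10.20.5:5000 dst=10.10.30.11:161 action=allow
"""

POLICY = ConfigAccessPolicy(
    cp_hosts=["10.10.30.11", "10.10.30.12"],          # constructed CP addresses
    trusted=["10.10.20.5", "10.10.20.128/25"],        # constructed engineering hosts
)

if __name__ == "__main__":
    hits = find_untrusted_config_access(SAMPLE_LOG.splitlines(), POLICY)
    for c in hits:
        print(f"{c.ts} untrusted config access {c.src} -> {c.dst}:{c.dport}")
    print(summarize_by_source(hits))
```

Only connections to the CPs on the configuration port are judged, so ordinary traffic to other services on the same devices does not generate noise; a source that reaches more than one CP's configuration port in a short window (the second number in the summary) is the pattern most worth paging on while the firmware update is still pending.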
## References
- **Vendor Advisory:** SSA-486936
- hxxps://cert-portal.siemens[.]com/productcert/html/ssa-486936.html
- hxxps://www.siemens[.]com/cert/operational-guidelines-industrial-security
- hxxps://www.siemens[.]com/industrialsecurity