CVE-2024-47100: Siemens SIMATIC S7-1200 CSRF Vulnerability

CVE-2024-47100 Overview

CVE-2024-47100 is a Cross-Site Request Forgery (CSRF) vulnerability [CWE-352] affecting the web interface of Siemens SIMATIC S7-1200 and SIPLUS S7-1200 CPU families. The flaw allows an unauthenticated attacker to change the CPU operating mode by tricking an authenticated user with sufficient privileges into clicking a malicious link. Because S7-1200 controllers operate in industrial environments, an unexpected mode change can interrupt processes managed by the PLC.

Critical Impact

A successful attack lets a remote, unauthenticated adversary alter the CPU mode of a SIMATIC S7-1200 controller, potentially halting industrial processes or disrupting automation logic.

Affected Products

• SIMATIC S7-1200 CPU family (1211C, 1212C, 1212FC, 1214C, 1214FC, 1215C, 1215FC, 1217C) — all article numbers 6ES721x-xxx40-0XB0
• SIPLUS S7-1200 CPU 1212, 1214, 1215 variants — article numbers 6AG121x-xxx40-xXB0 and 6AG221x-xxx40-1XB0
• All firmware versions of the listed CPUs prior to the Siemens-released fix referenced in advisory SSA-717113

Discovery Timeline

• 2025-01-14 - CVE-2024-47100 published to the National Vulnerability Database
• 2026-04-15 - Last updated in NVD database

Technical Details for CVE-2024-47100

Vulnerability Analysis

The S7-1200 and SIPLUS S7-1200 CPUs expose an integrated web server that provides diagnostic and operational endpoints, including the ability to change the CPU operating mode between RUN and STOP. State-changing requests to this web interface do not enforce anti-CSRF protections such as origin validation or unpredictable per-request tokens.

When a privileged user is authenticated to the web server, the browser automatically attaches session credentials to any request issued against the device. An attacker can host a crafted page that submits a forged state-changing request to the PLC. The PLC processes the request as if it originated from the legitimate user.

The vulnerability impacts the integrity and availability of the controlled process. Confidentiality is not affected, but mode transitions on a PLC managing physical equipment can stop production lines, halt safety routines, or trigger fail-safe behaviors.

Root Cause

The root cause is missing CSRF protection [CWE-352] on the web interface endpoints that perform privileged operations. The server relies on session-based authentication without verifying request intent through tokens, custom headers, or SameSite cookie attributes.

Attack Vector

Exploitation requires an authenticated administrator or operator to interact with attacker-controlled content while a session to the PLC web interface is active. The attacker delivers a phishing email, embedded iframe, or compromised internal page that issues a request to the PLC. The PLC accepts the action and changes operating state. No attacker credentials or direct network access to the PLC are required if the victim's browser can reach it.

The vulnerability is described in prose because no public proof-of-concept code has been published. Refer to the Siemens Security Advisory SSA-717113 for vendor technical details.

Detection Methods for CVE-2024-47100

Indicators of Compromise

• Unexpected CPU mode transitions (RUN to STOP or STOP to RUN) recorded in PLC diagnostic buffers without a corresponding operator action ticket.
• Web server access logs on the PLC showing state-changing requests originating from atypical Referer headers or external origins.
• Browser history on engineering workstations containing recent visits to unfamiliar external sites immediately before a PLC mode change.

Detection Strategies

• Correlate PLC diagnostic buffer entries with authentication events and source IP addresses from the integrated web server.
• Inspect HTTP traffic to the PLC on the operational technology network for requests carrying cross-origin Referer or Origin headers.
• Alert on CPU mode change commands occurring outside of approved maintenance windows.

Monitoring Recommendations

• Forward PLC diagnostic logs and network traffic captures to a centralized SIEM for retention and correlation.
• Monitor engineering workstations for browser activity that overlaps with active sessions to PLC web interfaces.
• Establish baselines for normal operator interaction with the S7-1200 web server and alert on deviations.

How to Mitigate CVE-2024-47100

Immediate Actions Required

• Apply the firmware update referenced in Siemens advisory SSA-717113 to all affected SIMATIC and SIPLUS S7-1200 CPU article numbers.
• Disable the integrated web server on PLCs that do not require it for operations.
• Restrict access to the PLC web interface to a dedicated engineering VLAN and block routing from corporate or internet-facing networks.

Patch Information

Siemens has published guidance and fixed firmware versions in Siemens Security Advisory SSA-717113. Apply the recommended firmware version for each affected article number and verify the update through the TIA Portal device diagnostics.

Workarounds

• Instruct privileged users to log out of the PLC web interface immediately after maintenance tasks and avoid browsing other sites during active sessions.
• Enforce network segmentation per Siemens operational guidelines so PLC web interfaces are reachable only from hardened engineering hosts.
• Use browser isolation or dedicated engineering workstations that cannot reach external websites while sessions to PLCs are open.
• Configure the PLC key-operated mode switch in the RUN position with the key removed where the deployment allows, preventing remote mode changes.