CVE-2011-20002 in SIMATIC S7-1200 CPU V1 family

Summary

by MITRE • 10/14/2025

A vulnerability has been identified in SIMATIC S7-1200 CPU V1 family (incl. SIPLUS variants) (All versions < V2.0.2) and SIMATIC S7-1200 CPU V2 family (incl. SIPLUS variants) (All versions < V2.0.2). Affected controllers are vulnerable to capture-replay in the communication with the engineering software. This could allow an on-path attacker between the engineering software and the controller to execute any previously recorded commands at a later time (e.g. set the controller to STOP), regardless of whether or not the controller had a password configured.

For the best quality of vulnerability data, you may want to visit VulDB.

Analysis

by VulDB Data Team • 10/14/2025

This vulnerability affects Siemens SIMATIC S7-1200 programmable logic controllers across multiple CPU families including SIPLUS variants, specifically versions prior to V2.0.2. The flaw resides in the communication protocol between engineering software and the controller, creating a critical security weakness that enables authenticated attackers to perform capture-replay attacks. The vulnerability operates at the network communication layer where session tokens or command sequences are not properly authenticated or time-bound, allowing malicious actors to intercept legitimate communication and replay captured commands at will. This represents a fundamental failure in the authentication and integrity mechanisms of the industrial control system protocol stack.

The technical implementation of this vulnerability stems from insufficient cryptographic protection of communication channels between engineering tools and PLC controllers. When engineers establish connections with S7-1200 controllers for programming, configuration, or monitoring, the communication lacks proper sequence validation and timestamping mechanisms. An on-path attacker positioned between the engineering software and the controller can capture network traffic containing legitimate commands such as STOP, START, or configuration modifications. These captured command sequences can then be replayed at a later time to execute unauthorized operations on the controller. The vulnerability is particularly concerning because it operates regardless of password protection status, meaning even controllers with authentication configured remain susceptible to this attack vector.

The operational impact of this vulnerability extends beyond simple unauthorized command execution to potentially compromise entire industrial control processes. Attackers could manipulate controller states to halt production lines, modify process parameters, or disable safety mechanisms without requiring elevated privileges or authentication credentials. The timing aspect of the replay attack allows for strategic execution of commands during critical operational phases, potentially causing significant financial losses, safety hazards, or production disruptions. This vulnerability directly impacts the availability and integrity aspects of the industrial control system security model, as it enables persistent unauthorized access to critical control functions. Organizations relying on these controllers for process automation face substantial risk of operational compromise, particularly in environments where physical security measures may be insufficient.

Mitigation strategies for this vulnerability require immediate firmware updates to versions V2.0.2 or later, which address the communication protocol flaws through enhanced cryptographic mechanisms and proper sequence validation. Network segmentation and access controls should be implemented to limit direct communication paths between engineering software and controllers, reducing the attack surface for on-path adversaries. Additional protective measures include implementing network monitoring to detect anomalous command sequences, establishing secure communication channels using encrypted protocols, and conducting regular security assessments of industrial control systems. Organizations should also consider implementing privileged access management systems and audit logging to track all controller interactions. This vulnerability aligns with CWE-319 (Cryptographic Issues) and represents a specific implementation weakness in industrial communication protocols that requires comprehensive security remediation across the operational technology infrastructure. The ATT&CK framework categorizes this under T1071.004 (Application Layer Protocol: SSH) and T1566 (Phishing) as it exploits communication channel weaknesses and can be leveraged for persistent unauthorized access to critical infrastructure.
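The analysis above attributes the weakness to command frames that carry no sequence validation or timestamp, so a frame captured once stays valid forever. The following added example (it is not Siemens code and does not model the real S7 protocol; the frame layout, field names, the `EngineeringStation`/`HardenedController` classes and the 30-second freshness window are all hypothetical) contrasts a password-only receiver with one that binds each frame to a session, a monotonic sequence number and a timestamp under an HMAC, and then replays a captured STOP frame against both.

```python
import hashlib
import hmac
import secrets

FRESHNESS_WINDOW_S = 30  # hypothetical: how far a frame's timestamp may drift from the receiver's clock


def encode(session, seq, ts, command):
    """Canonical byte string the MAC covers: session, sequence number, time and command."""
    return f"{session}|{seq}|{ts}|{command}".encode()


class NaiveController:
    """Baseline: a password check only. Nothing binds a frame to a session or a point in time,
    so a captured frame remains valid forever (the capture-replay weakness described above)."""

    def __init__(self, password):
        self.password = password
        self.state = "RUN"

    def handle(self, frame, now):
        if not hmac.compare_digest(frame["password"], self.password):
            return "REJECT: bad password"
        self.state = frame["command"]
        return f"ACCEPT: state={self.state}"


class HardenedController:
    """Each frame carries a per-session sequence number and a timestamp, both covered by an HMAC
    under a key shared with the engineering station. A frame is accepted only if the MAC verifies,
    the timestamp is fresh and the sequence number is higher than the last one accepted."""

    def __init__(self, key):
        self.key = key
        self.state = "RUN"
        self.sessions = {}  # session id -> highest sequence number accepted so far

    def open_session(self):
        sid = secrets.token_hex(8)  # unpredictable per-connection value
        self.sessions[sid] = 0
        return sid

    def handle(self, frame, now):
        sid = frame["session"]
        if sid not in self.sessions:
            return "REJECT: unknown session"
        expected = hmac.new(self.key, encode(sid, frame["seq"], frame["ts"], frame["command"]),
                            hashlib.sha256).digest()
        if not hmac.compare_digest(expected, frame["mac"]):
            return "REJECT: bad MAC"
        if abs(now - frame["ts"]) > FRESHNESS_WINDOW_S:
            return "REJECT: stale timestamp"
        if frame["seq"] <= self.sessions[sid]:
            return "REJECT: sequence number already used"
        self.sessions[sid] = frame["seq"]
        self.state = frame["command"]
        return f"ACCEPT: state={self.state}"


class EngineeringStation:
    """The legitimate sender; builds authenticated frames for the hardened controller."""

    def __init__(self, key, session):
        self.key, self.session, self.seq = key, session, 0

    def build(self, command, now):
        self.seq += 1
        mac = hmac.new(self.key, encode(self.session, self.seq, now, command), hashlib.sha256).digest()
        return {"session": self.session, "seq": self.seq, "ts": now, "command": command, "mac": mac}


def demo():
    """Replays a captured STOP frame against both controllers and returns each verdict."""
    t0 = 1_700_000_000  # constructed Unix time of the legitimate STOP
    results = {}

    naive = NaiveController(password="hunter2")  # constructed sample password
    captured_naive = {"password": "hunter2", "command": "STOP"}
    naive.handle(captured_naive, t0)
    naive.state = "RUN"  # operator restarts the plant
    results["naive_replay_hours_later"] = naive.handle(captured_naive, t0 + 3600)

    key = secrets.token_bytes(32)  # would be provisioned out of band in a real deployment
    hardened = HardenedController(key)
    station = EngineeringStation(key, hardened.open_session())
    captured = station.build("STOP", t0)
    results["hardened_first_use"] = hardened.handle(captured, t0)
    hardened.state = "RUN"
    results["hardened_replay_seconds_later"] = hardened.handle(captured, t0 + 5)
    results["hardened_replay_hours_later"] = hardened.handle(captured, t0 + 3600)
    tampered = dict(captured, ts=t0 + 3600)  # timestamp refreshed without knowing the key
    results["hardened_tampered_timestamp"] = hardened.handle(tampered, t0 + 3600)
    results["hardened_state"] = hardened.state
    return results


if __name__ == "__main__":
    for name, verdict in demo().items():
        print(f"{name:32} {verdict}")
```

The order of checks matters: the MAC is verified first so that the freshness and sequence decisions are made only on fields the sender actually authenticated; a replay inside the window is caught by the sequence counter, a replay outside it by the timestamp, and a frame whose timestamp was edited fails the MAC. The same three fields (session, sequence, timestamp) are also what a network monitor would log to flag the anomalous command sequences mentioned in the mitigation paragraph.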

Responsible

Siemens

Reservation

05/22/2025

Disclosure

10/14/2025

Moderation

accepted

CPE

ready

EPSS

0.00043

KEV

no

Activities

very low

Sources
