CVE-2016-9159 in SIMATIC S7-300 PN
Summary
by MITRE
A vulnerability has been identified in SIMATIC S7-300 CPU family (All versions), SIMATIC S7-300 CPU family (incl. related ET200 CPUs and SIPLUS variants) (All versions), SIMATIC S7-400 PN/DP V6 and below CPU family (incl. SIPLUS variants) (All versions), SIMATIC S7-400 PN/DP V7 CPU family (incl. SIPLUS variants) (All versions), SIMATIC S7-400 V6 and earlier CPU family (All versions), SIMATIC S7-400 V7 CPU family (All versions), SIMATIC S7-410 V8 CPU family (All versions), SIMATIC S7-410 V8 CPU family (incl. SIPLUS variants) (All versions). An attacker with network access to port 102/tcp (ISO-TSAP) or via Profibus could obtain credentials from the PLC if protection-level 2 is configured on the affected devices.
Analysis
by VulDB Data Team • 06/03/2026
CVE-2016-9159 is a critical security flaw in Siemens SIMATIC S7-300 PN and S7-400 PN programmable logic controllers, affecting all supported versions. It concerns the communication protocols and authentication mechanisms of these industrial controllers and therefore poses a significant risk to operational technology environments. The weakness lies in how the PLCs store and transmit credentials when protection level 2 is configured, and it can be exploited by a remote attacker without physical access to the device.
Technically, the vulnerability stems from insufficient cryptographic protection and weak credential handling in the SIMATIC PN CPUs. With protection level 2 enabled, the firmware does not adequately secure the authentication tokens and credentials it holds in memory, so an attacker who can reach the device over the network may be able to extract them. The flaw sits at the application layer of the control system stack, in the protocols used for remote access and configuration management. It is classified under CWE-310 (cryptographic issues and weak cryptography) and mapped to ATT&CK technique T1552, credential harvesting through exploitation of system vulnerabilities.
The operational impact of CVE-2016-9159 goes beyond credential theft, because the stolen credentials open a path to unauthorized access to the control system itself. With them, an attacker can modify the system, manipulate data, or disrupt the industrial process. This matters most in critical infrastructure sectors that rely on Siemens PLCs for process control, such as manufacturing, power generation, and water treatment. Since the attack is carried out remotely, a threat actor can exploit the weakness from outside the facility perimeter, and traditional network security measures alone are not sufficient protection.
Organizations running the affected SIMATIC S7-300 PN and S7-400 PN devices should apply mitigations promptly: install firmware updates from Siemens, segment the network so that industrial control systems are isolated, and enforce network access controls. Protection level settings deserve specific attention and should be reviewed as part of a proper security assessment of the industrial network. In line with industrial security best practices and NIST guidance for industrial control systems, this vulnerability shows why current firmware and a defense-in-depth strategy are essential. The exposure is greatest where industrial networks are not properly isolated from corporate networks, because the flaw could then enable lateral movement that compromises the entire operational technology infrastructure.
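As an added example (not part of the VulDB analysis or any Siemens tooling), the following script shows one way to turn the network access control advice into a check: it reviews flow records for ISO-TSAP (102/tcp) sessions to the PLC subnet and flags any source that is not an approved engineering workstation. The subnet, the engineering station address, the log line format and the sample flows are all constructed assumptions.

```python
"""Flag ISO-TSAP (102/tcp) sessions to S7 PLCs from hosts that are not
approved engineering workstations. All addresses and flow records below
are constructed for illustration."""
import ipaddress
import re
from dataclasses import dataclass
from typing import List, Optional

ISO_TSAP_PORT = 102  # S7 communication runs over ISO-TSAP on 102/tcp

# Assumed zoning: PLCs sit in this subnet; only listed hosts may talk to them
PLC_SUBNET = ipaddress.ip_network("10.10.20.0/24")
ENGINEERING_STATIONS = {ipaddress.ip_address("10.10.10.5")}

# Assumed flow-record layout: "<timestamp> <src>:<sport> -> <dst>:<dport> <proto>"
FLOW_RE = re.compile(
    r"^(?P<ts>\S+) (?P<src>[\d.]+):(?P<sport>\d+) -> (?P<dst>[\d.]+):(?P<dport>\d+) (?P<proto>\w+)$"
)

@dataclass
class Finding:
    ts: str
    src: str
    dst: str
    reason: str

def check_flow(line: str) -> Optional[Finding]:
    """Return a Finding for an unapproved 102/tcp session to a PLC, else None."""
    m = FLOW_RE.match(line.strip())
    if not m or m["proto"].lower() != "tcp" or int(m["dport"]) != ISO_TSAP_PORT:
        return None
    src, dst = ipaddress.ip_address(m["src"]), ipaddress.ip_address(m["dst"])
    if dst not in PLC_SUBNET or src in ENGINEERING_STATIONS:
        return None
    zone = "inside OT zone" if src in PLC_SUBNET else "outside OT zone"
    return Finding(m["ts"], str(src), str(dst), f"unapproved ISO-TSAP client {zone}")

def audit(lines: List[str]) -> List[Finding]:
    return [f for f in (check_flow(line) for line in lines) if f is not None]

# Constructed sample flows: one approved session, two that should be flagged,
# one non-ISO-TSAP session, and one reply flow whose destination is not a PLC
SAMPLE_FLOWS = [
    "2026-03-06T08:00:01Z 10.10.10.5:49152 -> 10.10.20.7:102 tcp",
    "2026-03-06T08:00:05Z 10.10.20.9:49200 -> 10.10.20.7:102 tcp",
    "2026-03-06T08:01:17Z 192.168.1.44:51000 -> 10.10.20.7:102 tcp",
    "2026-03-06T08:01:20Z 192.168.1.44:51001 -> 10.10.20.7:443 tcp",
    "2026-03-06T08:02:00Z 10.10.20.7:102 -> 10.10.10.5:49152 tcp",
]

if __name__ == "__main__":
    for finding in audit(SAMPLE_FLOWS):
        print(f"{finding.ts} {finding.src} -> {finding.dst}: {finding.reason}")
```

Feed it real flow or firewall export lines (after adapting `FLOW_RE`) to find hosts that can reach the vulnerable service and should be blocked at the zone boundary.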