Cyber Resilience

CVE-2021-37205

High

Published: 09 February 2022

Published
09 February 2022
Modified
21 November 2024
KEV Added
Patch
CVSS Score v3.1 7.5 CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
EPSS Score 0.0139 80.7th percentile
Risk Priority 16 60% EPSS · 20% KEV · 20% CVSS

Summary

CVE-2021-37205 is a high-severity Missing Release of Memory after Effective Lifetime (CWE-401) vulnerability in Siemens Simatic S7-Plcsim Advanced Firmware. Its CVSS base score is 7.5 (High).

Operationally, ranked in the top 19.3% of CVEs by exploit likelihood; it is not currently listed in the CISA KEV catalog.

EU & UK References

Vulnerability details

A vulnerability has been identified in SIMATIC Drive Controller family (All versions >= V2.9.2 < V2.9.4), SIMATIC ET 200SP Open Controller CPU 1515SP PC2 (incl. SIPLUS variants) (All versions >= V21.9 < V21.9.4), SIMATIC S7-1200 CPU family (incl. SIPLUS variants)…

more

(All versions >= V4.5.0 < V4.5.2), SIMATIC S7-1500 CPU family (incl. related ET200 CPUs and SIPLUS variants) (All versions >= V2.9.2 < V2.9.4), SIMATIC S7-1500 Software Controller (All versions >= V21.9 < V21.9.4), SIMATIC S7-PLCSIM Advanced (All versions >= V4.0 < V4.0 SP1), SIPLUS TIM 1531 IRC (All versions < V2.3.6), TIM 1531 IRC (All versions < V2.3.6). An unauthenticated attacker could cause a denial-of-service condition in a PLC when sending specially prepared packets over port 102/tcp. A restart of the affected device is needed to restore normal operations.

CWE(s)

Related Threats

No named actor attribution yet. ATT&CK technique mapping in progress for this CVE.

Affected Assets

siemens
simatic drive controller cpu 1504d tf firmware
≤ 2.9.4
siemens
simatic drive controller cpu 1507d tf firmware
≤ 2.9.4
siemens
simatic et 200sp open controller cpu 1515sp pc2 firmware
all versions
siemens
simatic s7-plcsim advanced firmware
4.0 · ≤ 4.0
siemens
tim 1531 irc firmware
≥ 2.2
siemens
simatic s7-1500 software controller
all versions
siemens
simatic s7-1200 cpu 1211c firmware
4.5.0 — 4.5.2
siemens
simatic s7-1200 cpu 1212c firmware
4.5.0 — 4.5.2
siemens
simatic s7-1200 cpu 1212fc firmware
4.5.0 — 4.5.2
siemens
simatic s7-1200 cpu 1214fc firmware
4.5.0 — 4.5.2
+38 more product configuration(s) — see NVD for full list

Mitigating Controls

No mitigating controls mapped yet. The per-CVE control annotator has not reached this CVE.

References