RCE in Siemens Simatic_s7_cpu_1200_firmware

CVE-2014-2909

CRLF injection vulnerability in the integrated web server on Siemens SIMATIC S7-1200 CPU devices 2.x and 3.x allows remote attackers to inject arbitrary HTTP headers via unspecified vectors.

Vulnerability class: RCE (Remote Code Execution)

EPSS: 0.008 (75.1th percentile) — read the EPSS interpretation.

Affected products

Siemens Simatic_s7_cpu_1200_firmware — versions 2.0, 3.0, 3.0.2
Siemens Simatic_s7_cpu-1211c
Siemens Simatic_s7_cpu_1212c
Siemens Simatic_s7_cpu_1214c
Siemens Simatic_s7_cpu_1215c
Siemens Simatic_s7_cpu_1217c
N/a — versions n/a

Weakness classification (CWE)

CWE-94 — Code Injection

References

cve@mitre.org (US Government Resource, x_refsource_MISC)
cve@mitre.org (x_refsource_CONFIRM, Vendor Advisory)
cve@mitre.org (x_refsource_CONFIRM)