Home / Threat Intelligence bulletins / Siemens discloses two critical security flaws

Target Industry

Indiscriminate, opportunistic targeting.


Two critical-level security vulnerabilities have been discovered in the latest batch of Siemens security patches. The flaws, tracked as SSA-831302 and SSA-794697, have both been designated a CVSSv3 score of 9.8 and pertain to the BIOS of the SIMATIC S7-1500 TM MFP and the Linux Kernel of the SIMATIC S7-1500 TM MFP, respectively.


Successful exploitation of the vulnerabilities outlined in the advisories mentioned above could lead to a total loss of confidentiality, availability, and integrity of data with regards to the affected product versions.

Vulnerability Detection

No security updates have been released for these vulnerabilities. However, mitigation strategies have been put forward.

Affected Products

  • SSA-831302: SIMATIC S7-1500 TM MFP – BIOS (all versions)
  • SSA-794697: SIMATIC S7-1500 TM MFP – Linux Kernel (all versions)

Containment, Mitigations & Remediations

No security updates have been released for either SSA-831302 or SSA-794697. However, Siemens strongly recommends that users of both only build and run applications from trusted sources to reduce the risk of exploitation.

Indicators of Compromise

No specific Indicators of Compromise (IoCs) are available currently.

Threat Landscape

Siemens occupies a significant portion of the build-automation market share. Given that threat actors generally utilise a combination of probability and asset value to determine which attack surfaces to focus on, Siemens products have become a prime target. Due to the fact that these products have become an integral aspect of business operations, threat actors will continue to exploit vulnerabilities contained within these systems in an attempt to extract the sensitive information contained therein.

Threat Group

No attribution to specific threat actors or groups has been identified at the time of writing.

Further Information

Siemens Security Advisory


An Intelligence Terminology Yardstick to showing the likelihood of events