Classified under CWE-522 (Insufficiently Protected Credentials), the weakness found in the Siemens SIMATIC S7-1200 and S7-1500 CPU families is the insufficient protection of a built-in global private key used inside these CPUs. This key is intended to encrypt communication and safeguard project configuration data, yet it can be extracted through offline analysis of a single device in the affected CPU family.
Because the key is shared across all devices within a CPU family, once an attacker obtains the private key from one CPU, they may be able to compromise any other device from the same family. A single extraction therefore weakens every system built on these CPUs. Attackers with access to the private key can obtain sensitive configuration data from engineering projects protected by that key. Moreover, they might use this flaw to launch sophisticated cyberattacks on Human Machine Interfaces (HMIs) and older engineering workstations (PG/PCs), compromising control system confidentiality and integrity.
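The blast radius described above comes from key scoping, not from any particular cipher. The following added example (not Siemens' scheme, and not code from the advisory) models a fleet of PLCs whose project configuration blobs are sealed with either one family-wide key or a per-device key, then counts how many blobs the key extracted from a single device can open. The toy encrypt-then-MAC construction, the device names and the configuration contents are all constructed for illustration.

```python
"""Toy model of key-scoping blast radius (constructed example; not the vendor's
actual scheme).  Each device stores a configuration blob sealed under either a
family-wide key or a per-device key.  Extracting the key from ONE device, how
many devices' configuration blobs can now be recovered?"""
import hashlib
import hmac
import os
from typing import Dict, Optional


def _keystream(key: bytes, nonce: bytes, length: int) -> bytes:
    # Counter-mode keystream derived with HMAC-SHA256 (illustrative construction).
    out = bytearray()
    counter = 0
    while len(out) < length:
        out += hmac.new(key, nonce + counter.to_bytes(4, "big"), hashlib.sha256).digest()
        counter += 1
    return bytes(out[:length])


def seal(key: bytes, plaintext: bytes) -> bytes:
    """Encrypt-then-MAC: returns nonce || ciphertext || tag."""
    nonce = os.urandom(16)
    ct = bytes(p ^ k for p, k in zip(plaintext, _keystream(key, nonce, len(plaintext))))
    tag = hmac.new(key, nonce + ct, hashlib.sha256).digest()
    return nonce + ct + tag


def unseal(key: bytes, blob: bytes) -> Optional[bytes]:
    """Returns the plaintext, or None when the key does not verify the tag."""
    nonce, ct, tag = blob[:16], blob[16:-32], blob[-32:]
    expected = hmac.new(key, nonce + ct, hashlib.sha256).digest()
    if not hmac.compare_digest(tag, expected):
        return None
    return bytes(c ^ k for c, k in zip(ct, _keystream(key, nonce, len(ct))))


def build_fleet(n: int, per_device_keys: bool) -> Dict[str, dict]:
    """Constructed fleet: n devices, each holding its key and its sealed config."""
    family_key = os.urandom(32)
    fleet = {}
    for i in range(n):
        key = os.urandom(32) if per_device_keys else family_key
        cfg = f"project-config-for-plc-{i:03d}".encode()  # constructed sample data
        fleet[f"plc-{i:03d}"] = {"key": key, "blob": seal(key, cfg)}
    return fleet


def blast_radius(fleet: Dict[str, dict], compromised: str) -> int:
    """Number of devices whose config opens with the key taken from one device."""
    leaked = fleet[compromised]["key"]
    return sum(1 for d in fleet.values() if unseal(leaked, d["blob"]) is not None)


if __name__ == "__main__":
    shared = build_fleet(10, per_device_keys=False)
    scoped = build_fleet(10, per_device_keys=True)
    print("family-wide key, one device compromised:", blast_radius(shared, "plc-000"))
    print("per-device keys, one device compromised:", blast_radius(scoped, "plc-000"))
```

With a family-wide key the count equals the fleet size; with per-device keys it is one. The same reasoning applies to any secret that is replicated across a product line: its compromise has to be assumed the moment one unit can be analysed offline.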
Officially recorded under the identifier CVE-2022-38465, the vulnerability has been given a CVSS v3 base score of 9.3, a critical risk level. The related CVSS vector is AV:L/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H: the attack requires local access, has low complexity, needs no privileges or user interaction, crosses a scope boundary (one device's key affects other devices), and has high impact on confidentiality, integrity, and availability.
Siemens has acknowledged the vulnerability and advises applying firmware updates and following security best practices to reduce the related risks. Especially in settings handling important control system data, it is also recommended to restrict physical and network access to these devices and to switch to secure communication protocols and methods.