CVE-2019-10929 [Medium] | Security Bypass in Simatic Et 200sp Open Con…

A vulnerability has been identified in SIMATIC CP 1626 (All versions), SIMATIC ET 200SP Open Controller CPU 1515SP PC (incl. SIPLUS variants) (All versions), SIMATIC ET 200SP Open Controller CPU 1515SP PC2 (incl. SIPLUS variants) (All versions < V20.8), SIMATIC HMI Panel (incl. SIPLUS variants) (All versions), SIMATIC NET PC Software V14 (All versions < V14 SP1 Update 14), SIMATIC NET PC Software V15 (All versions), SIMATIC S7-1200 CPU family (incl. SIPLUS variants) (All versions < V4.4.0), SIMATIC S7-1500 CPU family (incl. related ET200 CPUs and SIPLUS variants) (All versions < V2.8.1), SIMATIC S7-1500 Software Controller (All versions < V20.8), SIMATIC S7-PLCSIM Advanced (All versions < V3.0), SIMATIC STEP 7 (TIA Portal) (All versions < V16), SIMATIC WinCC (TIA Portal) (All versions < V16), SIMATIC WinCC OA (All versions < V3.16 P013), SIMATIC WinCC Runtime Advanced (All versions < V16), SIMATIC WinCC Runtime Professional (All versions < V16), TIM 1531 IRC (incl. SIPLUS NET variants) (All versions < V2.1). Affected devices contain a message protection bypass vulnerability due to certain properties in the calculation used for integrity protection. This could allow an attacker in a Man-in-the-Middle position to modify network traffic sent on port 102/tcp to the affected devices.

#	Date	Old EPSS score	New EPSS score	Delta (New - Old)
1	2026-06-15	0.14%	0.98%	+0.84%
2	2025-11-21	0.19%	0.14%	-0.05%
3	2025-11-18	—	0.19%	—

Date

Old EPSS score

New EPSS score

Delta (New - Old)

2026-06-15

0.14%

0.98%

+0.84%

2025-11-21

0.19%

0.14%

-0.05%

2025-11-18

—

0.19%

—

Base score	Version	Severity	Vector	Exploitability	Impact	Score source
5.9	3.1	MEDIUM	`CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:H/A:N` Click to expand Attack vector (AV:N) Could be attacked over the internet or any normal routed network—not just someone sitting at the machine. Attack complexity (AC:H) Even with access, the exploit needs extra luck, timing, or a fussy environment to actually work. Privileges required (PR:N) No account or special rights needed—anonymous or random user is enough. User interaction (UI:N) Nobody has to click “OK” or open a trap file; it can work without a victim helping. Scope (S:U) Damage stays in the same “trust bubble” as the broken component—no big spill into unrelated systems. Confidentiality (C:N) Doesn’t really leak secrets in a meaningful way. Integrity (I:H) They could widely tamper with or forge data—trust in the data is badly hurt. Availability (A:N) Service keeps running; no real outage angle.	2.2	3.6	[email protected]
4.3	2.0	MEDIUM	`AV:N/AC:M/Au:N/C:N/I:P/A:N` Click to expand Access vector (AV:N) Can be exploited remotely over network reachability. Access complexity (AC:M) Exploitation needs some favorable conditions, but not exceptional ones. Authentication (AU:N) No authentication is required. Confidentiality impact (C:N) No confidentiality impact. Integrity impact (I:P) Partial integrity impact. Availability impact (A:N) No availability impact.	8.6	2.9	[email protected]

Base score

Version

Severity

Vector

Exploitability

Impact

Score source

5.9

3.1

MEDIUM

CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:H/A:N Click to expand

Attack vector (AV:N): Could be attacked over the internet or any normal routed network—not just someone sitting at the machine.
Attack complexity (AC:H): Even with access, the exploit needs extra luck, timing, or a fussy environment to actually work.
Privileges required (PR:N): No account or special rights needed—anonymous or random user is enough.
User interaction (UI:N): Nobody has to click “OK” or open a trap file; it can work without a victim helping.
Scope (S:U): Damage stays in the same “trust bubble” as the broken component—no big spill into unrelated systems.
Confidentiality (C:N): Doesn’t really leak secrets in a meaningful way.
Integrity (I:H): They could widely tamper with or forge data—trust in the data is badly hurt.
Availability (A:N): Service keeps running; no real outage angle.

2.2

3.6

[email protected]

4.3

2.0

MEDIUM

AV:N/AC:M/Au:N/C:N/I:P/A:N Click to expand

Access vector (AV:N): Can be exploited remotely over network reachability.
Access complexity (AC:M): Exploitation needs some favorable conditions, but not exceptional ones.
Authentication (AU:N): No authentication is required.
Confidentiality impact (C:N): No confidentiality impact.
Integrity impact (I:P): Partial integrity impact.
Availability impact (A:N): No availability impact.

8.6

2.9

[email protected]

Affected software / configurations for CVE-2019-10929

Vendor	Product	Version	Raw CPE
siemens	simatic_et_200sp_open_controller_cpu_1515sp_pc_firmware	—	cpe:2.3:o:siemens:simatic_et_200sp_open_controller_cpu_1515sp_pc_firmware::::::::
siemens	simatic_et_200sp_open_controller_cpu_1515sp_pc2_firmware	—	cpe:2.3:o:siemens:simatic_et_200sp_open_controller_cpu_1515sp_pc2_firmware::::::::
siemens	simatic_s7-1200_cpu_1211c_firmware	<= 4.0	cpe:2.3:o:siemens:simatic_s7-1200_cpu_1211c_firmware::::::::
siemens	simatic_s7-1200_cpu_1212c_firmware	<= 4.0	cpe:2.3:o:siemens:simatic_s7-1200_cpu_1212c_firmware::::::::
siemens	simatic_s7-1200_cpu_1214c_firmware	<= 4.0	cpe:2.3:o:siemens:simatic_s7-1200_cpu_1214c_firmware::::::::
siemens	simatic_s7-1200_cpu_1215c_firmware	<= 4.0	cpe:2.3:o:siemens:simatic_s7-1200_cpu_1215c_firmware::::::::
siemens	simatic_s7-1200_cpu_1217c_firmware	<= 4.0	cpe:2.3:o:siemens:simatic_s7-1200_cpu_1217c_firmware::::::::
siemens	simatic_s7-1500_cpu_1518_firmware	—	cpe:2.3:o:siemens:simatic_s7-1500_cpu_1518_firmware::::::::
siemens	simatic_s7-1500_cpu_1511c_firmware	—	cpe:2.3:o:siemens:simatic_s7-1500_cpu_1511c_firmware::::::::
siemens	simatic_s7-1500_cpu_1512c_firmware	—	cpe:2.3:o:siemens:simatic_s7-1500_cpu_1512c_firmware::::::::
siemens	simatic_net_pc	< 16	cpe:2.3:a:siemens:simatic_net_pc::::::::
siemens	simatic_s7-1500	—	cpe:2.3:a:siemens:simatic_s7-1500::::::::
siemens	simatic_s7-plcsim_advanced	—	cpe:2.3:a:siemens:simatic_s7-plcsim_advanced::::::::
siemens	simatic_step_7	< 16	cpe:2.3:a:siemens:simatic_step_7::::::::
siemens	simatic_wincc	< 16	cpe:2.3:a:siemens:simatic_wincc::::::::
siemens	simatic_wincc_open_architecture	<= 3.15	cpe:2.3:a:siemens:simatic_wincc_open_architecture::::::::
siemens	simatic_wincc_open_architecture	3.16	cpe:2.3:a:siemens:simatic_wincc_open_architecture:3.16:-::::::
siemens	simatic_wincc_open_architecture	3.16	cpe:2.3:a:siemens:simatic_wincc_open_architecture:3.16:patch_12::::::
siemens	simatic_wincc_runtime	—	cpe:2.3:a:siemens:simatic_wincc_runtime:::::advanced:::*
siemens	simatic_wincc_runtime	—	cpe:2.3:a:siemens:simatic_wincc_runtime:::::professional:::*
siemens	simatic_cp_1626_firmware	—	cpe:2.3:o:siemens:simatic_cp_1626_firmware::::::::
siemens	simatic_tim_1531_irc_firmware	< 2.1	cpe:2.3:o:siemens:simatic_tim_1531_irc_firmware::::::::
siemens	simatic_hmi_panel_firmware	—	cpe:2.3:o:siemens:simatic_hmi_panel_firmware::::::::

References for CVE-2019-10929

URL	Tags
https://cert-portal.siemens.com/productcert/pdf/ssa-232418.pdf	Vendor Advisory
https://cert-portal.siemens.com/productcert/pdf/ssa-273799.pdf	Vendor Advisory
https://www.us-cert.gov/ics/advisories/icsa-19-344-04	Third Party Advisory US Government Resource

URL

CVE-2019-10929

Exploit prediction scoring system (EPSS) score for CVE-2019-10929

Common vulnerability scoring system (CVSS) metrics for CVE-2019-10929

Weakness enumeration for CVE-2019-10929

Affected software / configurations for CVE-2019-10929

References for CVE-2019-10929