CVE-2020-28397 [Medium] | Security Vulnerability in Cpu 1504d Tf Firmware

A vulnerability has been identified in SIMATIC Drive Controller family (All versions < V2.9.2), SIMATIC ET 200SP Open Controller CPU 1515SP PC2 (incl. SIPLUS variants) (All versions < V21.9), SIMATIC S7 PLCSIM Advanced (All versions > V2 < V4), SIMATIC S7-1200 CPU family (incl. SIPLUS variants) (Version V4.4), SIMATIC S7-1500 CPU family (incl. related ET200 CPUs and SIPLUS variants) (All versions > V2.5 < V2.9.2), SIMATIC S7-1500 Software Controller (All versions > V2.5 < V21.9), TIM 1531 IRC (incl. SIPLUS NET variants) (Version V2.1). Due to an incorrect authorization check in the affected component, an attacker could extract information about access protected PLC program variables over port 102/tcp from an affected device when reading multiple attributes at once.

#	Date	Old EPSS score	New EPSS score	Delta (New - Old)
1	2026-06-15	0.18%	0.75%	+0.57%
2	2025-03-30	0.29%	0.18%	-0.10%
3	2025-03-29	—	0.29%	—

Date

Old EPSS score

New EPSS score

Delta (New - Old)

2026-06-15

0.18%

0.75%

+0.57%

2025-03-30

0.29%

0.18%

-0.10%

2025-03-29

—

0.29%

—

Base score	Version	Severity	Vector	Exploitability	Impact	Score source
5.3	3.1	MEDIUM	`CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N` Click to expand Attack vector (AV:N) Could be attacked over the internet or any normal routed network—not just someone sitting at the machine. Attack complexity (AC:L) Once they can reach the bug, pulling it off is straightforward—no weird race conditions or rare setup. Privileges required (PR:N) No account or special rights needed—anonymous or random user is enough. User interaction (UI:N) Nobody has to click “OK” or open a trap file; it can work without a victim helping. Scope (S:U) Damage stays in the same “trust bubble” as the broken component—no big spill into unrelated systems. Confidentiality (C:L) Some sensitive info could get out, but not a total data dump. Integrity (I:N) Data isn’t meaningfully altered or forged. Availability (A:N) Service keeps running; no real outage angle.	3.9	1.4	[email protected]
5.0	2.0	MEDIUM	`AV:N/AC:L/Au:N/C:P/I:N/A:N` Click to expand Access vector (AV:N) Can be exploited remotely over network reachability. Access complexity (AC:L) Exploitation conditions are straightforward and predictable. Authentication (AU:N) No authentication is required. Confidentiality impact (C:P) Partial confidentiality impact. Integrity impact (I:N) No integrity impact. Availability impact (A:N) No availability impact.	10.0	2.9	[email protected]

Base score

Version

Severity

Vector

Exploitability

Impact

Score source

5.3

3.1

MEDIUM

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N Click to expand

Attack vector (AV:N): Could be attacked over the internet or any normal routed network—not just someone sitting at the machine.
Attack complexity (AC:L): Once they can reach the bug, pulling it off is straightforward—no weird race conditions or rare setup.
Privileges required (PR:N): No account or special rights needed—anonymous or random user is enough.
User interaction (UI:N): Nobody has to click “OK” or open a trap file; it can work without a victim helping.
Scope (S:U): Damage stays in the same “trust bubble” as the broken component—no big spill into unrelated systems.
Confidentiality (C:L): Some sensitive info could get out, but not a total data dump.
Integrity (I:N): Data isn’t meaningfully altered or forged.
Availability (A:N): Service keeps running; no real outage angle.

3.9

1.4

[email protected]

5.0

2.0

MEDIUM

AV:N/AC:L/Au:N/C:P/I:N/A:N Click to expand

Access vector (AV:N): Can be exploited remotely over network reachability.
Access complexity (AC:L): Exploitation conditions are straightforward and predictable.
Authentication (AU:N): No authentication is required.
Confidentiality impact (C:P): Partial confidentiality impact.
Integrity impact (I:N): No integrity impact.
Availability impact (A:N): No availability impact.

10.0

2.9

[email protected]

Affected software / configurations for CVE-2020-28397

Vendor	Product	Version	Raw CPE
siemens	cpu_1504d_tf_firmware	< 2.9.2	cpe:2.3:o:siemens:cpu_1504d_tf_firmware::::::::
siemens	cpu_1507d_tf_firmware	< 2.9.2	cpe:2.3:o:siemens:cpu_1507d_tf_firmware::::::::
siemens	cpu_1515sp_pc2_tf_firmware	< 21.9	cpe:2.3:o:siemens:cpu_1515sp_pc2_tf_firmware::::::::
siemens	simatic_s7_plcsim_advanced_firmware	>= 2.0, < 4.0	cpe:2.3:o:siemens:simatic_s7_plcsim_advanced_firmware::::::::
siemens	simatic_s7-1500_software_controller	>= 2.5, < 21.9	cpe:2.3:a:siemens:simatic_s7-1500_software_controller::::::::
siemens	tim_1531_irc_firmware	2.1	cpe:2.3:o:siemens:tim_1531_irc_firmware:2.1:::::::*
siemens	cpu_1211c_firmware	4.4	cpe:2.3:o:siemens:cpu_1211c_firmware:4.4:::::::*
siemens	cpu_1212c_firmware	4.4	cpe:2.3:o:siemens:cpu_1212c_firmware:4.4:::::::*
siemens	cpu_1212fc_firmware	4.4	cpe:2.3:o:siemens:cpu_1212fc_firmware:4.4:::::::*
siemens	cpu_1214fc_firmware	4.4	cpe:2.3:o:siemens:cpu_1214fc_firmware:4.4:::::::*
siemens	cpu_1214c_firmware	4.4	cpe:2.3:o:siemens:cpu_1214c_firmware:4.4:::::::*
siemens	cpu_1215fc_firmware	4.4	cpe:2.3:o:siemens:cpu_1215fc_firmware:4.4:::::::*
siemens	cpu_1215c_firmware	4.4	cpe:2.3:o:siemens:cpu_1215c_firmware:4.4:::::::*
siemens	cpu_1217c_firmware	4.4	cpe:2.3:o:siemens:cpu_1217c_firmware:4.4:::::::*
siemens	siplus_cpu_1510sp_f-1pn_firmware	>= 2.5, < 2.9.2	cpe:2.3:o:siemens:siplus_cpu_1510sp_f-1pn_firmware::::::::
siemens	siplus_cpu_1511-1_pn_firmware	>= 2.5, < 2.9.2	cpe:2.3:o:siemens:siplus_cpu_1511-1_pn_firmware::::::::
siemens	siplus_cpu_1511f-1_pn_firmware	>= 2.5, < 2.9.2	cpe:2.3:o:siemens:siplus_cpu_1511f-1_pn_firmware::::::::
siemens	siplus_cpu_1512sp-1_pn_firmware	>= 2.5, < 2.9.2	cpe:2.3:o:siemens:siplus_cpu_1512sp-1_pn_firmware::::::::
siemens	siplus_cpu_1512sp_f-1pn_firmware	>= 2.5, < 2.9.2	cpe:2.3:o:siemens:siplus_cpu_1512sp_f-1pn_firmware::::::::
siemens	siplus_cpu_1513-1_pn_firmware	>= 2.5, < 2.9.2	cpe:2.3:o:siemens:siplus_cpu_1513-1_pn_firmware::::::::
siemens	siplus_cpu_1513f-1_pn_firmware	>= 2.5, < 2.9.2	cpe:2.3:o:siemens:siplus_cpu_1513f-1_pn_firmware::::::::
siemens	siplus_cpu_1516-3_pn\/dp_firmware	>= 2.5, < 2.9.2	cpe:2.3:o:siemens:siplus_cpu_1516-3_pn\/dp_firmware::::::::
siemens	siplus_cpu-1516f-3_pn\/dp_firmware	>= 2.5, < 2.9.2	cpe:2.3:o:siemens:siplus_cpu-1516f-3_pn\/dp_firmware::::::::
siemens	siplus_cpu_1518-4_pn\/dp_firmware	>= 2.5, < 2.9.2	cpe:2.3:o:siemens:siplus_cpu_1518-4_pn\/dp_firmware::::::::
siemens	siplus_cpu_1518f-4_pn\/dp_firmware	>= 2.5, < 2.9.2	cpe:2.3:o:siemens:siplus_cpu_1518f-4_pn\/dp_firmware::::::::
siemens	cpu_1510sp-1pn_firmware	>= 2.5, < 2.9.2	cpe:2.3:o:siemens:cpu_1510sp-1pn_firmware::::::::
siemens	cpu1510sp_f-1_firmware	>= 2.5, < 2.9.2	cpe:2.3:o:siemens:cpu1510sp_f-1_firmware::::::::
siemens	cpu_1511-1pn_firmware	>= 2.5, < 2.9.2	cpe:2.3:o:siemens:cpu_1511-1pn_firmware::::::::
siemens	cpu_1511c-1_pn_firmware	>= 2.5, < 2.9.2	cpe:2.3:o:siemens:cpu_1511c-1_pn_firmware::::::::
siemens	cpu_1511f-1pn_firmware	>= 2.5, < 2.9.2	cpe:2.3:o:siemens:cpu_1511f-1pn_firmware::::::::
siemens	cpu_1511t-1pn_firmware	>= 2.5, < 2.9.2	cpe:2.3:o:siemens:cpu_1511t-1pn_firmware::::::::
siemens	cpu_1511tf-1pn_firmware	>= 2.5, < 2.9.2	cpe:2.3:o:siemens:cpu_1511tf-1pn_firmware::::::::
siemens	cpu_1512c-1_pn_firmware	>= 2.5, < 2.9.2	cpe:2.3:o:siemens:cpu_1512c-1_pn_firmware::::::::
siemens	cpu_1512sp-1_pn_firmware	>= 2.5, < 2.9.2	cpe:2.3:o:siemens:cpu_1512sp-1_pn_firmware::::::::
siemens	cpu_1512sp_f-1_pn_firmware	>= 2.5, < 2.9.2	cpe:2.3:o:siemens:cpu_1512sp_f-1_pn_firmware::::::::
siemens	cpu_1513-1_pn_firmware	>= 2.5, < 2.9.2	cpe:2.3:o:siemens:cpu_1513-1_pn_firmware::::::::
siemens	cpu_1513f-1_pn_firmware	>= 2.5, < 2.9.2	cpe:2.3:o:siemens:cpu_1513f-1_pn_firmware::::::::
siemens	cpu_1513r-1_pn_firmware	>= 2.5, < 2.9.2	cpe:2.3:o:siemens:cpu_1513r-1_pn_firmware::::::::
siemens	cpu_1513pro_f-2_pn_firmware	>= 2.5, < 2.9.2	cpe:2.3:o:siemens:cpu_1513pro_f-2_pn_firmware::::::::
siemens	cpu_1515-2_firmware	>= 2.5, < 2.9.2	cpe:2.3:o:siemens:cpu_1515-2_firmware::::::::
siemens	cpu_1515f-2_firmware	>= 2.5, < 2.9.2	cpe:2.3:o:siemens:cpu_1515f-2_firmware::::::::
siemens	cpu_1515r-2_pn_firmware	>= 2.5, < 2.9.2	cpe:2.3:o:siemens:cpu_1515r-2_pn_firmware::::::::
siemens	cpu_1515t-2_pn_firmware	>= 2.5, < 2.9.2	cpe:2.3:o:siemens:cpu_1515t-2_pn_firmware::::::::
siemens	cpu_1515tf-2_pn_firmware	>= 2.5, < 2.9.2	cpe:2.3:o:siemens:cpu_1515tf-2_pn_firmware::::::::
siemens	cpu_1516pro_f-2_pn_firmware	>= 2.5, < 2.9.2	cpe:2.3:o:siemens:cpu_1516pro_f-2_pn_firmware::::::::
siemens	cpu_1516pro-2_pn_firmware	>= 2.5, < 2.9.2	cpe:2.3:o:siemens:cpu_1516pro-2_pn_firmware::::::::
siemens	cpu_1516-3_firmware	>= 2.5, < 2.9.2	cpe:2.3:o:siemens:cpu_1516-3_firmware::::::::
siemens	cpu_1516f-3_firmware	>= 2.5, < 2.9.2.	cpe:2.3:o:siemens:cpu_1516f-3_firmware::::::::
siemens	cpu_1516t-3_pn\/dp_firmware	>= 2.5, < 2.9.2	cpe:2.3:o:siemens:cpu_1516t-3_pn\/dp_firmware::::::::
siemens	cpu_1516tf-3_pn\/dp_firmware	>= 2.5, < 2.9.2	cpe:2.3:o:siemens:cpu_1516tf-3_pn\/dp_firmware::::::::
siemens	cpu_1517-3_pn\/dp_firmware	>= 2.5, < 2.9.2	cpe:2.3:o:siemens:cpu_1517-3_pn\/dp_firmware::::::::
siemens	cpu_1517f-3_pn\/dp_firmware	>= 2.5, < 2.9.2	cpe:2.3:o:siemens:cpu_1517f-3_pn\/dp_firmware::::::::
siemens	cpu_1517t-3_pn\/dp_firmware	>= 2.5, < 2.9.2	cpe:2.3:o:siemens:cpu_1517t-3_pn\/dp_firmware::::::::
siemens	cpu_1517tf-3_pn\/dp_firmware	>= 2.5, < 2.9.2	cpe:2.3:o:siemens:cpu_1517tf-3_pn\/dp_firmware::::::::
siemens	cpu_1518-4_pn\/dp_firmware	>= 2.5, < 2.9.2	cpe:2.3:o:siemens:cpu_1518-4_pn\/dp_firmware::::::::
siemens	cpu_1518f-4_pn\/dp_firmware	>= 2.5, < 2.9.2	cpe:2.3:o:siemens:cpu_1518f-4_pn\/dp_firmware::::::::

References for CVE-2020-28397

URL	Tags
https://cert-portal.siemens.com/productcert/pdf/ssa-865327.pdf	Patch Vendor Advisory

URL

CVE-2020-28397

Exploit prediction scoring system (EPSS) score for CVE-2020-28397

Common vulnerability scoring system (CVSS) metrics for CVE-2020-28397

Weakness enumeration for CVE-2020-28397

Affected software / configurations for CVE-2020-28397

References for CVE-2020-28397