Siemens has released a sweeping security advisory covering an OpenSSL vulnerability that crept into more than a hundred industrial networking, automation, and communications products. The flaw, tracked as CVE-2021-3712, can be triggered remotely and could allow attackers to crash devices or read sensitive data from memory. For a handful of affected products, Siemens says no patch is planned.
Why This Bug Matters for Industrial Networks
The vulnerability lies in OpenSSL’s handling of ASN.1 strings, a common data format used in certificates and cryptographic protocols. When a device processes a specially crafted ASN.1 structure without a trailing NUL byte, an out-of-bounds read can occur. That means an attacker could either crash the service (denial of service) or peek at adjacent memory contents—potentially exposing private keys, session secrets, or other sensitive data.
On a factory floor, a crash could halt production. In a power grid or water treatment plant, a memory disclosure might arm an attacker for deeper compromise. The CVSS v3.1 score of 7.4 puts this in the “high” severity bucket, and while no public exploits were reported at the time of the advisory, the attack complexity is only “high” — not out of reach for a determined adversary.
The Products at Risk
The advisory, Siemens ProductCERT SSA-244969, lists affected devices across six product families: SCALANCE X switches, RUGGEDCOM ROX routers, SIMATIC CP communication processors, SINEMA management servers, Industrial Edge apps, and many more. A full inventory is available on Siemens’ advisory page, but the key groups are:
- SCALANCE X switches and routers: Dozens of models in the X200, X300, XR300, and M800 series need firmware updates to versions like V4.1.4, V5.2.6, V5.5.2, or V7.1.
- RUGGEDCOM ROX and MX devices: Affected RX1400, RX1500, RX1510, RX1524, RX1536, RX5000, and MX5000 models must move to V2.15.0 or later.
- SIMATIC CP modules: CP 1242-7 V2, CP 1243-1, CP 1243-7 LTE, CP 1243-8 IRC, CP 1542SP-1, CP 1543-1, CP 1543SP-1, and CP 1545-1 all have fixed firmware versions (e.g., V3.3.46, V2.2.28, V3.0.22, V1.1).
- Industrial Edge apps: The PROFINET IO Connector is patchable (update to V1.1.1 via the Edge Management System). However, the Machine Insight App is listed with “no fix planned.”
- Other software: SINEC NMS, SINEMA Remote Connect Server, SIMATIC Process Historian OPC UA Server, TIA Administrator, and several SCALANCE W wireless access points also require updates. For older W-series models like the W721, W722, W734, and W748, no fix is planned.
In total, Siemens confirmed that fixes are available for most of the product lines, but the dead ends—especially the Machine Insight App and a raft of legacy Wi-Fi gear—mean some operators must rely solely on compensating controls.
The Upstream Fix and the Long Tail
OpenSSL fixed this bug in August 2021 with releases 1.1.1l and 1.0.2za. The fact that Siemens is only now, in early 2025, issuing a consolidated advisory for dozens of embedded products underscores the painful reality of industrial patching: firmware integration, testing, and certification take months or years. Meanwhile, the CISA advisory (ICSA-25-259-05) notes that after January 2023, CISA stopped updating Siemens advisories beyond the initial publication. Operators must now monitor Siemens’ own ProductCERT page for the latest information, including any late-breaking patches or revisions.
What This Means for You
If you manage an OT network, the first step is to breathe—do not rush a plant-wide update without testing. But start your inventory immediately. The advisory provides exact SKU numbers and fixed firmware baselines, so you can cross‑reference what’s in your racks with what needs to change. Prioritize devices that are internet-facing or process external certificates (like VPN gateways, remote access servers, or OPC UA endpoints). Even if a device isn’t directly reachable from the internet, an attacker who has already gained a foothold in your IT network could exploit this bug to pivot.
For home users and small offices, the risk is minimal: you’re unlikely to run a SIMATIC controller or a RUGGEDCOM router at home. But if you use Siemens networking gear for any reason, check the advisory list.
For Windows IT teams supporting OT, this is a reminder that your engineering workstations are a critical attack surface. Ensure that any Windows machine used to upload firmware or manage devices is fully patched, runs with least privilege, and is isolated from the general office network. An attacker who compromises an engineering PC could feed malicious certificates to supposedly protected industrial devices.
How We Got Here
The bug dates back to a fundamental assumption in OpenSSL’s code: many internal functions assume that ASN1_STRING byte arrays are always NUL-terminated, like a standard C string. But the library’s own ASN1_STRING_set0() function can create non-NUL-terminated strings, and directly setting the structure’s data and length fields has the same effect. When such strings are fed to certificate parsing, name constraint checking, or logging routines, a buffer over-read occurs. Upstream fixes were available within days, but Siemens’ distributed product ecosystem required a long coordination tail. The advisory itself, SSA-244969, likely went through multiple revisions as vendors validated fixes for each firmware variant.
What to Do Now
CISA and Siemens both urge a layered defense. Here’s a practical plan:
- Inventory everything: Scan your network for Siemens SKUs. Use management consoles (Siemens’ Edge Management System, SINEC, or device-specific tools) to pull firmware versions.
- Identify urgent targets: Devices that accept TLS connections, process OCSP requests, or import user-supplied certificates are the most exposed. Also flag any device with no planned fix (the Machine Insight App, older SCALANCE W).
- Test patches in a lab: Firmware updates can break interoperability—especially for PROFINET, OPC UA, or custom automation protocols. Validate a representative set of devices before broad rollout.
- Deploy updates: Push fixes through change-controlled maintenance windows, starting with the highest-priority gear.
- Isolate unfixable devices: For the Machine Insight App and legacy Wi-Fi equipment, segment them into dedicated VLANs with strict ACLs. If possible, decommission them. “No fix planned” is a statement that the component should be removed, not ignored.
- Harden engineering stations: Apply security baselines, disable direct internet access, and use jump hosts for remote maintenance.
- Monitor aggressively: Raise logging verbosity for TLS and certificate events. Watch for unusual crashes, certificate parsing errors, or repeated OCSP failures. Set up SIEM alerts for these patterns.
The Patch Table: Key Fixed Firmware Versions
| Product Line | Example Models | Fixed Version |
|---|---|---|
| SCALANCE X (IRM, IRT, PRO, FE) | X200-4P IRT, X204IRT, X202-2IRT, XF201-3P IRT | V5.5.2 |
| SCALANCE X (standard managed) | X204-2, X206-1, X208, X216, X224, XF204, XF208 | V5.2.6 |
| SCALANCE X (high-end modular) | X302-7 EEC, X308-2, X320-1 FE, XR324-12M, XR324-4M EEC | V4.1.4 |
| SCALANCE M & S security appliances | M804PB, M812-1, M826-2, M874-3, M876-4, S615 | V7.1 |
| SCALANCE SC industrial firewalls | SC622-2C, SC636-2C, SC646-2C | V2.3 |
| SCALANCE W wireless access points (newer) | WAM766-1, WUM766-1, W1748-1, W1788-2 | V1.2 (WAM/WUM), V3.0.0 (17xx/18xx) |
| RUGGEDCOM ROX / MX | RX1400, RX1500, RX1510, RX1524, RX1536, RX5000, MX5000 | V2.15.0 |
| RUGGEDCOM RM1224 cellular | RM1224 EU/NAM | V7.1 |
| SIMATIC CP 124x, 154x | CP 1242-7 V2, CP 1243-1, CP 1243-7 LTE, CP 1542SP-1, CP 1543-1, CP 1545-1 | V3.3.46, V2.2.28, V3.0.22, V1.1 |
| SIMATIC S7-1200 CPUs | S7-1200 family (incl. SIPLUS) | V4.5.2 |
| SINEC NMS, SINEMA RC Server | — | V1.0.3, V3.1 |
| SIMATIC Process Historian OPC UA | — | V2020 SP1 |
| Industrial Edge – PROFINET IO Connector | — | V1.1.1 |
| TIA Administrator | — | V1.0 SP7 |
Note: This table is illustrative. Always verify the exact SKU against Siemens’ SSA-244969.
Outlook
The industrial security landscape rarely moves quickly, but Siemens’ advisory has injected urgency into what was, until now, a largely dormant CVE. Operators who still run unpatched devices should treat this as a priority item for their next maintenance window. The more troubling signal is the handful of “no fix planned” entries. Vendors sometimes sunset older hardware, but leaving a known memory-disclosure bug in a currently marketed application like Industrial Edge Machine Insight App will force customers to choose between accepting risk, isolating the software, or switching to an alternative—possibly from a competitor.
CISA’s recommendation to adopt defense-in-depth—segment networks, lock down remote access, and harden management systems—remains the best fallback. But ultimately, the only true fix is a vendor patch. Siemens has delivered that for most products; for the rest, it’s time to plan a retirement party.