Talos Vulnerability Report


Siemens LOGO! TDE service "DELETEPROG" Denial of Service Vulnerability

June 9, 2020
CVE Number



An exploitable denial of service vulnerability exists in the TDE service functionality of Siemens LOGO! 1.82.02, 12/24RCE Version 0BA and 230RCE Version 0BA. A specially crafted network request can erase information, resulting in a denial of service. An attacker can send an unauthenticated packet to trigger this vulnerability.

Tested Versions

Siemens LOGO! 1.82.02
Siemens LOGO! 12/24RCE Version 0BA
Siemens LOGO! 230RCE Version 0BA

Product URLs


CVSSv3 Score

9.3 - CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:C/C:N/I:L/A:H


CWE-306 - Missing Authentication for Critical Function


Siemens LOGO! is an intelligent logic module (PLC) meant for automation projects in industrial control systems, office/commercial and home settings. It is deployed worldwide and can be controlled remotely.

The LOGO System program can be completely erased through the TDE service port 135/TCP using the “DELETEPROG” function. The security vulnerability could be exploited by an unauthenticated attacker with network access to port 135/tcp. No user interaction is required to exploit this security vulnerability. The vulnerability impacts the integrity of the device. The payload used was the following:

Structure of payload message sent:

\x4B\xc0\x01\xe0 # Start of message: Signature, Version, ClientVersion, Sync Flag, Return Flag, Request Flag
\x00\x00\x00\x00 # Context
\x00\x00\x00\x00 # Session
\x44\x45\x4c\x45 # DELETEPROG command
\x00\x10\x27\x00 # Timeout

We were able to identify this vulnerability on firmware 1.82.02 (released on May 13, 2019).
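
For detection, the field layout above can be matched in captured traffic. The following is an added example, not part of the original report or of any Siemens or Talos tooling: it splits a TCP payload sent to port 135 into the five 4-byte fields listed above and flags messages whose command field carries the bytes shown for DELETEPROG. It assumes each payload starts at a message boundary; the record tuples, addresses and the variant start bytes in the second sample are constructed for illustration.

```python
import struct
from typing import List, NamedTuple, Optional, Tuple

TDE_PORT = 135                      # TDE service port named in the report
START_BYTES = b"\x4b\xc0\x01\xe0"   # start-of-message bytes from the report
DELETE_FIELD = b"\x44\x45\x4c\x45"  # command field bytes from the report
MESSAGE_LEN = 20                    # five 4-byte fields

class TdeMessage(NamedTuple):
    start: bytes
    context: bytes
    session: bytes
    command: bytes
    timeout: bytes

def parse_message(payload: bytes) -> Optional[TdeMessage]:
    """Split the first 20 bytes into the report's five fields; None if truncated."""
    if len(payload) < MESSAGE_LEN:
        return None
    return TdeMessage(*struct.unpack("4s4s4s4s4s", payload[:MESSAGE_LEN]))

def classify(dst_port: int, payload: bytes) -> Optional[str]:
    """Return 'exact', 'command-only', or None when the traffic does not match."""
    if dst_port != TDE_PORT:
        return None
    msg = parse_message(payload)
    if msg is None or msg.command != DELETE_FIELD:
        return None
    return "exact" if msg.start == START_BYTES else "command-only"

Record = Tuple[str, str, int, bytes]  # (src_ip, dst_ip, dst_port, tcp_payload)

def scan(records: List[Record]) -> List[Tuple[str, str, str]]:
    """Return (src_ip, dst_ip, verdict) for every record that matches."""
    verdicts = ((s, d, classify(p, data)) for s, d, p, data in records)
    return [v for v in verdicts if v[2]]

# Constructed sample records (documentation addresses, not real captures).
_ZERO = b"\x00" * 4
_TIMEOUT = b"\x00\x10\x27\x00"
SAMPLES: List[Record] = [
    ("192.0.2.10", "192.0.2.50", 135, START_BYTES + _ZERO + _ZERO + DELETE_FIELD + _TIMEOUT),
    ("192.0.2.11", "192.0.2.50", 135, b"\x4b\xc0\x01\xa0" + _ZERO + _ZERO + DELETE_FIELD + _TIMEOUT),
    ("192.0.2.12", "192.0.2.50", 135, START_BYTES + _ZERO + _ZERO + b"\x00\x00\x00\x01" + _TIMEOUT),
    ("192.0.2.13", "192.0.2.50", 135, START_BYTES + _ZERO + DELETE_FIELD[:2]),
    ("192.0.2.14", "192.0.2.50", 102, START_BYTES + _ZERO + _ZERO + DELETE_FIELD + _TIMEOUT),
]
```

The "command-only" verdict covers messages whose first four bytes differ from the report's sample, so a change in those bytes does not hide the command field from the check.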


2020-03-20 - Vendor Disclosure
2020-06-09 - Public Release


Discovered by Alexander Perez-Palma of Cisco Talos and Emanuel Almeida of Cisco Systems, Inc.