Summary
- High-volume multicast traffic can exhaust memory in SIMATIC S7-PLCSIM Advanced and force a manual restart.
- Exploitation requires local network access and a particular project configuration, while Siemens says project data is not lost.
- Operators must restrict multicast traffic or disable unnecessary external communications until corrected versions become available.
Siemens has warned that every version of SIMATIC S7-PLCSIM Advanced is affected by a denial-of-service vulnerability for which no security update is yet available.
CVE-2026-54429 concerns the way the simulation software processes high volumes of multicast traffic. An unauthenticated attacker on the same network segment could send enough traffic to exhaust the application’s available memory, leaving it inaccessible until an operator performs a manual restart.
Successful exploitation requires a particular project configuration to be active. Siemens said the application stops responding but does not lose project data, and assigned the issue a CVSS v3.1 score of 7.4 and a CVSS v4.0 score of 6.0.
SIMATIC S7-PLCSIM Advanced simulates S7-1200, S7-1500, and related programmable logic controllers. It can reproduce controller behaviour and provide network access for testing, including inside virtualised environments, allowing engineers to validate logic and communications before or alongside deployment to physical equipment.
Although the vulnerable software is not a live controller, loss of the simulation environment can interrupt engineering, testing, fault investigation, training, and virtual commissioning. Plants that use simulation to assess changes before introducing them to production may face delays in maintenance, recovery, or operational improvement.
Siemens is preparing corrected versions but has not provided a release date. Its ProductCERT advisory recommends restricting multicast traffic on the network segment hosting the affected software.
Operators can also disable the S7-PLCSIM Virtual Switch binding on the relevant network adapter. According to Siemens, doing so prevents the adapter from entering external communication mode and removes the attack path. Using the default Softbus or PLCSIM network mode also prevents the application from accepting network packets.
Each mitigation needs to be matched to the purpose of the installation. External communication may support co-simulation, integration testing, virtual controllers, or communication with supervisory systems. Disabling it without checking those dependencies could interrupt legitimate engineering workflows, while leaving it enabled without network restrictions preserves the exposure.
With no patch available, the immediate controls sit in network architecture and operating procedures. Asset owners need to identify which instances have external networking enabled, determine which segments can reach them, establish whether multicast is required, and restrict who can change the adapter configuration.
Simulation and engineering platforms frequently sit between enterprise IT and production OT. They may run on centrally managed virtualisation platforms while being maintained by automation teams, equipment vendors, or systems integrators. Monitoring may be limited because the environment is classified as non-production, even though it can contain production logic, configurations, and trusted routes into industrial networks.
Availability requirements should reflect the operational function rather than the label attached to the system. Simulation platforms increasingly support digital commissioning, change testing, and recovery planning where stopping the physical process is expensive, disruptive, or unsafe. An unavailable simulator can delay decisions even when the live controller continues to operate.
Until corrected releases arrive, organisations should document each installation using external communication mode, enforce the multicast restrictions described by Siemens, and confirm that manual restart procedures are available to the relevant engineering teams. Logs and system state should be preserved where an unexplained outage occurs, allowing operators to distinguish hostile traffic from a software or configuration fault.
Once Siemens publishes a corrected version, deployment will still require controlled testing because the software sits directly inside industrial development and commissioning processes. The current mitigations limit network exposure while maintaining essential engineering functions.




