The vulnerability works as follows:
: The S7-300 stores the project password directly on the MMC. Because the MMC uses a proprietary format (not standard FAT), Windows cannot read it directly, but hex editors can. Historic Method : simatic s7 200 s7 300 mmc password unlock 2006 09 11
Insert the MMC into a standard card reader (do format it if Windows asks). The vulnerability works as follows: : The S7-300