Siemens SIMATIC Panels
Plan Patch | CVSS 7.5 | ICS-CERT ICSA-18-317-08 | Nov 13, 2018
Attack Vector: Network
Auth Required: None
Complexity: Low
User Interaction: None needed
Summary
Siemens SIMATIC HMI panels and WinCC runtime servers contain path traversal (CWE-22) and open redirect (CWE-601) vulnerabilities in their integrated web servers. An unauthenticated attacker with network access to the device can read sensitive files or redirect users to malicious sites. The vulnerabilities affect WinCC Runtime Professional, WinCC (TIA Portal), Classic HMI Devices (TP/MP/OP/MP Mobile Panel), Comfort Panels 4"-22", Outdoor Panels 7"-15", KTP Mobile Panels, and WinCC Runtime Advanced. The web server is disabled by default on most models but is reachable if enabled.
What this means
What could happen
An attacker could read sensitive information from HMI panels and WinCC runtime servers over the network, including configuration details, process data, or credentials stored in memory. This could expose operational setpoints, alarm thresholds, or other sensitive engineering information without modifying it.
Who's at risk
Manufacturing facilities using Siemens SIMATIC HMI panels (WinCC, Comfort Panels, Classic Devices, KTP Mobile Panels) and WinCC runtime servers should assess their exposure. This affects any organization running these SCADA/HMI interfaces, particularly those with web server functionality enabled on shop floor devices.
How it could be exploited
An attacker sends a crafted HTTP request to the web server integrated in WinCC or HMI panel devices. The request exploits path traversal or open redirect vulnerabilities to access files or redirect users to malicious sites. Network access to the device's web service (typically port 80/443) is required.
Prerequisites
- Network access to the device's HTTP/HTTPS port (80/443)
- Web server must be enabled on the target device (disabled by default on most models)
- No authentication required
- Remotely exploitable
- No authentication required
- Low complexity attack
- Affects information confidentiality (high CVSS 7.5)
- No fix available for several product families (Classic Devices, WinCC TIA Portal, KTP Mobile Panels KTP400F KTP700)
- Multiple Siemens product families affected
Exploitability
Moderate exploit probability (EPSS 7.9%)
Affected products (7)
5 with fix, 2 EOL
Product | Affected Versions | Fix Status
SIMATIC HMI Comfort Panels 4" - 22" (incl. SIPLUS variants): All | <V15 Update 4 | V15_Update_4
SIMATIC HMI Comfort Outdoor Panels 7" & 15" (incl. SIPLUS variants): All | <V15 Update 4 | V15_Update_4
SIMATIC HMI KTP Mobile Panels KTP400F KTP700 | KTP700 | No fix (EOL)
SIMATIC WinCC Runtime Advanced: All | <V15 Update 4 | V15_Update_4
SIMATIC WinCC Runtime Professional: All | <V15 Update 4 | V15_Update_4
SIMATIC HMI Classic Devices - TP/MP/OP/MP Mobile Panel (incl. SIPLUS variants): All versions | All versions | No fix (EOL)
SIMATIC WinCC (TIA Portal): All | <V15 Update 4 | V15_Update_4
Remediation & Mitigation
Do now
- WORKAROUND: Deactivate the integrated web server if it is not required for operations
- WORKAROUND: Restrict network access to the web server using firewall rules or network segmentation
Schedule — requires maintenance window
Patching may require device reboot — plan for process interruption
SIMATIC WinCC (TIA Portal): All
- HOTFIX: Update SIMATIC WinCC (TIA Portal) to v15 Update 4 or newer, then update panel to v15 Update 4 or newer
Mitigations - no patch available
The following products have reached End of Life with no planned fix: SIMATIC HMI KTP Mobile Panels KTP400F KTP700, SIMATIC HMI Classic Devices - TP/MP/OP/MP Mobile Panel (incl. SIPLUS variants): All versions. Apply the following compensating controls:
- HARDENING: Locate HMI and WinCC devices behind firewalls and isolate them from the business network
- HARDENING: If remote access is required, use secure methods such as VPNs
CVEs (2)