OTPulse

Siemens SIMATIC Panels

Plan PatchCVSS 7.5ICS-CERT ICSA-18-317-08Nov 13, 2018
SiemensManufacturing
Attack path
Attack VectorNetwork
Auth RequiredNone
ComplexityLow
User InteractionNone needed
Summary

Siemens SIMATIC HMI panels and WinCC runtime servers contain path traversal (CWE-22) and open redirect (CWE-601) vulnerabilities in their integrated web servers. An unauthenticated attacker with network access to the device can read sensitive files or redirect users to malicious sites. The vulnerabilities affect WinCC Runtime Professional, WinCC (TIA Portal), Classic HMI Devices (TP/MP/OP/MP Mobile Panel), Comfort Panels 4"-22", Outdoor Panels 7"-15", KTP Mobile Panels, and WinCC Runtime Advanced. Web server is disabled by default on most models but is reachable if enabled.

What this means
What could happen
An attacker could read sensitive information from HMI panels and WinCC runtime servers over the network, including configuration details, process data, or credentials stored in memory. This could expose operational setpoints, alarm thresholds, or other sensitive engineering information without modifying it.
Who's at risk
Manufacturing facilities using Siemens SIMATIC HMI panels (WinCC, Comfort Panels, Classic Devices, KTP Mobile Panels) and WinCC runtime servers should assess their exposure. This affects any organization running these SCADA/HMI interfaces, particularly those with web server functionality enabled on shop floor devices.
How it could be exploited
An attacker sends a crafted HTTP request to the web server integrated in WinCC or HMI panel devices. The request exploits path traversal or open redirect vulnerabilities to access files or redirect users to malicious sites. Network access to the device's web service (typically port 80/443) is required.
Prerequisites
  • Network access to the device's HTTP/HTTPS port (80/443)
  • Web server must be enabled on the target device (disabled by default on most models)
  • No authentication required
Remotely exploitableNo authentication requiredLow complexity attackAffects information confidentiality (high CVSS 7.5)No fix available for several product families (Classic Devices, WinCC TIA Portal, KTP Mobile Panels KTP400F KTP700)Multiple Siemens product families affected
Exploitability
Some exploitation risk — EPSS score 7.9%
Affected products (7)
5 with fix2 EOL
ProductAffected VersionsFix Status
SIMATIC HMI Comfort Panels 4" - 22" (incl. SIPLUS variants): All<V15 Update 4V15_Update_4
SIMATIC HMI Comfort Outdoor Panels 7" & 15" (incl. SIPLUS variants): All<V15 Update 4V15_Update_4
SIMATIC HMI KTP Mobile Panels KTP400F KTP700KTP700No fix (EOL)
SIMATIC WinCC Runtime Advanced: All<V15 Update 4V15_Update_4
SIMATIC WinCC Runtime Professional: All<V15 Update 4V15_Update_4
SIMATIC HMI Classic Devices - TP/MP/OP/MP Mobile Panel (incl. SIPLUS variants): All versionsAll versionsNo fix (EOL)
SIMATIC WinCC (TIA Portal): All<V15 Update 4V15_Update_4
Remediation & Mitigation
0/5
Do now
0/2
WORKAROUNDDeactivate the integrated web server if it is not required for operations
WORKAROUNDRestrict network access to the web server using firewall rules or network segmentation
Schedule — requires maintenance window
0/1

Patching may require device reboot — plan for process interruption

SIMATIC WinCC (TIA Portal): All
HOTFIXUpdate SIMATIC WinCC (TIA Portal) to v15 Update 4 or newer, then update panel to v15 Update 4 or newer
Mitigations - no patch available
0/2
The following products have reached End of Life with no planned fix: SIMATIC HMI KTP Mobile Panels KTP400F KTP700, SIMATIC HMI Classic Devices - TP/MP/OP/MP Mobile Panel (incl. SIPLUS variants): All versions. Apply the following compensating controls:
HARDENINGLocate HMI and WinCC devices behind firewalls and isolate them from the business network
HARDENINGIf remote access is required, use secure methods such as VPNs
View full CISA ICS-CERT advisory
API: /api/v1/advisories/e44dc7bb-1861-4e09-9007-7cad9f54c354

Get OT security insights every Tuesday

Advisory breakdowns, a weekly summary, and incident analyses for the people actually defending OT environments. Free, no account required.

Siemens SIMATIC Panels | CVSS 7.5 - OTPulse