Siemens SIMATIC HMI Products (Update A)
Monitor | 6.5 | ICS-CERT ICSA-20-252-06 | Sep 8, 2020
Attack Vector: Network
Auth Required: None
Complexity: Low
User Interaction: None needed
Summary
SIMATIC HMI Products are affected by password discovery and brute-force authentication bypass vulnerabilities (CWE-307, CWE-305). A remote attacker without authentication can discover user passwords and gain unauthorized access to the Sm@rt Server through weak password handling and insufficient rate limiting on login attempts.
What this means
What could happen
An attacker could discover operator passwords and gain remote access to HMI systems, allowing them to view process data, modify settings, or trigger alarms without authorization. This could disrupt visualization and control of industrial processes across manufacturing plants.
Who's at risk
Manufacturing plants operating Siemens SIMATIC HMI systems, including Basic Panels, Comfort Panels, Mobile Panels, and Unified Comfort Panels. This affects operators and engineers who rely on these interfaces for process monitoring and control. Any facility using these panels for production oversight is exposed.
How it could be exploited
An attacker on the network sends rapid login requests to the Sm@rt Server with common passwords or dictionary lists. Due to insufficient brute-force protection (CWE-307) and weak password handling (CWE-305), the attacker can discover valid credentials and gain access to the HMI interface and underlying process controls.
Prerequisites
- Network access to the HMI device or Sm@rt Server port (typically TCP 102 for S7 or web interface ports)
- The HMI system must be reachable from the attacker's network segment
- No requirement for existing credentials to initiate brute-force attack
remotely exploitable, no authentication required, low complexity, password discovery vulnerability, brute-force attack possible
Exploitability
Low exploit probability (EPSS 0.4%)
Affected products (4)
4 with fix
Product | Affected Versions | Fix Status
SIMATIC HMI Basic Panels 2nd Generation (incl. SIPLUS variants) | <V16 | 16 Update 3
SIMATIC HMI Comfort Panels (incl. SIPLUS variants) | ≤ V16 | 16 Update 3
SIMATIC HMI Mobile Panels | ≤ V16 | 16 Update 3
SIMATIC HMI Unified Comfort Panels | ≤ V16 | 16 Update 5
Remediation & Mitigation
Do now
WORKAROUND: For Unified Comfort Panels using SmartClient, use complex passwords of maximum length (8+ characters recommended, though passwords are truncated to 8 characters by an RFC 6143 limitation)
HARDENING: Implement network access controls and firewall rules to restrict access to HMI ports from authorized networks only
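The 8-character truncation named in the workaround above, as an added example (not part of the advisory and not Siemens code): a password audit showing how many characters RFC 6143 VNC authentication ignores and which accounts end up with the same effective key. Account names and passwords are constructed, and the sketch assumes the panel applies the RFC 6143 truncate-or-pad rule as the workaround text states.

```python
import math
import string

RFB_KEY_LEN = 8  # RFC 6143 sec. 7.2.2: password is truncated or null-padded to 8 bytes

def effective_key(password: str) -> bytes:
    """Bytes of the password that VNC authentication actually uses as key material."""
    raw = password.encode("latin-1", errors="replace")
    return raw[:RFB_KEY_LEN].ljust(RFB_KEY_LEN, b"\x00")

def search_space_bits(password: str) -> float:
    """Rough guessing-space estimate (bits) over the effective characters only."""
    used = password[:RFB_KEY_LEN]
    pool = sum(len(cs) for cs in (string.ascii_lowercase, string.ascii_uppercase,
                                  string.digits, string.punctuation)
               if any(c in cs for c in used))
    # Characters outside these four classes are not counted (conservative estimate).
    return len(used) * math.log2(pool) if pool else 0.0

def audit(accounts: dict) -> list:
    """Report ignored characters, estimated strength and key collisions per account."""
    by_key = {}
    for name, pw in accounts.items():
        by_key.setdefault(effective_key(pw), []).append(name)
    report = []
    for name, pw in accounts.items():
        report.append({
            "account": name,
            "ignored_chars": max(0, len(pw) - RFB_KEY_LEN),
            "bits": round(search_space_bits(pw), 1),
            # Other accounts whose passwords are indistinguishable after truncation
            "same_key_as": [n for n in by_key[effective_key(pw)] if n != name],
        })
    return report

# Constructed sample accounts (hypothetical, for illustration only)
SAMPLE = {
    "operator": "Pump#7Ax-Line2-Station4",
    "engineer": "Pump#7Axolotl",
    "service": "100",
}

if __name__ == "__main__":
    for row in audit(SAMPLE):
        print(row)
```

Characters beyond the eighth add nothing, so password complexity has to be concentrated in the first eight characters, and the network restrictions and updates listed here carry the rest of the protection.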
Schedule — requires maintenance window
Patching may require device reboot — plan for process interruption
SIMATIC HMI Mobile Panels
HOTFIX: Update SIMATIC HMI Mobile Panels to v16 Update 3 or later
SIMATIC HMI Unified Comfort Panels
HOTFIX: Update SIMATIC HMI Unified Comfort Panels to v16 Update 5 or later
All products
HOTFIX: Update SIMATIC HMI Basic Panels 2nd Generation to v16 Update 3 or later
HOTFIX: Update SIMATIC HMI Comfort Panels to v16 Update 3 or later
Long-term hardening
HARDENING: Apply defense-in-depth strategies including network segmentation between corporate IT and OT environments
CVEs (2)