OTPulse

Siemens SIMATIC HMI Comfort Panels & SIMATIC HMI KTP Mobile Panels

Plan PatchCVSS 8.1ICS-CERT ICSA-21-033-02Jan 28, 2021
SiemensManufacturing
Attack path
Attack VectorNetwork
Auth RequiredNone
ComplexityHigh
User InteractionNone needed
Summary

SIMATIC HMI Comfort Panels and SIMATIC HMI KTP Mobile Panels contain an authentication bypass vulnerability (CWE-306) that allows remote attackers to access and control the panels without valid credentials. The vulnerability exists in firmware versions prior to V16 Update 3a. Affected devices include all Comfort Panel variants and KTP Mobile Panel models running these older firmware versions. An attacker could exploit this to manipulate process parameters, stop operations, or exfiltrate sensitive operational data.

What this means
What could happen
An attacker could gain unauthorized access to HMI panels over the network without credentials and execute arbitrary commands, potentially altering process parameters, stopping operations, or viewing sensitive information on manufacturing systems.
Who's at risk
Manufacturing facilities using Siemens SIMATIC HMI Comfort Panels or KTP Mobile Panels for monitoring and controlling production processes. This includes any automation, packaging, assembly, or process control environment where these touchscreen/display interfaces manage PLCs or other controllers.
How it could be exploited
An attacker on the network sends a crafted request to an unpatched HMI panel (without authentication required by the vulnerable code path). The panel accepts the request and allows command execution or unauthorized access, giving the attacker control over the human-machine interface and the underlying automation processes it manages.
Prerequisites
  • Network access to the HMI panel (typically Ethernet on port 80, 443, or proprietary protocol)
  • HMI panel running firmware version earlier than V16 Update 3a
  • If Telnet is enabled (non-default), Telnet port 23 access
Remotely exploitableNo authentication requiredLow complexity attackAffects control interfaces to production systemsHigh CVSS score (8.1)
Exploitability
Some exploitation risk — EPSS score 1.7%
Affected products (2)
2 with fix
ProductAffected VersionsFix Status
SIMATIC HMI Comfort Panels (incl.'SIPLUS variants): All<V16 Update 3a16 Update 3a
SIMATIC HMI KTP Mobile Panels: All<V16 Update 3a16 Update 3a
Remediation & Mitigation
0/5
Do now
0/2
WORKAROUNDDisable Telnet on HMI panels (verify it is not enabled, as it is disabled by default)
HARDENINGRestrict network access to HMI panels using firewalls; block inbound connections from untrusted networks and the Internet
Schedule — requires maintenance window
0/1

Patching may require device reboot — plan for process interruption

HOTFIXUpdate SIMATIC HMI Comfort Panels and SIMATIC HMI KTP Mobile Panels firmware to V16 Update 3a or later
Long-term hardening
0/2
HARDENINGIsolate control system networks from the business network using network segmentation
HARDENINGIf remote access to HMI panels is required, implement secure VPN access with current patches and use strong authentication
View full CISA ICS-CERT advisory
API: /api/v1/advisories/4aa074c3-521e-4907-850c-8154d870008b

Get OT security insights every Tuesday

Advisory breakdowns, a weekly summary, and incident analyses for the people actually defending OT environments. Free, no account required.

Siemens SIMATIC HMI Comfort Panels & SIMATIC HMI KTP Mobile Panels | CVSS 8.1 - OTPulse