OTPulse

Siemens SINEMA Remote Connect Server

Plan Patch | CVSS 8.8 | ICS-CERT ICSA-21-068-04 | Mar 9, 2021
Attack Vector: Network
Auth Required: Low
Complexity: Low
User Interaction: None needed
Summary

Siemens SINEMA Remote Connect Server versions prior to 3.0 contain an improper access control vulnerability (CWE-863). The vulnerability allows authenticated users with non-administrative privileges to perform unauthorized administrative actions, including but not limited to: reading or exporting sensitive VPN credentials, modifying remote access templates, and altering system configuration. An attacker with valid user credentials can exploit this to gain unauthorized high-privilege access without needing to compromise admin accounts or exploit additional vulnerabilities. The vulnerability has a CVSS score of 8.8 (High severity) and affects all versions below 3.0.

What this means
What could happen
An attacker with legitimate credentials to SINEMA Remote Connect Server can gain high-privilege access to the device, potentially allowing them to steal remote access credentials, alter system configurations, or disrupt plant connectivity management for VPN and remote engineering access.
Who's at risk
Water and electric utilities, and any industrial facility using Siemens SINEMA Remote Connect Server for secure remote access and VPN management to PLCs, RTUs, and engineering workstations. It primarily affects IT/OT infrastructure managers responsible for remote engineering access.
How it could be exploited
An attacker with valid user account credentials (not necessarily admin) logs into SINEMA Remote Connect Server and exploits an improper access control flaw (CWE-863) to escalate privileges or bypass authorization checks. This allows the attacker to perform administrative actions they should not have permission for, such as exporting stored credentials or modifying VPN templates used by field devices.
Prerequisites
  • Valid user account credentials for SINEMA Remote Connect Server (non-admin account sufficient)
  • Network access to the SINEMA server management interface
  • Vulnerable version installed (earlier than v3.0)
  • remotely exploitable
  • low complexity
  • authentication required (but non-admin accounts sufficient)
  • high CVSS score (8.8)
  • actively exploited in the field (E:P indicates evidence of PoC)
Exploitability
Low exploit probability (EPSS 0.3%)
Affected products (1)
Product | Affected Versions | Fix Status
SINEMA Remote Connect Server | All < V3.0 | 3.0
Remediation & Mitigation
Do now
WORKAROUND: Review and audit all stored template configurations to detect unauthorized changes; compare current settings against known-good baseline
HARDENING: Configure syslog server integration to monitor server logs for unauthorized access attempts and configuration changes
HARDENING: Audit all user accounts (privileged and unprivileged) to ensure only trusted personnel have access
Schedule — requires maintenance window

Patching may require device reboot — plan for process interruption

HOTFIX: Update SINEMA Remote Connect Server to version 3.0 or later
HARDENING: Implement network access controls to restrict who can reach the SINEMA server management interface (firewall rules, VPN restrictions)