Siemens SINAMICS Medium Voltage Products Remote Access (Update B)

Plan PatchCVSS 9.8ICS-CERT ICSA-21-131-04May 11, 2021

SiemensManufacturing

Attack path

Attack VectorNetwork

Auth RequiredNone

ComplexityLow

User InteractionNone needed

Summary

SINAMICS medium voltage products with Sm@rtServer enabled on SIMATIC comfort HMI Panels contain multiple vulnerabilities (CWE-665, CWE-125, CWE-122, CWE-121, CWE-788, CWE-170, CWE-770, CWE-400, CWE-401) that allow an attacker to gain full remote access to the HMI and control the drives. By default Sm@rtServer is disabled, but system integrators may enable it. Affected models include SINAMICS GH150, GL150 (with option X30), GM150 (with option X30), SH150, SL150, SM120, SM150, and SM150i across all versions. Siemens recommends protecting network access with appropriate mechanisms and following Industrial Security operational guidelines.

What this means

What could happen

An attacker with network access to a SINAMICS medium voltage drive with Sm@rtServer enabled could gain full remote control of the HMI panel, potentially allowing them to alter process parameters, stop operations, or disable safety functions on industrial motor drives.

Who's at risk

Manufacturing facilities operating Siemens SINAMICS medium voltage motor drives (GH150, GL150, GM150, SH150, SL150, SM120, SM150, SM150i) with SIMATIC comfort HMI panels that have Sm@rtServer enabled. This affects any site using these drives for critical motor control in processes like pumps, compressors, fans, or conveyor systems where unexpected control loss or parameter modification could cause harm or downtime.

How it could be exploited

An attacker on the network sends a crafted request to the Sm@rtServer interface (enabled on SIMATIC comfort HMI Panels). Due to multiple memory safety and input validation flaws, the attacker can bypass authentication and execute arbitrary code on the HMI panel, gaining full remote access to the drive control system.

Prerequisites

Network access to the SINAMICS device's Sm@rtServer port (typically port 502 or Ethernet interface)
Sm@rtServer must be enabled on the SIMATIC comfort HMI Panel (disabled by default, but may be enabled by integrator)
Device must be SINAMICS medium voltage model (GH150, GL150, GM150, SH150, SL150, SM120, SM150, or SM150i)

Remotely exploitable without authenticationLow complexity attackHigh CVSS score (9.8 critical)No patch currently availableMultiple memory safety vulnerabilities (CWE-125, CWE-122, CWE-121, CWE-788)Affects industrial motor control systems

Exploitability

Some exploitation risk — EPSS score 5.4%

Affected products (8)

8 EOL

ProductAffected VersionsFix Status

SINAMICS GH150All versionsNo fix (EOL)

SINAMICS GL150 (with option X30)All versionsNo fix (EOL)

SINAMICS GM150 (with option X30)All versionsNo fix (EOL)

SINAMICS SH150All versionsNo fix (EOL)

SINAMICS SL150All versionsNo fix (EOL)

SINAMICS SM120All versionsNo fix (EOL)

SINAMICS SM150All versionsNo fix (EOL)

SINAMICS SM150iAll versionsNo fix (EOL)

Remediation & Mitigation

0/4

Do now

0/2

HARDENINGVerify whether Sm@rtServer is enabled on your SIMATIC comfort HMI panels; if not needed, ensure it remains disabled

HARDENINGIf Sm@rtServer must be enabled, implement network segmentation and firewall rules to restrict access to the HMI panel from only trusted engineering workstations and control networks

Schedule — requires maintenance window

0/2

Patching may require device reboot — plan for process interruption

HARDENINGFollow Siemens' operational guidelines for Industrial Security to protect network access to SINAMICS devices with appropriate mechanisms (authentication, encryption, VPN, access controls)

HOTFIXMonitor Siemens security advisories closely for patches; contact your Siemens representative to inquire about available updates for your specific SINAMICS product versions

CVEs (14)

CVE-2019-8259 CVE-2019-8260 CVE-2019-8261 CVE-2019-8262 CVE-2019-8263 CVE-2019-8264 CVE-2019-8265 CVE-2019-8275 CVE-2019-8277 CVE-2019-8280 CVE-2021-27383 CVE-2021-27384 CVE-2021-27385 CVE-2021-27386

View full CISA ICS-CERT advisory

↑↓ Navigate · Esc Close

API: /api/v1/advisories/3c7cbefe-a83d-4e60-a7cd-5046b1092f0e

Get OT security insights every Tuesday

Advisory breakdowns, a weekly summary, and incident analyses for the people actually defending OT environments. Free, no account required.