Siemens SINAMICS Medium Voltage Products Remote Access (Update B)
Priority: Act Now
CVSS: 9.8
Source: ICS-CERT ICSA-21-131-04
Date: May 11, 2021
Attack Vector: Network
Auth Required: None
Complexity: Low
User Interaction: None needed
Summary
SINAMICS medium voltage products with Sm@rtServer enabled on SIMATIC comfort HMI Panels contain multiple vulnerabilities (CWE-665, CWE-125, CWE-122, CWE-121, CWE-788, CWE-170, CWE-770, CWE-400, CWE-401) that allow an attacker to gain full remote access to the HMI and control the drives. By default Sm@rtServer is disabled, but system integrators may enable it. Affected models include SINAMICS GH150, GL150 (with option X30), GM150 (with option X30), SH150, SL150, SM120, SM150, and SM150i across all versions. Siemens recommends protecting network access with appropriate mechanisms and following Industrial Security operational guidelines.
What this means
What could happen
An attacker with network access to a SINAMICS medium voltage drive with Sm@rtServer enabled could gain full remote control of the HMI panel, potentially allowing them to alter process parameters, stop operations, or disable safety functions on industrial motor drives.
Who's at risk
Manufacturing facilities operating Siemens SINAMICS medium voltage motor drives (GH150, GL150, GM150, SH150, SL150, SM120, SM150, SM150i) with SIMATIC comfort HMI panels that have Sm@rtServer enabled. This affects any site using these drives for critical motor control in processes like pumps, compressors, fans, or conveyor systems where unexpected control loss or parameter modification could cause harm or downtime.
How it could be exploited
An attacker on the network sends a crafted request to the Sm@rtServer interface (enabled on SIMATIC comfort HMI Panels). Due to multiple memory safety and input validation flaws, the attacker can bypass authentication and execute arbitrary code on the HMI panel, gaining full remote access to the drive control system.
Prerequisites
- Network access to the SINAMICS device's Sm@rtServer port (typically port 502 or Ethernet interface)
- Sm@rtServer must be enabled on the SIMATIC comfort HMI Panel (disabled by default, but may be enabled by integrator)
- Device must be SINAMICS medium voltage model (GH150, GL150, GM150, SH150, SL150, SM120, SM150, or SM150i)
- Remotely exploitable without authentication
- Low complexity attack
- High CVSS score (9.8 critical)
- No patch currently available
- Multiple memory safety vulnerabilities (CWE-125, CWE-122, CWE-121, CWE-788)
- Affects industrial motor control systems
Exploitability
Moderate exploit probability (EPSS 5.4%)
Affected products (8)
8 EOL
| Product | Affected Versions | Fix Status |
| --- | --- | --- |
| SINAMICS GH150 | All versions | No fix (EOL) |
| SINAMICS GL150 (with option X30) | All versions | No fix (EOL) |
| SINAMICS GM150 (with option X30) | All versions | No fix (EOL) |
| SINAMICS SH150 | All versions | No fix (EOL) |
| SINAMICS SL150 | All versions | No fix (EOL) |
| SINAMICS SM120 | All versions | No fix (EOL) |
| SINAMICS SM150 | All versions | No fix (EOL) |
| SINAMICS SM150i | All versions | No fix (EOL) |
Remediation & Mitigation
Do now
- HARDENING: Verify whether Sm@rtServer is enabled on your SIMATIC comfort HMI panels; if not needed, ensure it remains disabled
- HARDENING: If Sm@rtServer must be enabled, implement network segmentation and firewall rules to restrict access to the HMI panel from only trusted engineering workstations and control networks
Schedule — requires maintenance window
Patching may require device reboot — plan for process interruption
- HARDENING: Follow Siemens' operational guidelines for Industrial Security to protect network access to SINAMICS devices with appropriate mechanisms (authentication, encryption, VPN, access controls)
- HOTFIX: Monitor Siemens security advisories closely for patches; contact your Siemens representative to inquire about available updates for your specific SINAMICS product versions
CVEs (14)
API:
/api/v1/advisories/3c7cbefe-a83d-4e60-a7cd-5046b1092f0e