Siemens SIMATIC UltraVNC HMI WinCC Products

Plan PatchCVSS 9.8ICS-CERT ICSA-21-131-11May 11, 2021

SiemensManufacturing

Attack path

Attack VectorNetwork

Auth RequiredNone

ComplexityLow

User InteractionNone needed

Summary

UltraVNC vulnerabilities in Siemens SIMATIC HMI panels and WinCC Runtime software allow remote code execution, information disclosure, and denial-of-service attacks via port 5900/TCP. The vulnerabilities stem from memory corruption issues (CWE-125, CWE-122, CWE-121, CWE-788) that can be triggered without authentication or user interaction. Affected versions include Comfort Outdoor Panels 7\" and 15\", Comfort Panels 4\" through 22\", KTP Mobile Panels (KTP400F, KTP700, KTP700F, KTP900, KTP900F), and WinCC Runtime Advanced versions prior to v16 Update 4.

What this means

What could happen

An attacker with network access to the VNC service (port 5900) could execute arbitrary code on Siemens HMI panels or WinCC Runtime, potentially altering operator displays, process setpoints, or halting plant operations.

Who's at risk

Manufacturing facilities using Siemens SIMATIC HMI panels (Comfort Outdoor Panels 7\" and 15\", Comfort Panels 4\" to 22\", KTP Mobile Panels) and WinCC Runtime Advanced software for process visualization and SCADA control. Any facility relying on these panels for operator control and monitoring of manufacturing processes is affected if running firmware versions prior to v16 Update 4.

How it could be exploited

An attacker sends a crafted packet to port 5900/TCP on an exposed HMI panel or WinCC Runtime. No credentials or user interaction is required. The vulnerability in UltraVNC allows memory corruption that leads to remote code execution on the device running the HMI or SCADA software.

Prerequisites

Network access to port 5900/TCP on the HMI device or WinCC Runtime system
Device must be running affected firmware versions (prior to v16 Update 4)

remotely exploitableno authentication requiredlow complexityhigh CVSS score (9.8)affects HMI/SCADA visualization and controlpartial patch availability (WinCC only)

Exploitability

Some exploitation risk — EPSS score 5.4%

Affected products (4)

1 with fix3 pending

ProductAffected VersionsFix Status

SIMATIC HMI Comfort Outdoor Panels 7" & 15" (incl. SIPLUS variants)<V16 Update 4No fix yet

SIMATIC HMI Comfort Panels 4" - 22" (incl. SIPLUS variants)<V16 Update 4No fix yet

SIMATIC HMI KTP Mobile Panels KTP400F, KTP700, KTP700F, KTP900 and KTP900F<V16 Update 4No fix yet

SIMATIC WinCC Runtime Advanced<V16 Update 416 Update 4

Remediation & Mitigation

0/7

Do now

0/2

WORKAROUNDRestrict access to port 5900/TCP to only trusted IP addresses using firewall rules

HARDENINGIsolate HMI and WinCC systems from the internet and untrusted networks

Schedule — requires maintenance window

0/4

Patching may require device reboot — plan for process interruption

SIMATIC WinCC Runtime Advanced

HOTFIXUpdate SIMATIC WinCC Runtime Advanced to v16 Update 4 or later

All products

HOTFIXUpdate SIMATIC HMI Comfort Outdoor Panels 7" and 15" to v16 Update 4 or later

HOTFIXUpdate SIMATIC HMI Comfort Panels 4" - 22" to v16 Update 4 or later

HOTFIXUpdate SIMATIC HMI KTP Mobile Panels (KTP400F, KTP700, KTP700F, KTP900, KTP900F) to v16 Update 4 or later

Long-term hardening

0/1

HARDENINGPlace control system networks behind firewalls and separate from business networks

CVEs (10)

CVE-2019-8259 CVE-2019-8260 CVE-2019-8261 CVE-2019-8262 CVE-2019-8263 CVE-2019-8264 CVE-2019-8275 CVE-2019-8277 CVE-2019-8265 CVE-2019-8280

View full CISA ICS-CERT advisory

↑↓ Navigate · Esc Close

API: /api/v1/advisories/528f2df7-8300-45d3-906b-85b82a6abf74

Get OT security insights every Tuesday

Advisory breakdowns, a weekly summary, and incident analyses for the people actually defending OT environments. Free, no account required.