Siemens SINAMICS Medium Voltage Products Telnet (Update A)
Plan Patch · 8.1
ICS-CERT ICSA-21-131-13 · May 11, 2021
Attack Vector: Network
Auth Required: None
Complexity: High
User Interaction: None needed
Summary
SINAMICS medium-voltage drive products have a vulnerability in their integrated or connected HMI (SIMATIC HMI) image that allows unauthenticated Telnet access. Successful exploitation grants an attacker full remote access to the HMI, enabling them to read process data and issue control commands to the motor drives. Only HMI image versions prior to v16 Update 3a are affected. No firmware updates are available for the SINAMICS drive products themselves; the vulnerability must be mitigated by updating the HMI image and restricting network access to the Telnet interface.
What this means
What could happen
An attacker with network access to the Telnet port could gain full control of the HMI (human-machine interface) panel, allowing them to view sensitive process data, alter operational commands, or disrupt monitoring and control of medium-voltage motor drives.
Who's at risk
Manufacturing facilities using Siemens SINAMICS medium-voltage drive products (GH150, SH150, GL150, SM150i, SM150, GM150, SM120, SL150 series) with integrated or connected HMI panels. This affects any plant operating these drives for motor control in production lines, pump stations, compressor systems, or other critical medium-voltage motor applications where process visibility and control through the HMI is essential.
How it could be exploited
An attacker sends a Telnet connection request to the HMI's Telnet port (default port 23) from the network. If Telnet is enabled and no authentication is configured or enforced, the attacker gains shell access to the HMI system without providing credentials, then executes commands to modify process parameters or disable safety monitoring.
Prerequisites
- Network connectivity to the HMI Telnet port (port 23, or custom port if configured)
- Telnet service must be enabled on the HMI panel
- No authentication required or weak authentication configuration on the Telnet interface
- Remotely exploitable over network
- No authentication required (if default configuration)
- Low complexity exploitation (Telnet protocol is simple)
- Unauthenticated access to HMI
- No patch available for affected drive products (patch only addresses HMI image)
Exploitability
Moderate exploit probability (EPSS 1.7%)
Affected products (8)
Product                              | Affected Versions | Fix Status
-------------------------------------|-------------------|-------------
SINAMICS GH150                       | All versions      | No fix (EOL)
SINAMICS SH150                       | All versions      | No fix (EOL)
SINAMICS SM150i                      | All versions      | No fix (EOL)
SINAMICS SM150                       | All versions      | No fix (EOL)
SINAMICS GM150 (with option X30)     | All versions      | No fix (EOL)
SINAMICS SM120                       | All versions      | No fix (EOL)
SINAMICS SL150                       | All versions      | No fix (EOL)
SINAMICS GL150 (with option X30)     | All versions      | No fix (EOL)
Remediation & Mitigation
Do now
WORKAROUND: Disable the Telnet service on HMI panels if remote management is not required
HARDENING: Restrict network access to the HMI Telnet port (port 23) using firewall rules that allow only authorized engineering and maintenance workstations
HARDENING: Configure strong authentication (username/password or certificate-based) on Telnet if the service must remain enabled
Schedule — requires maintenance window
Patching may require a device reboot; plan for process interruption
HOTFIX: Update the SIMATIC HMI image to v16 Update 4 or later for affected installations
HOTFIX: Update the SIMATIC HMI image to v15 SP1 Update 6 or later for older installations
Mitigations - no patch available
The following products have reached End of Life with no planned fix: SINAMICS GH150: All versions, SINAMICS SH150: All versions, SINAMICS SM150i: All versions, SINAMICS SM150: All versions, SINAMICS GM150 (with option X30): All versions, SINAMICS SM120: All versions, SINAMICS SL150: All versions, SINAMICS GL150 (with option X30): All versions. Apply the following compensating controls:
HARDENING: Deploy network segmentation to isolate HMI panels on a separate VLAN from general corporate networks
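As an added example (not part of the advisory or any Siemens tooling), the following Python script applies the remediation thresholds above to a constructed asset inventory: it flags EOL drive families, HMIs with Telnet still enabled, and HMI images below the v16 Update 4 / v15 SP1 Update 6 baselines. The version-string format "v<major>[ SP<n>][ Update <n>[<letter>]]" and its ordering are assumptions for the sake of comparison, and the inventory records are constructed sample data.

```python
import re

# Fix baselines named in the advisory, keyed by HMI image major version line.
FIX_BASELINE = {16: "v16 Update 4", 15: "v15 SP1 Update 6"}
# Drive families the advisory lists as End of Life (no drive-side firmware fix).
EOL_PRODUCTS = {"GH150", "SH150", "SM150i", "SM150", "GM150", "SM120", "SL150", "GL150"}
# Assumed version string format: "v<major>[ SP<n>][ Update <n>[<letter>]]".
_VER = re.compile(r"^v(\d+)(?:\s+SP(\d+))?(?:\s+Update\s+(\d+)([a-z])?)?$", re.I)

def parse_hmi_version(text):
    """'v16 Update 3a' -> (16, 0, 3, 1). Assumption: numbers compare numerically
    and a letter suffix sorts after the bare number but before the next one."""
    m = _VER.match(text.strip())
    if not m:
        raise ValueError(f"unrecognised HMI image version: {text!r}")
    major, sp, upd, suffix = m.groups()
    letter = (ord(suffix.lower()) - ord("a") + 1) if suffix else 0
    return (int(major), int(sp or 0), int(upd or 0), letter)

def needs_hmi_update(version):
    """True when the image is below the advisory's fix baseline for its line."""
    v = parse_hmi_version(version)
    baseline = FIX_BASELINE.get(v[0])
    if baseline is None:
        # No baseline listed: lines before v15 have no fixed release named in
        # the advisory; newer lines (v17+) are outside its scope.
        return v[0] < 15
    return v < parse_hmi_version(baseline)

def assess(asset):
    """Return the advisory actions that apply to one inventory record."""
    findings = []
    if asset["product"] in EOL_PRODUCTS:
        findings.append("EOL drive: isolate HMI on a separate VLAN, no drive fix coming")
    if asset["telnet_enabled"]:
        findings.append("WORKAROUND: disable Telnet or restrict TCP/23 to engineering hosts")
    if needs_hmi_update(asset["hmi_image"]):
        findings.append(f"HOTFIX: HMI image {asset['hmi_image']} is below the fix baseline")
    return findings

# Constructed sample inventory (not real plant data).
INVENTORY = [
    {"name": "MV-DRIVE-01", "product": "GH150", "hmi_image": "v16 Update 3a", "telnet_enabled": True},
    {"name": "MV-DRIVE-02", "product": "SM120", "hmi_image": "v16 Update 4", "telnet_enabled": False},
    {"name": "MV-DRIVE-03", "product": "SL150", "hmi_image": "v15 SP1 Update 5", "telnet_enabled": True},
]

if __name__ == "__main__":
    for asset in INVENTORY:
        print(asset["name"], "->", "; ".join(assess(asset)) or "no action")
```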
CVEs (1)