OTPulse

SmartVNC Vulnerabilities in SIMATIC HMI/WinCC Products

Act Now | CVSS 9.8 | SSA-538778 | May 11, 2021
Attack Vector: Network
Auth Required: None
Complexity: Low
User Interaction: None needed
Summary

Multiple SmartVNC vulnerabilities in SIMATIC HMI panels and WinCC Runtime Advanced could allow remote code execution and denial-of-service attacks. The vulnerabilities involve memory corruption (CWE-788, CWE-755) and resource exhaustion (CWE-770, CWE-400) in the VNC implementation. No authentication or user interaction is required for exploitation. The HMI panel hardware models (Comfort Outdoor, Comfort, KTP Mobile V15 and V16 series below the stated update levels) do not have vendor fixes available and cannot be patched. WinCC Runtime Advanced has been patched in V15.1 Update 6 and V16 Update 4.

What this means
What could happen
An attacker could execute arbitrary code on HMI panels and WinCC Runtime systems, potentially altering production displays, process setpoints, or shutting down the human-machine interface that operators rely on to monitor and control industrial processes.
Who's at risk
Manufacturers operating Siemens HMI systems should be concerned, particularly those using SIMATIC HMI Comfort Panels, Outdoor Panels, or KTP Mobile Panels (V15 and V16 series) for production monitoring, or those running SIMATIC WinCC Runtime Advanced for centralized process supervision. Any facility relying on these human-machine interfaces for real-time process control and operator visibility is at risk.
How it could be exploited
An attacker with network access to a vulnerable HMI panel or WinCC Runtime Advanced system could send a specially crafted VNC protocol request to trigger memory corruption or resource exhaustion vulnerabilities. The attacker does not need credentials or user interaction to trigger the vulnerability.
Prerequisites
  • Network access to VNC port (typically 5900) on the HMI panel or WinCC Runtime Advanced system
  • No authentication required
  • Vulnerable firmware or software version deployed
remotely exploitable · no authentication required · low complexity attack · high CVSS score (9.8) · affects human-machine interface (critical for operators) · no patch available for HMI panel hardware models
Exploitability
Moderate exploit probability (EPSS 1.4%)
Affected products (8)
2 with fix, 2 pending, 4 EOL
Product | Affected Versions | Fix Status
SIMATIC HMI Comfort Panels V15 4" - 22" (incl. SIPLUS variants) | < V15.1 Update 6 | No fix yet
SIMATIC HMI Comfort Panels V16 4" - 22" (incl. SIPLUS variants) | < V16 Update 4 | No fix yet
SIMATIC HMI Comfort Outdoor Panels V16 7" & 15" (incl. SIPLUS variants) | < V16 Update 4 | No fix (EOL)
SIMATIC HMI KTP Mobile Panels V15 KTP400F, KTP700, KTP700F, KTP900 and KTP900F | < V15.1 Update 6 | No fix (EOL)
SIMATIC WinCC Runtime Advanced V15 | < V15.1 Update 6 | 15.1 Update 6
SIMATIC WinCC Runtime Advanced V16 | < V16 Update 4 | 16 Update 4
SIMATIC HMI KTP Mobile Panels V16 KTP400F, KTP700, KTP700F, KTP900 and KTP900F | < V16 Update 4 | No fix (EOL)
SIMATIC HMI Comfort Outdoor Panels V15 7" & 15" (incl. SIPLUS variants) | < V15.1 Update 6 | No fix (EOL)
Remediation & Mitigation
Do now
WORKAROUND: Restrict network access to HMI panel VNC ports (port 5900) using firewall rules to allow connections only from authorized engineering and operator workstations
Schedule — requires maintenance window

Patching may require device reboot — plan for process interruption

SIMATIC WinCC Runtime Advanced V15
HOTFIX: Update SIMATIC WinCC Runtime Advanced V15 to Update 6 or later, and SIMATIC WinCC Runtime Advanced V16 to Update 4 or later
All products
HOTFIX: Update SIMATIC HMI Comfort Outdoor Panels V15 and V16 to the latest available firmware through WinCC engineering station
HOTFIX: Update SIMATIC HMI Comfort Panels V15 and V16 (4"-22") to the latest available firmware through WinCC engineering station
HOTFIX: Update SIMATIC HMI KTP Mobile Panels V15 and V16 to the latest available firmware through WinCC engineering station
Mitigations - no patch available
The following products have reached End of Life with no planned fix: SIMATIC HMI Comfort Outdoor Panels V16 7" & 15" (incl. SIPLUS variants), SIMATIC HMI KTP Mobile Panels V15 KTP400F, KTP700, KTP700F, KTP900 and KTP900F, SIMATIC HMI KTP Mobile Panels V16 KTP400F, KTP700, KTP700F, KTP900 and KTP900F, SIMATIC HMI Comfort Outdoor Panels V15 7" & 15" (incl. SIPLUS variants). Apply the following compensating controls:
HARDENING: Implement network segmentation to isolate HMI panels and WinCC Runtime systems on a dedicated control network separate from office/corporate networks
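
One way to verify that the port 5900 restriction from the workaround is actually in effect, given as an added example that is not part of the advisory or any vendor tooling: it audits firewall flow records for VNC connections to HMI panels from sources outside the allowlist. The HMI subnet, workstation addresses, log column layout and function name are constructed assumptions.

```python
import csv
import ipaddress
from io import StringIO

# Assumptions (not from the advisory): the HMI subnet, the allowlisted
# workstations and the flow-log column layout are all constructed.
HMI_NET = ipaddress.ip_network("10.20.30.0/24")
ALLOWED_SOURCES = {ipaddress.ip_address("10.20.10.5"),   # engineering station
                   ipaddress.ip_address("10.20.10.6")}   # operator workstation
VNC_PORT = 5900  # port named in the advisory's workaround

# Constructed sample records: time,src,dst,dst_port,proto,action
SAMPLE_FLOWS = """\
2021-05-12T08:00:01Z,10.20.10.5,10.20.30.11,5900,tcp,accept
2021-05-12T08:03:17Z,10.50.1.44,10.20.30.11,5900,tcp,accept
2021-05-12T08:03:40Z,10.50.1.44,10.20.30.12,5900,tcp,drop
2021-05-12T08:05:02Z,10.20.10.6,10.20.30.12,102,tcp,accept
2021-05-12T08:07:55Z,10.50.1.44,10.99.0.8,5900,tcp,accept
not,a,valid,record
"""

def audit_vnc_flows(text):
    """Return (findings, skipped): VNC flows to HMI hosts from non-allowlisted sources."""
    findings, skipped = [], 0
    for row in csv.reader(StringIO(text)):
        try:
            ts, src, dst, port, proto, action = row
            src, dst, port = ipaddress.ip_address(src), ipaddress.ip_address(dst), int(port)
        except ValueError:
            skipped += 1          # malformed line: count it, do not guess
            continue
        if proto != "tcp" or port != VNC_PORT or dst not in HMI_NET:
            continue              # not VNC traffic towards an HMI panel
        if src in ALLOWED_SOURCES:
            continue              # authorized workstation
        # accept => the firewall rule is missing or too broad (exposure);
        # drop   => the rule works, but something is probing the port.
        kind = "EXPOSED" if action == "accept" else "BLOCKED_ATTEMPT"
        findings.append((kind, ts, str(src), str(dst)))
    return findings, skipped

if __name__ == "__main__":
    results, bad = audit_vnc_flows(SAMPLE_FLOWS)
    for kind, ts, src, dst in results:
        print(f"{kind:16} {ts} {src} -> {dst}:{VNC_PORT}")
    print(f"skipped malformed records: {bad}")
```

An EXPOSED finding means the restriction is not enforced for that path and should be treated as a priority on panels with no fix available; BLOCKED_ATTEMPT findings are worth correlating by source.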