OTPulse

UltraVNC Vulnerabilities in SIMATIC HMIs/WinCC Products

Act Now | CVSS 9.8 | SSA-940818 | May 11, 2021
Attack Vector: Network
Auth Required: None
Complexity: Low
User Interaction: None needed
Summary

Vulnerabilities in the UltraVNC software embedded in SIMATIC HMI panels and WinCC Runtime systems could allow remote code execution, information disclosure, and denial of service. The affected product lines are: SIMATIC HMI Comfort Outdoor Panels (7" and 15"), SIMATIC HMI Comfort Panels (4" to 22"), SIMATIC HMI KTP Mobile Panels (KTP400F, KTP700, KTP700F, KTP900, KTP900F), and SIMATIC WinCC Runtime Advanced. All versions below V16 Update 4 are vulnerable. Exploitation requires no user interaction or authentication and is possible from any network with access to the device.

What this means
What could happen
An attacker could execute arbitrary code on your HMI panels or WinCC runtime systems, allowing them to modify industrial process displays, alter operator commands, or stop production monitoring. This could result in unobserved process deviations, equipment damage, or safety incidents.
Who's at risk
Manufacturing plants using Siemens SIMATIC HMI panels (Comfort series, KTP Mobile series, and outdoor variants) for production monitoring and operator interface, as well as facilities running SIMATIC WinCC Runtime Advanced for centralized process visualization and control. This affects all panel sizes from 4-inch to 22-inch displays.
How it could be exploited
An attacker with network access to an affected HMI panel or WinCC Runtime Advanced system could exploit embedded UltraVNC vulnerabilities to achieve remote code execution. The vulnerability requires no authentication or user interaction, allowing the attacker to gain control of the device and execute arbitrary commands in the context of the HMI application.
Prerequisites
  • Network access to the HMI panel or WinCC Runtime Advanced system (no specific port restriction mentioned, likely standard VNC port 5900 or configured alternative)
  • Device must be running affected firmware version (below V16 Update 4)
  • No authentication credentials required
  • Remotely exploitable over network
  • No authentication required
  • Low complexity attack
  • Critical severity (CVSS 9.8)
  • Affects human-machine interface: operator commands could be intercepted or falsified
  • Some products have no patch available (HMI Comfort and KTP Mobile panels)
  • Information disclosure risk: attacker can read process data and operator actions
Exploitability
Moderate exploit probability (EPSS 5.4%)
Affected products (4)
1 with fix, 1 pending, 2 EOL

| Product | Affected Versions | Fix Status |
|---|---|---|
| SIMATIC HMI KTP Mobile Panels KTP400F, KTP700, KTP700F, KTP900 and KTP900F | < V16 Update 4 | No fix yet |
| SIMATIC WinCC Runtime Advanced | < V16 Update 4 | 16 Update 4 |
| SIMATIC HMI Comfort Outdoor Panels 7" & 15" (incl. SIPLUS variants) | < V16 Update 4 | No fix (EOL) |
| SIMATIC HMI Comfort Panels 4" - 22" (incl. SIPLUS variants) | < V16 Update 4 | No fix (EOL) |

Remediation & Mitigation
Do now
SIMATIC WinCC Runtime Advanced
  • HOTFIX: Update SIMATIC WinCC Runtime Advanced to V16 Update 4 or later
All products
  • HOTFIX: Update SIMATIC HMI Comfort Panels (all sizes) to V16 Update 4 or later
  • HOTFIX: Update SIMATIC HMI KTP Mobile Panels to V16 Update 4 or later
  • WORKAROUND: Restrict network access to HMI panels and WinCC systems using firewall rules to allow only authorized engineering and operator workstations
  • HARDENING: Disable remote VNC access on HMI panels if not required for operations or maintenance
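
To turn the affected-products table and the actions above into a worklist, the following added example (not code from Siemens or from this advisory page) triages an asset inventory by product line and installed version. The inventory rows, the accepted version-string formats, and the (major, minor, update) ordering are assumptions made for illustration.

```python
import re

# Fix status per product line, taken from the affected-products table above.
FIX_STATUS = {
    "SIMATIC WinCC Runtime Advanced": "fixed",
    "SIMATIC HMI KTP Mobile Panels": "pending",
    "SIMATIC HMI Comfort Outdoor Panels": "eol",
    "SIMATIC HMI Comfort Panels": "eol",
}
FIXED_IN = (16, 0, 4)  # V16 Update 4, compared as (major, minor, update): an assumption

# Assumed formats: "V16 Update 3", "V15.1 Upd 2", "V17"
_VERSION = re.compile(r"^\s*V?(\d+)(?:\.(\d+))?(?:\s+(?:Update|Upd)\s*(\d+))?\s*$", re.I)

def parse_version(text):
    """'V15.1 Update 3' -> (15, 1, 3). Raises ValueError on anything else."""
    m = _VERSION.match(text)
    if not m:
        raise ValueError(f"unrecognized version string: {text!r}")
    return tuple(int(g or 0) for g in m.groups())

def triage(product, version):
    """Return (affected, action) for one inventory entry."""
    status = FIX_STATUS.get(product)
    if status is None:
        return (False, "not listed in this advisory")
    try:
        affected = parse_version(version) < FIXED_IN
    except ValueError:
        # Unreadable version: fail closed instead of silently passing the asset.
        return (True, "version unreadable: verify on the device, treat as affected")
    if not affected:
        return (False, "no action")
    if status == "fixed":
        return (True, "update to V16 Update 4 or later")
    return (True, f"no fix ({status}): restrict network access, disable VNC if unused")

# Constructed inventory rows: (asset name, product line, installed version).
INVENTORY = [
    ("line1-hmi", "SIMATIC HMI Comfort Panels", "V15.1 Update 3"),
    ("scada-rt", "SIMATIC WinCC Runtime Advanced", "V16 Update 3"),
    ("scada-rt2", "SIMATIC WinCC Runtime Advanced", "V16 Update 4"),
    ("handheld", "SIMATIC HMI KTP Mobile Panels", "sixteen"),
]

def report(rows=INVENTORY):
    return {name: triage(product, version) for name, product, version in rows}

if __name__ == "__main__":
    for name, (affected, action) in report().items():
        print(f"{name:10} affected={affected!s:5} {action}")
```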