
ICS/OT

Siemens Releases Patches to Prevent Remote Takeover of SIMATIC HMI Panels

Siemens has released patches for some of its SIMATIC human-machine interface (HMI) panels to address a high-severity vulnerability that can be exploited remotely to take full control of a device.

SIMATIC HMI panels are designed for operator control and monitoring of machines and plants.

Ta-Lun Yen, a researcher at TXOne Networks, an IIoT security-focused joint venture between Trend Micro and Moxa, discovered that these products are affected by a missing-authentication issue in the Telnet service. On affected devices that have Telnet enabled, the service does not require any authentication, allowing a remote attacker to gain full access to the device, Siemens said.

The German industrial giant said the vulnerability (CVE-2020-15798) impacts SIMATIC HMI Comfort Panels, including the SIPLUS variants designed for extreme conditions, and SIMATIC HMI KTP Mobile Panels. The fix ships in v16 Update 3a; all earlier versions are affected.

In addition to installing the available patches, organizations can disable Telnet on the panels to prevent attacks exploiting this vulnerability. Siemens pointed out that Telnet is not enabled by default on the impacted devices, so only panels where the service has been switched on are exposed; the setting should be verified on each deployed panel rather than assumed from the default.

TXOne’s Yen told SecurityWeek that he has not identified many devices that can be targeted from the internet, but noted that there may be some configurations that make them reachable over the intranet.
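The practical question for an asset owner reading the paragraphs above is which panels on the plant network actually answer on Telnet, and whether they hand over a prompt without asking for credentials. The script below is an added example, not Siemens' or TXOne's code: it connects to port 23, answers RFC 854 option negotiation by refusing every option (so the server stays in plain NVT mode and the banner arrives as text), and then classifies the banner. The classification rule (a "login:"/"password:" string means authentication is demanded; a bare shell-style prompt means it is not) is a heuristic assumption made for this example, as are the sample banners embedded for the self-test; it is not taken from the advisory and should be confirmed on a test bench before the result is trusted for a given firmware.

```python
"""Probe Telnet services and report whether they prompt for credentials.

Added example (not vendor code). Banner classification is a heuristic
assumption: a "login:"/"password:" string counts as an authentication
prompt, a trailing $ # > or ] counts as a shell prompt handed out without
authentication, anything else is reported as unknown.
"""
from __future__ import annotations

import re
import socket
import sys

# Telnet command bytes from RFC 854/855.
IAC, DONT, DO, WONT, WILL, SB, SE = 255, 254, 253, 252, 251, 250, 240

LOGIN_RE = re.compile(rb"(login|username|user name|password)\s*:", re.I)
PROMPT_CHARS = (b"$", b"#", b">", b"]")


def negotiate(data: bytes) -> tuple[bytes, bytes, bytes]:
    """Strip IAC sequences from a received chunk.

    Returns (plain_text, reply, leftover): `reply` refuses every option the
    peer offered (DO -> WONT, WILL -> DONT) and `leftover` is an IAC sequence
    that was cut off at the end of the chunk and must be prepended to the
    next recv() result.
    """
    text, reply, i = bytearray(), bytearray(), 0
    while i < len(data):
        b = data[i]
        if b != IAC:
            text.append(b)
            i += 1
            continue
        if i + 1 >= len(data):
            break                      # lone IAC at end of chunk
        cmd = data[i + 1]
        if cmd == IAC:                 # escaped 0xFF data byte
            text.append(IAC)
            i += 2
        elif cmd in (DO, DONT, WILL, WONT):
            if i + 2 >= len(data):
                break                  # option byte not yet received
            opt = data[i + 2]
            if cmd == DO:
                reply += bytes([IAC, WONT, opt])
            elif cmd == WILL:
                reply += bytes([IAC, DONT, opt])
            i += 3
        elif cmd == SB:                # skip subnegotiation up to IAC SE
            end = data.find(bytes([IAC, SE]), i + 2)
            if end < 0:
                break
            i = end + 2
        else:                          # other two-byte commands (NOP, GA, ...)
            i += 2
    return bytes(text), bytes(reply), bytes(data[i:])


def classify_banner(text: bytes) -> str:
    """Heuristic verdict: 'auth-prompt', 'no-auth-prompt' or 'unknown'."""
    if LOGIN_RE.search(text):
        return "auth-prompt"
    stripped = text.rstrip(b" \t\r\n")
    if stripped and stripped[-1:] in PROMPT_CHARS:
        return "no-auth-prompt"
    return "unknown"


def probe(host: str, port: int = 23, timeout: float = 3.0) -> tuple[str, bytes]:
    """Connect, handle option negotiation, read the banner and classify it."""
    text, pending = b"", b""
    with socket.create_connection((host, port), timeout=timeout) as s:
        s.settimeout(timeout)
        for _ in range(4):             # servers send the banner in bursts
            try:
                chunk = s.recv(4096)
            except socket.timeout:
                break
            if not chunk:
                break
            plain, reply, pending = negotiate(pending + chunk)
            text += plain
            if reply:
                s.sendall(reply)
            if classify_banner(text) != "unknown":
                break
    return classify_banner(text), text


# Constructed sample banners for an offline self-check (not captured from any device).
SAMPLES = {
    b"\xff\xfd\x18\xff\xfb\x01\r\nWelcome\r\nlogin: ": "auth-prompt",
    b"\xff\xfb\x03\r\n\\> ": "no-auth-prompt",
    b"\xff\xfa\x18\x01\xff\xf0": "unknown",
}


def self_check() -> bool:
    """Run the classifier over the constructed samples; True if all match."""
    return all(classify_banner(negotiate(raw)[0]) == want for raw, want in SAMPLES.items())


if __name__ == "__main__":
    if len(sys.argv) < 2:
        print("self-check:", "ok" if self_check() else "FAILED")
    for host in sys.argv[1:]:
        try:
            verdict, banner = probe(host)
        except OSError as exc:
            verdict, banner = f"error: {exc}", b""
        print(f"{host}\t{verdict}\t{banner[-40:]!r}")
```

Run it against the panel addresses from the asset inventory (`python telnet_check.py 10.0.1.20 10.0.1.21`, addresses hypothetical); any host reported as `no-auth-prompt` is reachable exactly the way the advisory describes, and `auth-prompt` hosts are worth a second look too, since Telnet still sends credentials in the clear. Refusing every option is deliberate: it keeps the probe from being drawn into terminal-type or window-size subnegotiation and means no keystrokes are ever sent to the device.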

According to the researcher, an attacker could exploit the vulnerability to use the HMI as a foothold in the targeted network — the devices run Windows CE and he says there is no endpoint protection available.

He also believes an attacker could use the compromised HMI device to reach other systems, such as sensors and PLCs, or to disable them by sending them “weird values.” An attacker could also display inaccurate information in the HMI to avoid raising suspicion while they conduct other malicious activities that could cause damage to an industrial organization.

Yen said the vulnerability can also be leveraged to brick a device and temporarily prevent the operator from interacting with factory processes. It’s also possible to abuse the HMI for cryptocurrency mining, but this scenario is unlikely as it’s economically unfeasible, the researcher noted.

The U.S. Cybersecurity and Infrastructure Security Agency (CISA) has also published an advisory to warn industrial organizations about the risk posed by this flaw. Trend Micro's Zero Day Initiative (ZDI), which along with CISA helped coordinate disclosure, is expected to publish its own advisory for this vulnerability in the coming period.

Related: Tens of Vulnerabilities in Siemens PLM Products Allow Code Execution

Related: Critical Vulnerabilities Expose Siemens LOGO! Controllers to Attacks

Related: Siemens, Schneider Electric Address Serious Vulnerabilities in ICS Products

Related: Open Source Tool Helps Secure Siemens PCS 7 Control Systems

Written By

Eduard Kovacs (@EduardKovacs) is a contributing editor at SecurityWeek. He worked as a high school IT teacher for two years before starting a career in journalism as Softpedia’s security news reporter. Eduard holds a bachelor’s degree in industrial informatics and a master’s degree in computer techniques applied in electrical engineering.
