CVE-2020-15798

Vulnerability

The vulnerability resides in the Telnet service of Siemens SIMATIC HMI Comfort Panels (including SIPLUS variants) and SIMATIC HMI KTP Mobile Panels (all versions before V16 Update 3a), as well as SINAMICS GH150, GL150 (with option X30), GM150 (with option X30), SH150, SL150, SM120, SM150, and SM150i drives (all versions) [1]. Affected devices with the Telnet service enabled do not require authentication, corresponding to CWE-306 (Missing Authentication for Critical Function). Telnet is disabled by default on HMI panels [1]; the exact default state on SINAMICS drives is not specified in the available references.

Exploitation

An attacker with network access to the affected device can exploit the missing authentication by simply connecting to the Telnet port (typically TCP/23) [1]. No authentication, user interaction, or prior privileges are required. The attack is remotely exploitable with low skill level [1]. The CVSS vector string indicates high attack complexity (AC:H) [1], which may imply network-level protections or other mitigations are expected to be in place, but the reference does not elaborate.

Impact

Successful exploitation grants the attacker full access to the device [1]. This results in compromise of confidentiality, integrity, and availability, as the attacker can read, modify, or disrupt device configuration and operations. The CVSS v3 base score is 8.1 (High) [1]. Critical infrastructure sectors such as Critical Manufacturing may be affected [1].

Mitigation

Siemens has released updates for the HMI panels: users should update to V16 Update 3a or later [1]. For SINAMICS drives listed, the advisory notes all versions are affected, and no fix is indicated as of the publication date [1]. As a workaround, disable Telnet on HMI panels if it is enabled [1]. Siemens also recommends protecting network access with appropriate mechanisms, such as firewalls and VPNs [1]. The vulnerability is not listed on CISA's Known Exploited Vulnerabilities (KEV) catalog as of this writing.