CVE-2020-7592

Vulnerability

Siemens SIMATIC HMI Basic Panels 1st and 2nd Generation (including SIPLUS variants), SIMATIC HMI Comfort Panels (including SIPLUS variants), SIMATIC HMI KTP700F Mobile Arctic, SIMATIC HMI Mobile Panels 2nd Generation, and SIMATIC WinCC Runtime Advanced in all versions transmit data between the configuration software and the device without encryption. This cleartext transmission of sensitive information (CWE-319) means that any plaintext communication—such as credentials, configuration data, or other secrets—can be intercepted over the network [1].

Exploitation

An attacker must have network access to the link between the engineering station (running the WinCC configuration software) and the affected HMI panel. The attack requires no authentication and can be performed remotely from the same local network segment (CVSS attack vector: Adjacent Network) with low skill. The attacker simply monitors the traffic using standard sniffing tools; no user interaction is needed on the target device side. If the engineering station and HMI are connected over a large or shared network, the opportunity for sniffing increases [1].

Impact

Successful exploitation leads to the disclosure of sensitive information transmitted in plaintext. The CVSS v3 vector indicates high confidentiality impact with no impact on integrity or availability. The attacker gains access to potentially critical data such as passwords, keys, or operational parameters, but does not obtain code execution or the ability to modify device behaviour [1].

Mitigation

Siemens has not released a firmware update that introduces encryption for this communication path. Users are advised to apply workarounds: avoid program transfer over large networks and connect the engineering station directly to the HMI without intermediate network devices. As a general security measure, Siemens recommends network segmentation and restricting physical access to affected systems [1].