VYPR
← All advisories
Unrated severityNVD Advisory· Published May 12, 2021· Updated Aug 3, 2024

CVE-2021-27386

CVE-2021-27386

Description

A vulnerability has been identified in SIMATIC HMI Comfort Outdoor Panels V15 7\" & 15\" (incl. SIPLUS variants) (All versions < V15.1 Update 6), SIMATIC HMI Comfort Outdoor Panels V16 7\" & 15\" (incl. SIPLUS variants) (All versions < V16 Update 4), SIMATIC HMI Comfort Panels V15 4\" - 22\" (incl. SIPLUS variants) (All versions < V15.1 Update 6), SIMATIC HMI Comfort Panels V16 4\" - 22\" (incl. SIPLUS variants) (All versions < V16 Update 4), SIMATIC HMI KTP Mobile Panels V15 KTP400F, KTP700, KTP700F, KTP900 and KTP900F (All versions < V15.1 Update 6), SIMATIC HMI KTP Mobile Panels V16 KTP400F, KTP700, KTP700F, KTP900 and KTP900F (All versions < V16 Update 4), SIMATIC WinCC Runtime Advanced V15 (All versions < V15.1 Update 6), SIMATIC WinCC Runtime Advanced V16 (All versions < V16 Update 4), SINAMICS GH150 (All versions), SINAMICS GL150 (with option X30) (All versions), SINAMICS GM150 (with option X30) (All versions), SINAMICS SH150 (All versions), SINAMICS SL150 (All versions), SINAMICS SM120 (All versions), SINAMICS SM150 (All versions), SINAMICS SM150i (All versions). SmartVNC has a heap allocation leak vulnerability in the device layout handler on client side, which could result in a Denial-of-Service condition.

AI Insight

LLM-synthesized narrative grounded in this CVE's description and references.

SmartVNC heap allocation leak vulnerability in Siemens SIMATIC HMIs and WinCC Runtime Advanced could allow remote denial-of-service.

Vulnerability

The vulnerability is a heap allocation leak in the device layout handler on the client side of SmartVNC, affecting multiple Siemens SIMATIC HMI panels and WinCC Runtime Advanced products. Affected versions include SIMATIC HMI Comfort Outdoor Panels V15 (all versions < V15.1 Update 6), Comfort Panels V15 (all versions < V15.1 Update 6), KTP Mobile Panels V15 (all versions < V15.1 Update 6), WinCC Runtime Advanced V15 (all versions < V15.1 Update 6), and their V16 counterparts (all versions < V16 Update 4). [1]

Exploitation

An attacker can exploit this vulnerability remotely by sending specially crafted data from the client to the server. No authentication is required. The attack triggers a heap allocation leak, leading to excessive memory consumption and ultimately a denial-of-service condition. [1]

Impact

Successful exploitation results in a denial-of-service condition. The CVSS v3 base score is 9.8 (Critical), indicating the potential for significant disruption without the need for authentication or user interaction. [1]

Mitigation

Siemens has released fixes: update to V15.1 Update 6 for V15-based products and V16 Update 4 for V16-based products. No workarounds are available. Users are advised to apply the updates as soon as possible. [1]

References
  1. Siemens SIMATIC SmartVNC HMI WinCC Products (Update B) | CISA

AI Insight generated on May 27, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.

Affected products

18

Patches

0

No patches discovered yet.

Vulnerability mechanics

AI mechanics synthesis has not run for this CVE yet.

References

3

News mentions

0

No linked articles in our index yet.