Siemens SIMATIC HMI Unified Comfort Panels Control Panel Escape Vulnerability

Vulnerability

A vulnerability exists in Siemens SIMATIC HMI Unified Comfort Panels, in both the Hygienic and Standard families, in versions prior to 21.0. Affected devices do not adequately restrict access to the web browser through the Control Panel when no appropriate security measures are implemented. An unauthenticated attacker could therefore access the web browser, potentially leading to the discovery of backdoors, unauthorized actions, or exploitation of misconfigurations that could further compromise the system.

Impact

Exploitation of this vulnerability could allow unauthorized access to the web browser via the Control Panel, potentially leading to the discovery and exploitation of backdoors, unauthorized actions, or misconfigurations that could compromise the system.

Remediation

Siemens has released new versions for the affected products and recommends updating to the latest versions. Specific product remediations or mitigations can be found in the Siemens Security Advisory SSA-387223. General security recommendations include protecting network access to devices with appropriate mechanisms and following Siemens' operational guidelines for Industrial Security.

Added: May 12, 2026, 10:28 AM
Updated: May 12, 2026, 10:28 AM

Vulnerability Rating

Custom Algorithm
spread: 4.5
impact: 1.3
exploitability: 2.9
remediation: 8.3
relevance: 8.1
threat: 0.0
urgency: 2.9
incentive: 0.0

Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.