CVE-2020-15798

9.8 CRITICAL

📋 TL;DR

This vulnerability lets a remote attacker gain full access to affected Siemens industrial control devices without any authentication whenever the telnet service is enabled: the service accepts the connection and hands out access without asking for credentials. It affects multiple SIMATIC HMI panels and SINAMICS drive controllers, and a successful connection means complete compromise of the device.

💻 Affected Systems

Products:
  • SIMATIC HMI Comfort Panels
  • SIMATIC HMI KTP Mobile Panels
  • SINAMICS GH150
  • SINAMICS GL150 (with option X30)
  • SINAMICS GM150 (with option X30)
  • SINAMICS SH150
  • SINAMICS SL150
  • SINAMICS SM120
  • SINAMICS SM150
  • SINAMICS SM150i
Versions: All versions before V16 Update 3a for HMI panels; all versions for SINAMICS devices
Operating Systems: Embedded industrial OS
Default Config Vulnerable: ⚠️ Conditional - only when the telnet service is enabled
Notes: The missing authentication is only reachable while the telnet service is running; with the service disabled there is nothing to connect to. SIPLUS variants of the HMI panels are also affected.

📦 What is this software?

SIMATIC HMI Comfort Panels and KTP Mobile Panels are Siemens operator panels (touch and key HMI devices) used to visualise and operate machines and plants; they are engineered with Siemens' WinCC software in TIA Portal. The SINAMICS products listed are Siemens drive systems (converters) that control motors in industrial applications. Both product lines sit directly on the plant network next to PLCs and other control equipment, which is why an unauthenticated shell on them is so damaging.

⚠️ Risk & Real-World Impact

🔴

Worst Case

Complete device takeover allowing attackers to modify configurations, disrupt industrial processes, install malware, or use devices as footholds into industrial networks.

🟠

Likely Case

Unauthorized access leading to configuration changes, data theft, or disruption of industrial operations.

🟢

If Mitigated

Limited impact if telnet is disabled and devices are properly segmented with network controls.

🌐 Internet-Facing: HIGH - Direct internet exposure with unauthenticated telnet access allows trivial remote exploitation.
🏢 Internal Only: HIGH - Even internally, unauthenticated telnet access allows easy lateral movement within industrial networks.

🎯 Exploit Status

Public PoC: ❌ No
Weaponized: LIKELY
Unauthenticated Exploit: ⚠️ Yes
Complexity: LOW

Simple telnet connection without credentials provides full access. No special tools or techniques required.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: V16 Update 3a for HMI panels; no fixed version is listed for the SINAMICS devices (all versions affected), so they must be mitigated by disabling the telnet service

Vendor Advisory: https://cert-portal.siemens.com/productcert/pdf/ssa-520004.pdf

Restart Required: Yes

Instructions:

1. For HMI panels: Update to V16 Update 3a or later.
2. For SINAMICS devices: Disable the telnet service via configuration.
3. Apply patches during maintenance windows.
4. Verify the service is disabled after patching.

🔧 Temporary Workarounds

Disable Telnet Service

Applies to: all affected products

Disable the telnet service on affected devices so that nothing listens on 23/tcp; with the service off, the missing authentication cannot be reached.

Configuration via device web interface or engineering software (TIA Portal)

Network Segmentation

Applies to: all affected products

Isolate affected devices in separate VLANs with strict firewall rules blocking telnet (23/tcp) towards them.

Firewall rule (Cisco IOS ACL syntax): deny tcp any any eq 23

🧯 If You Can't Patch

  • Disable telnet service immediately via device configuration
  • Implement strict network segmentation with firewall rules blocking port 23/tcp
  • Monitor network traffic for telnet connections to affected devices
  • Consider physical isolation of critical devices

🔍 How to Verify

Check if Vulnerable:

Attempt a telnet connection to port 23 on the device without supplying credentials. If the connection is accepted and you land in a command shell without being asked for a login or password, the device is vulnerable. A refused or filtered connection means the service is disabled or blocked; a login prompt means authentication is being enforced.

Check Version:

Check via device web interface or TIA Portal engineering software

Verify Fix Applied:

1. Check that the device version is V16 Update 3a or later for HMI panels.
2. Verify the telnet service is disabled via device configuration.
3. Attempt a telnet connection - it should fail or require authentication.
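The manual check above (connect to 23/tcp and see whether a shell appears) as a repeatable script. This is an added example for this page, not Siemens tooling: it sends no credentials or commands, only refuses telnet option negotiation and classifies whatever the service prints first. The target address is a placeholder, the banners returned by the built-in loopback server are constructed so the block runs offline, and the prompt heuristics (login/password markers, `$ # >` prompt tails) are assumptions rather than device-specific strings.

```python
"""Classify what a telnet service hands out before any credentials are sent.
Added example for this advisory page, not Siemens tooling. The target address
is a placeholder; the banners used by the self-test server are constructed."""
import socket
import sys
import threading

IAC, DONT, DO, WONT, WILL = 255, 254, 253, 252, 251     # RFC 854 command bytes
LOGIN_MARKERS = (b"login:", b"username:", b"password:", b"user:")
PROMPT_ENDINGS = (b"$", b"#", b">")                     # typical shell prompt tails


def strip_iac(data: bytes) -> tuple[bytes, bytes]:
    """Split telnet option negotiation from printable output.
    Returns (text, replies); `replies` refuses every offered option
    (DO -> WONT, WILL -> DONT) so the peer moves on to its prompt."""
    text, replies, i = bytearray(), bytearray(), 0
    while i < len(data):
        if data[i] != IAC or i + 1 >= len(data):
            text.append(data[i])
            i += 1
        elif data[i + 1] in (DO, DONT, WILL, WONT) and i + 2 < len(data):
            cmd, opt = data[i + 1], data[i + 2]
            if cmd == DO:
                replies += bytes([IAC, WONT, opt])
            elif cmd == WILL:
                replies += bytes([IAC, DONT, opt])
            i += 3
        else:
            i += 2                                      # e.g. IAC NOP, IAC GA
    return bytes(text), bytes(replies)


def classify_banner(text: bytes) -> str:
    """'login-prompt' = credentials requested (expected after the fix);
    'unauthenticated-shell' = command prompt with no challenge; else 'unknown'."""
    low = text.lower().rstrip()
    if any(m in low for m in LOGIN_MARKERS):
        return "login-prompt"
    if low.endswith(PROMPT_ENDINGS):
        return "unauthenticated-shell"
    return "unknown"


def probe_telnet(host: str, port: int = 23, timeout: float = 3.0) -> dict:
    """Connect, refuse negotiation, read the banner and classify it.
    Nothing is typed into the session. A refused or filtered port is the
    mitigated state (telnet disabled or blocked)."""
    collected = b""
    try:
        with socket.create_connection((host, port), timeout=timeout) as s:
            s.settimeout(timeout)
            for _ in range(4):                          # a few read rounds suffice
                try:
                    chunk = s.recv(4096)
                except socket.timeout:
                    break
                if not chunk:
                    break
                text, replies = strip_iac(chunk)
                if replies:
                    s.sendall(replies)
                collected += text
                if classify_banner(collected) != "unknown":
                    break
    except OSError as exc:                              # refused, unreachable, timeout
        return {"host": host, "port": port, "state": "closed-or-filtered",
                "vulnerable": False, "detail": str(exc)}
    verdict = classify_banner(collected)
    return {"host": host, "port": port, "state": verdict,
            "vulnerable": verdict == "unauthenticated-shell",
            "banner": collected.decode("latin-1", "replace").strip()}


def serve_once(banner: bytes) -> int:
    """Throwaway loopback server for offline testing: offers DO ECHO, waits for
    the probe's refusal, sends the constructed banner, closes. Returns its port."""
    srv = socket.socket()
    srv.bind(("127.0.0.1", 0))
    srv.listen(1)

    def handle():
        conn, _ = srv.accept()
        with conn:
            conn.sendall(bytes([IAC, DO, 1]))           # IAC DO ECHO
            conn.recv(64)                               # IAC WONT ECHO from the probe
            conn.sendall(banner)
        srv.close()

    threading.Thread(target=handle, daemon=True).start()
    return srv.getsockname()[1]


if __name__ == "__main__":
    port = serve_once(b"\r\nSIMATIC HMI Panel\r\n# ")  # constructed shell banner
    print(probe_telnet("127.0.0.1", port))              # vulnerable: True
    if len(sys.argv) > 1:                               # e.g. 192.0.2.10 (placeholder)
        print(probe_telnet(sys.argv[1]))
```

Run it with a device address as the first argument during a maintenance window. "closed-or-filtered" is what you want to see once the service is disabled or the firewall rule is in place, "login-prompt" means authentication is being enforced, and "unauthenticated-shell" means the workaround has not taken effect. Treat "unknown" as a reason to read the raw banner, not as a pass.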

📡 Detection & Monitoring

Log Indicators:

  • Successful telnet connections without authentication
  • Configuration changes from unknown sources
  • Unusual process execution

Network Indicators:

  • Telnet traffic (port 23) to industrial devices
  • Unusual outbound connections from industrial devices

SIEM Query:

(source_port=23 OR destination_port=23) AND (device_type="industrial" OR device_vendor="siemens")

The parentheses around the port test matter: AND binds before OR, so without them the query becomes source_port=23 OR (destination_port=23 AND ...) and returns every event with source port 23 from any device. Flow and firewall logs cannot show whether a login was demanded; once telnet is disabled on these devices, any hit at all is an exception to investigate.
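The network indicators above expressed as detection logic over Zeek-style conn.log records in JSON-lines form, so the rules can be exercised before they go into a SIEM. This is an added example for this page, not Siemens or Zeek code; the five log records, the 10.20.30.0/24 asset range and the engineering-host allowlist are constructed placeholders standing in for a real asset inventory.

```python
"""Flag telnet sessions to plant-floor devices in Zeek-style conn.log JSON.
Added example for this page, not a Siemens or Zeek deliverable. The records,
the asset ranges and the engineering-host allowlist are all constructed."""
import ipaddress
import json
from typing import Optional

# Constructed inventory: where the SIMATIC HMI / SINAMICS units live, and the one
# engineering workstation whose telnet use is tolerated until the service is off.
ICS_ASSETS = [ipaddress.ip_network("10.20.30.0/24")]
ENGINEERING_HOSTS = {"10.20.1.5"}
TELNET_PORT = 23
# Zeek conn_state values meaning the TCP handshake completed (a real session).
ESTABLISHED = {"SF", "S1", "S2", "S3", "RSTO", "RSTR"}

# Constructed sample records in Zeek conn.log JSON layout.
SAMPLE_CONN_LOG = """\
{"ts": 1600000000.1, "uid": "C1", "id.orig_h": "10.20.1.5",   "id.orig_p": 50122, "id.resp_h": "10.20.30.17", "id.resp_p": 23,   "proto": "tcp", "conn_state": "SF",  "orig_bytes": 412,  "resp_bytes": 2380}
{"ts": 1600000012.4, "uid": "C2", "id.orig_h": "10.20.40.9",  "id.orig_p": 41002, "id.resp_h": "10.20.30.17", "id.resp_p": 23,   "proto": "tcp", "conn_state": "SF",  "orig_bytes": 1290, "resp_bytes": 18832}
{"ts": 1600000020.0, "uid": "C3", "id.orig_h": "10.20.40.9",  "id.orig_p": 41003, "id.resp_h": "10.20.30.18", "id.resp_p": 23,   "proto": "tcp", "conn_state": "REJ", "orig_bytes": 0,    "resp_bytes": 0}
{"ts": 1600000031.7, "uid": "C4", "id.orig_h": "10.20.40.9",  "id.orig_p": 41004, "id.resp_h": "10.20.30.19", "id.resp_p": 102,  "proto": "tcp", "conn_state": "SF",  "orig_bytes": 300,  "resp_bytes": 900}
{"ts": 1600000040.2, "uid": "C5", "id.orig_h": "10.20.30.17", "id.orig_p": 50000, "id.resp_h": "10.20.40.9",  "id.resp_p": 4444, "proto": "tcp", "conn_state": "S1",  "orig_bytes": 50,   "resp_bytes": 0}
"""


def is_ics(ip: str) -> bool:
    """True if the address belongs to one of the inventoried ICS ranges."""
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in ICS_ASSETS)


def evaluate(rec: dict) -> Optional[dict]:
    """Apply the advisory's two network indicators to one conn record."""
    orig, resp, dport = rec["id.orig_h"], rec["id.resp_h"], rec["id.resp_p"]
    state = rec["conn_state"]
    base = {"uid": rec["uid"], "ts": rec["ts"], "src": orig, "dst": f"{resp}:{dport}"}

    # Indicator 1: telnet towards an HMI or drive. A completed session from an
    # unexpected source is the worst case; REJ/S0 against port 23 shows someone
    # sweeping for devices that still have the service enabled.
    if dport == TELNET_PORT and is_ics(resp):
        if state in ESTABLISHED:
            sev = "low" if orig in ENGINEERING_HOSTS else "high"
            return {**base, "rule": "telnet-session", "severity": sev,
                    "note": "telnet to ICS device; service should be disabled"}
        return {**base, "rule": "telnet-probe", "severity": "medium",
                "note": f"telnet attempt to ICS device, conn_state={state}"}

    # Indicator 2: an HMI or drive initiating connections away from the plant
    # network, which these devices normally never do.
    if is_ics(orig) and not is_ics(resp) and resp not in ENGINEERING_HOSTS:
        return {**base, "rule": "ics-outbound", "severity": "high",
                "note": "ICS device initiated connection to non-ICS host"}
    return None


def detect(conn_log_jsonl: str) -> list:
    """Parse JSON-lines conn.log text and return the alerts it raises."""
    alerts = []
    for line in conn_log_jsonl.splitlines():
        if not line.strip():
            continue
        alert = evaluate(json.loads(line))
        if alert:
            alerts.append(alert)
    return alerts


if __name__ == "__main__":
    for a in detect(SAMPLE_CONN_LOG):
        print(f"[{a['severity']:6}] {a['rule']:15} {a['uid']} {a['src']} -> {a['dst']}  {a['note']}")
```

On the sample data the engineering workstation's session (C1) is reported at low severity, the session from an unexpected host (C2) and the HMI's own outbound connection (C5) at high, the rejected attempt (C3) as a probe, and the S7 traffic on port 102 (C4) is ignored. Once telnet is disabled everywhere, drop the allowlist so every telnet hit is high.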

🔗 References

  • Siemens ProductCERT advisory SSA-520004: https://cert-portal.siemens.com/productcert/pdf/ssa-520004.pdf