CVE-2021-25661

7.5 HIGH

📋 TL;DR

This vulnerability in Siemens SIMATIC HMI panels and WinCC Runtime Advanced involves an out-of-bounds memory access in SmartVNC that could be triggered by malicious data from the server. It affects industrial control system operators using vulnerable versions of Siemens HMI panels and WinCC software, potentially causing denial-of-service conditions.

💻 Affected Systems

Products:
  • SIMATIC HMI Comfort Outdoor Panels V15 7" & 15"
  • SIMATIC HMI Comfort Outdoor Panels V16 7" & 15"
  • SIMATIC HMI Comfort Panels V15 4" - 22"
  • SIMATIC HMI Comfort Panels V16 4" - 22"
  • SIMATIC HMI KTP Mobile Panels V15 KTP400F, KTP700, KTP700F, KTP900, KTP900F
  • SIMATIC HMI KTP Mobile Panels V16 KTP400F, KTP700, KTP700F, KTP900, KTP900F
  • SIMATIC WinCC Runtime Advanced V15
  • SIMATIC WinCC Runtime Advanced V16
Versions: All versions before V15.1 Update 6 for V15 products, all versions before V16 Update 4 for V16 products
Operating Systems: Siemens proprietary HMI OS
Default Config Vulnerable: ⚠️ Yes
Notes: Includes SIPLUS variants; vulnerability is in SmartVNC component used for remote visualization.

📦 What is this software?

⚠️ Risk & Real-World Impact

🔴

Worst Case

Complete system crash or reboot of HMI panels causing operational disruption in industrial environments, potentially affecting process control and safety systems.

🟠

Likely Case

Denial-of-service affecting specific HMI panels, requiring manual restart and causing temporary loss of operator visibility/control.

🟢

If Mitigated

Minimal impact if systems are isolated from untrusted networks and proper segmentation is in place.

🌐 Internet-Facing: MEDIUM - While industrial systems shouldn't be internet-facing, misconfigurations could expose them; exploitation requires network access to VNC service.
🏢 Internal Only: HIGH - Industrial networks often have flat architectures; once inside, attackers could exploit this to disrupt operations.

🎯 Exploit Status

Public PoC: ✅ No
Weaponized: UNKNOWN
Unauthenticated Exploit: ⚠️ Yes
Complexity: LOW

Vulnerability can be triggered by sending malicious data from server to client; no authentication required to exploit if network access is available.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: V15.1 Update 6 for V15 products, V16 Update 4 for V16 products

Vendor Advisory: https://cert-portal.siemens.com/productcert/pdf/ssa-538778.pdf

Restart Required: Yes

Instructions:

1. Download the appropriate update from Siemens Industrial Online Support.
2. Back up the current configuration.
3. Apply the update following Siemens update procedures.
4. Restart affected devices.
5. Verify the update installation.

🔧 Temporary Workarounds

Network segmentation

all

Isolate HMI panels and WinCC systems in separate network zones with strict firewall rules limiting access to VNC ports.

Disable unnecessary services

all

Disable SmartVNC/remote access if not required for operations.

🧯 If You Can't Patch

  • Implement strict network access controls to limit connections to HMI panels only from trusted sources
  • Monitor for abnormal connection attempts to VNC ports and system crashes/reboots

🔍 How to Verify

Check if Vulnerable:

Check device firmware version in HMI panel settings or WinCC Runtime Advanced about dialog.

Check Version:

Check via Siemens TIA Portal or device web interface; no universal command available.

Verify Fix Applied:

Confirm version is V15.1 Update 6 or higher for V15 products, or V16 Update 4 or higher for V16 products.
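Because the fixed release differs per product family (V15 products need V15.1 Update 6, V16 products need V16 Update 4), a naive string comparison gets the check wrong for versions such as "V15 Update 9". The following is an added example, not code from the page or from Siemens: it parses the version string format used in this summary and classifies each asset against the two thresholds stated above. The hostnames and versions in the sample inventory are constructed, and the version-string format is assumed to follow the "V15.1 Update 6" / "V16 Update 4" shape used on this page.

```python
import re
from typing import Optional, Tuple

# First fixed release per product family, as stated in the advisory summary above.
# Represented as (major, minor, update); "V16 Update 4" has no minor component, so minor is 0.
FIXED_VERSIONS = {
    15: (15, 1, 6),   # V15 products: fixed in V15.1 Update 6
    16: (16, 0, 4),   # V16 products: fixed in V16 Update 4
}

# Assumed version-string format: "V<major>[.<minor>] [Update <n>]".
_VERSION_RE = re.compile(
    r"^\s*V(?P<major>\d+)(?:\.(?P<minor>\d+))?(?:\s+Update\s+(?P<update>\d+))?\s*$",
    re.IGNORECASE,
)


def parse_version(text: str) -> Optional[Tuple[int, int, int]]:
    """Parse 'V15.1 Update 6' or 'V16 Update 4' into (major, minor, update).

    Missing components are treated as 0, so 'V15.1' becomes (15, 1, 0) and is
    conservatively rated as older than any 'V15.1 Update n'."""
    m = _VERSION_RE.match(text)
    if not m:
        return None
    return (
        int(m.group("major")),
        int(m.group("minor") or 0),
        int(m.group("update") or 0),
    )


def assess(version_text: str) -> str:
    """Classify a reported firmware/runtime version against the advisory thresholds.

    Returns 'vulnerable', 'fixed', 'not-listed' (a family this CVE does not cover,
    e.g. V17) or 'unparseable' (string does not match the expected format)."""
    parsed = parse_version(version_text)
    if parsed is None:
        return "unparseable"
    fixed = FIXED_VERSIONS.get(parsed[0])
    if fixed is None:
        return "not-listed"
    # Tuple comparison orders by major, then minor, then update number.
    return "fixed" if parsed >= fixed else "vulnerable"


def assess_inventory(inventory):
    """Apply assess() to (asset_name, version) pairs; returns {asset_name: status}."""
    return {name: assess(version) for name, version in inventory}


if __name__ == "__main__":
    # Constructed sample inventory (hostnames and versions are made up for illustration).
    sample = [
        ("panel-line1", "V15.1 Update 5"),
        ("panel-line2", "V15.1 Update 6"),
        ("panel-line3", "V15 Update 9"),
        ("wincc-ra-01", "V16 Update 3"),
        ("wincc-ra-02", "V16 Update 4"),
        ("panel-new", "V17 Update 1"),
        ("panel-odd", "firmware 1.2.3"),
    ]
    for name, status in assess_inventory(sample).items():
        print(f"{name:12s} {status}")
```

Feed it the versions collected from TIA Portal or the panels' own settings dialogs; anything reported as "unparseable" or "not-listed" should be checked by hand rather than assumed safe.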

📡 Detection & Monitoring

Log Indicators:

  • Unexpected HMI panel reboots
  • VNC connection errors
  • System crash logs

Network Indicators:

  • Unusual VNC traffic patterns
  • Connection attempts to VNC ports from unauthorized sources

SIEM Query:

(source="hmi_panels" AND (event_type="crash" OR event_type="reboot")) OR (dest_port=5900 AND protocol="VNC")
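The query above flags crashes, reboots and VNC traffic independently; the stronger signal for this CVE is a panel crash or reboot that follows shortly after a VNC connection from a source that is not an approved engineering station. The following is an added example, not code from the page or from Siemens: it correlates constructed firewall and HMI log lines over a short lookback window. The log format, the host-to-IP table and the allowlist are all assumed for illustration.

```python
import re
from datetime import datetime, timedelta, timezone
from typing import Dict, List

# Constructed log lines (timestamps, hostnames and IPs are made up for illustration).
SAMPLE_LOGS = """\
2021-03-09T10:00:01Z fw conn src=10.1.5.20 dst=10.2.0.11 dport=5900 proto=tcp action=allow
2021-03-09T10:00:03Z hmi host=panel-line1 event=heartbeat
2021-03-09T10:01:40Z fw conn src=192.0.2.77 dst=10.2.0.12 dport=5900 proto=tcp action=allow
2021-03-09T10:01:55Z hmi host=panel-line2 event=crash component=SmartVNC
2021-03-09T10:02:10Z hmi host=panel-line2 event=reboot reason=watchdog
2021-03-09T10:30:00Z hmi host=panel-line1 event=reboot reason=operator
"""

# Constructed asset table and allowlist of stations permitted to open VNC sessions to panels.
HOST_TO_IP = {"panel-line1": "10.2.0.11", "panel-line2": "10.2.0.12"}
ALLOWED_VNC_SOURCES = {"10.1.5.20"}
VNC_PORTS = {5900}
LOOKBACK = timedelta(seconds=120)

_KV_RE = re.compile(r"(\w+)=(\S+)")


def parse_line(line: str) -> Dict[str, object]:
    """Split one log line into timestamp, source tag ('fw' or 'hmi') and key=value fields."""
    ts_text, source, rest = line.split(" ", 2)
    ts = datetime.strptime(ts_text, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)
    fields: Dict[str, object] = dict(_KV_RE.findall(rest))
    fields["_source"] = source
    fields["_ts"] = ts
    return fields


def correlate(log_text: str, host_to_ip=HOST_TO_IP, allowed=ALLOWED_VNC_SOURCES,
              lookback: timedelta = LOOKBACK) -> List[Dict[str, object]]:
    """Return alerts for (a) VNC connections from outside the allowlist and (b) HMI crash or
    reboot events preceded within `lookback` by such a connection to that panel's IP."""
    events = [parse_line(l) for l in log_text.splitlines() if l.strip()]
    vnc_conns = [
        e for e in events
        if e["_source"] == "fw" and str(e.get("dport", "")).isdigit()
        and int(str(e["dport"])) in VNC_PORTS
    ]
    alerts: List[Dict[str, object]] = []

    # Standalone alert: any VNC session from a source that is not an approved station.
    for c in vnc_conns:
        if c["src"] not in allowed:
            alerts.append({"type": "unexpected_vnc_source", "src": c["src"],
                           "dst": c["dst"], "ts": c["_ts"]})

    # Correlated alert: crash/reboot shortly after an unexpected VNC connection to that panel.
    for e in events:
        if e["_source"] != "hmi" or e.get("event") not in ("crash", "reboot"):
            continue
        panel_ip = host_to_ip.get(str(e["host"]))
        suspects = [
            c for c in vnc_conns
            if c["dst"] == panel_ip and c["src"] not in allowed
            and timedelta(0) <= e["_ts"] - c["_ts"] <= lookback
        ]
        if suspects:
            alerts.append({"type": "vnc_then_" + str(e["event"]), "host": e["host"],
                           "src": suspects[-1]["src"], "ts": e["_ts"]})
    return alerts


if __name__ == "__main__":
    for alert in correlate(SAMPLE_LOGS):
        print(alert)
```

On the sample data the operator-initiated reboot of panel-line1 is not flagged, because the only VNC session to it came from an allowlisted station, whereas panel-line2's crash and watchdog reboot are both tied back to the connection from 192.0.2.77.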

🔗 References
