CVE-2020-15786
published 2020-09-09CVE-2020-15786: A vulnerability has been identified in SIMATIC HMI Basic Panels 2nd Generation (incl. SIPLUS variants) (All versions < V16), SIMATIC HMI Comfort Panels (incl…
PriorityP260critical9.8CVSS 3.1
AVNACLPRNUINSUCHIHAH
EPSS
1.48%
70.6th percentile
A vulnerability has been identified in SIMATIC HMI Basic Panels 2nd Generation (incl. SIPLUS variants) (All versions < V16), SIMATIC HMI Comfort Panels (incl. SIPLUS variants) (All versions <= V16), SIMATIC HMI Mobile Panels (All versions <= V16), SIMATIC HMI Unified Comfort Panels (All versions <= V16). Affected devices insufficiently block excessive authentication attempts. This could allow a remote attacker to discover user passwords and obtain access to the Sm@rt Server via a brute-force attack.
Affected
5 ranges
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| siemens | simatic_hmi_basic_panels_2nd_generation | — | — |
| siemens | simatic_hmi_basic_panels_2nd_generation_firmware | <= 14 | — |
| siemens | simatic_hmi_comfort_panels | — | — |
| siemens | simatic_hmi_mobile_panels | — | — |
| siemens | simatic_hmi_unified_comfort_panels | — | — |
Detection & IOCsextracted from sources · hover to see the quote
- →Detect brute-force authentication attempts against Siemens Sm@rtServer (VNC-based remote access) on SIMATIC HMI devices; the vulnerability allows unlimited password guess attempts with minimal effect on guess rate due to insufficient blocking of excessive authentication attempts. ↗
- →Monitor for high-volume repeated authentication attempts targeting Siemens SM@rtServer / VNC service on SIMATIC HMI panels; attacker strategy evades brute-force protection mechanism allowing unlimited password guess attempts. ↗
- →Alert on remote unauthenticated access attempts to Siemens Sm@rtServer / VNC interface exposed on SIMATIC HMI devices; exploitation requires no privileges and no user interaction (CVSS AV:N/AC:L/PR:N/UI:N). ↗
- ·CVE-2020-15786 affects SIMATIC HMI Basic Panels 2nd Generation (all versions prior to V16), SIMATIC HMI Comfort Panels (all versions up to and including V16), SIMATIC HMI Mobile Panels (all versions up to and including V16), and SIMATIC HMI Unified Comfort Panels (all versions up to and including V16). Patched versions are V16 Update 3 for all affected product lines. ↗
- ·The SM@rtServer feature must be activated on the HMI for the attack surface to exist; remote access is provided either through Siemens' own Sm@rtClient application or through third-party VNC client software. ↗
- ·No known public exploits specifically target these vulnerabilities at time of advisory publication. ↗
CVSS provenance
nvdv3.19.8CRITICALCVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
nvdv2.05.0MEDIUMAV:N/AC:L/Au:N/C:P/I:N/A:N
Stop checking back — get the weekly exploitation signal.
Every Monday: what got weaponized or added to CISA KEV in the last seven days — each CVE cross-linked to its PoC, Nuclei template, and detection rule. Free, one email a week, unsubscribe in one click.
VulDB
Siemens SIMATIC HMI Basic Panel Brute Force excessive authentication
vuldb·2026-06-03·CVSS 9.8
CVE-2020-15786 [CRITICAL] Siemens SIMATIC HMI Basic Panel Brute Force excessive authentication
A vulnerability was found in Siemens SIMATIC HMI Basic Panel, SIMATIC HMI Comfort Panel, SIMATIC HMI Mobile Panel and SIMATIC HMI Mobile Panel. It has been declared as problematic. This vulnerability affects unknown code. The manipulation results in improper restriction of excessive authentication attempts (Brute Force).
This vulnerability is identified as CVE-2020-15786. The attack can be executed remotely. There is not any exploit available.
GHSA
GHSA-9hp3-3v8x-gvhx: A vulnerability has been identified in SIMATIC HMI Basic Panels 2nd Generation (incl
ghsa_unreviewed·2022-05-24
CVE-2020-15786 [HIGH] CWE-307 GHSA-9hp3-3v8x-gvhx: A vulnerability has been identified in SIMATIC HMI Basic Panels 2nd Generation (incl
A vulnerability has been identified in SIMATIC HMI Basic Panels 2nd Generation (incl. SIPLUS variants) (All versions >= 14 and V < XX), SIMATIC HMI Comfort Panels (incl. SIPLUS variants) (All versions), SIMATIC HMI Mobile Panels (All versions), SIMATIC HMI United Comfort Panels (All versions). Affected devices insufficiently block excessive authentication attempts. This could allow a remote attacker to discover user passwords and obtain access to the Sm@rt Server via a brute-force attack.
CISA ICS
Siemens SIMATIC HMI Products (Update A)
cisa_ics·2020-09-08·CVSS 9.8
[CRITICAL] Siemens SIMATIC HMI Products (Update A)
## Archived Content In an effort to keep CISA.gov current, the archive contains outdated information that may not reflect current policy or programs.
ICS Advisory
##
Siemens SIMATIC HMI Products (Update A)
Last RevisedJune 08, 2021
Alert CodeICSA-20-252-06
## 1. EXECUTIVE SUMMARY
- CVSS v3 6.5
- ATTENTION: Exploitable remotely/low attack complexity
- Vendor: Siemens
- Equipment: SIMATIC HMI
- Vulnerabilities: Improper Restriction of Excessive Authentication Attempts, Authentication Bypass by Primary Weakness
## 2. UPDATE INFORMATION
This updated advisory is a follow-up to the original advisory titled ICSA-20-252-06 Siemens SIMATIC HMI Products that was published September 8, 2020, to the ICS webpage on us-cert.cisa.gov.
## 3. RISK EVA
No detection rules found.
No public exploits indexed.
arXiv
Technical Report: Gone in 20 Seconds -- Overview of a Password Vulnerability in Siemens HMIs
arxiv_cs_cr·2020-09-08·CVSS 9.8
[CRITICAL] Technical Report: Gone in 20 Seconds -- Overview of a Password Vulnerability in Siemens HMIs
Technical Report: Gone in 20 Seconds -- Overview of a Password Vulnerability in Siemens HMIs
Siemens produce a range of industrial human machine interface (HMI) screens which allow operators to both view information about and control physical processes. For scenarios where an operator cannot physically access the screen, Siemens provide the SM@rtServer features on HMIs, which when activated provides remote access either through their own Sm@rtClient application, or through third party VNC client software. Through analysing this server, we discovered a lack of protection against brute-force password attacks on basic devices. On advanced devices which include a brute-force protection mechanism, we discovered an attacker strategy that is able to evade the mechanism allowing for unlimited pas
arXiv
Technical Report: Gone in 20 Seconds -- Overview of a Password Vulnerability in Siemens HMIs
arxiv_fulltext·2020-09-08·CVSS 9.8
[CRITICAL] Technical Report: Gone in 20 Seconds -- Overview of a Password Vulnerability in Siemens HMIs
empty
empty
## Abstract
Siemens produce a range of industrial human machine interface (HMI) screens which allow operators to both view information about and control physical processes. For scenarios where an operator cannot physically access the screen, Siemens provide the SM@rtServer features on HMIs, which when activated provides remote access either through their own Sm@rtClient application, or through third party VNC client software.
Through analysing this server, we discovered a lack of protection against brute-force password attacks on basic devices. On advanced devices which include a brute-force protection mechanism, we discovered an attacker strategy that is able to evade the mechanism allowing for unlimited password guess attempts with minimal effect on the guess rate. This vu
2020-09-09
Published