// For flags

CVE-2020-15798

Siemens Comfort Panel Telnet Service Missing Authentication Remote Code Execution Vulnerability

Severity Score

9.8
*CVSS v3.1

Exploit Likelihood

1.2%
*EPSS

Affected Versions

18
*CPE

Public Exploits

0
*Multiple Sources

Exploited in Wild

-
*KEV

Decision

-
*SSVC
Descriptions

A vulnerability has been identified in SIMATIC HMI Comfort Panels (incl. SIPLUS variants) (All versions < V16 Update 3a), SIMATIC HMI KTP Mobile Panels (All versions < V16 Update 3a), SINAMICS GH150 (All versions), SINAMICS GL150 (with option X30) (All versions), SINAMICS GM150 (with option X30) (All versions), SINAMICS SH150 (All versions), SINAMICS SL150 (All versions), SINAMICS SM120 (All versions), SINAMICS SM150 (All versions), SINAMICS SM150i (All versions). Affected devices with enabled telnet service do not require authentication for this service. This could allow a remote attacker to gain full access to the device. (ZDI-CAN-12046)

Se ha identificado una vulnerabilidad en SIMATIC HMI Comfort Panels (incl. Variantes SIPLUS) (Todas las versiones anteriores a V16 Update 3a), SIMATIC HMI KTP Mobile Panels (Todas las versiones anteriores a V16 Update 3a), SINAMICS GH150 (Todas las versiones), SINAMICS GL150 (con la opción X30) (Todas las versiones), SINAMICS GM150 (con la opción X30) (Todas las versiones), SINAMICS SH150 (Todas las versiones), SINAMICS SL150 (Todas las versiones), SINAMICS SM120 (Todas las versiones), SINAMICS SM150 (Todas las versiones), SINAMICS SM150i (Todas las versiones). Los dispositivos afectados con el servicio telnet activado no requieren autenticación para este servicio. Esto podría permitir a un atacante remoto obtener acceso completo al dispositivo. (ZDI-CAN-12046)

This vulnerability allows remote attackers to execute arbitrary code on affected installations of Siemens Comfort Panel. Authentication is not required to exploit this vulnerability.
The specific flaw exists within the telnet service, which listens on TCP port 22 by default. The issue results from the lack of authentication prior to allowing remote connections. An attacker can leverage this vulnerability to execute code in the context of SYSTEM.

*Credits: Ta-Lun Yen of TXOne IoT/ICS Security Research Labs (Trend Micro)
CVSS Scores
Attack Vector
Network
Attack Complexity
Low
Privileges Required
None
User Interaction
None
Scope
Unchanged
Confidentiality
High
Integrity
High
Availability
High
Attack Vector
Network
Attack Complexity
Medium
Authentication
None
Confidentiality
Complete
Integrity
Complete
Availability
Complete
* Common Vulnerability Scoring System
SSVC
  • Decision:-
Exploitation
-
Automatable
-
Tech. Impact
-
* Organization's Worst-case Scenario
Timeline
  • 2020-07-15 CVE Reserved
  • 2021-02-04 CVE Published
  • 2024-08-04 CVE Updated
  • 2025-03-30 EPSS Updated
  • ---------- Exploited in Wild
  • ---------- KEV Due Date
  • ---------- First Exploit
CWE
  • CWE-306: Missing Authentication for Critical Function
CAPEC
Affected Vendors, Products, and Versions (18)