Vulnerabilities > CVE-2020-15786 - Improper Restriction of Excessive Authentication Attempts vulnerability in Siemens products

CVSS 9.8 - CRITICAL

Attack vector

NETWORK

Attack complexity

LOW

Privileges required

NONE

Confidentiality impact

HIGH

Integrity impact

HIGH

Availability impact

HIGH

network

low complexity

siemens

CWE-307

critical

NVD

Published: 2020-09-09

Updated: 2021-06-08

Summary

A vulnerability has been identified in SIMATIC HMI Basic Panels 2nd Generation (incl. SIPLUS variants) (All versions < V16), SIMATIC HMI Comfort Panels (incl. SIPLUS variants) (All versions <= V16), SIMATIC HMI Mobile Panels (All versions <= V16), SIMATIC HMI Unified Comfort Panels (All versions <= V16). Affected devices insufficiently block excessive authentication attempts. This could allow a remote attacker to discover user passwords and obtain access to the Sm@rt Server via a brute-force attack.

Vulnerable Configurations

Part	Description	Count
OS	Siemens Siemens Simatic HMI Basic Panels 2ND Generation Firmware 14 Siemens Simatic HMI Comfort Panels Firmware * Siemens Simatic HMI Mobile Panels Firmware * Siemens Simatic HMI United Comfort Panels Firmware *	4
Hardware	Siemens Siemens Simatic HMI Basic Panels 2ND Generation - Siemens Simatic HMI Comfort Panels - Siemens Simatic HMI Mobile Panels - Siemens Simatic HMI United Comfort Panels -	4

Common Weakness Enumeration (CWE)

CWE-307 - Improper Restriction of Excessive Authentication Attempts

References

https://cert-portal.siemens.com/productcert/pdf/ssa-542525.pdf