IronMonkey Threat Research

Siemens SIMATIC

HIGH
CVSS 7.7
Date 2026-05-14T06:00:00+00:00
Source cisa-csaf
Published by CISA

// Description

SIMATIC HMI Unified Comfort Panels before V21.0 are affected by a vulnerability that allows an unauthenticated attacker to access the web browser via the help link. The attacker can reach the web browser through the Control Panel if it is not protected by the corresponding security mechanisms. This opens the possibility for the attacker to find backdoors, which might lead to unwanted misconfigurations. Siemens has released new versions for the affected products and recommends updating to the latest versions.

// Vulnerabilities (1)

CVE ID: CVE-2026-27662
CVSS Score: 7.7
Severity: high
Description: Affected devices do not properly restrict access to the web browser via the Control Panel when no corresponding security mechanisms are in place. This could allow an unauthenticated attacker to gain unauthorized access to the web browser, potentially enabling the discovery of backdoors, performing unauthorized actions, or exploiting misconfigurations that may lead to further system compromise.

// Affected Products (51)

Vendor Product Asset Type Purdue Level Firmware
Siemens Unknown hmi L2 --

// Remediations (3)

Patch: Update to V21 or later version
Mitigation: Disable the taskbar, which can be configured in the Control Panel > System Properties > Taskbar.
Mitigation: Compliance with the security guidelines is strongly recommended (especially chapters “3.2 Ending HMI runtime”, “3.4.1 Enable access protection for the Control Panel” and “3.4.2 Changing runtime autostart”): https://support.industry.siemens.com/cs/ww/en/view/109481300

// References