ICSA-21-131-04 · Published 2025-05-06
Siemens SINAMICS Medium Voltage Products Remote Access (Update B)
CVSS 9.8
CRITICAL
CVEs (14)
Remediations
- As only SIMATIC HMI image versions < V16 Update 4 are affected, please update the HMI Panel image as included in your installation of SINAMICS GH150 to V16 Update 4 or a later version
- https://support.industry.siemens.com/cs/ww/en/view/109746530/
- Currently no remediation is available
- As only SIMATIC HMI image versions < V16 Update 4 are affected, please update the HMI Panel image as included in your installation of SINAMICS GL150 (with option X30) to V16 Update 4 or a later version
- As only SIMATIC HMI image versions < V16 Update 4 are affected, please update the HMI Panel image as included in your installation of SINAMICS GM150 (with option X30) to V16 Update 4 or a later version
- As only SIMATIC HMI image versions < V16 Update 4 are affected, please update the HMI Panel image as included in your installation of SINAMICS SH150 to V16 Update 4 or a later version
- As only SIMATIC HMI image versions < V15 SP1 Update 6 are affected, please update the HMI Panel image as included in your installation of SINAMICS SL150 to V15 SP1 Update 6 or a later version
- https://support.industry.siemens.com/cs/ww/en/view/109763890/
- As only SIMATIC HMI image versions < V16 Update 4 are affected, please update the HMI Panel image as included in your installation of SINAMICS SM120 to V16 Update 4 or a later version
- As only SIMATIC HMI image versions < V15 SP1 Update 6 are affected, please update the HMI Panel image as included in your installation of SINAMICS SM150 to V15 SP1 Update 6 or a later version
- As only SIMATIC HMI image versions < V15 SP1 Update 6 are affected, please update the HMI Panel image as included in your installation of SINAMICS SM150i to V15 SP1 Update 6 or a later version
- Restrict access to port 5900/tcp to trusted IP addresses only
- Disable Sm@rtServer in the SIMATIC HMI Comfort Panels system component of SINAMICS. If this is not possible, Defense-in-Depth should be used. Note: By default Sm@rtServer is disabled, but it can be enabled on request by the system integrator
- Follow SINAMICS MV Industrial Security guidelines
- For any questions regarding the update, please contact Siemens customer service or your system integrator.
Affected Vendors
Siemens
Affected Products (8)
- Siemens · SINAMICS GH150 · vers:all/*
- Siemens · SINAMICS GL150 (with option X30) · vers:all/*
- Siemens · SINAMICS GM150 (with option X30) · vers:all/*
- Siemens · SINAMICS SH150 · vers:all/*
- Siemens · SINAMICS SL150 · vers:all/*
- Siemens · SINAMICS SM120 · vers:all/*
- Siemens · SINAMICS SM150 · vers:all/*
- Siemens · SINAMICS SM150i · vers:all/*
Affected Sectors
Multiple