Severity by source
CVSS:4.0/AV:L/AC:L/AT:N/PR:N/UI:N/VC:N/VI:H/VA:H/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Primary rating from NVD · only source for this CVE.
CVSS VectorNVD
CVSS:4.0/AV:L/AC:L/AT:N/PR:N/UI:N/VC:N/VI:H/VA:H/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Lifecycle Timeline
5DescriptionCVE.org
Affected devices do not properly restrict access to the web browser via the Control Panel when no corresponding security mechanisms are in place. This could allow an unauthenticated attacker to gain unauthorized access to the web browser, potentially enabling the discovery of backdoors, performing unauthorized actions, or exploiting misconfigurations that may lead to further system compromise.
AnalysisAI
Local unauthenticated attackers can access the web browser on Siemens SIMATIC HMI Unified Comfort and Comfort Pro panels (all models <V21) via the Control Panel when security mechanisms are not configured. The CVSS v4.0 score of 7.0 reflects high integrity and availability impact (VI:H/VA:H) with local attack vector (AV:L), low complexity (AC:L), and no authentication required (PR:N). The vulnerability is classified as CWE-1188 (Initialization of a Resource with an Insecure Default) and tagged as Authentication Bypass. No public exploit or active exploitation confirmed at time of analysis, but the local access requirement and lack of default protections significantly lower the attack bar in environments where physical or local system access is feasible, such as industrial control settings.
Technical ContextAI
This vulnerability affects Siemens SIMATIC HMI (Human-Machine Interface) panels across the Unified Comfort and Comfort Pro product lines, which run Windows-based operating systems with embedded web browsers for operator interaction and diagnostics. The root cause is CWE-1188 (Initialization of a Resource with an Insecure Default), meaning the Control Panel web browser access control mechanism ships in an insecure default state requiring explicit hardening by operators. The CPE strings identify over 50 affected product variants spanning MTP700, MTP1000, MTP1200, MTP1500, MTP1900, and MTP2200 models in standard, hygienic, and neutral design form factors, including SIPLUS rugged variants. These devices are typically deployed in manufacturing, process control, and critical infrastructure environments where they provide touchscreen interfaces to SCADA/DCS systems. The local attack vector (AV:L) in CVSS v4.0 indicates exploitation requires existing access to the device's Control Panel interface, which is physically exposed in many operational technology deployments.
RemediationAI
Update all affected SIMATIC HMI panels to firmware version V21 or later, available from Siemens support portal or via TIA Portal update mechanism. Siemens advisory SSA-387223 at https://cert-portal.siemens.com/productcert/html/ssa-387223.html provides patch download links and installation instructions. Until patching is feasible, implement compensating controls: restrict physical access to HMI Control Panel via locked enclosures or controlled-access zones (reduces local attack vector exposure but impedes legitimate operator access for troubleshooting); enable all available authentication mechanisms in HMI Control Panel settings (note: effectiveness unclear if not enabled by default-consult Siemens documentation for specific security policy configuration); isolate HMI devices on dedicated OT network segments with no internet connectivity and strict access control lists (limits lateral movement post-compromise but does not prevent initial exploitation from local access); implement logging and monitoring of Control Panel access attempts if supported by device firmware (provides detection but not prevention). Side effects: physical access restrictions may slow emergency response; network segmentation requires careful firewall rule management to preserve SCADA/DCS connectivity. Critical for deployments in physically accessible environments or those with insider threat concerns.
Same technique Authentication Bypass
View allShare
External POC / Exploit Code
Leaving vuln.today
EUVD-2026-29429
GHSA-fg9h-cf2h-vjrx