Skip to main content

SIMATIC HMI Panels EUVDEUVD-2026-29429

| CVE-2026-27662 HIGH
Initialization of a Resource with an Insecure Default (CWE-1188)
2026-05-12 siemens GHSA-fg9h-cf2h-vjrx
Authentication Bypass Simatic Hmi Mtp1000 Unified Comfort Panel Simatic Hmi Mtp1000 Unified Comfort Panel Hygienic Simatic Hmi Mtp1000 Unified Comfort Panel Hygienic Neutral Design Simatic Hmi Mtp1000 Unified Comfort Panel Neutral Simatic Hmi Mtp1200 Comfort Pro For Stand Expandable Flange At The Bottom Simatic Hmi Mtp1200 Comfort Pro For Support Arm Expandable Round Tube And Extension Unit Simatic Hmi Mtp1200 Comfort Pro For Support Arm Not Extendable Flange On Top Simatic Hmi Mtp1200 Comfort Pro Neutral Design For Stand Expandable Flange At The Bottom Simatic Hmi Mtp1200 Comfort Pro Neutral Design For Support Arm Expandable Round Tube And Extensio Simatic Hmi Mtp1200 Comfort Pro Neutral Design For Support Arm Not Extendable Flange On Top Simatic Hmi Mtp1200 Unified Comfort Panel Simatic Hmi Mtp1200 Unified Comfort Panel Hygienic Simatic Hmi Mtp1200 Unified Comfort Panel Hygienic Neutral Design Simatic Hmi Mtp1200 Unified Comfort Panel Neutral Design Simatic Hmi Mtp1500 Comfort Pro For Stand Expandable Flange At The Bottom Simatic Hmi Mtp1500 Comfort Pro For Support Arm Expandable Round Tube And Extension Unit Simatic Hmi Mtp1500 Comfort Pro For Support Arm Not Extendable Flange On Top Simatic Hmi Mtp1500 Comfort Pro Neutral Design For Stand Expandable Flange At The Bottom Simatic Hmi Mtp1500 Comfort Pro Neutral Design For Support Arm Expandable Round Tube And Extensio Simatic Hmi Mtp1500 Comfort Pro Neutral Design For Support Arm Not Extendable Flange On Top Simatic Hmi Mtp1500 Unified Comfort Panel Simatic Hmi Mtp1500 Unified Comfort Panel Hygienic Simatic Hmi Mtp1500 Unified Comfort Panel Hygienic Neutral Design Simatic Hmi Mtp1500 Unified Comfort Panel Neutral Design Simatic Hmi Mtp1900 Comfort Pro For Stand Expandable Flange At The Bottom Simatic Hmi Mtp1900 Comfort Pro For Support Arm Expandable Round Tube And Extension Unit Simatic Hmi Mtp1900 Comfort Pro For Support Arm Not Extendable Flange On Top Simatic Hmi Mtp1900 Comfort Pro Neutral Design For Stand Expandable Flange At The Bottom Simatic Hmi Mtp1900 Comfort Pro Neutral Design For Support Arm Expandable Round Tube And Extensio Simatic Hmi Mtp1900 Comfort Pro Neutral Design For Support Arm Not Extendable Flange On Top Simatic Hmi Mtp1900 Unified Comfort Panel Simatic Hmi Mtp1900 Unified Comfort Panel Hygienic Simatic Hmi Mtp1900 Unified Comfort Panel Hygienic Neutral Design Simatic Hmi Mtp1900 Unified Comfort Panel Neutral Design Simatic Hmi Mtp2200 Comfort Pro For Stand Expandable Flange At The Bottom Simatic Hmi Mtp2200 Comfort Pro For Support Arm Expandable Round Tube And Extension Unit Simatic Hmi Mtp2200 Comfort Pro For Support Arm Not Extendable Flange On Top Simatic Hmi Mtp2200 Comfort Pro Neutral Design For Stand Expandable Flange At The Bottom Simatic Hmi Mtp2200 Comfort Pro Neutral Design For Support Arm Expandable Round Tube And Extensio Simatic Hmi Mtp2200 Comfort Pro Neutral Design For Support Arm Not Extendable Flange On Top Simatic Hmi Mtp2200 Unified Comfort Hygienic Simatic Hmi Mtp2200 Unified Comfort Hygienic Neutral Design Simatic Hmi Mtp2200 Unified Comfort Panel Simatic Hmi Mtp2200 Unified Comfort Panel Neutral Design Simatic Hmi Mtp700 Unified Comfort Panel Simatic Hmi Mtp700 Unified Comfort Panel Hygienic Neutral Design Simatic Hmi Mtp700 Unified Comfort Panel Neutral Design Siplus Hmi Mtp1000 Unified Comfort Siplus Hmi Mtp1200 Unified Comfort Siplus Hmi Mtp700 Unified Comfort
7.0
CVSS 4.0 · NVD
Share

Severity by source

NVD PRIMARY
7.0 HIGH
CVSS:4.0/AV:L/AC:L/AT:N/PR:N/UI:N/VC:N/VI:H/VA:H/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X

Primary rating from NVD · only source for this CVE.

CVSS VectorNVD

CVSS:4.0/AV:L/AC:L/AT:N/PR:N/UI:N/VC:N/VI:H/VA:H/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Attack Vector
Local
Attack Complexity
Low
Privileges Required
None
User Interaction
None
Scope
X

Lifecycle Timeline

5
Analysis Updated
May 12, 2026 - 10:34 vuln.today
v2 (cvss_changed)
Re-analysis Queued
May 12, 2026 - 10:22 vuln.today
cvss_changed
CVSS changed
May 12, 2026 - 10:22 NVD
7.7 (HIGH) 7.0 (HIGH)
Analysis Generated
May 12, 2026 - 10:03 vuln.today
CVE Published
May 12, 2026 - 08:21 nvd
HIGH 7.7

DescriptionCVE.org

Affected devices do not properly restrict access to the web browser via the Control Panel when no corresponding security mechanisms are in place. This could allow an unauthenticated attacker to gain unauthorized access to the web browser, potentially enabling the discovery of backdoors, performing unauthorized actions, or exploiting misconfigurations that may lead to further system compromise.

AnalysisAI

Local unauthenticated attackers can access the web browser on Siemens SIMATIC HMI Unified Comfort and Comfort Pro panels (all models <V21) via the Control Panel when security mechanisms are not configured. The CVSS v4.0 score of 7.0 reflects high integrity and availability impact (VI:H/VA:H) with local attack vector (AV:L), low complexity (AC:L), and no authentication required (PR:N). The vulnerability is classified as CWE-1188 (Initialization of a Resource with an Insecure Default) and tagged as Authentication Bypass. No public exploit or active exploitation confirmed at time of analysis, but the local access requirement and lack of default protections significantly lower the attack bar in environments where physical or local system access is feasible, such as industrial control settings.

Technical ContextAI

This vulnerability affects Siemens SIMATIC HMI (Human-Machine Interface) panels across the Unified Comfort and Comfort Pro product lines, which run Windows-based operating systems with embedded web browsers for operator interaction and diagnostics. The root cause is CWE-1188 (Initialization of a Resource with an Insecure Default), meaning the Control Panel web browser access control mechanism ships in an insecure default state requiring explicit hardening by operators. The CPE strings identify over 50 affected product variants spanning MTP700, MTP1000, MTP1200, MTP1500, MTP1900, and MTP2200 models in standard, hygienic, and neutral design form factors, including SIPLUS rugged variants. These devices are typically deployed in manufacturing, process control, and critical infrastructure environments where they provide touchscreen interfaces to SCADA/DCS systems. The local attack vector (AV:L) in CVSS v4.0 indicates exploitation requires existing access to the device's Control Panel interface, which is physically exposed in many operational technology deployments.

RemediationAI

Update all affected SIMATIC HMI panels to firmware version V21 or later, available from Siemens support portal or via TIA Portal update mechanism. Siemens advisory SSA-387223 at https://cert-portal.siemens.com/productcert/html/ssa-387223.html provides patch download links and installation instructions. Until patching is feasible, implement compensating controls: restrict physical access to HMI Control Panel via locked enclosures or controlled-access zones (reduces local attack vector exposure but impedes legitimate operator access for troubleshooting); enable all available authentication mechanisms in HMI Control Panel settings (note: effectiveness unclear if not enabled by default-consult Siemens documentation for specific security policy configuration); isolate HMI devices on dedicated OT network segments with no internet connectivity and strict access control lists (limits lateral movement post-compromise but does not prevent initial exploitation from local access); implement logging and monitoring of Control Panel access attempts if supported by device firmware (provides detection but not prevention). Side effects: physical access restrictions may slow emergency response; network segmentation requires careful firewall rule management to preserve SCADA/DCS connectivity. Critical for deployments in physically accessible environments or those with insider threat concerns.

Share

EUVD-2026-29429 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy