Full Report
SIMATIC HMI Unified Comfort Panels before V21.0 are affected by a vulnerability that allows an unauthenticated attacker to reach the integrated web browser via the help link. The browser can be opened from the Control Panel when the Control Panel is not protected by the corresponding security mechanisms. This gives the attacker a way to explore the device for backdoors, which might lead to unwanted misconfigurations. Siemens has released new versions for the affected products and recommends updating to the latest versions.
Analysis Summary
# Vulnerability: Unauthenticated Control Panel Escape in SIMATIC HMI Unified Comfort Panels
## CVE Details
- **CVE ID:** CVE-2026-27662
- **CVSS Score:**
- CVSS v3.1: 7.7 (High)
- CVSS v4.0: 7.0 (High)
- **CWE:** CWE-1188: Initialization of a Resource with an Insecure Default
## Affected Systems
- **Products:**
- SIMATIC HMI Unified Comfort Panels (Standard and Hygienic family)
- Specific example: MTP700 Unified Comfort Panel hygienic neutral design (6AV2128-3GB40-0AX0)
- **Versions:** All versions before V21.0
- **Configurations:** Panels whose Control Panel is not protected by a password and whose Taskbar is enabled (the settings the workarounds below change).
## Vulnerability Description
The affected devices fail to properly restrict access to the integrated web browser via the help link within the Control Panel. Because the relevant settings are insecure by default (CWE-1188), an unauthenticated user with local access to the panel can bypass the intended restrictions and launch the web browser. This "escape" from the restricted HMI runtime lets an attacker explore the underlying system, look for backdoors, or modify system configurations that should be inaccessible from the operator interface.
## Exploitation
- **Status:** Not exploited (No known PoC available at time of advisory)
- **Complexity:** Low
- **Attack Vector:** Local (Requires physical/local access to the HMI interface)
## Impact
- **Confidentiality:** None (C:N in the CVSS v3.1 vector)
- **Integrity:** High (Potential for unauthorized misconfigurations)
- **Availability:** High (Potential to disrupt HMI operations via system-level changes)
## Remediation
### Patches
- Siemens recommends updating all affected SIMATIC HMI Unified Comfort Panels to **V21.0 or later**.
### Workarounds
If an update is not immediately possible, Siemens recommends the following mitigations:
- **Enable Access Protection:** Secure the Control Panel with a password to prevent unauthorized entry.
- **Deactivate Taskbar:** Disable the taskbar within "System Properties > Taskbar" to limit navigation escapes.
- **Change Autostart Settings:** Adjust "Runtime Autostart" settings to ensure the device boots into a secured state.
- **General Security:** Follow the HMI security guidelines (Document ID: 109481300), specifically chapters 3.2, 3.4.1, and 3.4.2.
## Detection
- **Indicators of compromise:** Presence of unauthorized browser history or configuration changes on the HMI panel that occurred outside of maintenance windows.
- **Detection methods:** Audit local device logs for unauthorized access to the Control Panel or the execution of the web browser process from the HMI environment.
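The following script is an added example for the Workarounds and Detection sections above; it is not Siemens code, and it does not read a real panel. The inventory fields (version string, whether a Control Panel password is set, whether the Taskbar is enabled) and the log line format are constructed assumptions for illustration, not the Unified Comfort Panel's actual configuration export or log format. It classifies each panel as patched, mitigated, partially mitigated, or exposed according to the advisory's conditions, and flags browser starts recorded outside a maintenance window.

```python
"""Triage of SIMATIC HMI Unified Comfort Panels for CVE-2026-27662.

Added example, not Siemens code. Inventory fields and log line format are
assumptions constructed for this example, not the panel's real formats.
"""
import re
from dataclasses import dataclass
from datetime import datetime, time

PATCHED_VERSION = (21, 0)  # fixed in V21.0 per SSA-387223


@dataclass
class Panel:
    name: str
    version: str                  # firmware version string, e.g. "V20.0 Update 2"
    control_panel_password: bool  # "Enable Access Protection" workaround applied
    taskbar_enabled: bool         # True means the "Deactivate Taskbar" workaround is NOT applied


def parse_version(version: str) -> tuple:
    """Reduce a version string such as 'V20.0 Update 2' to a comparable (major, minor)."""
    m = re.match(r"V(\d+)\.(\d+)", version.strip(), re.IGNORECASE)
    if not m:
        raise ValueError(f"unrecognised version string: {version!r}")
    return int(m.group(1)), int(m.group(2))


def triage(panel: Panel) -> str:
    """Classify a panel against the advisory's exposure condition.

    The condition is: Control Panel unprotected AND Taskbar enabled. A panel on a
    fixed version is 'patched'; below that, both workarounds applied is
    'mitigated', one applied is 'partially mitigated', neither is 'exposed'.
    """
    if parse_version(panel.version) >= PATCHED_VERSION:
        return "patched"
    missing = []
    if not panel.control_panel_password:
        missing.append("no control-panel password")
    if panel.taskbar_enabled:
        missing.append("taskbar enabled")
    if len(missing) == 2:
        return "exposed (" + ", ".join(missing) + ")"
    if missing:
        return "partially mitigated (" + missing[0] + ")"
    return "mitigated"


# Constructed log line format (assumption): "<ISO timestamp> panel=<name> event=<EVENT> [name=<process>]"
LOG_LINE = re.compile(
    r"^(?P<ts>\S+) panel=(?P<panel>\S+) event=(?P<event>\S+)(?: name=(?P<name>\S+))?"
)


def browser_launches_outside_window(lines, window=(time(8, 0), time(17, 0))):
    """Return (panel, timestamp) for browser process starts outside the maintenance window."""
    start, end = window
    hits = []
    for line in lines:
        m = LOG_LINE.match(line)
        if not m or m["event"] != "PROCESS_START" or m["name"] != "browser":
            continue
        ts = datetime.fromisoformat(m["ts"])
        if not (start <= ts.time() <= end):
            hits.append((m["panel"], m["ts"]))
    return hits


# Constructed sample inventory and log lines (not real device data).
INVENTORY = [
    Panel("HMI-LINE1", "V21.0", False, True),           # patched, settings irrelevant
    Panel("HMI-LINE2", "V20.0 Update 2", False, True),  # both weak settings present
    Panel("HMI-LINE3", "V20.0", True, True),            # password set, taskbar still on
    Panel("HMI-LINE4", "V19.0", True, False),           # both workarounds applied
]

SAMPLE_LOG = [
    "2026-03-02T09:15:02 panel=HMI-LINE1 event=CONTROL_PANEL_OPEN",
    "2026-03-02T09:15:40 panel=HMI-LINE1 event=PROCESS_START name=browser",
    "2026-03-03T02:41:11 panel=HMI-LINE2 event=CONTROL_PANEL_OPEN",
    "2026-03-03T02:41:27 panel=HMI-LINE2 event=PROCESS_START name=browser",
    "2026-03-03T02:45:00 panel=HMI-LINE2 event=PROCESS_START name=runtime",
]

if __name__ == "__main__":
    for p in INVENTORY:
        print(f"{p.name}: {triage(p)}")
    for panel, ts in browser_launches_outside_window(SAMPLE_LOG):
        print(f"ALERT {panel}: browser started at {ts} outside maintenance window")
```

The triage deliberately reports "partially mitigated" rather than "mitigated" when only one of the two workarounds is in place, because the advisory describes both settings as part of the exposure condition; treat a panel as safe only once it is on V21.0 or later. The log check is only as good as the logging the panel or its central log collector actually provides, so confirm which events are available before relying on it.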
## References
- **Siemens Security Advisory SSA-387223:** hxxps://cert-portal[.]siemens[.]com/productcert/pdf/ssa-387223[.]pdf
- **Siemens Operational Guidelines for Industrial Security:** hxxps://www[.]siemens[.]com/cert/operational-guidelines-industrial-security
- **HMI Security Manual:** hxxps://support[.]industry[.]siemens[.]com/cs/ww/en/view/109481300