CVE-2022-40227

Summary

A vulnerability has been identified in SIMATIC HMI Comfort Panels (incl. SIPLUS variants) (All versions < V17 Update 4), SIMATIC HMI KTP Mobile Panels (All versions < V17 Update 4), SIMATIC HMI KTP1200 Basic (All versions < V17 Update 5), SIMATIC HMI KTP400 Basic (All versions < V17 Update 5), SIMATIC HMI KTP700 Basic (All versions < V17 Update 5), SIMATIC HMI KTP900 Basic (All versions < V17 Update 5), SIPLUS HMI KTP1200 BASIC (All versions < V17 Update 5), SIPLUS HMI KTP400 BASIC (All versions < V17 Update 5), SIPLUS HMI KTP700 BASIC (All versions < V17 Update 5), SIPLUS HMI KTP900 BASIC (All versions < V17 Update 5). Affected devices do not properly validate input sent to certain services over TCP. This could allow an unauthenticated remote attacker to cause a permanent denial of service condition (requiring a device reboot) by sending specially crafted TCP packets.

Affected Software

VendorProductVersion RangeStatus
SiemensSIMATIC HMI Comfort Panels (incl. SIPLUS variants)All versions < V17 Update 4affected
SiemensSIMATIC HMI KTP Mobile PanelsAll versions < V17 Update 4affected
SiemensSIMATIC HMI KTP1200 BasicAll versions < V17 Update 5affected
SiemensSIMATIC HMI KTP400 BasicAll versions < V17 Update 5affected
SiemensSIMATIC HMI KTP700 BasicAll versions < V17 Update 5affected
SiemensSIMATIC HMI KTP900 BasicAll versions < V17 Update 5affected
SiemensSIPLUS HMI KTP1200 BASICAll versions < V17 Update 5affected
SiemensSIPLUS HMI KTP400 BASICAll versions < V17 Update 5affected
SiemensSIPLUS HMI KTP700 BASICAll versions < V17 Update 5affected
SiemensSIPLUS HMI KTP900 BASICAll versions < V17 Update 5affected

Weaknesses

  • CWE-20: CWE-20: Improper Input Validation

ADP Enrichment

CVE Program Container

Additional References

CISA ADP Vulnrichment

  • SSVC:
  • Exploitation: none
    • Automatable: yes
    • Technical Impact: partial

References