Siemens Discovers Vulnerabilities in Sinamics Perfect Harmony GH180 Fieldbus Network and Drives

Siemens identified a high-severity vulnerability in the Siemens Sinamics Perfect Harmony GH180 Fieldbus Network. An attacker with a low level of skill could exploit the vulnerability remotely, without needing privileges or user interaction.

The following medium voltage converters are affected by the vulnerability:

  • Siemens Sinamics Perfect Harmony GH180 with NXG I control
  • Siemens Sinamics Perfect Harmony GH180 with NXG II control: MLFBs: 6SR2. . . -, 6SR3. . . -, 6SR4. . . -:

All versions using option G21, G22, G23, G26, G28, G31, G32, G38, G43 or G46 are affected by the vulnerability.

The vulnerability is caused by improper input validation. An attacker can exploit it to cause a denial of service by sending specially crafted packets to the device, which forces the device to reboot and compromises system availability. Exploitation requires network access to the device.

The vulnerability is tracked as CVE-2019-6574 and has been assigned a CVSSv3 base score of 7.5 out of 10.

To fix the vulnerability, users need to upgrade the device to NXGpro control. Where an upgrade is not possible, apply the following suggested workarounds:

  • Turn off the fieldbus parameter read/write function
  • Apply the cell protection concept and implement defense in depth

Siemens Sinamics Perfect Harmony GH180 Drives NXG I and NXG II Vulnerability


Siemens also identified a high-severity vulnerability in Sinamics Perfect Harmony GH180 Drives (NXG I and NXG II). The vulnerability can be exploited remotely by an attacker with a low level of skill, and requires no privileges or user interaction.

Anyone with access to the Ethernet Modbus Interface can cause a denial-of-service condition by exceeding the number of available connections, which affects system availability.

The vulnerability was found in all versions of:

  • GH180 with NXG I control
  • GH180 with NXG II control (MLFBs: 6SR2. . . -, 6SR3. . . -, 6SR4. . . -)

The assigned CVSSv3 base score of this vulnerability – CVE-2019-6578 – is 7.5 out of 10.

To fix the vulnerability, users need to upgrade their device to NXGpro control. Where an upgrade is not possible, apply the following recommended workarounds:

  • Install a protocol bridge to isolate the networks and remove direct links to the Ethernet Modbus Interface.
  • Apply the cell protection concept and implement defense in depth.
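
To complement the workarounds for the connection-exhaustion issue, the following added Python example (not from Siemens or the original article) replays connection open/close events for a drive's Ethernet Modbus Interface and raises alerts when sessions come from outside the protected cell or approach the connection limit. The event format, IP addresses, allowlist and the limit of 4 are assumptions made for illustration; 502 is the standard Modbus/TCP port.

```python
from collections import defaultdict

MODBUS_TCP_PORT = 502            # standard Modbus/TCP port
ASSUMED_CONN_LIMIT = 4           # assumption: replace with the limit of your drive
WARN_RATIO = 0.75                # alert once 75% of the limit is in use
ALLOWED_SOURCES = {"10.10.1.5"}  # assumption: the protocol bridge / cell gateway

# Constructed sample events: (timestamp, action, src_ip, dst_ip, dst_port)
SAMPLE_EVENTS = [
    (100, "open", "10.10.1.5", "10.10.2.20", 502),
    (101, "open", "10.10.1.5", "10.10.2.20", 502),
    (102, "close", "10.10.1.5", "10.10.2.20", 502),
    (110, "open", "10.10.9.77", "10.10.2.20", 502),
    (111, "open", "10.10.9.77", "10.10.2.20", 502),
    (112, "open", "10.10.9.77", "10.10.2.20", 502),
    (113, "open", "10.10.1.5", "10.10.2.20", 80),   # not Modbus/TCP, ignored
]

def analyze(events, limit=ASSUMED_CONN_LIMIT, allowed=ALLOWED_SOURCES):
    """Return (timestamp, kind, detail) alerts for Modbus/TCP sessions."""
    active = defaultdict(int)    # drive IP -> currently open Modbus/TCP sessions
    reported = set()             # (src, dst) pairs already flagged as unexpected
    alerts = []
    for ts, action, src, dst, port in sorted(events):
        if port != MODBUS_TCP_PORT:
            continue
        if action == "close":
            active[dst] = max(0, active[dst] - 1)
            continue
        active[dst] += 1
        # Cell protection: only the bridge/gateway should reach the drive.
        if src not in allowed and (src, dst) not in reported:
            reported.add((src, dst))
            alerts.append((ts, "unexpected_source", f"{src} -> {dst}"))
        # Availability: warn before the connection table is exhausted.
        if active[dst] >= limit * WARN_RATIO:
            alerts.append((ts, "near_connection_limit",
                           f"{dst} has {active[dst]}/{limit}"))
    return alerts

if __name__ == "__main__":
    for alert in analyze(SAMPLE_EVENTS):
        print(alert)
```
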

Elizabeth Hernandez
