Siemens Issues Security Updates for Multiple Industrial and Engineering Products
Siemens published security advisories for multiple products, prompting both CISA ICS advisories and a Canadian Centre for Cyber Security alert covering a broad set of affected industrial/engineering software and OT-adjacent components. Reported issues include a stored XSS in Siemens Polarion (CVE-2025-40587; CVSS 7.6) where authenticated users can inject JavaScript via crafted document titles, and local privilege escalation paths in Siemens SINEC NMS and its User Management Component (UMC) (CVE-2026-25655, CVE-2026-25656; CVSS 7.8) that allow low-privileged users to modify configuration/search paths to load malicious DLLs and potentially gain elevated execution (including SYSTEM-level impact). Siemens also addressed a missing authorization condition affecting Siveillance Video Management Servers Webhooks/MIP Webhooks API (CVSS 6.3), enabling a read-only user to obtain full API access.
Additional advisories cover file-parsing and third-party component risks that can lead to crashes or potential code execution. Siemens NX is affected by multiple CGM file parsing flaws (CVE-2026-22923/22924/22925; CVSS 7.8) that can be triggered when a user opens a malicious file, and Siemens Solid Edge includes an out-of-bounds read in the PS/IGES Parasolid translator when processing crafted IGS files (CVSS 7.8). Desigo CC and SENTRON Powermanager are impacted via the third-party WIBU Systems CodeMeter Runtime chain tied to CVE-2023-38545 (curl SOCKS5 heap overflow; CVSS 8.8), with Siemens providing component update instructions. Siemens SINEC OS before V3.3 aggregates a large set of third-party CVEs across supported platforms, and Siemens COMOS advisories include multiple issues (up to CVSS 10) spanning potential code execution, DoS, data exposure, and access control violations; Siemens recommends updating where fixes are available and applying countermeasures where they are not yet released.
Related Entities
Vulnerabilities
Organizations
Sources
4 more from sources like cisa advisories and ca ccs
Related Stories
CISA ICS Advisories Highlight Multiple High-Impact Vulnerabilities Across Industrial and IoT Products
CISA published multiple Industrial Control Systems (ICS) advisories detailing vulnerabilities across a range of OT and connected-device products, including **critical** issues in *AVEVA Process Optimization* (multiple CVEs) that could enable unauthenticated **remote code execution**, SQL injection, privilege escalation, and sensitive data exposure in affected versions (<=2024.1). Additional advisories describe flaws in several **Siemens** product lines, including a DoS condition in **SIMATIC/SIPLUS ET 200** components triggered via an S7 protocol disconnect request (`CVE-2025-40944`), a TLS certificate upload input-validation issue that can crash/reboot **RUGGEDCOM ROS** devices (`CVE-2025-40935`), a local privilege escalation in **TeleControl Server Basic** prior to V3.1.2.4 (`CVE-2025-40942`), and multiple issues in **SINEC Security Monitor** (including improper authorization in `ssmctl-client` file transfer and report-generation DoS; `CVE-2025-40830`, `CVE-2025-40831`). CISA also noted vulnerabilities affecting **Siemens Industrial Edge** ecosystems, including an authorization bypass in the **Industrial Edge Device Kit** (`CVE-2025-40805`) and authentication enforcement weaknesses on specific API endpoints in **Industrial Edge Devices** that could allow impersonation if an attacker knows a legitimate user identity. Other CISA advisories covered **Schneider Electric EcoStruxure Power Build Rapsody** (`CVE-2025-13844`), where importing a malicious project file (SSD) could trigger memory corruption (e.g., double free/use-after-free) and potentially arbitrary code execution, and **Rockwell Automation FactoryTalk DataMosaix Private Cloud** (`CVE-2025-12807`), where low-privilege users could perform sensitive database operations via exposed API endpoints (SQL injection class). Separately, CISA warned about **YoSmart/YoLink** weaknesses (multiple CVEs) including insufficient authorization controls in the MQTT broker enabling cross-account device control when device IDs are obtained (with IDs described as predictable), plus additional issues such as cleartext transmission and predictable identifiers. A non-CISA item in the set reported Cisco releasing updates for a max-severity **AsyncOS** vulnerability under active exploitation (`CVE-2025-20393`) affecting *Secure Email Gateway* and *Secure Email and Web Manager* appliances, including evidence of attacker-installed persistence and attribution by Cisco Talos to **UAT-9686**; this is a separate enterprise email-security incident and not part of the ICS advisory set.
2 months ago
CISA and Canadian Cyber Centre Advisories Highlight Multiple ICS and Enterprise Vulnerabilities
The Canadian Centre for Cyber Security issued multiple advisories summarizing vendor and CISA disclosures from Feb 9–15, urging organizations to patch widely used platforms. This included **Linux kernel** fixes across supported Ubuntu releases (16.04 through 25.10) and a broad set of **Dell** and **IBM** product updates affecting backup/DR, infrastructure, and automation/transaction systems (e.g., *Dell Avamar/NetWorker/PowerEdge/IDPA/iDRAC Service Module* and *IBM Business Automation Workflow, Operational Decision Manager, Sterling components, webMethods Integration*, and others). CISA also published ICS advisories covering several industrial products with potentially high-impact outcomes. **Siemens Simcenter Femap and Nastran** were reported vulnerable to multiple `NDB`/`XDB` file-parsing issues (CVE-2026-23715 through CVE-2026-23720) that can be triggered via malicious files and may lead to crashes or **arbitrary code execution** (CVSS 7.8), with Siemens recommending upgrades. **GE Vernova Enervista UR Setup** versions `< 8.70` were reported vulnerable to **DLL hijacking** and **path traversal** (CVE-2026-1762, CVE-2026-1763; CVSS 7.8), potentially enabling elevated code execution. Separately, CISA advisory `ICSA-26-043-10` described a **critical** unauthenticated **remote code execution** risk in **Airleader Master** `<= 6.381` due to an unrestricted file upload flaw (CVE-2026-1358; CVSS 9.8); CISA noted no known public exploits at the time and recommended exposure reduction measures such as network segmentation and restricting internet access to control systems.
4 weeks agoMultiple Critical Vulnerabilities Disclosed in Industrial Control Systems by CISA
CISA released thirteen advisories detailing critical vulnerabilities affecting a range of industrial control system (ICS) products from major vendors including Rockwell Automation, Siemens, Hitachi Energy, Schneider Electric, and Delta Electronics. The advisories highlight severe security flaws such as missing authentication for critical functions, improper authorization, buffer overflows, SQL injection, and improper certificate validation. For Siemens TeleControl Server Basic, a vulnerability (CVE-2025-40765) allows unauthenticated remote attackers to obtain password hashes and perform authenticated operations on the database service, with a CVSS v3.1 score of 9.8, indicating critical risk. Rockwell Automation's FactoryTalk View Machine Edition and PanelView Plus 7 are susceptible to path traversal and improper authorization, potentially granting attackers unauthorized access to device file systems and sensitive diagnostic information. FactoryTalk ViewPoint is vulnerable to XML external entity injection, which could result in denial-of-service conditions. Siemens SiPass Integrated faces multiple issues, including buffer overflows and cross-site scripting, which could enable arbitrary code execution and unauthorized access. The Siemens SIMATIC ET 200SP Communication Processors have a missing authentication flaw that could allow attackers to access configuration data remotely. Siemens SINEC NMS is affected by a SQL injection vulnerability that could let low-privileged users escalate privileges. Siemens Solid Edge products are exposed to out-of-bounds read and write vulnerabilities, risking application crashes or code execution. Siemens HyperLynx and Industrial Edge App Publisher are vulnerable to type confusion, potentially leading to arbitrary code execution via crafted HTML pages. Hitachi Energy MACH GWS products have incorrect default permissions and improper validation issues, which could allow attackers to tamper with system files, cause denial of service, or perform man-in-the-middle attacks. The advisories provide technical details, affected product versions, and recommended mitigations, urging administrators to review and apply patches or workarounds. The vulnerabilities impact critical infrastructure sectors such as manufacturing, energy, water, and transportation, with products deployed worldwide. Many of the flaws are remotely exploitable with low attack complexity, increasing the urgency for remediation. CISA emphasizes the importance of timely action to prevent exploitation, as several vulnerabilities could lead to unauthorized access, data manipulation, or disruption of essential services. The advisories also reference the need to consult vendor-specific security updates for the most current information. Organizations are advised to assess their exposure, prioritize patching, and implement recommended security controls to mitigate these risks. The coordinated disclosure underscores the ongoing threat to ICS environments and the necessity for robust security practices across operational technology networks.
5 months ago