Siemens Issues Security Updates for Multiple Industrial and Engineering Products
Siemens published security advisories for multiple products, prompting both CISA ICS advisories and a Canadian Centre for Cyber Security alert covering a broad set of affected industrial/engineering software and OT-adjacent components. Reported issues include a stored XSS in Siemens Polarion (CVE-2025-40587; CVSS 7.6) where authenticated users can inject JavaScript via crafted document titles, and local privilege escalation paths in Siemens SINEC NMS and its User Management Component (UMC) (CVE-2026-25655, CVE-2026-25656; CVSS 7.8) that allow low-privileged users to modify configuration/search paths to load malicious DLLs and potentially gain elevated execution (including SYSTEM-level impact). Siemens also addressed a missing authorization condition affecting Siveillance Video Management Servers Webhooks/MIP Webhooks API (CVSS 6.3), enabling a read-only user to obtain full API access.
Additional advisories cover file-parsing and third-party component risks that can lead to crashes or potential code execution. Siemens NX is affected by multiple CGM file parsing flaws (CVE-2026-22923/22924/22925; CVSS 7.8) that can be triggered when a user opens a malicious file, and Siemens Solid Edge includes an out-of-bounds read in the PS/IGES Parasolid translator when processing crafted IGS files (CVSS 7.8). Desigo CC and SENTRON Powermanager are impacted through the bundled third-party WIBU Systems CodeMeter Runtime, which inherits CVE-2023-38545 (curl SOCKS5 heap overflow; CVSS 8.8); Siemens provides instructions for updating that component. Siemens SINEC OS before V3.3 is affected by a large set of third-party CVEs across its supported platforms, and Siemens COMOS advisories cover multiple issues (up to CVSS 10) spanning potential code execution, DoS, data exposure, and access control violations. Siemens recommends updating where fixes are available and applying countermeasures where fixes have not yet been released.
How this story unfolded
22 events from the most recent confirmed update back to the earliest known activity.
CISA republishes Siemens Teamcenter multiple-vulnerability advisory
On 2026-05-14, CISA republished Siemens ProductCERT advisory SSA-827383 covering three vulnerabilities in Siemens Teamcenter, including a missing type check issue in PDF.js handling, a cross-site scripting flaw, and a hard-coded credential issue. Siemens identified affected Teamcenter versions across V2312 through V2512, released updated versions to remediate the issues, and recommended customers update and follow standard ICS exposure-reduction measures.
CISA republishes Siemens Opcenter RDnL advisory
On 2026-05-14, CISA republished a Siemens ProductCERT advisory for a high-severity missing authentication vulnerability in Apache ActiveMQ Artemis affecting Siemens Opcenter RDnL. Siemens recommended updating to the latest ActiveMQ Artemis version and applying network protection and ICS segmentation measures to reduce risks including message injection, message exfiltration, and availability impacts.
CISA republishes Siemens SIMATIC S7 PLC Web Server XSS advisory
On 2026-05-14, CISA republished a Siemens advisory for a stored cross-site scripting vulnerability in the SIMATIC S7 PLC Web Server affecting numerous SIMATIC and SIPLUS industrial automation products. Siemens said the flaw stems from improper validation of the PLC or station name shown on the communication parameters page, allowing an authenticated attacker who can download a TIA project to inject script that executes in another authorized user's browser session.
CISA republishes Siemens SENTRON 7KT PAC1261 Data Manager advisory
On 2026-05-14, CISA republished a Siemens ProductCERT advisory for a critical HTTP request smuggling vulnerability in Siemens SENTRON 7KT PAC1261 Data Manager before version 2.1.0. Siemens said exploitation could let an attacker retrieve authorization tokens and gain administrative control, and recommended updating to version 2.1.0 or later and restricting network access.
CISA republishes Siemens SIMATIC CN 4100 vulnerability advisory
On 2026-05-14, CISA republished Siemens ProductCERT advisory SSA-032379 covering numerous third-party and product-specific vulnerabilities affecting Siemens SIMATIC CN 4100. The advisory highlighted multiple high- and critical-severity flaws, including Linux kernel, OpenSSL, Apache Tomcat, Oracle Java, and Siemens-specific denial-of-service and unauthenticated connection issues, and recommended network isolation and exposure-reduction measures.
CISA republishes Siemens gWAP remote code execution advisory
On 2026-05-14, CISA republished a Siemens ProductCERT advisory for a high-severity remote code execution vulnerability affecting Siemens gPROMS Web Applications Publisher (gWAP) through vulnerable versions of the third-party Axios HTTP client library. Siemens identified gWAP as affected, released a new version, and recommended customers update while CISA also advised standard ICS exposure-reduction and network-segmentation measures.
ZDI discloses Siemens Simcenter Femap IPT parsing RCE
On 2026-05-12, Zero Day Initiative publicly disclosed ZDI-26-316 / CVE-2025-12659, a CVSS 7.8 remote code execution vulnerability in Siemens Simcenter Femap caused by improper validation when parsing IPT files. Siemens issued an update to remediate the flaw, which had been responsibly reported to the vendor in August 2025.
Siemens publishes ProductCERT advisory SSA-870926
On 2026-05-12, Siemens ProductCERT published security advisory SSA-870926. The reference indicates a new Siemens vulnerability disclosure event distinct from previously tracked advisories, though no synopsis or affected-product details are provided in the source summary.
Canadian Centre for Cyber Security issues Siemens advisory AV26-448
On 2026-05-12, the Canadian Centre for Cyber Security published alert AV26-448 covering a new Siemens security advisory addressing vulnerabilities across numerous industrial, networking, engineering, and management products. The notice urged administrators to review Siemens guidance, apply mitigations, and install updates; for RUGGEDCOM APE1808, Siemens directed customers to contact support for patch information.
CISA republishes Siemens SCALANCE W-700 vulnerability advisory
On 2026-04-21, CISA republished a Siemens ProductCERT advisory covering multiple high-severity vulnerabilities in SCALANCE W-700 IEEE 802.11n family devices before version 6.6.0, including flaws that could enable packet injection, privilege escalation, root shell execution, denial of service, information disclosure, or web compromise. Siemens released version 6.6.0 to address the issues and recommended customers update affected devices and follow network isolation and exposure-reduction measures.
CISA republishes Siemens SINEC NMS authentication bypass advisory
On 2026-04-21, CISA republished a Siemens ProductCERT advisory for a high-severity authentication bypass vulnerability in Siemens SINEC NMS when used with the User Management Component (UMC). Siemens said the flaw could allow an unauthenticated remote attacker to gain unauthorized access and released a new version of SINEC NMS, while CISA and Siemens recommended updating and applying standard network isolation measures.
CISA republishes Siemens Analytics Toolkit vulnerability advisory
On 2026-04-21, CISA republished a Siemens ProductCERT advisory for CVE-2025-40745, an improper certificate validation flaw in Siemens Analytics Toolkit that could enable man-in-the-middle attacks against Analytics Service connections. The advisory identified affected Siemens applications including Siemens Software Center, Simcenter products, Solid Edge, and Tecnomatix Plant Simulation, and noted Siemens had released updated versions and recommended customers upgrade.
CISA republishes Siemens SINEC NMS authorization bypass advisory
On 2026-04-21, CISA republished a Siemens ProductCERT advisory for a high-severity authorization bypass flaw in Siemens SINEC NMS before V4.0 SP3 that could let an authenticated remote attacker reset arbitrary user passwords. Siemens released version 4.0 SP3 to fix the issue and advised customers to update.
Canadian Centre for Cyber Security issues Siemens advisory AV26-347
On 2026-04-14, the Canadian Centre for Cyber Security published alert AV26-347 covering newly issued Siemens security advisories for a broad range of software, industrial, networking, and engineering products. The notice urged administrators to review Siemens guidance, apply mitigations, and install updates for affected products including Siemens Software Center, Simcenter products, Solid Edge, SINEC NMS, RUGGEDCOM CROSSBOW, SIPROTEC 5, SIMATIC systems, Industrial Edge Management, and SCALANCE W-700 devices.
Siemens publishes ProductCERT advisory SSA-246443
On 2026-03-26, Siemens ProductCERT published security advisory SSA-246443. The reference indicates a new Siemens vulnerability disclosure event distinct from the February advisory set and preceding the broader April 2026 advisory activity.
CISA republishes Siemens ICS advisories to increase visibility
On 2026-02-12, CISA republished Siemens ProductCERT advisories for the affected Siemens products, including SINEC NMS, Siveillance Video Management Servers, NX, Desigo CC, SENTRON Powermanager, Solid Edge, SINEC OS, COMOS, and Polarion. The republications summarized the disclosed vulnerabilities, available fixes, and standard ICS hardening recommendations.
Canadian Centre for Cyber Security urges users to apply Siemens mitigations
On 2026-02-10, the Canadian Centre for Cyber Security issued alert AV26-106 summarizing Siemens' advisories and urging administrators to review the vendor guidance, apply mitigations, and install necessary updates. The notice highlighted affected engineering, OT management, building management, power management, video management, and ALM products.
Siemens publishes February 2026 security advisories for multiple product lines
On 2026-02-10, Siemens published a coordinated set of security advisories covering multiple products including SINEC NMS, Siveillance Video Management Servers, NX, Desigo CC, SENTRON Powermanager, Solid Edge, SINEC OS, COMOS, and Polarion. The advisories disclosed vulnerabilities and provided updates, hotfixes, or mitigation guidance for affected customers.
CISA stops issuing ICS advisories for Siemens product vulnerabilities
By 2025-11-20, reporting indicated that CISA had stopped publishing ICS security advisories for Siemens product vulnerabilities. This marked a change in how Siemens vulnerability disclosures were being surfaced through U.S. government ICS advisory channels.
CISA-covered October 2024 Siemens ICS advisories disclose 34 vulnerabilities
Between 2024-10-08 and 2024-10-14, ICS advisories covered 34 Siemens vulnerabilities across products including Tecnomatix Plant Simulation, SENTRON 7KM PAC3200, Simcenter Nastran, and SINEC Security Monitor. Reported issues included arbitrary code execution, denial of service, argument injection, and an improper authentication flaw in SENTRON 7KM PAC3200 for which Siemens said no fix was planned.
Siemens releases 22 security advisories in March 2024 batch
On 2024-03-12, Siemens released 22 security advisories, including 11 new advisories and 11 updated advisories. The batch included three critical and six high-severity new advisories, and most were later correlated with CISA ICS advisories, except SSA-552874 covering a denial-of-service flaw in SIPROTEC 5 Devices.
Siemens publishes ProductCERT advisory SSA-626968
Siemens ProductCERT published security advisory SSA-626968, indicating a new vendor vulnerability disclosure event distinct from the previously tracked February, March, and April 2026 Siemens advisories. The reference establishes the existence of a separate advisory, though affected products and technical details are not provided in the source summary.
Sources
Siemens Simcenter Femap | CISA (cisa.gov)
Siemens Opcenter RDnL | CISA (cisa.gov)
Siemens SIMATIC S7 PLC Web Server | CISA (cisa.gov)
Siemens SENTRON 7KT PAC1261 Data Manager | CISA (cisa.gov)
#cisa #siemens #vulnerabilitymanagement #icssecurity #ics #ot | ICS Advisory Project (linkedin.com)
CISA Stops ICS Security Advisories for Siemens Product Vulnerabilities | Decision Insights (decisioninsights.ai)
ICS Report: 54 New Vulnerabilities In Siemens & Rockwell (cyble.com)
Siemens Product Advisories (cert-portal.siemens.com)