Siemens SIMATIC and SICAM Products Vulnerable to Trace-File Code Injection and Other Flaws
CISA published an ICS advisory warning that multiple Siemens SIMATIC controllers do not properly sanitize the contents of imported trace files, enabling code injection if an attacker can socially engineer a legitimate user into importing a specially crafted trace file. The affected product set includes a broad range of SIMATIC devices, including SIMATIC Drive Controller CPU 1504D/1507D TF, multiple SIMATIC ET 200SP CPU variants (including fail-safe models), and SIMATIC S7-1500 CPUs, among others.
CERT-FR also issued an advisory covering multiple vulnerabilities in Siemens products, listing impacts that include remote code execution, denial of service, and indirect code injection (XSS), and enumerating overlapping affected systems such as the same SIMATIC Drive Controller and SIMATIC ET 200SP families. CERT-FR explicitly references CVE-2025-40943 for several of these SIMATIC devices and additionally notes other Siemens components (e.g., SICAM SIAPP SDK versions prior to 2.1.7), indicating the Siemens security updates/mitigations span more than one product line and vulnerability class beyond the trace-file injection issue highlighted by CISA.
Get ahead of threats like this
Mallory correlates global threat intelligence with your attack surface — know if you’re exposed before adversaries strike.
How this story unfolded
3 events from the most recent confirmed update back to the earliest known activity.
CISA publishes ICS advisory on Siemens SIMATIC trace file code injection flaw
On 2026-03-12, CISA published advisory ICSA-26-071-04 describing a Siemens SIMATIC vulnerability in which improperly sanitized trace file contents could allow code injection if a user imports a specially crafted file. The advisory listed numerous affected SIMATIC controller, PLC, software controller, and SIPLUS variants as known affected.
CERT-FR publishes advisory on multiple Siemens product vulnerabilities
On 2026-03-10, CERT-FR published an alert summarizing multiple vulnerabilities in Siemens products such as SIMATIC Drive Controller, SIMATIC ET 200SP, and SIMATIC S7-1500 families. The notice directed users to Siemens bulletins for remediation and noted varying affected-version ranges across products.
Siemens issues security bulletins for multiple SIMATIC vulnerabilities
On 2026-03-10, Siemens published security bulletins covering multiple vulnerabilities affecting SIMATIC and related products, including issues that could lead to remote code execution, data integrity impact, denial of service, and cross-site scripting. The advisories referenced fixes for affected versions and listed CVEs including CVE-2025-40943 and CVE-2026-25569 through CVE-2026-25605.
Related entities
Vulnerabilities, threat actors, malware, products, organizations, and breaches Mallory has linked to this story.
Sources
2 references tracked. Mallory keeps watching after this page renders.
See the full picture, correlated to your attack surface.
Map indicators from this story to your assets and identify affected systems in minutes.
Every observed campaign, victim, and pivot linked to actors named in this story.
Malware, exploits, and IOCs connected to the activity described here.
YARA, Sigma, and Snort rules deployed to your SIEM as soon as they’re published.
Get matching new stories delivered to your team as they break — not the next morning.
Ask questions about this story and take action on the answers.
Related stories
Other stories Mallory is tracking that overlap on entities, sources, or topic labels.
Siemens SICAM 8 Flaws Expose OT Devices to Denial-of-Service
Siemens disclosed multiple vulnerabilities in **SICAM 8** industrial control system products affecting **CPCI85 Central Processing/Communication**, **RTUM85 RTU Base**, and the **SICORE Base system**, with vulnerable versions identified as releases prior to **V26.10** or **V26.10.0** depending on the product. The issues are tracked as **`CVE-2026-27663`** and **`CVE-2026-27664`**, and can allow denial-of-service conditions in operational technology environments. Siemens published advisory **`SSA-246443`**, while the Canadian Centre for Cyber Security and CISA both urged asset owners to review the vendor guidance and apply the recommended updates. According to CISA, **`CVE-2026-27663`** is a resource exhaustion flaw in remote operation mode that can block parameterization and may require a reset or reboot, while **`CVE-2026-27664`** is an out-of-bounds write triggered by specially crafted XML input that can crash the affected service. Siemens has released fixed versions and advised organizations to validate patches before deployment and harden network access with segmentation, firewalls, and VPNs; CISA further recommended minimizing internet exposure of control systems and isolating OT networks from business networks to reduce the risk of disruption.
Apr 2, 2026
Siemens Issues Security Updates for Multiple Industrial and Engineering Products
**Siemens published security advisories for multiple products**, prompting both CISA ICS advisories and a Canadian Centre for Cyber Security alert covering a broad set of affected industrial/engineering software and OT-adjacent components. Reported issues include a **stored XSS** in *Siemens Polarion* (CVE-2025-40587; CVSS 7.6) where authenticated users can inject JavaScript via crafted document titles, and **local privilege escalation** paths in *Siemens SINEC NMS* and its *User Management Component (UMC)* (CVE-2026-25655, CVE-2026-25656; CVSS 7.8) that allow low-privileged users to modify configuration/search paths to load malicious DLLs and potentially gain elevated execution (including SYSTEM-level impact). Siemens also addressed a **missing authorization** condition affecting *Siveillance Video Management Servers* Webhooks/MIP Webhooks API (CVSS 6.3), enabling a read-only user to obtain full API access. Additional advisories cover file-parsing and third-party component risks that can lead to crashes or potential code execution. *Siemens NX* is affected by multiple **CGM file parsing** flaws (CVE-2026-22923/22924/22925; CVSS 7.8) that can be triggered when a user opens a malicious file, and *Siemens Solid Edge* includes an **out-of-bounds read** in the PS/IGES Parasolid translator when processing crafted IGS files (CVSS 7.8). *Desigo CC* and *SENTRON Powermanager* are impacted via the third-party *WIBU Systems CodeMeter Runtime* chain tied to **CVE-2023-38545** (curl SOCKS5 heap overflow; CVSS 8.8), with Siemens providing component update instructions. *Siemens SINEC OS* before V3.3 aggregates a large set of third-party CVEs across supported platforms, and *Siemens COMOS* advisories include multiple issues (up to CVSS 10) spanning potential code execution, DoS, data exposure, and access control violations; Siemens recommends updating where fixes are available and applying countermeasures where they are not yet released.
May 14, 2026
Multiple Critical Vulnerabilities Disclosed in Industrial Control Systems by CISA
CISA released thirteen advisories detailing critical vulnerabilities affecting a range of industrial control system (ICS) products from major vendors including Rockwell Automation, Siemens, Hitachi Energy, Schneider Electric, and Delta Electronics. The advisories highlight severe security flaws such as missing authentication for critical functions, improper authorization, buffer overflows, SQL injection, and improper certificate validation. For Siemens TeleControl Server Basic, a vulnerability (CVE-2025-40765) allows unauthenticated remote attackers to obtain password hashes and perform authenticated operations on the database service, with a CVSS v3.1 score of 9.8, indicating critical risk. Rockwell Automation's FactoryTalk View Machine Edition and PanelView Plus 7 are susceptible to path traversal and improper authorization, potentially granting attackers unauthorized access to device file systems and sensitive diagnostic information. FactoryTalk ViewPoint is vulnerable to XML external entity injection, which could result in denial-of-service conditions. Siemens SiPass Integrated faces multiple issues, including buffer overflows and cross-site scripting, which could enable arbitrary code execution and unauthorized access. The Siemens SIMATIC ET 200SP Communication Processors have a missing authentication flaw that could allow attackers to access configuration data remotely. Siemens SINEC NMS is affected by a SQL injection vulnerability that could let low-privileged users escalate privileges. Siemens Solid Edge products are exposed to out-of-bounds read and write vulnerabilities, risking application crashes or code execution. Siemens HyperLynx and Industrial Edge App Publisher are vulnerable to type confusion, potentially leading to arbitrary code execution via crafted HTML pages. Hitachi Energy MACH GWS products have incorrect default permissions and improper validation issues, which could allow attackers to tamper with system files, cause denial of service, or perform man-in-the-middle attacks. The advisories provide technical details, affected product versions, and recommended mitigations, urging administrators to review and apply patches or workarounds. The vulnerabilities impact critical infrastructure sectors such as manufacturing, energy, water, and transportation, with products deployed worldwide. Many of the flaws are remotely exploitable with low attack complexity, increasing the urgency for remediation. CISA emphasizes the importance of timely action to prevent exploitation, as several vulnerabilities could lead to unauthorized access, data manipulation, or disruption of essential services. The advisories also reference the need to consult vendor-specific security updates for the most current information. Organizations are advised to assess their exposure, prioritize patching, and implement recommended security controls to mitigate these risks. The coordinated disclosure underscores the ongoing threat to ICS environments and the necessity for robust security practices across operational technology networks.
Mar 21, 2026