Siemens SICAM 8 Flaws Expose OT Devices to Denial-of-Service
Siemens disclosed multiple vulnerabilities in SICAM 8 industrial control system products affecting CPCI85 Central Processing/Communication, RTUM85 RTU Base, and the SICORE Base system, with vulnerable versions identified as releases prior to V26.10 or V26.10.0 depending on the product. The issues are tracked as CVE-2026-27663 and CVE-2026-27664, and can allow denial-of-service conditions in operational technology environments. Siemens published advisory SSA-246443, while the Canadian Centre for Cyber Security and CISA both urged asset owners to review the vendor guidance and apply the recommended updates.
According to CISA, CVE-2026-27663 is a resource exhaustion flaw in remote operation mode that can block parameterization and may require a reset or reboot, while CVE-2026-27664 is an out-of-bounds write triggered by specially crafted XML input that can crash the affected service. Siemens has released fixed versions and advised organizations to validate patches before deployment and harden network access with segmentation, firewalls, and VPNs; CISA further recommended minimizing internet exposure of control systems and isolating OT networks from business networks to reduce the risk of disruption.
Get ahead of threats like this
Mallory correlates global threat intelligence with your attack surface — know if you’re exposed before adversaries strike.
How this story unfolded
3 events from the most recent confirmed update back to the earliest known activity.
CISA republishes Siemens SICAM 8 advisory
On 2026-04-02, CISA republished the Siemens advisory to increase visibility, detailing the two denial-of-service vulnerabilities and their impact on SICAM 8 components. CISA also recommended minimizing internet exposure, isolating OT networks, and using segmentation, firewalls, and VPNs.
Canadian Centre for Cyber Security issues notice on Siemens advisory
On 2026-03-27, the Canadian Centre for Cyber Security published alert AV26-290 highlighting Siemens' advisory and the affected industrial control system products. It urged administrators to review Siemens' guidance, follow mitigations, and apply the necessary updates.
Siemens publishes advisory for SICAM 8 vulnerabilities
On 2026-03-26, Siemens published advisory SSA-246443 covering multiple vulnerabilities in SICAM 8 products affecting CPCI85 Central Processing/Communication, RTUM85 RTU Base, and SICORE Base system. The advisory identified denial-of-service issues tracked as CVE-2026-27663 and CVE-2026-27664 and provided updated versions and mitigation guidance.
Related entities
Vulnerabilities, threat actors, malware, products, organizations, and breaches Mallory has linked to this story.
Sources
2 references tracked. Mallory keeps watching after this page renders.
See the full picture, correlated to your attack surface.
Map indicators from this story to your assets and identify affected systems in minutes.
Every observed campaign, victim, and pivot linked to actors named in this story.
Malware, exploits, and IOCs connected to the activity described here.
YARA, Sigma, and Snort rules deployed to your SIEM as soon as they’re published.
Get matching new stories delivered to your team as they break — not the next morning.
Ask questions about this story and take action on the answers.
Related stories
Other stories Mallory is tracking that overlap on entities, sources, or topic labels.
Siemens Issues Security Updates for Multiple Industrial and Engineering Products
**Siemens published security advisories for multiple products**, prompting both CISA ICS advisories and a Canadian Centre for Cyber Security alert covering a broad set of affected industrial/engineering software and OT-adjacent components. Reported issues include a **stored XSS** in *Siemens Polarion* (CVE-2025-40587; CVSS 7.6) where authenticated users can inject JavaScript via crafted document titles, and **local privilege escalation** paths in *Siemens SINEC NMS* and its *User Management Component (UMC)* (CVE-2026-25655, CVE-2026-25656; CVSS 7.8) that allow low-privileged users to modify configuration/search paths to load malicious DLLs and potentially gain elevated execution (including SYSTEM-level impact). Siemens also addressed a **missing authorization** condition affecting *Siveillance Video Management Servers* Webhooks/MIP Webhooks API (CVSS 6.3), enabling a read-only user to obtain full API access. Additional advisories cover file-parsing and third-party component risks that can lead to crashes or potential code execution. *Siemens NX* is affected by multiple **CGM file parsing** flaws (CVE-2026-22923/22924/22925; CVSS 7.8) that can be triggered when a user opens a malicious file, and *Siemens Solid Edge* includes an **out-of-bounds read** in the PS/IGES Parasolid translator when processing crafted IGS files (CVSS 7.8). *Desigo CC* and *SENTRON Powermanager* are impacted via the third-party *WIBU Systems CodeMeter Runtime* chain tied to **CVE-2023-38545** (curl SOCKS5 heap overflow; CVSS 8.8), with Siemens providing component update instructions. *Siemens SINEC OS* before V3.3 aggregates a large set of third-party CVEs across supported platforms, and *Siemens COMOS* advisories include multiple issues (up to CVSS 10) spanning potential code execution, DoS, data exposure, and access control violations; Siemens recommends updating where fixes are available and applying countermeasures where they are not yet released.
May 14, 2026
Multiple Critical Vulnerabilities Disclosed in Industrial Control Systems by CISA
CISA released thirteen advisories detailing critical vulnerabilities affecting a range of industrial control system (ICS) products from major vendors including Rockwell Automation, Siemens, Hitachi Energy, Schneider Electric, and Delta Electronics. The advisories highlight severe security flaws such as missing authentication for critical functions, improper authorization, buffer overflows, SQL injection, and improper certificate validation. For Siemens TeleControl Server Basic, a vulnerability (CVE-2025-40765) allows unauthenticated remote attackers to obtain password hashes and perform authenticated operations on the database service, with a CVSS v3.1 score of 9.8, indicating critical risk. Rockwell Automation's FactoryTalk View Machine Edition and PanelView Plus 7 are susceptible to path traversal and improper authorization, potentially granting attackers unauthorized access to device file systems and sensitive diagnostic information. FactoryTalk ViewPoint is vulnerable to XML external entity injection, which could result in denial-of-service conditions. Siemens SiPass Integrated faces multiple issues, including buffer overflows and cross-site scripting, which could enable arbitrary code execution and unauthorized access. The Siemens SIMATIC ET 200SP Communication Processors have a missing authentication flaw that could allow attackers to access configuration data remotely. Siemens SINEC NMS is affected by a SQL injection vulnerability that could let low-privileged users escalate privileges. Siemens Solid Edge products are exposed to out-of-bounds read and write vulnerabilities, risking application crashes or code execution. Siemens HyperLynx and Industrial Edge App Publisher are vulnerable to type confusion, potentially leading to arbitrary code execution via crafted HTML pages. Hitachi Energy MACH GWS products have incorrect default permissions and improper validation issues, which could allow attackers to tamper with system files, cause denial of service, or perform man-in-the-middle attacks. The advisories provide technical details, affected product versions, and recommended mitigations, urging administrators to review and apply patches or workarounds. The vulnerabilities impact critical infrastructure sectors such as manufacturing, energy, water, and transportation, with products deployed worldwide. Many of the flaws are remotely exploitable with low attack complexity, increasing the urgency for remediation. CISA emphasizes the importance of timely action to prevent exploitation, as several vulnerabilities could lead to unauthorized access, data manipulation, or disruption of essential services. The advisories also reference the need to consult vendor-specific security updates for the most current information. Organizations are advised to assess their exposure, prioritize patching, and implement recommended security controls to mitigate these risks. The coordinated disclosure underscores the ongoing threat to ICS environments and the necessity for robust security practices across operational technology networks.
Mar 21, 2026
Siemens SIMATIC and SICAM Products Vulnerable to Trace-File Code Injection and Other Flaws
CISA published an ICS advisory warning that multiple **Siemens SIMATIC** controllers do not properly sanitize the contents of imported trace files, enabling **code injection** if an attacker can socially engineer a legitimate user into importing a specially crafted trace file. The affected product set includes a broad range of *SIMATIC* devices, including **SIMATIC Drive Controller CPU 1504D/1507D TF**, multiple **SIMATIC ET 200SP** CPU variants (including fail-safe models), and **SIMATIC S7-1500** CPUs, among others. CERT-FR also issued an advisory covering **multiple vulnerabilities in Siemens products**, listing impacts that include **remote code execution**, **denial of service**, and **indirect code injection (XSS)**, and enumerating overlapping affected systems such as the same *SIMATIC Drive Controller* and *SIMATIC ET 200SP* families. CERT-FR explicitly references **CVE-2025-40943** for several of these SIMATIC devices and additionally notes other Siemens components (e.g., **SICAM SIAPP SDK** versions prior to `2.1.7`), indicating the Siemens security updates/mitigations span more than one product line and vulnerability class beyond the trace-file injection issue highlighted by CISA.
Mar 21, 2026