Siemens SENTRON 7KT PAC1261 Data Manager Request Smuggling Vulnerability
A request smuggling vulnerability exists in Siemens SENTRON 7KT PAC1261 Data Manager before V2.1.0, due to the web server improperly accepting a bare LF as a line terminator in chunked data chunk-size lines, potentially allowing an attacker to retrieve authorization tokens and gain administrative control over the device.
A request smuggling vulnerability has been identified in the Siemens SENTRON 7KT PAC1261 Data Manager, specifically affecting versions prior to V2.1.0. The vulnerability, rooted in the Go Project’s net/http package, stems from the improper handling of line terminators within chunked HTTP data. An attacker can exploit this flaw by sending a crafted HTTP request containing a bare line feed (LF) character where the server expects a carriage return line feed (CRLF). This inconsistency can lead to the server misinterpreting the boundaries of HTTP requests, potentially allowing the attacker to smuggle malicious requests to the backend server. Successful exploitation could allow an attacker to retrieve authorization tokens and gain administrative control over the affected device, impacting energy sector deployments worldwide.
Attack Chain
- The attacker sends a specially crafted HTTP request to the SENTRON 7KT PAC1261 Data Manager with a bare LF character in a chunked data chunk-size line, instead of the expected CRLF.
- The vulnerable net/http package improperly parses the request, misinterpreting the boundaries between HTTP requests.
- The front-end server forwards the misinterpreted request to the backend server.
- The backend server interprets the smuggled portion of the request as a separate, legitimate request.
- The smuggled request targets an endpoint that returns authorization tokens or other sensitive data.
- The attacker captures the authorization tokens from the backend server’s response.
- The attacker uses the stolen authorization tokens to authenticate to the SENTRON 7KT PAC1261 Data Manager as an administrator.
- The attacker gains administrative control over the device, potentially manipulating configurations, accessing sensitive information, or disrupting operations.
Impact
Successful exploitation of CVE-2025-22871 can lead to unauthorized access and control over the Siemens SENTRON 7KT PAC1261 Data Manager. The vulnerability, with a CVSS v3 score of 9.1 (Critical), can allow remote unauthenticated attackers to retrieve authorization tokens and gain administrative access. Given the deployment of these devices within the energy sector worldwide, a successful attack could result in significant disruption of critical infrastructure operations, data breaches, and potential financial losses.
Recommendation
- Immediately update all instances of Siemens SENTRON 7KT PAC1261 Data Manager to version V2.1.0 or later to patch CVE-2025-22871.
- As a general security measure, protect network access to devices with appropriate mechanisms as recommended by Siemens.
- Deploy the Sigma rule “Detect CVE-2025-22871 Exploitation — Siemens SENTRON Request Smuggling” to your web server logs to identify potential exploitation attempts.
- Minimize network exposure for all control system devices and ensure they are not accessible from the internet, as recommended by CISA.
Detection coverage
Detect CVE-2025-22871 Exploitation — Siemens SENTRON Request Smuggling
Severity: critical
Detects CVE-2025-22871 exploitation: an HTTP request containing a bare LF character in a chunked data chunk-size line, indicating a request smuggling attempt against Siemens SENTRON 7KT PAC1261 Data Manager
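The condition this detection targets, a chunk-size line terminated by a bare LF instead of CRLF, can be checked directly on a captured chunked request body. The Go code below is an added example, not the Sigma rule and not Siemens or Go project code; the function name `BareLFChunkLines` and the sample bodies are assumptions constructed for illustration.

```go
package main

import (
	"bytes"
	"fmt"
	"strconv"
)

// BareLFChunkLines returns the offset of each chunk-size line ending in a bare LF.
func BareLFChunkLines(body []byte) ([]int, error) {
	var hits []int
	for pos := 0; ; {
		nl := bytes.IndexByte(body[pos:], '\n')
		if nl < 0 {
			return hits, fmt.Errorf("truncated chunk-size line at offset %d", pos)
		}
		line := body[pos : pos+nl]
		if len(line) == 0 || line[len(line)-1] != '\r' {
			hits = append(hits, pos) // LF with no preceding CR
		}
		field, _, _ := bytes.Cut(line, []byte(";")) // ignore any chunk extension
		size, err := strconv.ParseUint(string(bytes.TrimSuffix(field, []byte("\r"))), 16, 31)
		if err != nil {
			return hits, fmt.Errorf("bad chunk size at offset %d: %w", pos, err)
		}
		pos += nl + 1
		if size == 0 {
			return hits, nil // last chunk; trailer fields are not inspected
		}
		if pos+int(size) > len(body) {
			return hits, fmt.Errorf("truncated chunk data at offset %d", pos)
		}
		pos += int(size)
		if bytes.HasPrefix(body[pos:], []byte("\r\n")) { // terminator after chunk data
			pos += 2
		} else if bytes.HasPrefix(body[pos:], []byte("\n")) {
			pos++
		} else {
			return hits, fmt.Errorf("missing line terminator at offset %d", pos)
		}
	}
}

func main() {
	// Constructed sample bodies (not captured traffic): CRLF, then bare LF.
	for _, b := range []string{"5\r\nhello\r\n0\r\n\r\n", "5\nhello\r\n0\r\n\r\n"} {
		fmt.Println(BareLFChunkLines([]byte(b)))
	}
}
```

A non-empty result means at least one chunk-size line in the body would have been rejected by a parser that requires CRLF.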