{"description":"Trending threats, MITRE ATT\u0026CK coverage, and detection metadata. Fed continuously.","feed_url":"https://feed.craftedsignal.io/tags/cve-2025-22871/feed.json","home_page_url":"https://feed.craftedsignal.io/","items":[{"_cs_actors":[],"_cs_cpes":[],"_cs_cves":[{"cvss":9.1,"id":"CVE-2025-22871"}],"_cs_exploited":false,"_cs_has_poc":false,"_cs_poc_references":[],"_cs_products":["SENTRON 7KT PAC1261 Data Manager"],"_cs_severities":["critical"],"_cs_tags":["request-smuggling","cve-2025-22871","siemens","ot"],"_cs_type":"advisory","_cs_vendors":["Siemens"],"content_html":"\u003cp\u003eA request smuggling vulnerability has been identified in the Siemens SENTRON 7KT PAC1261 Data Manager, specifically affecting versions prior to V2.1.0. The vulnerability, rooted in the Go Project\u0026rsquo;s net/http package, stems from the improper handling of line terminators within chunked HTTP data. An attacker can exploit this flaw by sending a crafted HTTP request containing a bare line feed (LF) character where the server expects a carriage return line feed (CRLF). This inconsistency can lead to the server misinterpreting the boundaries of HTTP requests, potentially allowing the attacker to smuggle malicious requests to the backend server. Successful exploitation could allow an attacker to retrieve authorization tokens and gain administrative control over the affected device, impacting energy sector deployments worldwide.\u003c/p\u003e\n\u003ch2 id=\"attack-chain\"\u003eAttack Chain\u003c/h2\u003e\n\u003col\u003e\n\u003cli\u003eThe attacker sends a specially crafted HTTP request to the SENTRON 7KT PAC1261 Data Manager with a bare LF character in a chunked data chunk-size line, instead of the expected CRLF.\u003c/li\u003e\n\u003cli\u003eThe vulnerable net/http package improperly parses the request, misinterpreting the boundaries between HTTP requests.\u003c/li\u003e\n\u003cli\u003eThe front-end server forwards the misinterpreted request to the backend server.\u003c/li\u003e\n\u003cli\u003eThe backend server interprets the smuggled portion of the request as a separate, legitimate request.\u003c/li\u003e\n\u003cli\u003eThe smuggled request targets an endpoint that returns authorization tokens or other sensitive data.\u003c/li\u003e\n\u003cli\u003eThe attacker captures the authorization tokens from the backend server\u0026rsquo;s response.\u003c/li\u003e\n\u003cli\u003eThe attacker uses the stolen authorization tokens to authenticate to the SENTRON 7KT PAC1261 Data Manager as an administrator.\u003c/li\u003e\n\u003cli\u003eThe attacker gains administrative control over the device, potentially manipulating configurations, accessing sensitive information, or disrupting operations.\u003c/li\u003e\n\u003c/ol\u003e\n\u003ch2 id=\"impact\"\u003eImpact\u003c/h2\u003e\n\u003cp\u003eSuccessful exploitation of CVE-2025-22871 can lead to unauthorized access and control over the Siemens SENTRON 7KT PAC1261 Data Manager. The vulnerability, with a CVSS v3 score of 9.1 (Critical), can allow remote unauthenticated attackers to retrieve authorization tokens and gain administrative access. Given the deployment of these devices within the energy sector worldwide, a successful attack could result in significant disruption of critical infrastructure operations, data breaches, and potential financial losses.\u003c/p\u003e\n\u003ch2 id=\"recommendation\"\u003eRecommendation\u003c/h2\u003e\n\u003cul\u003e\n\u003cli\u003eImmediately update all instances of Siemens SENTRON 7KT PAC1261 Data Manager to version V2.1.0 or later to patch CVE-2025-22871.\u003c/li\u003e\n\u003cli\u003eAs a general security measure, protect network access to devices with appropriate mechanisms as recommended by Siemens.\u003c/li\u003e\n\u003cli\u003eDeploy the Sigma rule \u0026ldquo;Detect CVE-2025-22871 Exploitation — Siemens SENTRON Request Smuggling\u0026rdquo; to your web server logs to identify potential exploitation attempts.\u003c/li\u003e\n\u003cli\u003eMinimize network exposure for all control system devices and ensure they are not accessible from the internet, as recommended by CISA.\u003c/li\u003e\n\u003c/ul\u003e\n","date_modified":"2026-05-14T15:02:22Z","date_published":"2026-05-14T15:02:22Z","id":"https://feed.craftedsignal.io/briefs/2026-05-siemens-sentron-request-smuggling/","summary":"A request smuggling vulnerability exists in Siemens SENTRON 7KT PAC1261 Data Manager before V2.1.0, due to the web server improperly accepting a bare LF as a line terminator in chunked data chunk-size lines, potentially allowing an attacker to retrieve authorization tokens and gain administrative control over the device.","title":"Siemens SENTRON 7KT PAC1261 Data Manager Request Smuggling Vulnerability","url":"https://feed.craftedsignal.io/briefs/2026-05-siemens-sentron-request-smuggling/"}],"language":"en","title":"CraftedSignal Threat Feed — Cve-2025-22871","version":"https://jsonfeed.org/version/1.1"}