Attack Chain

1. An attacker crafts a malicious XML file with deeply nested elements.
2. The attacker delivers the crafted XML file to a system running a vulnerable version of ImageMagick (e.g., via upload, network share, or email attachment).
3. A user or automated process triggers ImageMagick to process the malicious XML file using command-line tools such as convert or through a web application using an ImageMagick library.
4. ImageMagick begins parsing the XML file and calls the DestroyXMLTree() function to free memory.
5. The DestroyXMLTree() function recursively traverses the XML tree without a depth limit.
6. Due to the deeply nested structure, the recursive calls consume excessive stack memory.
7. Stack memory is exhausted, leading to a stack overflow.
8. The ImageMagick process crashes, resulting in a denial-of-service condition.

Impact

Successful exploitation of CVE-2026-33908 leads to a denial-of-service condition on the affected system. Services relying on ImageMagick for image processing become unavailable, potentially disrupting critical workflows. The CVSS v3.1 base score for this vulnerability is 7.5, indicating a high potential impact on system availability. The number of affected systems depends on the prevalence of vulnerable ImageMagick versions within an organization’s infrastructure.

Recommendation

• Upgrade ImageMagick to version 7.1.2-19 or 6.9.13-44 or later to remediate CVE-2026-33908.
• Implement file size limits and input validation for XML files processed by ImageMagick to mitigate the risk of malicious file uploads.
• Deploy the Sigma rule ImageMagick_XML_Crash to detect potential exploitation attempts by monitoring for ImageMagick process crashes.
• Monitor web server logs for unusual patterns of requests with large XML file uploads to identify potential attackers.
• Enable process crash reporting on systems running ImageMagick to facilitate incident response and investigation.

Attack Chain

1. The attacker identifies a vulnerable CPCI85 or SICORE Base system instance exposed to network traffic.
2. The attacker crafts a malicious XML payload designed to trigger the out-of-bounds write vulnerability.
3. The attacker sends the malicious XML payload to the targeted system via a network request.
4. The CPCI85 or SICORE Base system receives the XML payload and attempts to parse it.
5. During XML parsing, the vulnerability is triggered due to the specially crafted XML structure, leading to an out-of-bounds write operation.
6. The out-of-bounds write corrupts memory within the application process.
7. The memory corruption causes the service to crash.
8. The crash results in a denial-of-service condition, rendering the affected system unavailable.

Impact

Successful exploitation of CVE-2026-27664 leads to a denial-of-service condition on the affected CPCI85 Central Processing/Communication and SICORE Base systems. The number of potential victims depends on the deployment scope of these systems; however, any system using versions prior to V26.10 and V26.10.0, respectively, is vulnerable. This DoS can disrupt critical operations relying on these systems, potentially impacting industrial control processes or other essential services.

Recommendation

• Apply the security patch provided by Siemens to update CPCI85 Central Processing/Communication to version V26.10 or later, and SICORE Base system to version V26.10.0 or later to remediate CVE-2026-27664 (https://cert-portal.siemens.com/productcert/html/ssa-246443.html).
• Implement network segmentation and access control policies to limit exposure of CPCI85 and SICORE Base systems to untrusted networks.
• Monitor web server logs for abnormal XML request patterns targeting the affected systems using a custom rule inspecting cs-uri-query for anomalous XML structures.

Attack Chain

1. An application receives untrusted data intended for use in XML comment content.
2. The application calls createComment(data) in xmldom, passing the untrusted data. The library stores the data without proper validation.
3. The application constructs an XML document, including the comment node created in the previous step.
4. The application calls serializeToString() on the XML document to serialize it.
5. If the untrusted data contains comment-breaking sequences, such as -->, the serializer prematurely terminates the comment.
6. The serializer injects any subsequent content in the untrusted data as live XML markup.
7. The application stores, forwards, signs, or hands the serialized XML to another parser.
8. The downstream consumer trusts the altered XML structure, leading to unintended consequences, such as misconfiguration or security bypass.

Impact

Successful exploitation allows attackers to inject arbitrary XML nodes, potentially altering the structure and meaning of generated XML documents. This could lead to misconfiguration, policy bypass, or other security vulnerabilities in applications that rely on the integrity of the XML structure. The vulnerability affects applications that use xmldom to build XML from untrusted input. The number of victims depends on the usage of the vulnerable library and the exposure of applications to untrusted XML data.

Recommendation

• Upgrade to @xmldom/xmldom version 0.8.13 or 0.9.10 or later to gain access to the fix.
• Audit all calls to serializeToString() and add the { requireWellFormed: true } option when serializing comments containing potentially untrusted data.
• Implement server-side input validation to sanitize comment data by removing comment-breaking sequences like --> before passing it to createComment().
• Deploy the Sigma rule to detect comment injections.

Attack Chain

1. An attacker crafts a malicious SpreadsheetML XML file (e.g., poc.xml).
2. The crafted XML file contains a <Row> element with an ss:Index attribute set to a very large integer (e.g., ss:Index="999999999").
3. A PHP application using PhpSpreadsheet loads the malicious XML file using IOFactory::createReader('Xml')->load('poc.xml').
4. The loadSpreadsheetFromFile method in src/PhpSpreadsheet/Reader/Xml.php processes the <Row> element, reads the ss:Index value, and casts it to an integer without validation.
5. The getRowDimension() method in src/PhpSpreadsheet/Worksheet.php is called with the attacker-controlled $rowID, inflating the cachedHighestRow property.
6. A subsequent call to $sheet->getRowIterator() attempts to iterate from the beginning to the inflated cachedHighestRow, triggering excessive CPU consumption.
7. The server’s CPU resources are exhausted, leading to a denial-of-service condition.

Impact

The vulnerability allows attackers to cause a denial-of-service condition on servers running PHP applications that utilize PhpSpreadsheet to process SpreadsheetML XML files. The impact includes:

• CPU exhaustion with a small malicious file (~300 bytes).
• Blocking PHP worker processes, affecting concurrent users.
• Triggering PHP max_execution_time limits while still consuming resources.
• Applications are vulnerable without authentication if they allow the processing of uploaded SpreadsheetML files.

Recommendation

• Implement validation for the ss:Index attribute in src/PhpSpreadsheet/Reader/Xml.php to ensure it does not exceed AddressRange::MAX_ROW. Apply this validation to both <Row> and <Cell> elements. Use the fix from the advisory (https://github.com/advisories/GHSA-84wq-86v6-x5j6) as a reference.
• Deploy the Sigma rule DetectSuspiciousPhpSpreadsheetXML to detect the use of extremely large row indexes in SpreadsheetML files.
• Monitor web server logs for requests uploading XML files and triggering high CPU usage, correlating with the execution of PhpSpreadsheet.