{"description":"Trending threats, MITRE ATT\u0026CK coverage, and detection metadata. Fed continuously.","feed_url":"https://feed.craftedsignal.io/vendors/siemens/feed.json","home_page_url":"https://feed.craftedsignal.io/","items":[{"_cs_actors":[],"_cs_cpes":[],"_cs_cves":[],"_cs_exploited":false,"_cs_has_poc":false,"_cs_poc_references":[],"_cs_products":["SIMATIC S7 PLCs Web Server"],"_cs_severities":["medium"],"_cs_tags":["xss","web-application","plc"],"_cs_type":"advisory","_cs_vendors":["Siemens"],"content_html":"\u003cp\u003eMultiple cross-site scripting (XSS) vulnerabilities have been identified in the web server component of Siemens SIMATIC S7 PLCs. An authenticated, remote attacker could exploit these vulnerabilities by injecting malicious scripts into the web application. Successful exploitation could lead to the execution of arbitrary code in the context of the victim\u0026rsquo;s browser, potentially allowing the attacker to steal sensitive information, modify web page content, or perform actions on behalf of the user. The vulnerabilities affect Siemens SIMATIC S7 PLCs Web Server. 
This issue highlights the importance of proper input validation and output encoding within web-based management interfaces for industrial control systems.\u003c/p\u003e\n\u003ch2 id=\"attack-chain\"\u003eAttack Chain\u003c/h2\u003e\n\u003col\u003e\n\u003cli\u003eThe attacker authenticates to the SIMATIC S7 PLC\u0026rsquo;s web server using valid credentials.\u003c/li\u003e\n\u003cli\u003eThe attacker identifies an input field vulnerable to XSS (e.g., a configuration parameter or log message field).\u003c/li\u003e\n\u003cli\u003eThe attacker crafts a malicious payload containing JavaScript code.\u003c/li\u003e\n\u003cli\u003eThe attacker injects the payload into the vulnerable input field via a crafted HTTP request.\u003c/li\u003e\n\u003cli\u003eThe PLC\u0026rsquo;s web server stores the malicious payload.\u003c/li\u003e\n\u003cli\u003eA legitimate user accesses the web page containing the injected payload.\u003c/li\u003e\n\u003cli\u003eThe user\u0026rsquo;s browser executes the malicious JavaScript code, potentially granting the attacker access to sensitive information or the ability to perform actions on behalf of the user.\u003c/li\u003e\n\u003cli\u003eThe attacker leverages the XSS vulnerability to further compromise the PLC or the network it resides on.\u003c/li\u003e\n\u003c/ol\u003e\n\u003ch2 id=\"impact\"\u003eImpact\u003c/h2\u003e\n\u003cp\u003eSuccessful exploitation of these XSS vulnerabilities could allow an attacker to steal user credentials, modify PLC configurations, or launch further attacks against the industrial control system network. The number of affected devices and the specific impact depend on the configuration and role of the affected SIMATIC S7 PLCs within the industrial environment. 
If successful, this could lead to disruption of critical infrastructure or industrial processes.\u003c/p\u003e\n\u003ch2 id=\"recommendation\"\u003eRecommendation\u003c/h2\u003e\n\u003cul\u003e\n\u003cli\u003eDeploy the Sigma rule below to detect potential XSS attempts against the SIMATIC S7 PLCs Web Server.\u003c/li\u003e\n\u003cli\u003eImplement proper input validation and output encoding within the SIMATIC S7 PLCs Web Server application.\u003c/li\u003e\n\u003cli\u003eApply the latest security patches and updates provided by Siemens for SIMATIC S7 PLCs Web Server when available.\u003c/li\u003e\n\u003cli\u003eRegularly review and audit the security configurations of SIMATIC S7 PLCs to minimize the attack surface.\u003c/li\u003e\n\u003c/ul\u003e\n","date_modified":"2026-05-12T11:44:35Z","date_published":"2026-05-12T11:44:35Z","id":"https://feed.craftedsignal.io/briefs/2026-05-simatic-xss/","summary":"A remote, authenticated attacker can exploit multiple vulnerabilities in Siemens SIMATIC S7 PLCs Web Server to perform cross-site scripting attacks, potentially leading to information disclosure or further unauthorized actions.","title":"Siemens SIMATIC S7 PLCs Web Server Vulnerabilities Allow Cross-Site Scripting","url":"https://feed.craftedsignal.io/briefs/2026-05-simatic-xss/"},{"_cs_actors":[],"_cs_cpes":[],"_cs_cves":[],"_cs_exploited":false,"_cs_has_poc":false,"_cs_poc_references":[],"_cs_products":["SIPROTEC 5"],"_cs_severities":["medium"],"_cs_tags":["information-disclosure","ics","siemens"],"_cs_type":"advisory","_cs_vendors":["Siemens"],"content_html":"\u003cp\u003eA vulnerability exists within Siemens SIPROTEC 5 devices that allows for information disclosure. The specific nature of the vulnerability is not detailed in this brief, but it can be exploited by a remote, anonymous attacker. Siemens SIPROTEC 5 devices are used in a variety of industrial control systems (ICS) and critical infrastructure settings. 
Successful exploitation of this vulnerability could allow an attacker to gain unauthorized access to sensitive configuration data, device status information, or other proprietary information. This information could then be used for further malicious activities, such as launching targeted attacks or disrupting operations. Defenders should promptly investigate and mitigate this vulnerability to reduce the risk of exploitation.\u003c/p\u003e\n\u003ch2 id=\"attack-chain\"\u003eAttack Chain\u003c/h2\u003e\n\u003col\u003e\n\u003cli\u003eThe attacker identifies a Siemens SIPROTEC 5 device accessible over the network.\u003c/li\u003e\n\u003cli\u003eThe attacker crafts a malicious request to exploit the information disclosure vulnerability.\u003c/li\u003e\n\u003cli\u003eThe device processes the request and inadvertently discloses sensitive information.\u003c/li\u003e\n\u003cli\u003eThe attacker captures the disclosed information, which may include configuration settings, device status, or other proprietary data.\u003c/li\u003e\n\u003cli\u003eThe attacker analyzes the disclosed information to identify potential weaknesses or vulnerabilities in the system.\u003c/li\u003e\n\u003cli\u003eThe attacker uses the gathered information to plan further attacks, such as disrupting device operation or compromising the wider ICS network.\u003c/li\u003e\n\u003c/ol\u003e\n\u003ch2 id=\"impact\"\u003eImpact\u003c/h2\u003e\n\u003cp\u003eSuccessful exploitation of this vulnerability could result in unauthorized access to sensitive information stored on Siemens SIPROTEC 5 devices. This could potentially affect critical infrastructure, leading to operational disruptions and/or financial losses. 
While the number of victims and specific sectors targeted are unknown, any organization using affected Siemens SIPROTEC 5 devices is potentially at risk.\u003c/p\u003e\n\u003ch2 id=\"recommendation\"\u003eRecommendation\u003c/h2\u003e\n\u003cul\u003e\n\u003cli\u003eInvestigate network traffic to Siemens SIPROTEC 5 devices for anomalous activity (see Sigma rule below).\u003c/li\u003e\n\u003cli\u003eConsult Siemens\u0026rsquo; security advisories and apply any available patches or mitigations for SIPROTEC 5 devices.\u003c/li\u003e\n\u003cli\u003eImplement network segmentation and access controls to limit exposure of SIPROTEC 5 devices to untrusted networks.\u003c/li\u003e\n\u003cli\u003eMonitor device logs for any signs of unauthorized access or suspicious behavior.\u003c/li\u003e\n\u003c/ul\u003e\n","date_modified":"2026-05-12T11:35:41Z","date_published":"2026-05-12T11:35:41Z","id":"https://feed.craftedsignal.io/briefs/2026-05-siemens-siprotec-info-disclosure/","summary":"A remote, anonymous attacker can exploit a vulnerability in Siemens SIPROTEC 5 devices to disclose sensitive information.","title":"Siemens SIPROTEC 5 Information Disclosure Vulnerability","url":"https://feed.craftedsignal.io/briefs/2026-05-siemens-siprotec-info-disclosure/"},{"_cs_actors":[],"_cs_cpes":[],"_cs_cves":[{"cvss":7.8,"id":"CVE-2026-44412"}],"_cs_exploited":false,"_cs_has_poc":false,"_cs_poc_references":[],"_cs_products":["Solid Edge SE2026 (\u003c V226.0 Update 5)"],"_cs_severities":["high"],"_cs_tags":["cve","stack overflow","code execution","siemens"],"_cs_type":"advisory","_cs_vendors":["Siemens"],"content_html":"\u003cp\u003eA stack-based buffer overflow vulnerability, tracked as CVE-2026-44412, has been identified in Siemens Solid Edge SE2026. The vulnerability exists in all versions prior to V226.0 Update 5. This flaw stems from improper handling of specially crafted PAR files, potentially enabling an attacker to execute arbitrary code within the context of the affected process. 
Successful exploitation could lead to complete system compromise, data theft, or other malicious activities. Siemens has released an update to address this vulnerability. This vulnerability poses a significant risk to organizations utilizing affected versions of Solid Edge SE2026 for CAD and engineering design.\u003c/p\u003e\n\u003ch2 id=\"attack-chain\"\u003eAttack Chain\u003c/h2\u003e\n\u003col\u003e\n\u003cli\u003eAn attacker crafts a malicious PAR file specifically designed to trigger the stack-based buffer overflow.\u003c/li\u003e\n\u003cli\u003eThe attacker delivers the malicious PAR file to a target user, potentially through social engineering, email attachment, or a compromised website.\u003c/li\u003e\n\u003cli\u003eThe user opens the malicious PAR file using a vulnerable version of Solid Edge SE2026.\u003c/li\u003e\n\u003cli\u003eSolid Edge SE2026 attempts to parse the PAR file.\u003c/li\u003e\n\u003cli\u003eDuring the parsing process, the specially crafted data overflows the designated buffer on the stack.\u003c/li\u003e\n\u003cli\u003eThe overflow overwrites critical data, including the return address, on the stack.\u003c/li\u003e\n\u003cli\u003eUpon function return, control is redirected to an attacker-controlled address.\u003c/li\u003e\n\u003cli\u003eThe attacker executes arbitrary code within the context of the Solid Edge SE2026 process, potentially gaining complete control over the system.\u003c/li\u003e\n\u003c/ol\u003e\n\u003ch2 id=\"impact\"\u003eImpact\u003c/h2\u003e\n\u003cp\u003eSuccessful exploitation of CVE-2026-44412 allows an attacker to execute arbitrary code on the targeted system. This can lead to a variety of detrimental outcomes, including data theft, system compromise, and the installation of malware. Given the use of Solid Edge SE2026 in industrial design and engineering, successful attacks could disrupt critical infrastructure, compromise sensitive intellectual property, and cause significant financial losses. 
The number of potential victims is substantial, encompassing all organizations utilizing vulnerable versions of Solid Edge SE2026.\u003c/p\u003e\n\u003ch2 id=\"recommendation\"\u003eRecommendation\u003c/h2\u003e\n\u003cul\u003e\n\u003cli\u003eImmediately update Solid Edge SE2026 to V226.0 Update 5 or later to patch CVE-2026-44412.\u003c/li\u003e\n\u003cli\u003eDeploy the Sigma rule \u0026ldquo;Detect Suspicious Solid Edge Process Execution\u0026rdquo; to identify potential exploitation attempts based on unusual process behavior.\u003c/li\u003e\n\u003cli\u003eEducate users about the risks of opening files from untrusted sources to mitigate social engineering attacks.\u003c/li\u003e\n\u003cli\u003eMonitor systems for unexpected process creations originating from Solid Edge SE2026, as this could indicate successful exploitation.\u003c/li\u003e\n\u003c/ul\u003e\n","date_modified":"2026-05-12T10:21:33Z","date_published":"2026-05-12T10:21:33Z","id":"https://feed.craftedsignal.io/briefs/2026-05-solid-edge-overflow/","summary":"A stack-based overflow vulnerability in Solid Edge SE2026 (versions prior to V226.0 Update 5) allows for arbitrary code execution via specially crafted PAR files.","title":"Solid Edge SE2026 Stack-Based Overflow Vulnerability (CVE-2026-44412)","url":"https://feed.craftedsignal.io/briefs/2026-05-solid-edge-overflow/"},{"_cs_actors":[],"_cs_cpes":[],"_cs_cves":[{"cvss":7.8,"id":"CVE-2026-44411"}],"_cs_exploited":false,"_cs_has_poc":false,"_cs_poc_references":[],"_cs_products":["Solid Edge SE2026"],"_cs_severities":["high"],"_cs_tags":["cve","rce","solid edge","uninitialized pointer"],"_cs_type":"advisory","_cs_vendors":["Siemens"],"content_html":"\u003cp\u003eA vulnerability, identified as CVE-2026-44411, exists in Solid Edge SE2026, specifically in versions prior to V226.0 Update 5. This flaw stems from an uninitialized pointer access during the parsing of maliciously crafted PAR files. 
Successful exploitation of this vulnerability could allow an attacker to execute arbitrary code within the security context of the user running the affected Solid Edge application. This could allow for complete system compromise if the user has elevated privileges. This vulnerability poses a significant threat to organizations relying on Solid Edge for CAD design, potentially leading to data breaches, system instability, or unauthorized access.\u003c/p\u003e\n\u003ch2 id=\"attack-chain\"\u003eAttack Chain\u003c/h2\u003e\n\u003col\u003e\n\u003cli\u003eAn attacker crafts a malicious PAR file specifically designed to trigger the uninitialized pointer access vulnerability in Solid Edge.\u003c/li\u003e\n\u003cli\u003eThe attacker delivers the crafted PAR file to a target user, potentially through social engineering or embedding it within a seemingly legitimate project.\u003c/li\u003e\n\u003cli\u003eThe user opens the malicious PAR file using a vulnerable version of Solid Edge SE2026.\u003c/li\u003e\n\u003cli\u003eSolid Edge attempts to parse the PAR file, triggering the uninitialized pointer access.\u003c/li\u003e\n\u003cli\u003eThe uninitialized pointer dereference leads to a controlled crash or allows the attacker to overwrite memory.\u003c/li\u003e\n\u003cli\u003eThe attacker leverages the memory corruption to inject and execute arbitrary code.\u003c/li\u003e\n\u003cli\u003eThe injected code executes within the context of the Solid Edge process, inheriting its privileges.\u003c/li\u003e\n\u003cli\u003eThe attacker gains control of the compromised system, potentially leading to data theft, further lateral movement, or system disruption.\u003c/li\u003e\n\u003c/ol\u003e\n\u003ch2 id=\"impact\"\u003eImpact\u003c/h2\u003e\n\u003cp\u003eSuccessful exploitation of CVE-2026-44411 can lead to arbitrary code execution on the affected system. 
This could allow an attacker to gain complete control of the compromised machine, potentially leading to data theft, system instability, or further lateral movement within the network. The vulnerability affects Solid Edge SE2026 (All versions \u0026lt; V226.0 Update 5). Organizations relying on Solid Edge for CAD design are at risk.\u003c/p\u003e\n\u003ch2 id=\"recommendation\"\u003eRecommendation\u003c/h2\u003e\n\u003cul\u003e\n\u003cli\u003eUpgrade Solid Edge SE2026 to version V226.0 Update 5 or later to patch CVE-2026-44411.\u003c/li\u003e\n\u003cli\u003eDeploy the Sigma rule \u0026ldquo;Detect Suspicious File Opening in Solid Edge\u0026rdquo; to detect potential exploitation attempts.\u003c/li\u003e\n\u003cli\u003eEducate users about the risks of opening untrusted PAR files and encourage them to verify the source before opening any such files.\u003c/li\u003e\n\u003cli\u003eMonitor process creation events for Solid Edge processes spawning unusual child processes, using the provided Sigma rules.\u003c/li\u003e\n\u003c/ul\u003e\n","date_modified":"2026-05-12T10:21:19Z","date_published":"2026-05-12T10:21:19Z","id":"https://feed.craftedsignal.io/briefs/2026-05-solid-edge-rce/","summary":"Solid Edge SE2026 is vulnerable to uninitialized pointer access while parsing specially crafted PAR files, potentially leading to arbitrary code execution in the context of the current process (CVE-2026-44411).","title":"Solid Edge SE2026 Uninitialized Pointer Access Vulnerability (CVE-2026-44411)","url":"https://feed.craftedsignal.io/briefs/2026-05-solid-edge-rce/"},{"_cs_actors":[],"_cs_cpes":[],"_cs_cves":[{"cvss":7.3,"id":"CVE-2026-33862"}],"_cs_exploited":false,"_cs_has_poc":false,"_cs_poc_references":[],"_cs_products":["Teamcenter V2312","Teamcenter V2406","Teamcenter V2412","Teamcenter V2506","Teamcenter V2512"],"_cs_severities":["medium"],"_cs_tags":["cve","xss","siemens","teamcenter"],"_cs_type":"advisory","_cs_vendors":["Siemens"],"content_html":"\u003cp\u003eA cross-site 
scripting (XSS) vulnerability, identified as CVE-2026-33862, affects multiple versions of Siemens Teamcenter. Specifically, Teamcenter V2312 (all versions before V2312.0014), Teamcenter V2406 (all versions before V2406.0012), Teamcenter V2412 (all versions before V2412.0009), Teamcenter V2506 (all versions before V2506.0005), and Teamcenter V2512 are impacted. The vulnerability stems from the application\u0026rsquo;s failure to properly encode or filter user-supplied data. This flaw allows a remote attacker to inject malicious scripts into the application that can then be executed by other users when they interact with the affected page, potentially leading to data theft, session hijacking, or other malicious activities. The vulnerability was reported on 2026-05-12.\u003c/p\u003e\n\u003ch2 id=\"attack-chain\"\u003eAttack Chain\u003c/h2\u003e\n\u003col\u003e\n\u003cli\u003eAn attacker crafts a malicious payload containing JavaScript code.\u003c/li\u003e\n\u003cli\u003eThe attacker injects the payload into a vulnerable Teamcenter input field, such as a comment, name, or description.\u003c/li\u003e\n\u003cli\u003eThe attacker submits the form or triggers the action that saves the malicious input to the Teamcenter database.\u003c/li\u003e\n\u003cli\u003eA legitimate user accesses the page or resource where the injected payload is displayed.\u003c/li\u003e\n\u003cli\u003eThe victim\u0026rsquo;s web browser executes the attacker-controlled JavaScript code within the context of the Teamcenter web application.\u003c/li\u003e\n\u003cli\u003eThe malicious script can then perform actions such as stealing the user\u0026rsquo;s session cookies, redirecting the user to a malicious website, or modifying the content of the page.\u003c/li\u003e\n\u003cli\u003eThe attacker can use the stolen session cookie to impersonate the user and gain unauthorized access to Teamcenter.\u003c/li\u003e\n\u003c/ol\u003e\n\u003ch2 id=\"impact\"\u003eImpact\u003c/h2\u003e\n\u003cp\u003eSuccessful 
exploitation of this XSS vulnerability (CVE-2026-33862) could lead to the execution of arbitrary JavaScript code in the context of other Teamcenter users\u0026rsquo; browsers. This can result in session hijacking, theft of sensitive information, defacement of the application, or redirection to malicious websites. Given the potential for unauthorized access and data manipulation, this vulnerability poses a significant risk to organizations using affected versions of Siemens Teamcenter.\u003c/p\u003e\n\u003ch2 id=\"recommendation\"\u003eRecommendation\u003c/h2\u003e\n\u003cul\u003e\n\u003cli\u003eUpgrade to the latest versions of Teamcenter: V2312.0014, V2406.0012, V2412.0009, V2506.0005, or V2512 to remediate CVE-2026-33862 (see references).\u003c/li\u003e\n\u003cli\u003eDeploy the Sigma rule \u003ccode\u003eDetect Suspicious Teamcenter URI Activity\u003c/code\u003e to identify potential exploitation attempts by monitoring for specific patterns in HTTP requests.\u003c/li\u003e\n\u003cli\u003eImplement input validation and output encoding mechanisms within the Teamcenter application to prevent XSS attacks.\u003c/li\u003e\n\u003c/ul\u003e\n","date_modified":"2026-05-12T10:20:50Z","date_published":"2026-05-12T10:20:50Z","id":"https://feed.craftedsignal.io/briefs/2026-05-cve-2026-33862/","summary":"Siemens Teamcenter versions V2312 (before V2312.0014), V2406 (before V2406.0012), V2412 (before V2412.0009), V2506 (before V2506.0005), and V2512 are vulnerable to cross-site scripting (XSS) due to improper encoding or filtering of user-supplied data, potentially leading to arbitrary code execution by other users.","title":"Siemens Teamcenter Vulnerability CVE-2026-33862 - Cross-Site Scripting","url":"https://feed.craftedsignal.io/briefs/2026-05-cve-2026-33862/"},{"_cs_actors":[],"_cs_cpes":[],"_cs_cves":[{"cvss":7.5,"id":"CVE-2025-40947"}],"_cs_exploited":false,"_cs_has_poc":false,"_cs_poc_references":[],"_cs_products":["RUGGEDCOM ROX MX5000","RUGGEDCOM ROX 
MX5000RE","RUGGEDCOM ROX RX1400","RUGGEDCOM ROX RX1500","RUGGEDCOM ROX RX1501","RUGGEDCOM ROX RX1510","RUGGEDCOM ROX RX1511","RUGGEDCOM ROX RX1512","RUGGEDCOM ROX RX1524","RUGGEDCOM ROX RX1536","RUGGEDCOM ROX RX5000"],"_cs_severities":["high"],"_cs_tags":["cve","rce","siemens","ruggedcom","ics"],"_cs_type":"threat","_cs_vendors":["Siemens"],"content_html":"\u003cp\u003eA remote code execution vulnerability, tracked as CVE-2025-40947, affects multiple RUGGEDCOM ROX devices. The affected devices include RUGGEDCOM ROX MX5000, MX5000RE, RX1400, RX1500, RX1501, RX1510, RX1511, RX1512, RX1524, RX1536, and RX5000, specifically all versions prior to V2.17.1. The vulnerability stems from a failure to properly sanitize user-supplied input during the feature key installation process. An authenticated attacker can exploit this flaw to inject arbitrary commands, leading to remote code execution with root privileges on the underlying operating system. This vulnerability poses a significant risk to industrial control systems relying on these devices.\u003c/p\u003e\n\u003ch2 id=\"attack-chain\"\u003eAttack Chain\u003c/h2\u003e\n\u003col\u003e\n\u003cli\u003eAn attacker gains authenticated access to the RUGGEDCOM ROX device\u0026rsquo;s management interface.\u003c/li\u003e\n\u003cli\u003eThe attacker crafts a malicious feature key containing embedded operating system commands.\u003c/li\u003e\n\u003cli\u003eThe attacker uploads the crafted feature key to the device through the management interface.\u003c/li\u003e\n\u003cli\u003eThe RUGGEDCOM ROX device attempts to install the feature key without proper input sanitization.\u003c/li\u003e\n\u003cli\u003eThe injected commands within the feature key are executed with root privileges.\u003c/li\u003e\n\u003cli\u003eThe attacker gains arbitrary code execution on the device\u0026rsquo;s underlying operating system.\u003c/li\u003e\n\u003cli\u003eThe attacker can then establish persistence by modifying system 
files.\u003c/li\u003e\n\u003cli\u003eThe attacker can pivot to other internal assets, disrupt operations, or exfiltrate sensitive data.\u003c/li\u003e\n\u003c/ol\u003e\n\u003ch2 id=\"impact\"\u003eImpact\u003c/h2\u003e\n\u003cp\u003eSuccessful exploitation of CVE-2025-40947 allows an attacker to execute arbitrary code with root privileges on vulnerable RUGGEDCOM ROX devices. This could lead to complete system compromise, denial of service, disruption of critical infrastructure, and potential lateral movement to other systems within the network. The vulnerability targets industrial control systems, potentially impacting sectors such as energy, transportation, and manufacturing.\u003c/p\u003e\n\u003ch2 id=\"recommendation\"\u003eRecommendation\u003c/h2\u003e\n\u003cul\u003e\n\u003cli\u003eUpgrade all affected RUGGEDCOM ROX devices (MX5000, MX5000RE, RX1400, RX1500, RX1501, RX1510, RX1511, RX1512, RX1524, RX1536, and RX5000) to version V2.17.1 or later to patch CVE-2025-40947.\u003c/li\u003e\n\u003cli\u003eMonitor network traffic for suspicious activity related to feature key uploads to detect potential exploitation attempts. Deploy the Sigma rule \u003ccode\u003eDetect Suspicious Feature Key Uploads\u003c/code\u003e to identify such activity.\u003c/li\u003e\n\u003cli\u003eReview the logs for any unusual processes or commands executed on the RUGGEDCOM ROX devices that may indicate successful exploitation. 
Utilize the Sigma rule \u003ccode\u003eDetect Malicious Command Execution via Feature Key Injection\u003c/code\u003e for this purpose.\u003c/li\u003e\n\u003c/ul\u003e\n","date_modified":"2026-05-12T10:19:32Z","date_published":"2026-05-12T10:19:32Z","id":"https://feed.craftedsignal.io/briefs/2026-05-siemens-rce/","summary":"CVE-2025-40947 describes a vulnerability in Siemens RUGGEDCOM ROX devices that allows authenticated remote attackers to inject arbitrary commands via a maliciously crafted feature key, resulting in remote code execution with root privileges.","title":"Siemens RUGGEDCOM ROX Devices Vulnerable to Remote Code Execution via Feature Key Injection (CVE-2025-40947)","url":"https://feed.craftedsignal.io/briefs/2026-05-siemens-rce/"},{"_cs_actors":[],"_cs_cpes":[],"_cs_cves":[{"cvss":9.1,"id":"CVE-2026-22924"}],"_cs_exploited":false,"_cs_has_poc":false,"_cs_poc_references":[],"_cs_products":["SIMATIC CN 4100"],"_cs_severities":["medium"],"_cs_tags":["resource-exhaustion","dos","ics","cve-2026-22924"],"_cs_type":"advisory","_cs_vendors":["Siemens"],"content_html":"\u003cp\u003eA vulnerability, CVE-2026-22924, affects Siemens SIMATIC CN 4100 devices running versions prior to V5.0. This security flaw stems from the application\u0026rsquo;s failure to adequately restrict unauthenticated connections. As a result, an attacker can exploit this weakness to trigger resource exhaustion conditions. By overwhelming the system with unauthenticated requests, a malicious actor could disrupt normal operations, perform unauthorized actions, and compromise both the availability and integrity of the SIMATIC CN 4100 device. Successful exploitation could lead to significant operational downtime and potential data breaches. 
This vulnerability poses a substantial risk to industrial control systems (ICS) environments relying on SIMATIC CN 4100.\u003c/p\u003e\n\u003ch2 id=\"attack-chain\"\u003eAttack Chain\u003c/h2\u003e\n\u003col\u003e\n\u003cli\u003eAttacker identifies a vulnerable SIMATIC CN 4100 device exposed on the network.\u003c/li\u003e\n\u003cli\u003eAttacker establishes an unauthenticated connection to the device.\u003c/li\u003e\n\u003cli\u003eAttacker sends a high volume of requests to a resource-intensive endpoint.\u003c/li\u003e\n\u003cli\u003eThe SIMATIC CN 4100 device attempts to process each request, consuming system resources.\u003c/li\u003e\n\u003cli\u003eThe device\u0026rsquo;s CPU and memory resources become depleted due to the overwhelming number of requests.\u003c/li\u003e\n\u003cli\u003eLegitimate requests from authorized users are delayed or dropped.\u003c/li\u003e\n\u003cli\u003eThe SIMATIC CN 4100 device becomes unresponsive or crashes, leading to a denial-of-service condition.\u003c/li\u003e\n\u003cli\u003eIndustrial processes relying on the SIMATIC CN 4100 device are disrupted or halted.\u003c/li\u003e\n\u003c/ol\u003e\n\u003ch2 id=\"impact\"\u003eImpact\u003c/h2\u003e\n\u003cp\u003eSuccessful exploitation of CVE-2026-22924 can result in a denial-of-service condition on the SIMATIC CN 4100 device, disrupting critical industrial processes. This may lead to operational downtime, financial losses, and potential safety hazards. 
The vulnerability affects all versions of SIMATIC CN 4100 prior to V5.0, potentially impacting a wide range of industrial sectors that rely on these devices for network communication.\u003c/p\u003e\n\u003ch2 id=\"recommendation\"\u003eRecommendation\u003c/h2\u003e\n\u003cul\u003e\n\u003cli\u003eUpgrade SIMATIC CN 4100 devices to version V5.0 or later to remediate CVE-2026-22924.\u003c/li\u003e\n\u003cli\u003eImplement network segmentation and access control measures to limit exposure of SIMATIC CN 4100 devices to untrusted networks.\u003c/li\u003e\n\u003cli\u003eDeploy the Sigma rule \u0026ldquo;Detect SIMATIC CN 4100 Unauthenticated Connection Attempts\u0026rdquo; to identify suspicious unauthenticated connection patterns to the device.\u003c/li\u003e\n\u003cli\u003eMonitor network traffic to SIMATIC CN 4100 devices for unusually high connection rates and resource consumption.\u003c/li\u003e\n\u003cli\u003eApply the mitigations recommended by Siemens in their security advisory SSA-032379.\u003c/li\u003e\n\u003c/ul\u003e\n","date_modified":"2026-05-12T10:18:09Z","date_published":"2026-05-12T10:18:09Z","id":"https://feed.craftedsignal.io/briefs/2026-05-simatic-resource-exhaustion/","summary":"Siemens SIMATIC CN 4100 versions before V5.0 are vulnerable to resource exhaustion due to improper restriction of unauthenticated connections, potentially leading to disruption of operations and unauthorized actions.","title":"Siemens SIMATIC CN 4100 Unauthenticated Resource Exhaustion (CVE-2026-22924)","url":"https://feed.craftedsignal.io/briefs/2026-05-simatic-resource-exhaustion/"},{"_cs_actors":[],"_cs_cpes":[],"_cs_cves":[{"cvss":9.1,"id":"CVE-2025-40949"}],"_cs_exploited":false,"_cs_has_poc":false,"_cs_poc_references":[],"_cs_products":["RUGGEDCOM ROX MX5000","RUGGEDCOM ROX MX5000RE","RUGGEDCOM ROX RX1400","RUGGEDCOM ROX RX1500","RUGGEDCOM ROX RX1501","RUGGEDCOM ROX RX1510","RUGGEDCOM ROX RX1511","RUGGEDCOM ROX RX1512","RUGGEDCOM ROX RX1524","RUGGEDCOM ROX 
RX1536","RUGGEDCOM ROX RX5000"],"_cs_severities":["critical"],"_cs_tags":["command-injection","rce","ruggedcom"],"_cs_type":"advisory","_cs_vendors":["Siemens"],"content_html":"\u003cp\u003eA critical command injection vulnerability, identified as CVE-2025-40949, affects multiple RUGGEDCOM ROX devices. Specifically, the vulnerability resides in the Scheduler functionality of the Web UI. Versions prior to V2.17.1 of the RUGGEDCOM ROX MX5000, MX5000RE, RX1400, RX1500, RX1501, RX1510, RX1511, RX1512, RX1524, RX1536, and RX5000 are affected. The root cause of this vulnerability is the insufficient sanitization of user-supplied input, which allows an authenticated attacker to inject arbitrary commands into the task scheduling backend. Successful exploitation allows a remote attacker to execute arbitrary commands with root privileges on the underlying operating system of the affected device. This poses a significant risk to industrial control systems (ICS) environments where these devices are commonly deployed.\u003c/p\u003e\n\u003ch2 id=\"attack-chain\"\u003eAttack Chain\u003c/h2\u003e\n\u003col\u003e\n\u003cli\u003eAn attacker gains authenticated access to the RUGGEDCOM ROX Web UI.\u003c/li\u003e\n\u003cli\u003eThe attacker navigates to the Scheduler functionality within the Web UI.\u003c/li\u003e\n\u003cli\u003eThe attacker injects malicious commands into a user-supplied input field (e.g., task name, command to execute, schedule).\u003c/li\u003e\n\u003cli\u003eThe injected commands are not properly sanitized by the application.\u003c/li\u003e\n\u003cli\u003eWhen the scheduler processes the task, the injected commands are executed by the underlying operating system with root privileges.\u003c/li\u003e\n\u003cli\u003eThe attacker achieves arbitrary command execution, potentially allowing them to install malware, modify configurations, or disrupt operations.\u003c/li\u003e\n\u003cli\u003eThe attacker leverages the initial access to pivot to other network resources or 
maintain persistence on the device.\u003c/li\u003e\n\u003c/ol\u003e\n\u003ch2 id=\"impact\"\u003eImpact\u003c/h2\u003e\n\u003cp\u003eSuccessful exploitation of CVE-2025-40949 allows an authenticated remote attacker to execute arbitrary commands with root privileges on the RUGGEDCOM ROX device. This could lead to complete system compromise, allowing the attacker to disrupt critical infrastructure operations, steal sensitive data, or use the compromised device as a pivot point to attack other systems within the network. Given the widespread use of RUGGEDCOM devices in industrial control systems, the potential impact is significant and could affect various sectors, including energy, transportation, and manufacturing.\u003c/p\u003e\n\u003ch2 id=\"recommendation\"\u003eRecommendation\u003c/h2\u003e\n\u003cul\u003e\n\u003cli\u003eUpgrade all affected RUGGEDCOM ROX devices to version V2.17.1 or later to patch CVE-2025-40949.\u003c/li\u003e\n\u003cli\u003eMonitor web server logs for suspicious activity related to the Scheduler functionality of the Web UI (reference: webserver log source).\u003c/li\u003e\n\u003cli\u003eImplement the Sigma rules provided below to detect potential exploitation attempts targeting CVE-2025-40949.\u003c/li\u003e\n\u003c/ul\u003e\n","date_modified":"2026-05-12T10:17:37Z","date_published":"2026-05-12T10:17:37Z","id":"https://feed.craftedsignal.io/briefs/2026-05-cve-2025-40949-ruggedcom-rce/","summary":"An authenticated remote command injection vulnerability exists in the web UI scheduler functionality of multiple RUGGEDCOM ROX devices before V2.17.1, allowing arbitrary command execution with root privileges.","title":"CVE-2025-40949 - Siemens RUGGEDCOM ROX Web UI Command Injection","url":"https://feed.craftedsignal.io/briefs/2026-05-cve-2025-40949-ruggedcom-rce/"}],"language":"en","title":"CraftedSignal Threat Feed — Siemens","version":"https://jsonfeed.org/version/1.1"}