Severity by source
CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Primary rating from NVD · only source for this CVE.
CVSS VectorNVD
CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Lifecycle Timeline
3DescriptionCVE.org
A vulnerability has been identified in CPCI85 Central Processing/Communication (All versions < V26.10), SICORE Base system (All versions < V26.10.0). The affected application contains an out-of-bounds write vulnerability while parsing specially crafted XML inputs. This could allow an unauthenticated attacker to exploit this issue by sending a malicious XML request, which may cause the service to crash, resulting in a denial-of-service condition.
AnalysisAI
Out-of-bounds write vulnerabilities in Siemens CPCI85 Central Processing/Communication and SICORE Base system (versions below V26.10) allow unauthenticated remote attackers to crash critical industrial control system services through maliciously crafted XML requests, resulting in denial-of-service conditions. CISA's SSVC framework marks this as automatable with partial technical impact, though no public exploit has been identified at time of analysis. The CVSS 4.0 score of 8.7 reflects high availability impact (VA:H) with network accessibility requiring no authentication (PR:N).
Technical ContextAI
The vulnerability affects two Siemens industrial automation products identified via CPE strings: cpe:2.3:a:siemens:cpci85_central_processing/communication and cpe:2.3:a:siemens:sicore_base_system. Both products implement XML parsing functionality that fails to properly validate array bounds during input processing, manifesting as CWE-787 (Out-of-bounds Write), also classified under Memory Corruption and Buffer Overflow tags. When the XML parser processes specially crafted input, it writes data beyond allocated memory boundaries, corrupting the process memory space and triggering service termination. This class of vulnerability is particularly critical in industrial control systems where CPCI85 serves as central processing/communication infrastructure and SICORE provides foundational system capabilities.
RemediationAI
Upgrade CPCI85 Central Processing/Communication to version V26.10 or later and SICORE Base system to version V26.10.0 or later as specified in Siemens ProductCERT advisory SSA-246443 at https://cert-portal.siemens.com/productcert/html/ssa-246443.html. Until patching is feasible, implement network segmentation to restrict XML input sources to trusted administrative networks only, deploy application-layer firewalls with XML validation rules to filter malformed requests, and enable monitoring for service crashes that may indicate exploitation attempts. Given the unauthenticated network attack vector, prioritize firewall rules that limit access to these services from untrusted networks.
Remote denial-of-service in Siemens CPCI85 Central Processing/Communication and RTUM85 RTU Base (versions below V26.10)
Privilege escalation in Siemens CPCI85 Central Processing/Communication and SICORE Base System (all versions before V26.
Malicious firmware installation is possible on Siemens CPCI85 Central Processing/Communication firmware (versions before
Denial of service in Siemens CPCI85 Central Processing/Communication firmware and SICORE Base System (all versions befor
Insecure default OPC UA configuration in Siemens CPCI85 Central Processing/Communication and SICORE Base System exposes
Same weakness CWE-787 – Out-of-bounds Write
View allSame technique Buffer Overflow
View allShare
External POC / Exploit Code
Leaving vuln.today
EUVD-2026-16181
GHSA-4m3q-v5m4-mc2x