Severity by source
CVSS:4.0/AV:L/AC:L/AT:N/PR:H/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Firmware update requires local, privileged access (AV:L/PR:H) with no user interaction, and yields full device takeover, so C/I/A are all High.
Primary rating from Vendor (siemens).
CVSS VectorVendor: siemens
CVSS:4.0/AV:L/AC:L/AT:N/PR:H/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Lifecycle Timeline
6DescriptionCVE.org
A vulnerability has been identified in CPCI85 Central Processing/Communication (All versions < V26.20), SICORE Base system (All versions < V26.20.0). The affected application contains a vulnerability in its firmware update mechanism's signature validation process. This could allow an attacker to install malicious firmware, leading to persistent code execution and system compromise.
AnalysisAI
Malicious firmware installation is possible on Siemens CPCI85 Central Processing/Communication firmware (versions before V26.20) and the SICORE Base System (before V26.20.0) because the firmware update mechanism fails to properly validate signatures. An attacker with high privileges and local access can push crafted, tampered firmware to achieve persistent code execution and full device compromise. …
Unlock full vulnerability intelligence
- Risk assessment & exploitation conditions
- Attack chain visualization
- Remediation with exact patch versions
- Threat intelligence from 22 sources
- Personal watchlist & email alerts
Free forever · No credit card required
Attack ChainAIDerived
Hypothetical attack flow derived from CVE metadata
Vulnerability AssessmentAI
| Exploitation | Exploitation requires the attacker to invoke the device's firmware update mechanism with high privileges over a local vector (CVSS AV:L/PR:H) - i.e. … Additional conditions and limiting factors are described in the full assessment. |
| Risk Assessment | The CVSS 4.0 vector (AV:L/AC:L/AT:N/PR:H/UI:N, VC:H/VI:H/VA:H, base 8.4) frames this as a high-impact but high-barrier issue: exploitation requires local access and already-high privileges, so it is not a remotely reachable or wormable flaw. … Full risk analysis with EPSS, KEV, and SSVC signal comparison available after sign-in. |
| Exploit Scenario | An attacker who has obtained privileged local/engineering access to a substation device (for example a malicious insider or an adversary who already compromised an engineering workstation) crafts modified firmware and submits it through the update mechanism, which fails to reject the tampered image due to the signature-validation flaw. The device accepts and boots the malicious firmware, giving the attacker persistent code execution that survives reboots. … |
| Remediation | Vendor-released patch: update CPCI85 Central Processing/Communication to V26.20 or later and the SICORE Base System to V26.20.0 or later, per Siemens advisory SSA-229470 (https://cert-portal.siemens.com/productcert/html/ssa-229470.html). … Detailed patch versions, workarounds, and compensating controls in full report. |
Recommended ActionAI
Within 24 hours: Identify all CPCI85 and SICORE Base System devices in use and document current firmware versions by conducting asset inventory. …
Sign in for detailed remediation steps and compensating controls.
Threat intelligence, references, and detailed analysis are available after sign-in.
Out-of-bounds write vulnerabilities in Siemens CPCI85 Central Processing/Communication and SICORE Base system (versions
Remote denial-of-service in Siemens CPCI85 Central Processing/Communication and RTUM85 RTU Base (versions below V26.10)
Privilege escalation in Siemens CPCI85 Central Processing/Communication and SICORE Base System (all versions before V26.
Denial of service in Siemens CPCI85 Central Processing/Communication firmware and SICORE Base System (all versions befor
Insecure default OPC UA configuration in Siemens CPCI85 Central Processing/Communication and SICORE Base System exposes
Same weakness CWE-489 – Active Debug Code
View allShare
External POC / Exploit Code
Leaving vuln.today
EUVD-2026-42594
GHSA-j26p-j946-5hv2