Skip to main content

Cpci85 Central Processing Communication EUVDEUVD-2026-16181

| CVE-2026-27664 HIGH
Out-of-bounds Write (CWE-787)
2026-03-26 siemens GHSA-4m3q-v5m4-mc2x
8.7
CVSS 4.0 · NVD
Share

Severity by source

NVD PRIMARY
8.7 HIGH
CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X

Primary rating from NVD · only source for this CVE.

CVSS VectorNVD

CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Attack Vector
Network
Attack Complexity
Low
Privileges Required
None
User Interaction
None
Scope
X

Lifecycle Timeline

3
EUVD ID Assigned
Mar 26, 2026 - 14:30 euvd
EUVD-2026-16181
Analysis Generated
Mar 26, 2026 - 14:30 vuln.today
CVE Published
Mar 26, 2026 - 14:03 nvd
HIGH 8.7

DescriptionCVE.org

A vulnerability has been identified in CPCI85 Central Processing/Communication (All versions < V26.10), SICORE Base system (All versions < V26.10.0). The affected application contains an out-of-bounds write vulnerability while parsing specially crafted XML inputs. This could allow an unauthenticated attacker to exploit this issue by sending a malicious XML request, which may cause the service to crash, resulting in a denial-of-service condition.

AnalysisAI

Out-of-bounds write vulnerabilities in Siemens CPCI85 Central Processing/Communication and SICORE Base system (versions below V26.10) allow unauthenticated remote attackers to crash critical industrial control system services through maliciously crafted XML requests, resulting in denial-of-service conditions. CISA's SSVC framework marks this as automatable with partial technical impact, though no public exploit has been identified at time of analysis. The CVSS 4.0 score of 8.7 reflects high availability impact (VA:H) with network accessibility requiring no authentication (PR:N).

Technical ContextAI

The vulnerability affects two Siemens industrial automation products identified via CPE strings: cpe:2.3:a:siemens:cpci85_central_processing/communication and cpe:2.3:a:siemens:sicore_base_system. Both products implement XML parsing functionality that fails to properly validate array bounds during input processing, manifesting as CWE-787 (Out-of-bounds Write), also classified under Memory Corruption and Buffer Overflow tags. When the XML parser processes specially crafted input, it writes data beyond allocated memory boundaries, corrupting the process memory space and triggering service termination. This class of vulnerability is particularly critical in industrial control systems where CPCI85 serves as central processing/communication infrastructure and SICORE provides foundational system capabilities.

RemediationAI

Upgrade CPCI85 Central Processing/Communication to version V26.10 or later and SICORE Base system to version V26.10.0 or later as specified in Siemens ProductCERT advisory SSA-246443 at https://cert-portal.siemens.com/productcert/html/ssa-246443.html. Until patching is feasible, implement network segmentation to restrict XML input sources to trusted administrative networks only, deploy application-layer firewalls with XML validation rules to filter malformed requests, and enable monitoring for service crashes that may indicate exploitation attempts. Given the unauthenticated network attack vector, prioritize firewall rules that limit access to these services from untrusted networks.

Share

EUVD-2026-16181 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy