Skip to main content

SIMATIC CN 4100 EUVDEUVD-2026-29423

| CVE-2026-22924 HIGH
Missing Authentication for Critical Function (CWE-306)
2026-05-12 siemens GHSA-9p8h-826j-wp3r
8.8
CVSS 4.0 · Vendor: siemens
Share

Severity by source

Vendor (siemens) PRIMARY
8.8 HIGH
CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:H/VA:H/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X

Primary rating from Vendor (siemens) · only source for this CVE.

CVSS VectorVendor: siemens

CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:H/VA:H/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Attack Vector
Network
Attack Complexity
Low
Privileges Required
None
User Interaction
None
Scope
X

Lifecycle Timeline

6
Analysis Updated
May 12, 2026 - 10:36 vuln.today
v2 (cvss_changed)
Re-analysis Queued
May 12, 2026 - 10:22 vuln.today
cvss_changed
Severity Changed
May 12, 2026 - 10:22 NVD
CRITICAL HIGH
CVSS changed
May 12, 2026 - 10:22 NVD
9.1 (CRITICAL) 8.8 (HIGH)
Analysis Generated
May 12, 2026 - 10:01 vuln.today
CVE Published
May 12, 2026 - 08:20 nvd
CRITICAL 9.1

DescriptionCVE.org

A vulnerability has been identified in SIMATIC CN 4100 (All versions < V5.0). The affected application does not properly restrict unauthenticated connections and is susceptible to resource exhaustion conditions. This could allow an attacker to disrupt normal operations or perform unauthorized actions, potentially impacting system availability and integrity.

AnalysisAI

Remote unauthenticated attackers can exhaust resources and bypass authentication controls in Siemens SIMATIC CN 4100 versions before V5.0, enabling denial of service conditions and unauthorized actions that compromise system availability and integrity. The vulnerability stems from improper connection validation (CWE-306), allowing network-based exploitation without any user interaction or privileges. Siemens has released V5.0 to address this flaw, documented in security advisory SSA-032379.

Technical ContextAI

SIMATIC CN 4100 is an industrial communication node used in Siemens automation environments for network connectivity and data exchange in operational technology (OT) networks. The vulnerability is rooted in CWE-306 (Missing Authentication for Critical Function), indicating the device fails to properly authenticate or validate incoming network connections before allocating resources or granting access to functionality. This class of flaw is common in embedded industrial devices where default configurations may prioritize availability over security controls. The CVSS 4.0 vector shows network-accessible attack surface (AV:N), no complexity barriers (AC:L), and no authentication gates (PR:N), combined with high integrity and availability impact (VI:H/VA:H), reflecting both the ease of exploitation and severity of consequences in industrial control system contexts.

RemediationAI

Update SIMATIC CN 4100 to version V5.0 or later as specified in Siemens security advisory SSA-032379 (https://cert-portal.siemens.com/productcert/html/ssa-032379.html). Until patching is complete, implement network segmentation to restrict access to SIMATIC CN 4100 devices exclusively from trusted management networks-block all unauthenticated external access using industrial firewalls or VLANs, noting this may complicate distributed monitoring scenarios. Deploy connection rate limiting at the network perimeter to mitigate resource exhaustion vectors, though this does not address the authentication bypass component. For critical production systems where immediate patching risks operational disruption, schedule maintenance windows and test V5.0 in staging environments first, as firmware updates on industrial control devices can require extended downtime and revalidation of connected systems.

Share

EUVD-2026-29423 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy