CVE-2026-33893 Cert Portal CVE debrief

Who should care

Siemens Teamcenter administrators, product security teams, and defenders responsible for environments that run the affected Teamcenter releases.

Technical summary

CISA's advisory states that the application contains a hardcoded key used for obfuscation and stored directly in the application. The supplied CVSS 3.1 vector is AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N, which indicates a network-reachable issue requiring no privileges or user interaction, with primary impact to confidentiality. The advisory lists fixed releases for Teamcenter V2312, V2406, V2412, and V2506.

Defensive priority

High

Recommended defensive actions

• Upgrade affected Siemens Teamcenter deployments to the fixed release listed for your branch: V2312.0014 or later, V2406.0012 or later, V2412.0009 or later, or V2506.0005 or later.
• Inventory Teamcenter versions across all environments and confirm which instances match the affected branches named in the advisory.
• Until patched, limit exposure of Teamcenter services to trusted networks and accounts, following standard defense-in-depth and least-privilege practices.
• Review the Siemens ProductCERT and CISA advisory references for any branch-specific guidance before scheduling maintenance windows.

Evidence notes

Primary evidence comes from CISA CSAF advisory ICSA-26-134-04, which republishes Siemens ProductCERT advisory SSA-827383. The supplied corpus gives a publish date of 2026-05-12 and a CISA republication date of 2026-05-14. The technical description is limited to a hardcoded obfuscation key and possible unauthorized access; no exploit details are provided, and no Known Exploited Vulnerability entry is listed.

Official resources