PatchSiren cyber security CVE debrief

CVE-2026-41551 Cert Portal CVE debrief

CVE-2026-41551 is a critical path traversal issue in Siemens ROS# versions before 2.2.2. CISA’s advisory says unsanitized user input can let a remote attacker access arbitrary files on the device. The advisory was first published on 2026-05-12 and republished on 2026-05-14 to incorporate Siemens ProductCERT’s SSA-357982 notice.

Vendor: Cert Portal
Product: Siemens ROS# (vers:intdot/<2.2.2)
CVSS: CRITICAL 9.1
CISA KEV: Not listed in stored evidence
Original CVE published: 2026-05-12
Original CVE updated: 2026-05-14
Advisory published: 2026-05-12
Advisory updated: 2026-05-14

Who should care

OT/ICS operators using Siemens ROS#, asset owners exposing file_server, and defenders responsible for network segmentation and patch management should prioritize this issue. It is especially relevant where ROS# is reachable from less-trusted networks or used beyond its intended file-transfer role.

Technical summary

The advisory describes a path traversal flaw caused by improper sanitization of user input. In affected Siemens ROS# versions before 2.2.2, a remote attacker could exploit this weakness to access arbitrary files on the device. The published CVSS vector is CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N, indicating network reachability with no privileges or user interaction required and high confidentiality and integrity impact.
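The weakness class the advisory names (CWE-23, relative path traversal) comes down to a file server joining client-supplied input onto a document root without canonicalising the result and checking that it still lies inside that root. The following is an added illustration written for this debrief, not code from Siemens, ROS# or its file_server: a generic resolver that performs that containment check (single percent-decode, backslash normalisation, refusal of absolute paths and NUL bytes, canonicalisation, then a parent check), plus a small detector that runs the same check over access-log-style lines. The document root /srv/urdf and the log line format are assumptions chosen for the example.

```python
from pathlib import Path
from typing import List, Optional, Tuple
from urllib.parse import unquote


def safe_resolve(root: str, requested: str) -> Optional[Path]:
    """Resolve a client-supplied relative path inside `root`.

    Returns the canonical absolute path if it stays within the root directory,
    or None if the request must be refused: traversal outside the root, an
    absolute path, a NUL byte, or input that still carries percent-encoding
    after one decode (double-encoding).
    """
    root_path = Path(root).resolve()

    # Decode percent-encoding exactly once. Anything still encoded afterwards
    # is treated as a double-encoding attempt rather than decoded again.
    decoded = unquote(requested)
    if "%" in decoded or "\x00" in decoded:
        return None

    # Treat backslashes as separators so Windows-style ".." sequences are not
    # missed, and refuse absolute paths: clients may only name files under root.
    decoded = decoded.replace("\\", "/")
    if decoded.startswith("/"):
        return None

    # Canonicalise (collapses ".." and follows symlinks), then require that the
    # result is the root itself or sits beneath it.
    candidate = (root_path / decoded).resolve()
    try:
        candidate.relative_to(root_path)
    except ValueError:
        return None
    return candidate


def is_safe_request(root: str, requested: str) -> bool:
    """Convenience wrapper: True if the request resolves inside the root."""
    return safe_resolve(root, requested) is not None


# Constructed sample access-log lines ("client method url_path status");
# these are illustrative and not taken from any advisory or device log.
SAMPLE_LOG: List[str] = [
    "10.0.0.5 GET /robot.urdf 200",
    "10.0.0.9 GET /../../etc/passwd 200",
    "10.0.0.9 GET /%2e%2e/%2e%2e/etc/shadow 200",
    "10.0.0.5 GET /meshes/base.stl 200",
]


def flag_traversal_requests(lines: List[str], root: str = "/srv/urdf") -> List[Tuple[str, str]]:
    """Return (client, url_path) pairs whose path would escape the document root.

    The server is assumed to strip the URL's leading slash before joining it
    onto the root, so the same is done here before applying safe_resolve.
    """
    flagged: List[Tuple[str, str]] = []
    for line in lines:
        parts = line.split()
        if len(parts) < 4:
            continue  # malformed line; skip rather than guess
        client, _method, url_path, _status = parts[:4]
        requested = url_path.lstrip("/")
        if safe_resolve(root, requested) is None:
            flagged.append((client, url_path))
    return flagged


if __name__ == "__main__":
    for client, path in flag_traversal_requests(SAMPLE_LOG):
        print(f"traversal attempt from {client}: {path}")
```

The containment check deliberately runs after canonicalisation rather than by searching the raw string for "..": a lexical filter misses encoded or mixed-separator variants, whereas comparing the resolved path against the resolved root catches every form the filesystem would actually honour. The detector reuses the same function so that what the server would refuse and what the log review flags stay consistent.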

Defensive priority

Immediate

Recommended defensive actions

  • Update Siemens ROS# to v2.2.2 or later.
  • If patching is delayed, run file_server on a trusted network only.
  • Run file_server with appropriate user rights.
  • Use file_server only for its intended URDF-transfer task, not as a continuously running background service.
  • Use file_server only when manual file transfer is not possible.

Evidence notes

This debrief is based on CISA’s republished CSAF advisory ICSA-26-134-08 and Siemens ProductCERT advisory SSA-357982, both of which describe the same path traversal issue in Siemens ROS# before 2.2.2. The advisory references CWE-23 and a CVSS 3.1 vector of AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N. The vendor field in the intake data ("Cert Portal") is low-confidence and needs review; the advisory text itself supports Siemens ROS# as the affected product.

Official resources

Publicly disclosed by CISA on 2026-05-12 as ICSA-26-134-08 and modified/republished on 2026-05-14 to incorporate Siemens ProductCERT advisory SSA-357982.