PatchSiren cyber security CVE debrief
CVE-2025-26389 Siemens CVE debrief
CVE-2025-26389 is a critical Siemens OZW Web Servers vulnerability affecting OZW672 and OZW772. According to the CISA CSAF advisory and Siemens references, the web service does not sanitize input parameters for the `exportDiagramPage` endpoint, which can allow an unauthenticated remote attacker to execute arbitrary code with root privileges. Because the attack is network-based and requires no user interaction or authentication, this issue should be treated as urgent for exposed industrial environments.
- Vendor: Siemens
- Product: OZW672
- CVSS: CRITICAL 10
- CISA KEV: Not listed in stored evidence
- Original CVE published: 2025-05-13
- Original CVE updated: 2025-05-13
- Advisory published: 2025-05-13
- Advisory updated: 2025-05-13
Who should care
OT/ICS operators and security teams running Siemens OZW672 or OZW772, especially any environment where the web service is reachable from untrusted networks. System integrators, asset owners, and defenders responsible for patching or segmenting Siemens building or industrial control assets should prioritize this advisory.
Technical summary
The advisory describes an input-sanitization failure in the `exportDiagramPage` endpoint of the affected Siemens web services. The resulting impact is unauthenticated remote code execution with root privileges. The supplied CVSS vector is CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H: a network-reachable issue rated critical (10.0), with no privileges required, no user interaction needed, a changed scope, and high confidentiality, integrity, and availability impact.
Defensive priority
Immediate. This is a critical, network-reachable RCE affecting OT-facing web services, with no authentication required and full confidentiality, integrity, and availability impact stated in the advisory.
Recommended defensive actions
- Apply the vendor fix and update affected devices to V8.0 or later, as specified in the Siemens remediation guidance.
- Inventory Siemens OZW672 and OZW772 assets and confirm whether the affected web service is deployed or exposed.
- Restrict network access to the web interface and place affected devices behind appropriate segmentation and access controls.
- Review the Siemens and CISA advisory references for product-specific remediation guidance before maintenance windows.
- Validate remediation after patching by confirming the device reports the intended version and that the web service exposure is reduced.
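As an added example (not part of the advisory or of any Siemens material), the following Python triage helper applies the actions above to a constructed device inventory and constructed web-server access-log lines. The management network 10.10.0.0/24, the inventory record fields, the log format, and the assumption that the request path contains the endpoint name are all assumptions for this example.

```python
import ipaddress
import re

# Product scope and fixed version come from the advisory; the allowlist is assumed.
AFFECTED_MODELS = {"OZW672", "OZW772"}
FIXED_VERSION = (8, 0)                       # remediation: V8.0 or later
MGMT_NET = ipaddress.ip_network("10.10.0.0/24")

# Constructed inventory records (not real assets).
DEVICES = [
    {"name": "bldg-a-ozw", "model": "OZW672", "version": "V7.2", "web_exposed": True},
    {"name": "bldg-b-ozw", "model": "OZW772", "version": "V8.0", "web_exposed": False},
    {"name": "bldg-c-ozw", "model": "OZW772", "version": "V8.1", "web_exposed": True},
    {"name": "other-gw", "model": "OTHER", "version": "V1.0", "web_exposed": True},
]

# Constructed access-log lines in common log format; request path assumed to name the endpoint.
LOG_LINES = [
    '10.10.0.5 - - [13/May/2025:09:00:01 +0000] "GET /exportDiagramPage HTTP/1.1" 200 512',
    '198.51.100.23 - - [13/May/2025:09:00:07 +0000] "GET /exportDiagramPage HTTP/1.1" 200 512',
    '10.10.0.8 - - [13/May/2025:09:01:00 +0000] "GET /index.html HTTP/1.1" 200 1024',
]
LOG_RE = re.compile(r'^(\S+) \S+ \S+ \[[^\]]+\] "(GET|POST) (\S+)')

def parse_version(text):
    """'V7.2' -> (7, 2); tuples compare numerically, so V10 sorts above V8."""
    return tuple(int(p) for p in text.lstrip("Vv").split("."))

def at_risk(devices):
    """Affected devices that are still below V8.0 or still reachable from untrusted networks."""
    findings = []
    for dev in devices:
        if dev["model"] not in AFFECTED_MODELS:
            continue
        reasons = []
        if parse_version(dev["version"]) < FIXED_VERSION:
            reasons.append("unpatched")
        if dev["web_exposed"]:
            reasons.append("web exposed")
        if reasons:
            findings.append((dev["name"], reasons))
    return findings

def suspicious_requests(lines):
    """exportDiagramPage requests whose source address lies outside the management network."""
    hits = []
    for line in lines:
        m = LOG_RE.match(line)
        if m and "exportDiagramPage" in m.group(3):
            src = ipaddress.ip_address(m.group(1))
            if src not in MGMT_NET:
                hits.append((str(src), m.group(3)))
    return hits
```

A patched device that still exposes the web interface is reported too, since the advisory recommends segmentation in addition to the firmware update.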
Evidence notes
The debrief is based on the supplied CISA CSAF source item for ICSA-25-135-10 and the embedded Siemens references. The source explicitly states that unsanitized input parameters in `exportDiagramPage` can enable an unauthenticated remote attacker to execute arbitrary code with root privileges. Product scope, remediation version, and severity vector were taken from the provided corpus only.
Official resources
- CVE-2025-26389 CVE record (CVE.org)
- CVE-2025-26389 NVD detail (NVD)
- Source item URL (cisa_csaf)
Published by CISA and the source advisory on 2025-05-13. Use the advisory publication date, not the debrief generation date, for incident timing context.