CVE-2025-26390 Siemens CVE debrief

Who should care

Operators and administrators of Siemens OZW672 and OZW772 devices, OT/ICS security teams, and anyone responsible for monitoring or hardening Siemens web-facing control infrastructure.

Technical summary

The advisory describes SQL injection in the web service used to check authentication data on affected Siemens OZW devices. The impact is authentication bypass, allowing an unauthenticated remote attacker to obtain Administrator access. The supplied CVSS vector is CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H (9.8 Critical), indicating remote, low-complexity exploitation with high confidentiality, integrity, and availability impact. The affected product set in the supplied source data is Siemens OZW672 and OZW772, with remediation to update to V6.0 or later.

Defensive priority

Immediate

Recommended defensive actions

• Update Siemens OZW672 and OZW772 devices to V6.0 or later using the vendor remediation links in the advisory.
• Review exposure of the affected web service and restrict access to trusted management networks where feasible.
• Monitor for abnormal authentication activity or unexpected Administrator logins on affected devices.
• Apply CISA and ICS defense-in-depth guidance for segmentation, access control, and monitoring in OT environments.
• Validate that asset inventories include OZW672 and OZW772 so patching can be confirmed and tracked.

Evidence notes

This debrief is based only on the supplied CISA CSAF source item ICSA-25-135-10, its Siemens references, and the provided CVE metadata. The source text states the issue is SQL injection during authentication checking and that a remote unauthenticated attacker could bypass authentication and become Administrator. The supplied remediation is to update to V6.0 or later for both affected products. No KEV entry was provided in the enrichment data.

Official resources