PatchSiren cyber security CVE debrief

CVE-2026-25569 Siemens CVE debrief

CVE-2026-25569 is an out-of-bounds write vulnerability in Siemens SICAM SIAPP SDK. Siemens and CISA state that affected versions are earlier than V2.1.7, and the vendor remediation is to update to V2.1.7 or later. The advisory describes possible denial of service and arbitrary code execution, with a CVSS 3.1 base score of 7.4 (HIGH).

Vendor: Siemens
Product: SICAM SIAPP SDK
CVSS: HIGH 7.4
CISA KEV: Not listed in stored evidence
Original CVE published: 2026-03-10
Original CVE updated: 2026-03-17
Advisory published: 2026-03-10
Advisory updated: 2026-03-17

Who should care

Organizations that use Siemens SICAM SIAPP SDK, especially industrial control system teams, product integrators, and OT security operators responsible for components built with or deployed from affected SDK versions before 2.1.7.

Technical summary

The advisory identifies an out-of-bounds write in SICAM SIAPP SDK, mapped to CWE-787. The provided CVSS vector is CVSS:3.1/AV:L/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H: a local attack vector (AV:L) with high attack complexity (AC:H), requiring no privileges (PR:N) and no user interaction (UI:N), with high impact on confidentiality, integrity, and availability. Siemens lists the affected product/version range as vers:intdot/<2.1.7 and recommends updating to V2.1.7 or later.

Defensive priority

High for any environment using affected Siemens SICAM SIAPP SDK versions. Prioritize remediation because the flaw can impact confidentiality, integrity, and availability, and the vendor has a specific fixed version.

Recommended defensive actions

  • Inventory where Siemens SICAM SIAPP SDK is used and confirm whether any instance is earlier than V2.1.7.
  • Apply the vendor fix by updating to V2.1.7 or later.
  • If immediate updating is not possible, restrict access to affected systems and minimize local access to hosts running the SDK.
  • Review OT/ICS change windows and test the update in a controlled environment before broad deployment.
  • Monitor vendor and CISA advisory pages for any follow-up guidance or revision history changes.
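To support the inventory step above, the following added example (not from the advisory or from Siemens) evaluates reported SDK version strings against the advisory's range notation vers:intdot/<2.1.7. It assumes a single-constraint vers range in the intdot scheme and a constructed host inventory; the host names and versions are illustrative only.

```python
"""Check reported SICAM SIAPP SDK versions against 'vers:intdot/<2.1.7'.
Added example; the inventory below is constructed, not real data."""
import re

AFFECTED_RANGE = "vers:intdot/<2.1.7"  # range as stated in the advisory


def parse_version(text: str) -> tuple[int, ...]:
    """Turn 'V2.1.7' or '2.1.7' into a tuple of ints (intdot scheme)."""
    m = re.fullmatch(r"[Vv]?(\d+(?:\.\d+)*)", text.strip())
    if not m:
        raise ValueError(f"not an intdot version: {text!r}")
    return tuple(int(p) for p in m.group(1).split("."))


def parse_vers(range_text: str) -> tuple[str, tuple[int, ...]]:
    """Parse a single-constraint 'vers:intdot/<op><version>' range into (op, version)."""
    prefix = "vers:intdot/"
    if not range_text.startswith(prefix):
        raise ValueError("only the intdot versioning scheme is handled here")
    m = re.fullmatch(r"(<=|>=|!=|<|>|=)?(.+)", range_text[len(prefix):].strip())
    return (m.group(1) or "="), parse_version(m.group(2))


def is_affected(installed: str, range_text: str = AFFECTED_RANGE) -> bool:
    """True when the installed version satisfies the range constraint."""
    op, bound = parse_vers(range_text)
    v = parse_version(installed)
    # Pad to equal length so '2.1' compares as '2.1.0' against '2.1.7'.
    n = max(len(v), len(bound))
    v, bound = v + (0,) * (n - len(v)), bound + (0,) * (n - len(bound))
    return {"<": v < bound, "<=": v <= bound, ">": v > bound,
            ">=": v >= bound, "=": v == bound, "!=": v != bound}[op]


def triage(inventory: dict[str, str]) -> list[str]:
    """Return host names whose reported SDK version falls inside the affected range."""
    return sorted(host for host, ver in inventory.items() if is_affected(ver))


# Constructed inventory (host -> reported SDK version); hypothetical values.
SAMPLE_INVENTORY = {"rtu-build-01": "V2.1.6", "rtu-build-02": "2.1.7",
                    "lab-01": "V2.0", "lab-02": "V2.1.10"}

if __name__ == "__main__":
    for host in triage(SAMPLE_INVENTORY):
        print(f"{host}: affected, update to V2.1.7 or later")
```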

Evidence notes

This debrief is based on the CISA-republished Siemens ProductCERT advisory ICSA-26-076-04 / SSA-903736 for CVE-2026-25569. The source text explicitly states an out-of-bounds write in SICAM SIAPP SDK, affected product version vers:intdot/<2.1.7, and remediation to update to V2.1.7 or later. The advisory was published on 2026-03-10 and republished by CISA on 2026-03-17.

Official resources

Publicly disclosed in Siemens ProductCERT advisory SSA-903736 and republished by CISA as ICSA-26-076-04 on 2026-03-10, with a CISA republication revision on 2026-03-17.