PatchSiren

PatchSiren cyber security CVE debrief

CVE-2026-25570 Siemens CVE debrief

Siemens SICAM SIAPP SDK contains a stack overflow condition caused by missing checks on input values. According to the public advisory, the issue can lead to code execution or denial of service. Siemens recommends updating to V2.1.7 or later, and the advisory was republished by CISA as ICSA-26-076-04.

Vendor: Siemens
Product: SICAM SIAPP SDK
CVSS: HIGH 7.4
CISA KEV: Not listed in stored evidence
Original CVE published: 2026-03-10
Original CVE updated: 2026-03-17
Advisory published: 2026-03-10
Advisory updated: 2026-03-17

Who should care

Siemens customers, system integrators, and developers who use or embed the SICAM SIAPP SDK in industrial or control-system software should prioritize this issue.

Technical summary

The advisory scope identifies Siemens SICAM SIAPP SDK versions before V2.1.7 as affected (vers:intdot/<2.1.7). The flaw is described as missing input validation that can result in a stack overflow, with the supplied reference to CWE-121 (stack-based buffer overflow). CISA lists CVSS v3.1 as AV:L/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H: full confidentiality, integrity and availability impact if an attacker can reach the vulnerable code path, tempered by the requirement for local access and the high attack complexity.

Defensive priority

High. Patch any affected deployments promptly, especially where the SDK is incorporated into operational or safety-critical software. Inventory downstream products that bundle the SDK and move them to V2.1.7 or later.

Recommended defensive actions

  • Identify all products, builds, and devices that include Siemens SICAM SIAPP SDK and confirm whether they are below V2.1.7.
  • Apply the vendor fix and update to V2.1.7 or later, then rebuild and redeploy any software that embeds the SDK.
  • Validate exposure against Siemens ProductCERT SSA-903736 and CISA ICSA-26-076-04, including any downstream packages or OEM integrations.
  • Use industrial-control-system defense-in-depth practices and increase monitoring on systems that cannot be patched immediately.
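The first two actions above amount to comparing every inventoried SDK version against the advisory's affected range, vers:intdot/<2.1.7. The following is an added example of that check, not code from Siemens, CISA or PatchSiren; the inventory rows are constructed, and the `parse_vers_range`, `is_affected` and `triage` names are assumptions. It handles the simple single-operator form used by this advisory (and AND-ed operators of the same form), not the full interval semantics of the vers specification.

```python
import re
from itertools import zip_longest

# Affected range exactly as given in the CISA CSAF item for ICSA-26-076-04
AFFECTED_RANGE = "vers:intdot/<2.1.7"
FIXED_VERSION = "V2.1.7"

# Constructed sample inventory: product builds and the SDK version they embed
INVENTORY = [
    {"build": "substation-gw-fw", "sdk": "V2.1.6"},
    {"build": "rtu-adapter", "sdk": "2.0.12"},
    {"build": "hmi-bridge", "sdk": "V2.1.7"},
    {"build": "test-harness", "sdk": "2.1.10"},
]


def parse_version(v):
    """'V2.1.6' / '2.1.6' -> (2, 1, 6); rejects anything that is not dotted integers."""
    v = v.strip()
    if v[:1] in ("V", "v"):
        v = v[1:]
    if not re.fullmatch(r"\d+(\.\d+)*", v):
        raise ValueError("not an intdot version: %r" % v)
    return tuple(int(x) for x in v.split("."))


def compare(a, b):
    """Numeric, component-wise comparison; missing trailing components count as 0."""
    for x, y in zip_longest(a, b, fillvalue=0):
        if x != y:
            return -1 if x < y else 1
    return 0


def parse_vers_range(spec):
    """'vers:intdot/<2.1.7' -> [('<', (2, 1, 7))]; constraints separated by '|'."""
    m = re.fullmatch(r"vers:([A-Za-z0-9.+-]+)/(.+)", spec.strip())
    if not m:
        raise ValueError("not a vers range: %r" % spec)
    scheme, body = m.groups()
    if scheme != "intdot":
        raise ValueError("unsupported versioning scheme: %r" % scheme)
    constraints = []
    for c in body.split("|"):
        cm = re.fullmatch(r"(>=|<=|!=|>|<|=)?\s*(\S+)", c.strip())
        if not cm:
            raise ValueError("bad constraint: %r" % c)
        op, ver = cm.groups()
        constraints.append((op or "=", parse_version(ver)))
    return constraints


OPS = {
    "<": lambda c: c < 0,
    "<=": lambda c: c <= 0,
    ">": lambda c: c > 0,
    ">=": lambda c: c >= 0,
    "=": lambda c: c == 0,
    "!=": lambda c: c != 0,
}


def is_affected(version, spec=AFFECTED_RANGE):
    """True when the version satisfies every constraint of the affected range."""
    v = parse_version(version)
    return all(OPS[op](compare(v, bound)) for op, bound in parse_vers_range(spec))


def triage(inventory, spec=AFFECTED_RANGE):
    """Return the builds that still embed an affected SDK, with the fix target."""
    return [
        {"build": row["build"], "sdk": row["sdk"], "update_to": FIXED_VERSION}
        for row in inventory
        if is_affected(row["sdk"], spec)
    ]


if __name__ == "__main__":
    for hit in triage(INVENTORY):
        print("%-20s %-8s -> %s" % (hit["build"], hit["sdk"], hit["update_to"]))
```

Note that the comparison is numeric per component, so 2.1.10 is correctly treated as newer than 2.1.7; a plain string comparison would flag it as affected.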

Evidence notes

The supplied CISA CSAF source item for ICSA-26-076-04 names Siemens SICAM SIAPP SDK vers:intdot/<2.1.7 as the affected product, states that unchecked input values can cause a stack overflow, and says this may enable code execution and denial of service. The same source item includes the remediation to update to V2.1.7 or later and provides CVSS v3.1 AV:L/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H. The source metadata also records that CISA republished Siemens ProductCERT advisory SSA-903736 on 2026-03-17 after the initial publication date of 2026-03-10.

Official resources

Publicly disclosed through Siemens ProductCERT advisory SSA-903736 and CISA advisory ICSA-26-076-04 on 2026-03-10, with a CISA republication update on 2026-03-17.