PatchSiren cyber security CVE debrief

CVE-2026-25573 Siemens CVE debrief

CVE-2026-25573 affects Siemens SICAM SIAPP SDK versions prior to V2.1.7. According to the CISA-republished Siemens advisory, the application builds shell commands from caller-provided strings and then executes them, which can let an attacker influence the command being run. Siemens and CISA describe the result as a command injection issue with potential for full system compromise. The advisory was published on 2026-03-10 and republished by CISA on 2026-03-17.

Vendor: Siemens
Product: SICAM SIAPP SDK
CVSS: 7.4 (HIGH)
CISA KEV: Not listed in stored evidence
Original CVE published: 2026-03-10
Original CVE updated: 2026-03-17
Advisory published: 2026-03-10
Advisory updated: 2026-03-17

Who should care

Organizations using Siemens SICAM SIAPP SDK, especially product teams embedding the SDK, industrial/OT operators, and security teams responsible for patching or validating Siemens-based applications and appliances.

Technical summary

The advisory identifies unsafe shell-command construction in Siemens SICAM SIAPP SDK. A caller-controlled string can influence the executed command, making command injection possible. The supplied CVSS vector is CVSS:3.1/AV:L/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H, which CISA lists as HIGH severity. Siemens' remediation is to update to V2.1.7 or later. No KEV listing was provided in the source corpus.

Defensive priority

High

Recommended defensive actions

  • Update Siemens SICAM SIAPP SDK to V2.1.7 or later.
  • Inventory products and integrations that include or depend on the affected SDK.
  • Review any code paths that pass caller-controlled data into shell or command execution routines.
  • Apply least-privilege and defense-in-depth controls to limit blast radius if command execution is abused.
  • Use CISA ICS recommended practices and vendor guidance to harden affected deployments.
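As an added illustration for the code review point above (this is not Siemens' or the SDK's code, and the tool path and argument names are hypothetical), the following shows the unsafe pattern the advisory describes, a shell command assembled from a caller-supplied string, beside a hardened version that validates the argument against an allowlist and invokes the program directly without a shell:

```c
/* Added example, not code from the Siemens SICAM SIAPP SDK. */
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <ctype.h>
#include <unistd.h>
#include <sys/wait.h>

/* Unsafe pattern: the caller-provided string is pasted into a command line
 * that /bin/sh parses, so shell metacharacters in 'name' become syntax. */
int run_unsafe(const char *name) {
    char cmd[256];
    snprintf(cmd, sizeof cmd, "/usr/bin/tool --name %s", name);  /* hypothetical tool */
    return system(cmd);                 /* runs via /bin/sh -c */
}

/* Allowlist check: accept only characters a legitimate identifier needs.
 * Returns 1 if the argument is acceptable, 0 otherwise. */
int is_safe_arg(const char *s) {
    if (s == NULL || *s == '\0' || strlen(s) > 64) return 0;
    for (; *s; s++)
        if (!isalnum((unsigned char)*s) && *s != '_' && *s != '-' && *s != '.')
            return 0;
    return 1;
}

/* Hardened pattern: validate first, then exec the fixed program path with an
 * argv vector. No shell is involved, so the argument is data, never syntax.
 * Returns the child's exit status, or -1 if the argument was rejected or the
 * child could not be started. */
int run_safe(const char *name) {
    if (!is_safe_arg(name)) return -1;
    pid_t pid = fork();
    if (pid < 0) return -1;
    if (pid == 0) {
        char *const argv[] = {"/usr/bin/tool", "--name", (char *)name, NULL};
        execv(argv[0], argv);
        _exit(127);                     /* exec failed in the child */
    }
    int status;
    if (waitpid(pid, &status, 0) < 0) return -1;
    return WIFEXITED(status) ? WEXITSTATUS(status) : -1;
}

int main(void) {
    printf("%d\n", is_safe_arg("sensor-01"));  /* 1: accepted */
    printf("%d\n", run_safe("sensor;01"));     /* -1: rejected, nothing executed */
    return 0;
}
```

Reviewing for calls such as system() and popen() that receive formatted strings, and replacing them with the validate-then-exec shape, is the concrete form of the code-path review recommended above.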

Evidence notes

Primary evidence comes from CISA's CSAF advisory ICSA-26-076-04, which republishes Siemens ProductCERT advisory SSA-903736. The source text states that the affected application builds shell commands with caller-provided strings and executes them, enabling command injection and possible full system compromise. The affected product/version is Siemens SICAM SIAPP SDK versions prior to 2.1.7, and the remediation is to update to V2.1.7 or later. The provided CVSS vector is CVSS:3.1/AV:L/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H. No Known Exploited Vulnerabilities entry was included in the corpus.

Official resources

Public advisory published 2026-03-10; CISA republished Siemens ProductCERT advisory content on 2026-03-17. No KEV listing was provided in the supplied corpus.