PatchSiren cyber security CVE debrief

CVE-2026-6899 Systerel CVE debrief

CVE-2026-6899 is a MEDIUM severity vulnerability in the CycloneCrypto cryptographic wrapper of the S2OPC library. The issue is that the check for certificate revocation only considers the first matching Certificate Revocation List (CRL) and ignores other valid CRLs of the same Certificate Authority (CA). This could potentially allow a connection between an OPC UA client and server using a revoked certificate. The Common Vulnerability Scoring System (CVSS) score for this vulnerability is 5.6. The vulnerability was published on [cvePublishedAt] and last modified on [cveModifiedAt].

Vendor: Systerel
Product: S2OPC
CVSS: MEDIUM 5.6
CISA KEV: Not listed in stored evidence
Original CVE published: 2026-06-09
Original CVE updated: 2026-06-09
Advisory published: 2026-06-09
Advisory updated: 2026-06-09

Who should care

Users of the S2OPC library, particularly those who rely on certificate revocation checks for secure OPC UA connections, should be aware of this issue. Developers and administrators should review their configurations and consider updating to a version of the library that addresses this vulnerability.

Technical summary

The CycloneCrypto cryptographic wrapper in the S2OPC library has an incomplete certificate revocation check. Specifically, it only considers the first matching CRL and ignores other valid CRLs for the same CA. This could allow connections using revoked certificates.

Defensive priority

MEDIUM

Recommended defensive actions

Review and update S2OPC library configurations to ensure proper certificate revocation checks.
Consider implementing additional security measures for OPC UA connections.

Evidence notes

Evidence for this CVE comes from the official CVE record and the National Vulnerability Database (NVD).

Official resources

CVE-2026-6899 was published on 2026-06-09T09:16:30.737Z and last modified on 2026-06-09T15:25:56.860Z.