CVE-2025-27127
BaseFortify
Publication date: 2025-07-08
Last updated on: 2025-08-12
Assigner: Siemens AG
Description
Meta Information
Affected Vendors & Products
| Vendor | Product | Version / Range |
|---|---|---|
| siemens | tia_portal | * |
| siemens | tia_project-server | * |
Exploitability
| CWE ID | Description |
|---|---|
| CWE-434 | The product allows the upload or transfer of dangerous file types that are automatically processed within its environment. |
AI Powered Q&A
Can you explain this vulnerability to me?
This vulnerability affects Siemens TIA Project-Server and TIA Portal products by improperly handling uploaded projects in the document root. An attacker with contributor privileges can exploit this by uploading a malicious project, which can cause a denial of service (DoS) condition. It is classified under CWE-434, meaning it involves unrestricted upload of files with dangerous types. [1]
How can this vulnerability impact me?
The vulnerability can impact you by allowing an attacker with contributor privileges to cause a denial of service, disrupting the availability of the affected Siemens automation software. This could interrupt multi-user collaboration and digital automation processes, potentially affecting operational continuity. [1]
What immediate steps should I take to mitigate this vulnerability?
To mitigate this vulnerability, update affected Siemens TIA Project-Server products to version V2.1.1 or later, and TIA Portal V20 to Update 3 or later. For TIA Project-Server V17 and TIA Portal versions V17, V18, and V19, where no fixes are available, apply Siemens' recommended security countermeasures, including protecting network access with appropriate mechanisms and configuring the operational environment according to Siemens' Industrial Security guidelines. [1]