CVE-2026-25573
Command Injection in SICAM SIAPP SDK Allows Full System Compromise

Publication date: 2026-03-10

Last updated on: 2026-03-12

Assigner: Siemens AG

Description
A vulnerability has been identified in SICAM SIAPP SDK (All versions < V2.1.7). The affected application builds shell commands with caller-provided strings and executes them. An attacker could influence the executed command, potentially resulting in command injection and full system compromise.
Meta Information
Published: 2026-03-10
Last Modified: 2026-03-12
Generated: 2026-06-16
AI Q&A: 2026-03-10
EPSS Evaluated: 2026-06-15
Affected Vendors & Products
Vendor | Product | Version / Range
siemens | sicam_siapp_sdk | to 2.17 (exc)
CWE
CWE ID | Description
CWE-73 | The product allows user input to control or influence paths or file names that are used in filesystem operations.
Executive Summary

This vulnerability exists in the SICAM SIAPP SDK versions earlier than 2.1.7. The affected application constructs shell commands using strings provided by the caller and then executes these commands. Because the input is not properly sanitized, an attacker can manipulate the command being executed, leading to command injection.

This command injection vulnerability (CWE-73) allows an attacker to execute arbitrary commands on the system, potentially resulting in full system compromise.

Impact Analysis

Exploitation of this vulnerability can lead to an attacker executing arbitrary commands on the affected system, which may result in full system compromise.

This could allow unauthorized access, control over the system, data corruption, denial of service, or other malicious activities depending on the attacker's intent. [1]

Mitigation Strategies

To mitigate the command injection vulnerability in SICAM SIAPP SDK versions earlier than 2.1.7, it is recommended to update the SDK to version 2.1.7 or later.

Additional mitigation steps include applying Siemens’ security updates using the recommended tooling and procedures, validating updates prior to deployment, and protecting network access through firewalls, network segmentation, and VPNs.

Operators of critical power systems should ensure multi-level redundant secondary protection schemes are in place to minimize cyber incident risks.
