CVE-2026-54800
Received Received - Intake

OPC UA Security Bypass in CPCI85 and SICORE Base

Vulnerability report for CVE-2026-54800, including description, CVSS score, EPSS score, affected products, exploitability, helpful resources, and attack-flow context.

Publication date: 2026-07-09

Last updated on: 2026-07-09

Assigner: Siemens AG

Description

A vulnerability has been identified in CPCI85 Central Processing/Communication (All versions < V26.20), SICORE Base system (All versions < V26.20.0). The affected application ships with a default configuration that disables all OPC UA security mechanisms. This could allow an attacker to gain unauthorized access and control over critical system functions.

CVSS Scores

EPSS Scores

Probability:
Percentile:

Meta Information

Published
2026-07-09
Last Modified
2026-07-09
Generated
2026-07-09
AI Q&A
2026-07-09
EPSS Evaluated
N/A
NVD
EUVD

Affected Vendors & Products

Showing 2 associated CPEs
Vendor Product Version / Range
siemens cpci85 to 26.20 (exc)
siemens sicore_base_system to 26.20.0 (exc)

Helpful Resources

Exploitability

CWE
CWE Icon
KEV
KEV Icon
CWE ID Description
CWE-1188 The product initializes or sets a resource with a default that is intended to be changed by the product's installer, administrator, or maintainer, but the default is not secure.

Attack-Flow Graph

AI Quick Actions

Instant insights powered by AI
Executive Summary

This vulnerability exists in the CPCI85 Central Processing/Communication and SICORE Base system products from Siemens, specifically in all versions before V26.20 and V26.20.0 respectively.

The affected applications ship with a default configuration that disables all OPC UA security mechanisms.

Because of this, an attacker could exploit the lack of security to gain unauthorized access and control over critical system functions.

Impact Analysis

The vulnerability could allow an attacker to gain unauthorized access and control over critical system functions.

This unauthorized control could lead to disruption of operations, manipulation of system behavior, or compromise of sensitive processes managed by the affected systems.

Compliance Impact

The vulnerability involves a default configuration that disables all OPC UA security mechanisms, potentially allowing unauthorized access and control over critical system functions. This lack of security controls could lead to non-compliance with standards and regulations that require protection of sensitive data and critical infrastructure, such as GDPR and HIPAA.

Siemens recommends updating to the latest versions and implementing security best practices like network segmentation and access protection to mitigate risks. Failure to address these vulnerabilities could increase the risk of unauthorized access, which may result in violations of regulatory requirements related to data protection and system integrity.

Mitigation Strategies

To mitigate this vulnerability, Siemens recommends updating affected systems to version V26.20 or later.

Additionally, general security measures should be applied, including protecting network access with firewalls and network segmentation.

It is also advised to validate updates before deployment and ensure that trained staff supervise the update process.

Operators of critical power systems should implement resilient protection measures to minimize cyber risks.

Chat Assistant

Ask questions about this CVE
Hi! I’m here to help you understand CVE-2026-54800. Ask me anything about the vulnerability, its impact, or mitigation strategies.
0/70

EPSS Chart