CVE-2026-54801
Received Received - Intake

Authentication Bypass in CPCI85 Central Processing System

Vulnerability report for CVE-2026-54801, including description, CVSS score, EPSS score, affected products, exploitability, helpful resources, and attack-flow context.

Publication date: 2026-07-09

Last updated on: 2026-07-09

Assigner: Siemens AG

Description

A vulnerability has been identified in CPCI85 Central Processing/Communication (All versions < V26.20), SICORE Base system (All versions < V26.20.0). The affected application contains insufficient validation of authentication credentials when processing administrative account modifications through the web API. This could allow an authenticated attacker to bypass security controls and gain unauthorized elevated privileges.

CVSS Scores

EPSS Scores

Probability:
Percentile:

Meta Information

Published
2026-07-09
Last Modified
2026-07-09
Generated
2026-07-09
AI Q&A
2026-07-09
EPSS Evaluated
N/A
NVD
EUVD

Affected Vendors & Products

Showing 5 associated CPEs
Vendor Product Version / Range
siemens cpci85 to 26.20 (exc)
siemens sicore to 26.20.0 (exc)
siemens sicam_a8000 to 26.20 (exc)
siemens sicam_egs to 26.20 (exc)
siemens sicam_s8000 to 26.20 (exc)

Helpful Resources

Exploitability

CWE
CWE Icon
KEV
KEV Icon
CWE ID Description
CWE-620 When setting a new password for a user, the product does not require knowledge of the original password, or using another form of authentication.

Attack-Flow Graph

AI Quick Actions

Instant insights powered by AI
Compliance Impact

The provided information does not explicitly mention the impact of this vulnerability on compliance with common standards and regulations such as GDPR or HIPAA.

Executive Summary

This vulnerability exists in Siemens CPCI85 Central Processing/Communication and SICORE Base system versions prior to V26.20. It involves insufficient validation of authentication credentials when processing administrative account modifications through the web API.

Because of this flaw, an authenticated attacker could bypass security controls and gain unauthorized elevated privileges, potentially allowing them to perform administrative actions they should not be able to.

Impact Analysis

The vulnerability can allow an attacker who already has some level of authentication to bypass security controls and escalate their privileges to administrative levels.

This could lead to unauthorized administrative modifications, potentially compromising the security and integrity of the affected systems.

For operators of critical power systems and other sensitive environments, this could increase the risk of cyber attacks, service disruption, or unauthorized control.

Mitigation Strategies

To mitigate this vulnerability, Siemens recommends updating affected systems to version V26.20 or later.

Additionally, general security measures should be applied, including protecting network access with firewalls and network segmentation.

It is also advised to validate updates before deployment and ensure that trained staff supervise the update process.

Operators of critical power systems should implement resilient protection measures to minimize cyber risks.

Chat Assistant

Ask questions about this CVE
Hi! I’m here to help you understand CVE-2026-54801. Ask me anything about the vulnerability, its impact, or mitigation strategies.
0/70

EPSS Chart