CVE-2025-26389 — Vulnetix

CVE-2025-26389 PUBLISHED CVSS 10 CRITICAL

A vulnerability has been identified in OZW672 (All versions < V8.0), OZW772 (All versions < V8.0). The web service in affected devices does not sanitize the input parameters required for the `exportDiagramPage` endpoint. This could allow an unauthenticated remote attacker to execute arbitrary code with root privileges.

EPSS 1.11% · 78.4th percentile

Risk Scores

CVSS v3.1

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H

EPSS Score

1.11%

78.4th percentile

Affected Products

Vendor	Product	Versions
siemens	ozw772_firmware	0
siemens	ozw672_firmware	0
Siemens	OZW772	0
Siemens	OZW672	0

Timeline

May 13, 2025 EPSS Score
May 13, 2025 CVE Published
May 15, 2025 PoC Published
May 24, 2025 EPSS Score
May 31, 2025 Coalition ESS Score
Jun 5, 2025 EPSS Score
Jun 16, 2025 EPSS Score
Jun 28, 2025 EPSS Score
Jul 9, 2025 EPSS Score
Jul 20, 2025 EPSS Score
Aug 1, 2025 EPSS Score
Aug 12, 2025 EPSS Score

References

https://cert-portal.siemens.com/productcert/html/ssa-047424.html url
https://nvd.nist.gov/vuln/detail/CVE-2025-26389 advisory

Open in Interactive Console →