VDB
ICSA-26-015-08
ICSA-26-015-08
PUBLISHED
CVSS 10 CRITICAL
Siemens Industrial Edge Devices contain an authorization bypass vulnerability that could facilitate an unauthenticated remote attacker to circumvent authentication and impersonate a legitimate user. Siemens has released new versions for several affected products and recommends to update to the latest versions. Siemens is preparing further fix versions and recommends specific countermeasures for products where fixes are not, or not yet available.
Risk Scores
CVSS 3.1
10
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H
Affected Products
| Vendor | Product | Versions |
|---|---|---|
| SIMATIC HMI MTP1000 Unified Comfort Panel hygienic neutral design (6AV2128-3KB70-0AX0) | ||
| SIMATIC HMI MTP1000 Unified Comfort Panel hygienic (6AV2128-3KB40-0AX0) | ||
| Industrial Edge Own Device (IEOD) | ||
| SIMATIC HMI MTP1200 Unified Comfort Panel hygienic (6AV2128-3MB40-0AX0) | ||
| SIMATIC HMI MTP1200 Comfort Pro neutral design for stand (expandable, flange at the bottom) (6AV2128-3MB57-1BX0) | ||
| SIMATIC HMI MTP1200 Comfort Pro neutral design for support arm (expandable, round tube) and extensio (6AV2128-3MB57-0BX0) | ||
| SIMATIC Automation Workstation 19" (6AV7256-6CA01-0FP0) | ||
| SCALANCE LPE9433 (6GK5998-3GS11-2AC2) | ||
| SIMATIC HMI MTP1200 Comfort Pro neutral design for support arm (not extendable, flange on top) (6AV2128-3MB57-0AX0) | ||
| SIMATIC HMI MTP1000 Unified Comfort Panel (6AV2128-3KB06-0AX1) | ||
| SCALANCE LPE9413 (6GK5998-3GS01-2AC2) | ||
| Industrial Edge Cloud Device (IECD) | ||
| SIMATIC HMI MTP1200 Unified Comfort Panel (6AV2128-3MB06-0AX1) | ||
| SIMATIC HMI MTP1000, Unified Comfort Panel neutral (6AV2128-3KB36-0AX1) | ||
| Industrial Edge Virtual Device (IEVD) | ||
| SIMATIC HMI MTP1200 Comfort Pro for support arm (expandable, round tube) and extension unit (6AV2128-3MB27-0BX0) | ||
| SIMATIC HMI MTP1200 Comfort Pro for stand (expandable, flange at the bottom) (6AV2128-3MB27-1BX0) | ||
| SIMATIC HMI MTP1200 Unified Comfort Panel hygienic neutral design (6AV2128-3MB70-0AX0) | ||
| SIMATIC Automation Workstation 24" (6AV7256-6CA00-0FP0) | ||
| SIMATIC HMI MTP1200 Comfort Pro for support arm (not extendable, flange on top) (6AV2128-3MB27-0AX0) |
Timeline
- Jan 13, 2026 CVE Published
- Jan 14, 2026 CVE Updated
References
- https://cert-portal.siemens.com/productcert/csaf/ssa-001536.json advisory
- https://cert-portal.siemens.com/productcert/html/ssa-001536.html advisory
- https://raw.githubusercontent.com/cisagov/CSAF/develop/csaf_files/OT/white/2026/icsa-26-015-08.json advisory
- https://www.cisa.gov/news-events/ics-advisories/icsa-26-015-08 advisory
- https://www.cisa.gov/news-events/ics-alerts/ics-alert-10-301-01 url
- https://www.cisa.gov/resources-tools/resources/ics-recommended-practices url
- https://www.cisa.gov/topics/industrial-control-systems url
- https://www.cisa.gov/sites/default/files/recommended_practices/NCCIC_ICS-CERT_Defense_in_Depth_2016_S508C.pdf url
- https://www.cisa.gov/sites/default/files/publications/Cybersecurity_Best_Practices_for_Industrial_Control_Systems.pdf url
- https://www.cisa.gov/news-events/news/targeted-cyber-intrusion-detection-and-mitigation-strategies-update-b url
- https://docs.industrial-operations-x.siemens.cloud/r/en-us/v1.24.2/industrial-edge-own-device/release-notes fix
- https://docs.industrial-operations-x.siemens.cloud/r/en-us/v1.24.2/industrial-edge-virtual/cloud-device/release-notes fix
- https://docs.industrial-operations-x.siemens.cloud/r/en-us/v1.25/one-db-simatic-iot2050-industrial-edge-device/all-release-notes/release-notes-v1.25 fix
- https://docs.eu1.edge.siemens.cloud/release_notes/device_release_notes/LPE9413.html fix
- https://docs.eu1.edge.siemens.cloud/release_notes/device_release_notes/SCALANCELPE9433Integrated.html fix
- https://support.industry.siemens.com/cs/ww/en/view/109825605/ fix
- https://docs.industrial-operations-x.siemens.cloud/r/en-us/v3.1/simatic-ipc-ied-os/release-notes fix