CVE-2025-26389

Severity: Critical (RCE)

Published: 13 May 2025
Modified: 06 October 2025
KEV Added: not listed
Patch: see Siemens advisory SSA-047424 (V8.0 and later are outside the affected range)
CVSS v4.0 base score: 10.0 (Critical), vector CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:H/SI:H/SA:H (threat and environmental metrics not defined)
EPSS score: 0.0111 (78.5th percentile)
Risk priority: 21 (weighted 60% EPSS, 20% KEV, 20% CVSS)

Summary

CVE-2025-26389 is a critical-severity OS command injection (CWE-78) vulnerability in the web service of Siemens OZW672 and OZW772 firmware. Its CVSS v4.0 base score is 10.0 (Critical).

Operationally, it ranks in the top 21.5% of CVEs by EPSS exploit likelihood (78.5th percentile); it is not currently listed in the CISA KEV catalog.

Deeper analysis

The vulnerability affects the web service in Siemens OZW672 and OZW772 devices running any version prior to V8.0. The input parameters of the exportDiagramPage endpoint are not sanitized before use, which allows OS command injection (CWE-78); the flaw carries the maximum CVSS v4.0 base score of 10.0.

A remote attacker can exploit the flaw over the network with no authentication and no user interaction (AV:N/AC:L/AT:N/PR:N/UI:N) and execute arbitrary code as root on the device. The vector rates confidentiality, integrity and availability impact as high on both the vulnerable system and subsequent systems (VC:H/VI:H/VA:H, SC:H/SI:H/SA:H), i.e. full compromise of the device with high-rated impact on the systems it connects to.

Siemens ProductCERT advisory SSA-047424 (https://cert-portal.siemens.com/productcert/html/ssa-047424.html) covers mitigation steps and patch availability for the affected products. The EPSS score is stable at 0.0111, a low absolute probability of exploitation activity in the next 30 days, though higher than most CVEs (78.5th percentile), with no material increase observed.
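For a defender who cannot patch immediately, the most useful thing the advisory text gives is the endpoint name. The following scanner is an added example, not part of this page and not Siemens code: it triages web access logs for requests to the exportDiagramPage endpoint whose decoded query values carry POSIX shell metacharacters, the generic signature of CWE-78 probing. The log format (a constructed combined-format log), the request path and the parameter name `page` are assumptions; the device's real URL layout and parameter names are not given on this page.

```python
"""Access-log triage for command-injection probes against a web endpoint.

Added example, not part of the page and not Siemens code. The page says the
exportDiagramPage endpoint passes unsanitised request parameters into an OS
command; this scanner flags requests to that endpoint whose decoded query
values carry POSIX shell metacharacters. Assumptions: a combined-format
access log (constructed below) and that the endpoint name appears in the
request path; the device's real URL layout and parameter names are not on
the page.
"""
import re
from urllib.parse import parse_qsl, unquote, urlsplit

ENDPOINT_MARKER = "exportDiagramPage"

# Characters that let one parameter value become a second command, a pipe,
# a redirection or a command substitution once it reaches a shell.
SHELL_META = re.compile(r"[;&|`$<>\n]")

# Combined log format: ip ident user [ts] "METHOD target PROTO" status size
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+) [^"]*" (?P<status>\d{3})'
)


def suspicious_params(target: str) -> list[tuple[str, str]]:
    """Return (name, decoded value) for every query parameter in the request
    target whose value contains a shell metacharacter."""
    query = urlsplit(target).query
    hits = []
    for name, value in parse_qsl(query, keep_blank_values=True):
        decoded = unquote(value)  # second decode catches double-encoded (%25xx) values
        if SHELL_META.search(decoded):
            hits.append((name, decoded))
    return hits


def scan(lines: list[str]) -> list[dict]:
    """Parse each log line and report requests to the endpoint that carry
    suspicious parameters. Lines that do not parse are skipped, not trusted."""
    findings = []
    for line in lines:
        m = LOG_RE.match(line)
        if not m or ENDPOINT_MARKER not in m.group("target"):
            continue
        hits = suspicious_params(m.group("target"))
        if hits:
            findings.append({
                "ip": m.group("ip"),
                "ts": m.group("ts"),
                "status": m.group("status"),
                "params": hits,
            })
    return findings


# Constructed sample log: one benign export, two probes (a ';' separator and
# a backtick substitution in the hypothetical 'page' parameter), and one
# unrelated request that must not be flagged.
SAMPLE_LOG = [
    '10.0.0.5 - - [14/May/2025:08:12:01 +0000] "GET /exportDiagramPage?page=boiler&format=pdf HTTP/1.1" 200 5120',
    '10.0.0.9 - - [14/May/2025:08:13:44 +0000] "GET /exportDiagramPage?page=boiler%3Bid HTTP/1.1" 200 311',
    '10.0.0.9 - - [14/May/2025:08:13:50 +0000] "GET /exportDiagramPage?page=%60id%60 HTTP/1.1" 500 0',
    '10.0.0.12 - - [14/May/2025:08:15:02 +0000] "GET /index.html?q=a%3Bb HTTP/1.1" 200 900',
]

if __name__ == "__main__":
    for f in scan(SAMPLE_LOG):
        print(f"{f['ts']} {f['ip']} status={f['status']} params={f['params']}")
```

The metacharacter list is deliberately narrow (separators, pipes, redirections, backtick and `$`), so it will miss payloads that abuse the invoked helper's own option parsing; treat a hit as a triage lead to pull the full request from the device, not as proof of compromise.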

Vulnerability details

A vulnerability has been identified in OZW672 (All versions < V8.0), OZW772 (All versions < V8.0). The web service in affected devices does not sanitize the input parameters required for the `exportDiagramPage` endpoint. This could allow an unauthenticated remote attacker to execute arbitrary code with root privileges.

CWE(s)

CWE-78: Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection')
Related Threats

No named actor attribution yet. ATT&CK technique mapping in progress for this CVE.

Affected Assets

siemens / ozw672 firmware / all versions < 8.0
siemens / ozw772 firmware / all versions < 8.0

Mitigating Controls

Per-CVE control mapping for this CVE has not run yet; the controls below are derived from the weakness type (CWE-78) cited in the NVD entry, so they are generic to OS command injection rather than specific to the OZW devices.

addresses: CWE-78. Platform-independent apps typically execute inside a managed runtime or sandbox that restricts direct OS command execution, reducing the ability to exploit OS command injection. This control does not apply here: the OZW web service executes commands as root on the device firmware, and the only control that removes the flaw is the vendor update (V8.0 and later are outside the affected range).

addresses: CWE-78. Validate request parameters against an allow-list to block special elements (shell separators, pipes, redirections and substitutions) that would alter OS command execution; where an OS helper must be invoked, pass its arguments as a vector rather than building a shell string.
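The shape of the weakness described under Deeper analysis, and the input-validation control above, in code. This is an added example and not the OZW672/OZW772 firmware, which is not public on this page: it models a web handler that forwards a request parameter into an OS command, first in the vulnerable concatenate-into-a-shell-string form and then hardened with allow-list validation plus an argument-vector exec. The endpoint, the `page` parameter and the `render-diagram` helper are hypothetical.

```python
"""Illustrative CWE-78 pattern and its hardened counterpart.

Added example: NOT the OZW672/OZW772 firmware code, which is not on the
page. It models the generic shape of the weakness the advisory describes
(a web endpoint passing request parameters into an OS command) and the two
controls that close it: allow-list validation of the parameter and invoking
the helper with an argument vector instead of a shell string. The endpoint,
the 'page' parameter and the 'render-diagram' helper are hypothetical.
"""
import re
import shlex
import subprocess

OUTPUT_PATH = "/tmp/export.pdf"


def build_export_command_vulnerable(page: str) -> str:
    """Vulnerable pattern: concatenates untrusted input into a shell string.

    Run through a shell (os.system / subprocess with shell=True), a value such
    as 'boiler;id' makes 'id' a second command. This function only BUILDS the
    string so the injection can be demonstrated without executing anything."""
    return "render-diagram --page=" + page + " --out=" + OUTPUT_PATH


def shell_would_run(command: str) -> list[list[str]]:
    """Approximate how a POSIX shell turns the string into separate commands:
    split at ';' (the only separator modelled here), then into argv words.
    Enough to show one untrusted value becoming more than one command."""
    commands = []
    for segment in command.split(";"):
        segment = segment.strip()
        if segment:
            commands.append(shlex.split(segment))
    return commands


# Allow-list: a short identifier, nothing a shell or the helper could
# interpret. Tighter than a deny-list of metacharacters, which is easy to
# get wrong (quoting, encodings, helper-specific option syntax).
PAGE_NAME = re.compile(r"[A-Za-z0-9_-]{1,64}")


def validate_page_name(page: str) -> str:
    """Input-validation control for CWE-78: reject anything outside the
    allow-list so special elements never reach a command at all."""
    if not PAGE_NAME.fullmatch(page):
        raise ValueError(f"invalid page name: {page!r}")
    return page


def build_export_command_hardened(page: str) -> list[str]:
    """Argument vector, no shell. Even if validation were bypassed, the value
    is delivered to the helper as a single argv element and is never parsed
    as shell syntax."""
    safe = validate_page_name(page)
    return ["render-diagram", "--page=" + safe, "--out=" + OUTPUT_PATH]


def run_export(page: str) -> subprocess.CompletedProcess:
    """Invoke the (hypothetical) helper safely. shell=False is the default;
    it is spelled out because that is the whole point."""
    return subprocess.run(build_export_command_hardened(page),
                          shell=False, check=False, capture_output=True)


if __name__ == "__main__":
    probe = "boiler;id"
    print("vulnerable string :", build_export_command_vulnerable(probe))
    print("shell would run   :", shell_would_run(build_export_command_vulnerable(probe)))
    print("hardened argv     :", build_export_command_hardened("boiler"))
    try:
        build_export_command_hardened(probe)
    except ValueError as exc:
        print("hardened rejects  :", exc)
```

Both controls are needed: validation stops the injection at the boundary and gives a clean rejection to log, while the argv exec removes the shell from the picture so a future validation bug does not become code execution again.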

References

Siemens ProductCERT advisory SSA-047424: https://cert-portal.siemens.com/productcert/html/ssa-047424.html