Cyber Resilience

CVE-2026-25573

Severity: High
Published: 10 March 2026
Modified: 12 March 2026
KEV Added: not listed
Patch: available (SICAM SIAPP SDK V2.1.7 or later, per SSA-903736)
CVSS v4.0 Score: 8.6 (CVSS:4.0/AV:L/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N)
EPSS Score: 0.0039 (30.8th percentile)
Risk Priority: 55 (floored blend, peak EPSS)

Summary

CVE-2026-25573 is a high-severity vulnerability in the Siemens SICAM SIAPP SDK. It is recorded under CWE-73 (External Control of File Name or Path); the behaviour the advisory actually describes, shell commands built from caller-supplied strings and then executed, is OS command injection. Its CVSS v4.0 base score is 8.6 (High).

Operationally, exploitation maps to the MITRE ATT&CK technique Command and Scripting Interpreter (T1059). EPSS ranks it at the 30.8th percentile by exploit likelihood (below the median), and it is not currently listed in the CISA KEV catalog.

The strongest mitigations our analysis identified are NIST 800-53 SI-10 (Information Input Validation) and SI-2 (Flaw Remediation), the latter meaning the vendor update to V2.1.7 or later.

Deeper analysis

CVE-2026-25573 is a command injection vulnerability in the SICAM SIAPP SDK, affecting all versions prior to V2.1.7 (the CWE recorded for it is CWE-73, External Control of File Name or Path). The flaw arises because the application concatenates caller-provided strings into a shell command line and then hands that line to a shell for execution. Because the shell re-parses the whole line, an attacker who controls one of those strings can use shell metacharacters (such as `;`, `|`, `&&` or `$(...)`) to terminate the intended command and append commands of their own. This can lead to arbitrary command execution and potential full system compromise. The vulnerability carries a CVSS v3.1 base score of 7.4 (AV:L/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H) alongside the CVSS v4.0 score of 8.6 shown above; note that the two vectors disagree on attack complexity (v3.1 rates it high, v4.0 rates it low with no attack requirements), which is one reason the scores differ.

A local attacker can exploit this vulnerability without privileges or user interaction; the v3.1 vector rates the attack complexity as high. By supplying input that is incorporated unmodified into the shell command, the attacker can inject and execute arbitrary commands with the privileges of the process that runs the shell, achieving high confidentiality, integrity and availability impact, up to full system compromise.

Siemens Security Advisory SSA-903736, available at https://cert-portal.siemens.com/productcert/html/ssa-903736.html, details the mitigation steps and recommends updating to SICAM SIAPP SDK V2.1.7 or later. Because the flaw is in the SDK, applications (SIAPPs) built against an affected SDK version must be rebuilt and redeployed against V2.1.7 or later for the fix to take effect; merely installing the new SDK on a build host does not change binaries already in the field.

Vulnerability details

A vulnerability has been identified in SICAM SIAPP SDK (All versions < V2.1.7). The affected application builds shell commands with caller-provided strings and executes them. An attacker could influence the executed command, potentially resulting in command injection and full system compromise.

CWE(s)

CWE-73 External Control of File Name or Path

Related Threats

MITRE ATT&CK Enterprise Techniques

T1059 Command and Scripting Interpreter Execution
Adversaries may abuse command and script interpreters to execute commands, scripts, or binaries.
Why these techniques?

The flaw (recorded as CWE-73) lets caller-controlled strings reach a shell unchanged, so exploitation is by definition execution through a command interpreter.

Confidence: HIGH · MITRE ATT&CK Enterprise v19.0

CVEs Like This One

CVE-2026-25605 (same product: Siemens SICAM SIAPP SDK)
CVE-2026-25570 (same product: Siemens SICAM SIAPP SDK)
CVE-2026-25569 (same product: Siemens SICAM SIAPP SDK)
CVE-2025-40737 (same vendor: Siemens)
CVE-2026-33893 (same vendor: Siemens)
CVE-2025-23398 (same vendor: Siemens)
CVE-2025-27395 (same vendor: Siemens)
CVE-2025-40746 (same vendor: Siemens)
CVE-2026-23720 (same vendor: Siemens)
CVE-2025-23401 (same vendor: Siemens)

Affected Assets

Siemens SICAM SIAPP SDK, all versions < V2.1.7

Mitigating Controls (NIST 800-53 r5)

SI-10 Information Input Validation (prevent)
Directly requires validation and sanitization of untrusted caller-provided strings before they are used to construct shell commands, blocking the command-injection vector in the SICAM SIAPP SDK.

SI-2 Flaw Remediation (prevent)
Mandates prompt application of the vendor-supplied patch (upgrade to V2.1.7) that eliminates the unsafe command-construction flaw described in SSA-903736.

CM-7 Least Functionality (prevent)
Enforces least-functionality restrictions that can disable or sandbox shell interpreters and command-execution interfaces, limiting the ability of injected commands to achieve full system compromise.
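As an added example, not code from the SICAM SIAPP SDK or from Siemens, the C program below shows the pattern that the Deeper analysis and the SI-10 and CM-7 controls above describe: a command line built with snprintf from a caller-supplied string (the vulnerable shape, shown only as string construction so its effect can be inspected without running anything), beside a hardened form that allowlists the argument and executes the program with execvp and an argv array, so no shell ever parses the string. The program name logtool, its --file option and the sample inputs are assumptions made for illustration.

```c
/* Added illustration of CVE-2026-25573's bug class; not SDK code.
 * Build: cc -Wall -o cmdinj cmdinj.c */
#include <ctype.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <sys/types.h>
#include <sys/wait.h>
#include <unistd.h>

#define CMD_MAX 256

/* VULNERABLE shape: a caller-provided string is spliced into a shell
 * command line. Handing this line to system()/popen() lets a shell
 * re-parse it, so ';', '|', '&&' or '$(...)' in caller_arg become
 * additional commands. Returns 0, or -1 if the line was truncated.
 * (logtool and --file are hypothetical names.) */
int build_shell_command(const char *caller_arg, char *out, size_t outlen)
{
    int n = snprintf(out, outlen, "/usr/bin/logtool --file %s", caller_arg);
    return (n < 0 || (size_t)n >= outlen) ? -1 : 0;
}

/* SI-10 style allowlist for a file-name token: only [A-Za-z0-9._-],
 * non-empty, no leading '-' (so it cannot be read as an option) and no
 * path separators. Rejecting is safer than escaping. */
int is_safe_token(const char *s)
{
    if (s == NULL || *s == '\0' || *s == '-')
        return 0;
    for (const char *p = s; *p; p++) {
        if (!(isalnum((unsigned char)*p) || *p == '.' || *p == '_' || *p == '-'))
            return 0;
    }
    return 1;
}

/* HARDENED shape: validate, then exec the program directly with an argv
 * array. The argument travels as a single argv element and is never
 * tokenised by /bin/sh. Returns the child's exit status, or -1 if the
 * input was rejected or the process could not be run. */
int run_logtool(const char *prog, const char *caller_arg)
{
    if (!is_safe_token(caller_arg))
        return -1;

    pid_t pid = fork();
    if (pid < 0)
        return -1;
    if (pid == 0) {
        char *const argv[] = { (char *)prog, "--file", (char *)caller_arg, NULL };
        execvp(prog, argv);
        _exit(127);               /* exec failed */
    }
    int status = 0;
    if (waitpid(pid, &status, 0) < 0)
        return -1;
    return WIFEXITED(status) ? WEXITSTATUS(status) : -1;
}

int main(void)
{
    char cmd[CMD_MAX];
    const char *hostile = "a.log; cat /etc/shadow";   /* constructed sample input */

    if (build_shell_command(hostile, cmd, sizeof cmd) == 0)
        printf("shell would receive: %s\n", cmd);     /* second command after ';' */

    /* 'true' stands in for the real tool so the example runs anywhere. */
    printf("hardened, hostile input -> %d (rejected)\n", run_logtool("true", hostile));
    printf("hardened, 'a.log'       -> %d (exit status)\n", run_logtool("true", "a.log"));
    return 0;
}
```

The allowlist is deliberately narrow: for a SIAPP that only ever names log files, a dozen permitted characters is enough, and anything broader should be justified per field rather than loosened globally. The execvp path also satisfies CM-7 in spirit, since the process never needs a shell interpreter to do its job.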

References

Siemens ProductCERT, SSA-903736: https://cert-portal.siemens.com/productcert/html/ssa-903736.html