CVE-2026-25573
Published: 10 March 2026
Summary
CVE-2026-25573 is a high-severity External Control of File Name or Path (CWE-73) vulnerability in Siemens Sicam Siapp Sdk. Its CVSS base score is 8.6 (High).
Operationally, exploitation aligns with the MITRE ATT&CK technique Command and Scripting Interpreter (T1059); ranked at the 30.8th percentile by exploit likelihood (below the median); it is not currently listed in the CISA KEV catalog.
The strongest mitigations our analysis identified are NIST 800-53 SI-10 (Information Input Validation) and SI-2 (Flaw Remediation).
Deeper analysis
CVE-2026-25573 is a command injection vulnerability (CWE-73) in the SICAM SIAPP SDK, affecting all versions prior to V2.1.7. The flaw arises because the application constructs shell commands using caller-provided strings and then executes them, enabling an attacker to manipulate the command structure. This can lead to arbitrary command execution and potential full system compromise. The vulnerability carries a CVSS v3.1 base score of 7.4 (AV:L/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H).
A local attacker can exploit this vulnerability without requiring privileges or user interaction, though the attack demands high complexity. By supplying malicious input that influences the shell command construction, the attacker can inject and execute arbitrary commands, achieving high-impact confidentiality, integrity, and availability effects, up to full system compromise.
Siemens Security Advisory SSA-903736, available at https://cert-portal.siemens.com/productcert/html/ssa-903736.html, details mitigation steps, recommending an update to SICAM SIAPP SDK V2.1.7 or later to address the vulnerability.
OWASP Top 10 for Web (2025)
EU & UK References
- 🇪🇺 ENISA EUVD: EUVD-2026-10528
Vulnerability details
A vulnerability has been identified in SICAM SIAPP SDK (All versions < V2.1.7). The affected application builds shell commands with caller-provided strings and executes them. An attacker could influence the executed command, potentially resulting in command injection and full system…
more
compromise.
- CWE(s)
Related Threats
MITRE ATT&CK Enterprise TechniquesAI
Why these techniques?
Command injection (CWE-73) in shell command construction directly enables arbitrary command execution via a command interpreter.
CVEs Like This One
Affected Assets
Mitigating Controls
Mitigating Controls (NIST 800-53 r5) AI
Directly requires validation and sanitization of untrusted caller-provided strings before they are used to construct shell commands, blocking the command-injection vector in the SICAM SIAPP SDK.
Mandates prompt application of the vendor-supplied patch (upgrade to V2.1.7) that eliminates the unsafe command-construction flaw described in SSA-903736.
Enforces least-functionality restrictions that can disable or sandbox shell interpreters and command-execution interfaces, limiting the ability of injected commands to achieve full system compromise.