CVE-2026-25573
Published: 10 March 2026
Summary
CVE-2026-25573 is a high-severity External Control of File Name or Path (CWE-73) vulnerability in Siemens Sicam Siapp Sdk. Its CVSS base score is 7.4 (High).
Operationally, exploitation aligns with the MITRE ATT&CK technique Command and Scripting Interpreter (T1059); ranked at the 5.5th percentile by exploit likelihood (below the median); it is not currently listed in the CISA KEV catalog.
Threat & Defense Details
Likely Mitigating Controls (AI)
Per-CVE control mapping for this CVE has not run yet; the list below is derived from the weakness types (CWEs) cited in the NVD entry.
Rejects externally supplied file or resource identifiers that fail validity checks.
MITRE ATT&CK Enterprise Techniques (AI)
Why these techniques?
Command injection (CWE-73) in shell command construction directly enables arbitrary command execution via a command interpreter.
NVD Description
A vulnerability has been identified in SICAM SIAPP SDK (All versions < V2.1.7). The affected application builds shell commands with caller-provided strings and executes them. An attacker could influence the executed command, potentially resulting in command injection and full system compromise.
Deeper analysis (AI)
CVE-2026-25573 is a command injection vulnerability (CWE-73) in the SICAM SIAPP SDK, affecting all versions prior to V2.1.7. The flaw arises because the application constructs shell commands using caller-provided strings and then executes them, enabling an attacker to manipulate the command structure. This can lead to arbitrary command execution and potential full system compromise. The vulnerability carries a CVSS v3.1 base score of 7.4 (AV:L/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H).
A local attacker can exploit this vulnerability without requiring privileges or user interaction, though the attack demands high complexity. By supplying malicious input that influences the shell command construction, the attacker can inject and execute arbitrary commands, achieving high-impact confidentiality, integrity, and availability effects, up to full system compromise.
Siemens Security Advisory SSA-903736, available at https://cert-portal.siemens.com/productcert/html/ssa-903736.html, details mitigation steps, recommending an update to SICAM SIAPP SDK V2.1.7 or later to address the vulnerability.
Details
- CWE(s)