Cyber Resilience

CVE-2026-33892

Medium

Published: 14 April 2026

Modified: 17 April 2026
CVSS Score v4: 5.1 (CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:A/VC:N/VI:L/VA:N/SC:L/SI:L/SA:L/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X)
EPSS Score: 0.0008 (24.6th percentile)
Risk Priority: 10 (60% EPSS · 20% KEV · 20% CVSS)

Summary

CVE-2026-33892 is a medium-severity Authentication Bypass by Primary Weakness (CWE-305) vulnerability. Its CVSS base score is 5.1 (Medium).

Operationally, exploitation aligns with the MITRE ATT&CK technique External Remote Services (T1133). The CVE ranks at the 24.6th percentile by exploit likelihood (below the median) and is not currently listed in the CISA KEV catalog.

The strongest mitigations our analysis identified are NIST 800-53 AC-17 (Remote Access) and AC-3 (Access Enforcement).

Deeper analysis

CVE-2026-33892 is a vulnerability in Siemens Industrial Edge Management Pro V1 (all versions >= V1.7.6 and < V1.15.17), Industrial Edge Management Pro V2 (all versions >= V2.0.0 and < V2.1.1), and Industrial Edge Management Virtual (all versions >= V2.2.0 and < V2.8.0). The issue stems from affected management systems failing to properly enforce user authentication on remote connections to devices, as classified under CWE-305 (Authentication Bypass by Primary Weakness). It carries a CVSS v3.1 base score of 7.1 (AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:L), indicating high severity due to network accessibility and scope change despite requiring user interaction.

An unauthenticated remote attacker can exploit this vulnerability by identifying the specific header and port used for remote connections to devices, provided the remote connection feature is enabled on the target device. Successful exploitation enables the attacker to circumvent authentication, impersonate a legitimate user, and establish a tunnel to the device. However, this does not bypass security features inherent to the device itself, such as app-specific authentication.

For mitigation details, security practitioners should refer to the Siemens Security Advisory at https://cert-portal.siemens.com/productcert/html/ssa-609469.html, which provides guidance on patches and workarounds for the affected versions.

Vulnerability details

A vulnerability has been identified in Industrial Edge Management Pro V1 (All versions >= V1.7.6 < V1.15.17), Industrial Edge Management Pro V2 (All versions >= V2.0.0 < V2.1.1), Industrial Edge Management Virtual (All versions >= V2.2.0 < V2.8.0). Affected management systems do not properly enforce user authentication on remote connections to devices. This could facilitate an unauthenticated remote attacker to circumvent authentication and impersonate a legitimate user. Successful exploitation requires that the attacker has identified the header and port used for remote connections to devices and that the remote connection feature is enabled for the device. Exploitation allows the attacker to tunnel to the device. Security features on this device itself (e.g. app specific authentication) are not affected.

Related Threats

MITRE ATT&CK Enterprise Techniques AI

T1133 External Remote Services (tactic: Persistence)
Adversaries may leverage external-facing remote services to initially access and/or persist within a network.

T1190 Exploit Public-Facing Application (tactic: Initial Access)
Adversaries may attempt to exploit a weakness in an Internet-facing host or system to initially access a network.

Why these techniques?

The auth bypass on remote device connections directly enables unauthenticated access to external remote services (T1133). The network-accessible management system vulnerability also facilitates exploitation of a public-facing application for initial access (T1190).

Confidence: HIGH · MITRE ATT&CK Enterprise v18.1

CVEs Like This One

CVE-2026-22153 (shared CWE-305)
CVE-2024-12802 (shared CWE-305)
CVE-2025-68435 (shared CWE-305)
CVE-2025-36386 (shared CWE-305)
CVE-2026-30849 (shared CWE-305)
CVE-2025-13915 (shared CWE-305)
CVE-2025-47776 (shared CWE-305)
CVE-2026-2652 (shared CWE-305)
CVE-2026-4670 (shared CWE-305)
CVE-2026-28536 (shared CWE-305)

Affected Assets

All (inferred from references and description; NVD did not file a CPE for this CVE)

Mitigating Controls

Mitigating Controls (NIST 800-53 r5) AI

Prevent: AC-17 requires authorization and strong authentication mechanisms for remote access, directly preventing unauthenticated remote connections and impersonation in Industrial Edge Management systems.

Prevent: MA-4 mandates strong authenticators and approval for nonlocal maintenance sessions, mitigating authentication bypass on remote device tunneling connections.

Prevent: AC-3 enforces approved access control policies including authentication, addressing the core failure to enforce user authentication on remote connections.