CVE-2026-33893

High

Published: 12 May 2026

Modified: 18 May 2026
CVSS Score v4: 8.7 (CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X)
EPSS Score: 0.0029 (20.5th percentile)
Risk Priority: 55 (floored blend · peak EPSS)

Summary

CVE-2026-33893 is a high-severity Use of Hard-coded Credentials (CWE-798) vulnerability in Siemens Teamcenter. Its CVSS base score is 8.7 (High).

Operationally, exploitation aligns with the MITRE ATT&CK technique Private Keys (T1552.004). By exploit likelihood (EPSS) it ranks at the 20.5th percentile, below the median, and it is not currently listed in the CISA KEV catalog.

Vulnerability details

A vulnerability has been identified in Teamcenter V2312 (All versions < V2312.0014), Teamcenter V2406 (All versions < V2406.0012), Teamcenter V2412 (All versions < V2412.0009), Teamcenter V2506 (All versions < V2506.0005), Teamcenter V2512 (All versions). The affected application contains a hardcoded key, which is used for obfuscation, stored directly in the application. This could allow an attacker to obtain these keys and misuse them to gain unauthorized access.

Related Threats

MITRE ATT&CK Enterprise Techniques AI

T1552.004 Private Keys (Credential Access)
Adversaries may search for private key certificate files on compromised systems for insecurely stored credentials.
Why these techniques?

Hardcoded obfuscation key (CWE-798) directly represents unsecured private key material that can be extracted and abused for unauthorized access.

Confidence: MEDIUM · MITRE ATT&CK Enterprise v19.0

CVEs Like This One

CVE-2025-23363 · Same product: Siemens Teamcenter
CVE-2026-33862 · Same product: Siemens Teamcenter
CVE-2025-40737 · Same vendor: Siemens
CVE-2025-23398 · Same vendor: Siemens
CVE-2025-27395 · Same vendor: Siemens
CVE-2025-40746 · Same vendor: Siemens
CVE-2026-23720 · Same vendor: Siemens
CVE-2025-23401 · Same vendor: Siemens
CVE-2026-23715 · Same vendor: Siemens
CVE-2026-23716 · Same vendor: Siemens

Affected Assets

siemens
teamcenter
2312.0 — 2312.0014 · 2406.0 — 2406.0012 · 2412.0 — 2412.0009

Mitigating Controls

Likely Mitigating Controls AI

Per-CVE control mapping for this CVE has not run yet; the list below is derived from the weakness types (CWEs) cited in the NVD entry.

All of the following address CWE-798:

Enables users to notice when hard-coded credentials have been exploited for unauthorized access.

Security training explicitly warns against hard-coded credentials, lowering their use in systems.

Policy and procedures prohibit hard-coded credentials in favor of managed authentication.

External identity providers eliminate the need for hard-coded credentials in applications.

Changing default authenticators prior to first use and protecting content prevents use of hard-coded credentials.

Central credential stores and rotation policies remove the need for hard-coded credentials in configuration files or code.

Intelligence programs surface reports of campaigns that abuse hard-coded credentials in products, prompting removal or replacement and thereby reducing successful exploitation.

Planned investment enables secure credential storage and management systems instead of hard-coded credentials.
