NCSC | Beveiligingsadviezen
Bekijk RSS-feed

Beveiligingsadviezen

Download

Beveilingsadvies; NCSC-2026-0112 [1.0.0]

Beveiligingsadvies
NCSC-2026-0112 [1.0.0]
Publicatie
14-04-2026 13:37 (Europe/Amsterdam)
Prioriteit
Normaal
Betreft
Kwetsbaarheden verholpen in Siemens producten

Kenmerken

  • Improper Input Validation
  • Improper Neutralization of Special Elements in Output Used by a Downstream Component ('Injection')
  • Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
  • Improper Neutralization of Script-Related HTML Tags in a Web Page (Basic XSS)
  • Improper Control of Resource Identifiers ('Resource Injection')
  • Out-of-bounds Read
  • Numeric Truncation Error
  • Incorrect Privilege Assignment
  • Improper Access Control
  • Improper Authentication
  • Authentication Bypass by Spoofing
  • Improper Certificate Validation
  • Authentication Bypass by Primary Weakness
  • Missing Authentication for Critical Function
  • Improper Restriction of Excessive Authentication Attempts
  • Use of a Broken or Risky Cryptographic Algorithm
  • Insufficient Verification of Data Authenticity
  • Origin Validation Error
  • Improper Verification of Cryptographic Signature
  • Improper Validation of Integrity Check Value
  • Uncontrolled Resource Consumption
  • Authorization Bypass Through User-Controlled Key
  • Allocation of Resources Without Limits or Throttling
  • Inclusion of Functionality from Untrusted Control Sphere
  • Loop with Unreachable Exit Condition ('Infinite Loop')
  • Missing Authorization
  • Incorrect Authorization

Omschrijving

Siemens heeft kwetsbaarheden verholpen in diverse producten zoals Analytics Toolkit, Ruggedcom, Industrial Edge Management Pro, SIDIS en TPM.

De kwetsbaarheden stellen een kwaadwillende mogelijk in staat aanvallen uit te voeren die kunnen leiden tot de volgende categorieën schade:

  • Denial-of-Service (DoS)
  • Manipulatie van gegevens
  • Omzeilen van een beveiligingsmaatregel
  • (Remote) code execution (root/admin rechten)
  • Toegang tot systeemgegevens
  • Verhogen van rechten

Voor succesvol misbruik van de genoemde kwetsbaarheden moet de kwaadwillende toegang hebben tot de productie-omgeving. Het is goed gebruik een dergelijke omgeving niet publiek toegankelijk te hebben.

Oplossingen

Siemens heeft beveiligingsupdates uitgebracht om de kwetsbaarheden te verhelpen. Voor de kwetsbaarheden waar nog geen updates voor zijn, heeft Siemens mitigerende maatregelen gepubliceerd om de risico's zoveel als mogelijk te beperken. Zie de bijgevoegde referenties voor meer informatie.

Referenties

CVE's

Producten

Siemens
6AG1206-2BB00-7AC2 Firmware
6Ag1206-2Bs00-7Ac2 Firmware
6Ag1208-0Ba00-7Ac2 Firmware
6Ag1216-4Bs00-7Ac2 Firmware
6GK5204-0BA00-2GF2 Firmware
6GK5204-0BA00-2YF2 Firmware
6GK5205-3BB00-2AB2 FIRMWARE
6GK5205-3BB00-2AB2 Firmware
6GK5205-3BB00-2TB2 Firmware
6GK5205-3BF00-2TB2 FIRMWARE
6GK5206-2BD00-2AC2 Firmware
6GK5206-2GS00-2AC2 Firmware
6GK5206-2GS00-2TC2 Firmware
6GK5206-2RS00-2AC2 Firmware
6GK5208-0BA00-2AB2 Firmware
6GK5208-0BA00-2AC2 Firmware
6GK5208-0BA00-2FC2 Firmware
6GK5208-0GA00-2AC2 Firmware
6GK5208-0GA00-2FC2 Firmware
6GK5208-0GA00-2TC2 Firmware
6GK5632-2GS00-2AC2 FIRMWARE
6GK5646-2GS00-2AC2 FIRMWARE
6GK5721-1FC00-0AB0 FIRMWARE
6GK5722-1FC00-0AB0 FIRMWARE
6GK5734-1FX00-0AA0 FIRMWARE
BFCClient
CP 1243-1 Firmware (OS)
CP 1243-7 LTE EU Firmware (OS)
CP 1243-7 LTE US Firmware (OS)
CP 1243-8 IRC Firmware (OS)
CP 1542SP-1 Firmware (OS)
Industrial Edge - Machine Insight App
Industrial Edge - OPC UA Connector
Industrial Edge - Opc Ua Connector
Industrial Edge - PROFINET IO Connector
Industrial Edge - SIMATIC S7 Connector App
Industrial Edge - Simatic S7 Connector App
Industrial Edge Management
Industrial Edge Management Pro V1
Industrial Edge Management Pro V2
Industrial Edge Management Virtual
Open PCS 7
OpenPCS 7 V8.2
OpenPCS 7 V9.0
OpenPCS 7 V9.1
ROX II Firmware
RUGGEDCOM CROSSBOW Secure Access Manager Primary (SAM-P)
RUGGEDCOM CROSSBOW Station Access Controller (SAC)
RUGGEDCOM RM1224 Firmware
RUGGEDCOM RM1224 LTE(4G) EU
RUGGEDCOM RM1224 LTE(4G) EU (6GK6108-4AM00-2BA2)
RUGGEDCOM RM1224 LTE(4G) NAM
RUGGEDCOM RM1224 LTE(4G) NAM (6GK6108-4AM00-2DA2)
RUGGEDCOM RM1224 LTE4G
RUGGEDCOM ROX MX5000
RUGGEDCOM ROX MX5000RE
RUGGEDCOM ROX RX1400
RUGGEDCOM ROX RX1500
RUGGEDCOM ROX RX1500 FIRMWARE
RUGGEDCOM ROX RX1501
RUGGEDCOM ROX RX1510
RUGGEDCOM ROX RX1510 FIRMWARE
RUGGEDCOM ROX RX1511
RUGGEDCOM ROX RX1512
RUGGEDCOM ROX RX1524
RUGGEDCOM ROX RX1524 (Hardware)
RUGGEDCOM ROX RX1536
RUGGEDCOM ROX RX5000
RUGGEDCOM RX1400 (Firmware)
Ruggedcom Rm1224 Lte Eu
Ruggedcom Rm1224 Lte Nam
Ruggedcom Rox Mx5000
Ruggedcom Rox Rx1500
Ruggedcom Rox Rx1501
Ruggedcom Rox Rx1512
SCALANCE M816-1 (Hardware)
SCALANCE M826-2 (Hardware)
SCALANCE M874-2 (Hardware)
SCALANCE M876-3 (Hardware)
SCALANCE M876-4 (Hardware)
SCALANCE MUM856-1 (Hardware)
SCALANCE S615
SCALANCE SC-600 Firmware
SCALANCE SC622-2C

Disclaimer

The Netherlands Cyber Security Center (henceforth: NCSC-NL) maintains this page to enhance access to its information and security advisories. The use of this security advisory is subject to the following terms and conditions: NCSC-NL makes every reasonable effort to ensure that the content of this page is kept up to date, and that it is accurate and complete. Nevertheless, NCSC-NL cannot entirely rule out the possibility of errors, and therefore cannot give any warranty in respect of its completeness, accuracy or continuous keeping up-to-date. The information contained in this security advisory is intended solely for the purpose of providing general information to professional users. No rights can be derived from the information provided therein. NCSC-NL and the Kingdom of the Netherlands assume no legal liability or responsibility for any damage resulting from either the use or inability of use of this security advisory. This includes damage resulting from the inaccuracy of incompleteness of the information contained in the advisory. This security advisory is subject to Dutch law. All disputes related to or arising from the use of this advisory will be submitted to the competent court in The Hague. This choice of means also applies to the court in summary proceedings.