Description
A vulnerability has been identified in SICAM SIAPP SDK (All versions < V2.1.7). The affected application builds shell commands with caller-provided strings and executes them. An attacker could influence the executed command, potentially resulting in command injection and full system compromise.
Published: 2026-03-10
Score: 8.6 High
EPSS: < 1% Very Low
KEV: No
Impact: Remote code execution
Action: Immediate Patch
AI Analysis

Impact

The flaw originates from the construction of shell commands that incorporate unsanitized caller input, allowing an attacker to inject arbitrary commands. This leads to remote code execution and can compromise the entire system. The weakness is a classic command injection, identified as CWE-73.

Affected Systems

Siemens’ SICAM SIAPP SDK, all versions earlier than 2.1.7, is affected by this vulnerability.

Risk and Exploitability

The CVSS score of 8.6 indicates high severity, but the EPSS score of less than 1% suggests a very low probability of exploitation in the wild. The vulnerability is not listed in CISA’s KEV catalog. An attacker would need to supply crafted input to the SDK’s command-building interface; if successful, and if the process has sufficient privileges, full system compromise is possible.

Generated by OpenCVE AI on April 16, 2026 at 09:48 UTC.

Remediation

No vendor fix or workaround is currently provided.

OpenCVE Recommended Actions

  • Upgrade Siemens SICAM SIAPP SDK to version 2.1.7 or later
  • Limit the privileges of the process that runs the SDK to the least required permissions
  • Implement input validation or sanitization on all caller‑supplied parameters before they are used to build shell commands
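The pattern the description and the third recommended action point at, shown here as an added example that is not the SDK's own code: a caller-supplied value is checked against a hypothetical allowlist and then handed to execvp() as a separate argv element, instead of being concatenated into a string for system(). The tool name, the allowlist rules and the sample inputs are assumptions.

```c
#include <stdio.h>
#include <string.h>
#include <sys/wait.h>
#include <unistd.h>

/* Hypothetical allowlist for one caller-supplied value (e.g. a file name):
 * a fixed character set and a bounded length leave no room for shell
 * metacharacters; the leading '-' rule stops option injection. */
#define MAX_ARG_LEN 64

int is_safe_argument(const char *s)
{
    size_t len, i;
    if (s == NULL) return 0;
    len = strlen(s);
    if (len == 0 || len > MAX_ARG_LEN || s[0] == '-') return 0;
    for (i = 0; i < len; i++) {
        char c = s[i];
        int ok = (c >= 'a' && c <= 'z') || (c >= 'A' && c <= 'Z') ||
                 (c >= '0' && c <= '9') || c == '.' || c == '_' || c == '-';
        if (!ok) return 0;
    }
    return 1;
}

/* Runs `tool arg` without a shell: the value goes straight into argv and is
 * never re-parsed the way a concatenated string passed to system() would be.
 * Returns the child's exit status, or -1 if the argument was rejected or
 * the process could not be started. */
int run_tool_no_shell(const char *tool, const char *arg)
{
    pid_t pid; int status;
    if (!is_safe_argument(arg)) return -1;   /* reject before any spawn */
    pid = fork();
    if (pid < 0) return -1;
    if (pid == 0) {
        char *const argv[] = { (char *)tool, (char *)arg, NULL };
        execvp(tool, argv);
        _exit(127);                          /* exec failed */
    }
    if (waitpid(pid, &status, 0) < 0) return -1;
    return WIFEXITED(status) ? WEXITSTATUS(status) : -1;
}

int main(void)
{
    /* constructed sample inputs: one benign, one carrying a separator */
    printf("%d %d\n", is_safe_argument("report.txt"), is_safe_argument("report.txt; id"));
    printf("%d\n", run_tool_no_shell("true", "report.txt"));
    return 0;
}
```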

Advisories

No advisories yet.

History

Thu, 16 Apr 2026 10:15:00 +0000

Title (values added): Command Injection via Caller-Provided Strings in Siemens SICAM SIAPP SDK

Thu, 12 Mar 2026 17:45:00 +0000

CPEs (values added): cpe:2.3:a:siemens:sicam_siapp_sdk:*:*:*:*:*:*:*:*

Wed, 11 Mar 2026 12:00:00 +0000

First Time appeared (values added): Siemens; Siemens sicam Siapp Sdk
Vendors & Products (values added): Siemens; Siemens sicam Siapp Sdk

Tue, 10 Mar 2026 17:15:00 +0000

Metrics (values added): ssvc
{'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'total'}, 'version': '2.0.3'}

Tue, 10 Mar 2026 16:30:00 +0000

Description (values added): A vulnerability has been identified in SICAM SIAPP SDK (All versions < V2.1.7). The affected application builds shell commands with caller-provided strings and executes them. An attacker could influence the executed command, potentially resulting in command injection and full system compromise.
Weaknesses (values added): CWE-73
References (values added):
Metrics (values added): cvssV3_1
{'score': 7.4, 'vector': 'CVSS:3.1/AV:L/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H'}
cvssV4_0
{'score': 8.6, 'vector': 'CVSS:4.0/AV:L/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N'}
MITRE

Status: PUBLISHED

Assigner: siemens

Published:

Updated: 2026-03-10T16:41:09.152Z

Reserved: 2026-02-02T23:19:09.478Z

Link: CVE-2026-25573

Vulnrichment

Updated: 2026-03-10T16:37:56.379Z

NVD

Status: Analyzed

Published: 2026-03-10T18:18:37.367

Modified: 2026-03-12T17:35:09.670

Link: CVE-2026-25573

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-04-16T10:00:14Z

Weaknesses