Description
A vulnerability has been identified in CPCI85 Central Processing/Communication (All versions < V26.10), SICORE Base system (All versions < V26.10.0). The affected application contains an out-of-bounds write vulnerability while parsing specially crafted XML inputs. This could allow an unauthenticated attacker to exploit this issue by sending a malicious XML request, which may cause the service to crash, resulting in a denial-of-service condition.
Published: 2026-03-26
Score: 8.7 High
EPSS: < 1% Very Low
KEV: No
Impact: Denial of Service via crash from out‑of‑bounds write
Action: Patch
AI Analysis

Impact

An out‑of‑bounds write occurs when the affected Siemens CPCI85 Central Processing/Communication and SICORE Base system parse specially crafted XML. The vendor data indicates that the write can corrupt memory and crash the service, which results in a denial‑of‑service condition. This weakness is classified as CWE‑787, meaning an unchecked buffer overwrite that can abort normal execution.

Affected Systems

The vulnerability affects all Siemens CPCI85 Central Processing/Communication model versions earlier than V26.10 and all Siemens SICORE Base system releases earlier than V26.10.0. Neither product requires user authentication to interact with the service that processes XML, so any entity able to reach the system can send the malicious payload.

Risk and Exploitability

The CVSS score of 8.7 marks this issue as high severity. Although EPSS data is unavailable and the vulnerability has not been listed in the CISA KEV catalog, the attack vector is inferred to be unauthenticated over the network, allowing remote exploitation. No public exploits are known, but the out‑of‑bounds write may affect service availability whenever the malformed XML is processed, making the exposure significant for operational continuity.

Generated by OpenCVE AI on March 26, 2026 at 15:27 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Apply the latest firmware or software upgrade that includes version V26.10 or later for both CPCI85 and SICORE Base system.
  • If an update cannot be applied immediately, isolate the affected devices by placing them behind a firewall or VLAN and block any XML traffic from unauthenticated sources.
  • Deploy monitoring on the service to detect repeated crash events and alert administrators.
  • Validate that the XML parser accepts only well‑formed documents and consider implementing a strict schema or white‑list approach.
  • Verify the patch by reproducing a test XML send and confirming the service remains stable.

Generated by OpenCVE AI on March 26, 2026 at 15:27 UTC.

Tracking

Sign in to view the affected projects.

Advisories

No advisories yet.

History

Tue, 14 Apr 2026 19:30:00 +0000

Type Values Removed Values Added
References

Fri, 27 Mar 2026 09:30:00 +0000

Type Values Removed Values Added
Title Out‑of‑Bounds Write in XML Parsing Causing Denial of Service

Fri, 27 Mar 2026 08:45:00 +0000

Type Values Removed Values Added
First Time appeared Siemens
Siemens cpci85 Central Processing\/communication
Siemens sicore Base System
Vendors & Products Siemens
Siemens cpci85 Central Processing\/communication
Siemens sicore Base System

Thu, 26 Mar 2026 19:15:00 +0000

Type Values Removed Values Added
Metrics ssvc

{'options': {'Automatable': 'yes', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}

Thu, 26 Mar 2026 14:30:00 +0000

Type Values Removed Values Added
Description A vulnerability has been identified in CPCI85 Central Processing/Communication (All versions < V26.10), SICORE Base system (All versions < V26.10.0). The affected application contains an out-of-bounds write vulnerability while parsing specially crafted XML inputs. This could allow an unauthenticated attacker to exploit this issue by sending a malicious XML request, which may cause the service to crash, resulting in a denial-of-service condition.
Weaknesses CWE-787
References
Metrics cvssV3_1

{'score': 7.5, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H'}

cvssV4_0

{'score': 8.7, 'vector': 'CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N'}

Subscriptions

Siemens Cpci85 Central Processing\/communication Sicore Base System
cve-icon MITRE

Status: PUBLISHED

Assigner: siemens

Published:

Updated: 2026-04-14T18:24:39.273Z

Reserved: 2026-02-23T10:07:00.531Z

Link: CVE-2026-27664

cve-icon Vulnrichment

Updated: 2026-04-14T18:24:39.273Z

cve-icon NVD

Status : Awaiting Analysis

Published: 2026-03-26T15:16:34.340

Modified: 2026-04-14T19:16:34.283

Link: CVE-2026-27664

cve-icon Redhat

No data.

cve-icon OpenCVE Enrichment

Updated: 2026-03-27T09:26:37Z

Weaknesses