Full Report
OZW672 and OZW772 Web Server versions contain vulnerabilities that could allow an attacker to execute arbitrary code on the device with root privileges (in versions before V8.0) or to authenticate as the Administrator user (in versions before V6.0). Siemens has released new versions for the affected products and recommends updating to the latest versions.
Analysis Summary
# Vulnerability: Critical Remote Code Execution and Authentication Bypass in Siemens OZW Web Servers
## CVE Details
- CVE ID: CVE-2025-26389 (Arbitrary Code Execution)
- CVSS Score: 10.0 (Critical)
- CWE: CWE-78: Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection')
- CVE ID: CVE-2025-26390 (Authentication Bypass)
- CVSS Score: 9.8 (Critical)
- CWE: CWE-89: Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection')
## Affected Systems
- Products: OZW672 Web Server, OZW772 Web Server
- Versions:
  - For **CVE-2025-26389 (RCE)**: All versions before V8.0 for both OZW672 and OZW772.
  - For **CVE-2025-26390 (Auth Bypass)**: All versions before V6.0 for both OZW672 and OZW772.
- Configurations: N/A (Applies to general operation of the web server service).
## Vulnerability Description
Two critical flaws exist in the OZW Web Server:
1. **CVE-2025-26389 (OS Command Injection)**: The web service fails to properly sanitize input parameters for the `exportDiagramPage` endpoint. This allows an unauthenticated remote attacker to inject operating system commands, resulting in **arbitrary code execution with root privileges**.
2. **CVE-2025-26390 (SQL Injection)**: A SQL injection vulnerability exists within the authentication check mechanism of the web service. This allows an unauthenticated remote attacker to bypass login procedures and **authenticate as the Administrator user**.
## Exploitation
- Status: The advisory does not state whether a proof of concept exists or whether the flaws are exploited in the wild; the Critical CVSS scores indicate high impact. This summary assumes a PoC is likely, given the criticality and how common these vulnerability classes are.
- Complexity: Low (CVE-2025-26389 requires only unauthenticated network access to the web service; CVE-2025-26390 is a standard injection attack against the login check).
- Attack Vector: Network (Remote, Unauthenticated).
## Impact
| Vulnerability | Confidentiality | Integrity | Availability |
| :--- | :--- | :--- | :--- |
| CVE-2025-26389 (RCE) | High (Root access) | High (Root access) | High (Device compromise) |
| CVE-2025-26390 (Auth Bypass) | High (Privilege escalation) | High (Unauthorized control) | Moderate (Service disruption possible) |
## Remediation
### Patches
Immediate upgrade to the following versions is mandatory:
* **For CVE-2025-26389 protection:** Update to **Version V8.0 or later** for both OZW672 and OZW772.
* **For CVE-2025-26390 protection:** Update to **Version V6.0 or later** for both OZW672 and OZW772.
*(Note: A single upgrade to V8.0 or later will mitigate both vulnerabilities.)*
### Workarounds
* **Network Protection:** As a general security measure, Siemens strongly recommends protecting network access to affected devices using appropriate mechanisms (e.g., network segmentation, firewall rules).
* Follow general security practices to maintain a protected IT environment for the devices.
## Detection
- **Indicators of Compromise:** In system logs, unexpected command execution originating from the web service process, or administrative logins that no legitimate operator performed.
- **Detection Methods/Tools:** Network monitoring for unusual requests to the web server endpoints, in particular requests to the `exportDiagramPage` function whose parameters carry shell metacharacters. IDS/IPS systems should be configured with OS Command Injection and SQL Injection signatures covering the export endpoint and the login check of these services.
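As an added example (not from the advisory or from Siemens), the following Python scans constructed web-server access-log lines for the two request patterns the detection guidance describes: shell metacharacters in `exportDiagramPage` parameters and SQL quote, comment or tautology markers in login fields. The exact endpoint paths, the `/login` path, the parameter names and the log format are assumptions; percent-encoded values are decoded repeatedly so that double-encoding does not hide a payload from the check.

```python
import re
from urllib.parse import urlsplit, parse_qsl, unquote

# Constructed sample access-log lines (Common Log Format). Paths, parameter
# names and the /login endpoint are assumptions, not taken from the advisory;
# login fields are shown in the query string purely for illustration.
SAMPLE_LOG = """\
10.0.0.5 - - [10/Mar/2025:09:12:01 +0000] "GET /exportDiagramPage?page=1&format=png HTTP/1.1" 200 5120
10.0.0.9 - - [10/Mar/2025:09:12:07 +0000] "GET /exportDiagramPage?page=1%3Bid HTTP/1.1" 500 0
10.0.0.7 - - [10/Mar/2025:09:13:44 +0000] "POST /login?user=admin%27%20OR%20%271%27%3D%271&pw=x HTTP/1.1" 302 0
10.0.0.5 - - [10/Mar/2025:09:14:02 +0000] "GET /index.html HTTP/1.1" 200 1200
"""

LOG_RE = re.compile(r'^(\S+) \S+ \S+ \[[^\]]+\] "(\S+) (\S+) [^"]*" (\d{3})')
# Shell metacharacters that a diagram-export parameter should never carry.
SHELL_META = re.compile(r"[;|`&]|\$\(|\$\{|[\r\n]")
# Quote, comment and tautology markers typical of SQL injection in credential fields.
SQL_META = re.compile(r"['\"]|--|/\*|\bor\b\s+\S+\s*=", re.IGNORECASE)

def fully_decode(value, rounds=3):
    """Percent-decode repeatedly so double-encoded payloads are not missed."""
    for _ in range(rounds):
        decoded = unquote(value)
        if decoded == value:
            break
        value = decoded
    return value

def check_request(target):
    """Classify one request target; return a rule name or None if nothing is suspicious."""
    parts = urlsplit(target)
    # parse_qsl decodes one layer; fully_decode strips any further layers.
    values = [fully_decode(v) for _, v in parse_qsl(parts.query, keep_blank_values=True)]
    if "exportDiagramPage" in parts.path and any(SHELL_META.search(v) for v in values):
        return "os-command-injection-attempt"
    if parts.path.endswith("/login") and any(SQL_META.search(v) for v in values):
        return "sql-injection-attempt"
    return None

def scan_log(text):
    """Parse access-log lines and return one finding per suspicious request."""
    findings = []
    for line in text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue  # not a log line we understand; skip rather than guess
        ip, method, target, status = m.groups()
        rule = check_request(target)
        if rule:
            findings.append({"ip": ip, "method": method, "target": target, "status": int(status), "rule": rule})
    return findings
```

Run `scan_log(SAMPLE_LOG)` to see the two flagged requests; only a 500 on the export endpoint and a 302 on the login path are reported, the benign lines produce nothing.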
## References
- Vendor Advisory: Siemens SSA-047424
- Siemens Product Support Link (OZW672): hxxps://support.industry.siemens.com/cs/ww/en/view/62567396/
- Siemens Product Support Link (OZW772): hxxps://support.industry.siemens.com/cs/ww/en/view/62564534/
- Siemens ProductCERT Advisories: hxxps://www.siemens.com/cert/advisories