Full Report
The web server in SENTRON 7KT PAC1261 Data Manager before V2.1.0 contains a request smuggling vulnerability in the Go Project’s net/http package that could allow an attacker to retrieve authorization tokens that can be used to gain administrative control over the device. Siemens has released a new version of SENTRON 7KT PAC1261 Data Manager and recommends updating to the latest version.
Analysis Summary
# Vulnerability: HTTP Request Smuggling in SENTRON 7KT PAC1261 Data Manager
## CVE Details
- **CVE ID:** CVE-2025-22871
- **CVSS Score:** 9.1 (Critical) / CVSS v4.0: 9.3 (Critical)
- **CWE:** CWE-444: Inconsistent Interpretation of HTTP Requests ('HTTP Request/Response Smuggling')
## Affected Systems
- **Products:** SENTRON 7KT PAC1261 Data Manager (Multichannel current measuring system)
- **Versions:** All versions prior to V2.1.0
- **Configurations:** The device web server must be accessible through an upstream proxy or secondary web server that incorrectly interprets a bare Line Feed (LF) in an HTTP chunk extension.
## Vulnerability Description
The vulnerability originates in the Go Project’s `net/http` package used by the device's web server. The package improperly accepts a bare Line Feed (LF) character as a line terminator in chunked data "chunk-size" lines.
If an upstream proxy or load balancer treats the bare LF as part of a "chunk-ext" (chunk extension) while the backend SENTRON device interprets it as a terminator, an attacker can "smuggle" a second HTTP request inside the body of a legitimate request. This inconsistency allows the attacker to bypass security controls or, as specifically noted for this device, retrieve authorization tokens to gain administrative control.
## Exploitation
- **Status:** Not explicitly reported as exploited in the wild (Advisory release date May 2026).
- **Complexity:** Low (exploitable if the network architecture includes a vulnerable proxy).
- **Attack Vector:** Network
## Impact
- **Confidentiality:** High (Ability to retrieve administrative authorization tokens).
- **Integrity:** High (Potential for administrative control over the device).
- **Availability:** None (Per CVSS vector VA:N).
## Remediation
### Patches
- **SENTRON 7KT PAC1261 Data Manager:** Update to **V2.1.0** or later.
- Firmware Download: hxxps[://]support[.]industry[.]siemens[.]com/cs/ww/en/view/109977717/
### Workarounds
- **Encrypted Protocols:** Use encrypted protocols (HTTPS) to secure communications.
- **Network Segmentation:** Protect network access to devices using appropriate hardware/software mechanisms.
- **Operational Guidelines:** Ensure the device is operated in a protected IT environment according to Siemens' Industrial Security guidelines.
## Detection
- **Indicators of Compromise:** Unusual administrative logins or unauthorized configuration changes.
- **Detection Methods and Tools:** Monitor network traffic for HTTP requests containing non-standard line terminators (bare LFs in chunked transfer encoding) originating from upstream proxies. Audit logs for unexpected administrative token usage.
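
The bare-LF check described above, as an added example in Go (not code from the Siemens advisory or the Go project): it walks a raw chunked body strictly and reports the offset of the first chunk-size line ended by a bare LF. The function name `CheckChunked` and the sample bodies are constructed for illustration; it assumes the raw chunked body bytes have already been captured and does not inspect trailers.

```go
package main

import (
	"bytes"
	"errors"
	"fmt"
	"strconv"
)

// CheckChunked walks a raw chunked body strictly: every chunk-size line must
// end in CRLF. It returns the offset of the first bare LF found in a
// chunk-size line (including its chunk-ext), or -1 if none is found.
func CheckChunked(body []byte) (int, error) {
	pos := 0
	for {
		nl := bytes.IndexByte(body[pos:], '\n')
		if nl < 0 {
			return -1, errors.New("truncated chunk-size line")
		}
		if nl == 0 || body[pos+nl-1] != '\r' {
			return pos + nl, nil // LF not preceded by CR: ambiguous framing
		}
		line := body[pos : pos+nl-1]
		if i := bytes.IndexByte(line, ';'); i >= 0 {
			line = line[:i] // drop chunk-ext, keep chunk-size
		}
		size, err := strconv.ParseUint(string(bytes.TrimSpace(line)), 16, 31)
		if err != nil {
			return -1, fmt.Errorf("bad chunk size at offset %d: %w", pos, err)
		}
		pos += nl + 1
		if size == 0 {
			return -1, nil // last chunk reached; trailers are not inspected
		}
		end := pos + int(size)
		if end+2 > len(body) || body[end] != '\r' || body[end+1] != '\n' {
			return -1, fmt.Errorf("chunk data at offset %d lacks CRLF", pos)
		}
		pos = end + 2
	}
}

func main() {
	// Constructed sample bodies, not captured traffic.
	clean := []byte("5;a=b\r\nhello\r\n0\r\n\r\n")
	bare := []byte("5;ext\nhello\r\n0\r\n\r\n")
	fmt.Println(CheckChunked(clean)) // -1 <nil>
	fmt.Println(CheckChunked(bare))  // 5 <nil>
}
```

A non-negative offset means a strict parser and a lenient one would frame the body differently, which is the condition CWE-444 describes; such requests are worth rejecting or alerting on at the proxy tier.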
## References
- **Siemens Security Advisory:** hxxps[://]cert-portal[.]siemens[.]com/productcert/pdf/ssa-783943[.]pdf
- **Siemens Industrial Security Home:** hxxps[://]www[.]siemens[.]com/industrialsecurity
- **Operational Guidelines:** hxxps[://]www[.]siemens[.]com/cert/operational-guidelines-industrial-security