Full Report
Siemens gPROMS Web Applications Publisher (gWAP) is affected by a remote code execution vulnerability introduced through a third-party component, namely the Axios HTTP client library. The vulnerability stems from a specific "Gadget" attack chain that allows prototype pollution in other third-party libraries, potentially allowing an attacker to execute arbitrary code. Siemens has released a new version of gWAP and recommends updating to the latest version.
Analysis Summary
# Vulnerability: Remote Code Execution via Axios Prototype Pollution in Siemens gWAP
## CVE Details
- **CVE ID:** CVE-2026-40175
- **CVSS Score:**
  - **v4.0:** 8.9 (High)
  - **v3.1:** 8.0 (High)
- **CWE:** CWE-113: Improper Neutralization of CRLF Sequences in HTTP Headers
## Affected Systems
- **Products:** Siemens gPROMS Web Applications Publisher (gWAP)
- **Versions:** All versions prior to V3.1.1
- **Configurations:** Systems utilizing the integrated Axios HTTP client library (versions prior to 1.15.0 or 0.3.1).
## Vulnerability Description
The vulnerability originates in the **Axios** third-party HTTP client library. It involves a specific "Gadget" attack chain where improper handling of CRLF sequences/HTTP headers allows for **Prototype Pollution**.
In the context of Siemens gWAP, this pollution can be escalated through other third-party dependencies to achieve **Remote Code Execution (RCE)**. Specifically, the gadget chain can also be leveraged for full cloud compromise by bypassing AWS Instance Metadata Service (IMDSv2) protections.
## Exploitation
- **Status:** Not explicitly stated as exploited in the wild; however, the complex "Gadget" chain implies high technical sophistication.
- **Complexity:** High (Requires specific gadget chains in dependencies and high-level internal knowledge).
- **Attack Vector:** Network (Attacker requires privileged access to the gWAP application to execute the exploit).
## Impact
- **Confidentiality:** High (Potential for full data access/Cloud identity theft).
- **Integrity:** High (Arbitrary code execution allows for system modification).
- **Availability:** High (Potential for system takeover or service disruption).
## Remediation
### Patches
- **Siemens gWAP:** Update to **V3.1.1** or later.
- Download via Siemens Support Center: hxxps://support[.]sw[.]siemens[.]com/product/284395347/
### Workarounds
- No specific software workaround is provided. Siemens recommends following "General Security Recommendations" to limit exposure.
## Detection
- **Indicators of Compromise:** Monitor for unusual HTTP request headers containing CRLF injections or attempts to access IMDSv2 metadata (169.254.169.254) from the gWAP application server.
- **Detection Methods:**
  - Audit `package-lock.json` or `yarn.lock` files for Axios versions older than 1.15.0 or 0.3.1.
  - Implement Web Application Firewall (WAF) rules to detect and block Prototype Pollution payloads and CRLF injection patterns.
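The lockfile audit step above, written out as an added example (this is not code from Siemens or the Axios project): it walks a `package-lock.json` in either the lockfileVersion 1 layout (nested `dependencies`) or the v2/v3 layout (flat `packages` paths), and reports every Axios entry below the fixed versions the advisory names. The sample lockfile embedded at the end is constructed for the example.

```javascript
// Added example, not from the Siemens advisory: flag Axios entries in a
// package-lock.json that are below the fixed versions the advisory names
// (1.15.0 for the 1.x line, 0.3.1 for the 0.x line). Sample lockfile is constructed.
const FIXED = { 0: [0, 3, 1], 1: [1, 15, 0] }; // fixed release per major line

function parseVersion(v) {
  const m = /^(\d+)\.(\d+)\.(\d+)/.exec(String(v));
  return m ? [Number(m[1]), Number(m[2]), Number(m[3])] : null;
}

// True when `version` is an Axios release older than the advisory's fix for its major line.
function isVulnerableAxios(version) {
  const v = parseVersion(version);
  const fixed = v && FIXED[v[0]];
  if (!fixed) return false; // unparseable, or a major line the advisory does not mention
  for (let i = 0; i < 3; i++) {
    if (v[i] !== fixed[i]) return v[i] < fixed[i];
  }
  return false; // exactly the fixed version
}

// Collect every axios entry: lockfileVersion 2/3 use flat "packages" paths, v1 nests "dependencies".
function findAxiosEntries(lock) {
  const found = [];
  if (lock.packages) {
    for (const [path, meta] of Object.entries(lock.packages)) {
      if (/(^|\/)node_modules\/axios$/.test(path)) found.push({ path, version: meta.version });
    }
  } else {
    const walk = (deps, prefix) => {
      for (const [name, meta] of Object.entries(deps || {})) {
        const path = `${prefix}node_modules/${name}`;
        if (name === 'axios') found.push({ path, version: meta.version });
        walk(meta.dependencies, `${path}/`); // v1 nests transitive dependencies
      }
    };
    walk(lock.dependencies, '');
  }
  return found;
}

// Parse lockfile text and return only the Axios entries that need an upgrade.
function auditLockfile(lockJson) {
  return findAxiosEntries(JSON.parse(lockJson)).filter((e) => isVulnerableAxios(e.version));
}

// Constructed v3 lockfile: a fixed top-level axios plus a vulnerable copy nested under another package.
const SAMPLE_LOCK = JSON.stringify({ lockfileVersion: 3, packages: {
  'node_modules/axios': { version: '1.15.0' },
  'node_modules/some-lib/node_modules/axios': { version: '1.14.2' } } });
console.log(auditLockfile(SAMPLE_LOCK)); // [{ path: 'node_modules/some-lib/node_modules/axios', version: '1.14.2' }]
```

Nested copies are the ones most often missed by a quick `npm ls axios`, which is why the walk reports the full path rather than only the package name.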
## References
- **Siemens Advisory:** SSA-876049
- **ProductCERT Link:** hxxps://cert-portal[.]siemens[.]com/productcert/html/ssa-876049[.]html
- **General Security Guidelines:** hxxps://www[.]siemens[.]com/cert/operational-guidelines-industrial-security