ctipilot.ch

Siemens SICAM 8 HTTP-reachable debug interface → authenticated DoS

cve · CVE-2026-54798

Coverage timeline
1
first 2026-07-10 → last 2026-07-10
Peak priority
notable
1 notable
Sources cited
2
2 hosts
Sections touched
1
trending-vulnerabilities
Co-occurring entities
3
see Related entities below
ATT&CK techniques
4
pinned v19.1 · see below

Hunting pivots

ATT&CK techniques
Affected products
Siemens SICAM A8000 CP-8010/CP-8012 (SICORE firmware)Siemens SICAM A8000 CP-8031/CP-8050 (CPCI85 firmware)Siemens SICAM EGS (CPCI85 firmware)Siemens SICAM S8000 (SICORE firmware)

ATT&CK techniques

4 techniques observed across 1 entry — derived from entry metadata and body evidence, never asserted without a published entry behind it · pinned to MITRE ATT&CK v19.1 · compare on the matrix · Navigator layer (JSON)

Persistence TA0003

T1098Account Manipulation×1

Adversaries may manipulate accounts to maintain and/or elevate access to victim systems. Account manipulation may consist of any action that preserves or modifies adversary access to a compromised account, such as modifying credentials or permission groups. These actions could also include account activity designed to subvert security policies, such as performing iterative password updates to bypass password duration policies and preserve the life of compromised credentials.

Evidence: 2026-07-10/siemens-sicam-8-ssa-229470-firmware-signing-bypass · ATT&CK page ↗

Privilege Escalation TA0004

T1098Account Manipulation×1

Adversaries may manipulate accounts to maintain and/or elevate access to victim systems. Account manipulation may consist of any action that preserves or modifies adversary access to a compromised account, such as modifying credentials or permission groups. These actions could also include account activity designed to subvert security policies, such as performing iterative password updates to bypass password duration policies and preserve the life of compromised credentials.

Evidence: 2026-07-10/siemens-sicam-8-ssa-229470-firmware-signing-bypass · ATT&CK page ↗

Defense Impairment TA0112

T1601Modify System Image×1

Adversaries may make changes to the operating system of embedded network devices to weaken defenses and provide new capabilities for themselves. On such devices, the operating systems are typically monolithic and most of the device functionality and capabilities are contained within a single file.

Evidence: 2026-07-10/siemens-sicam-8-ssa-229470-firmware-signing-bypass · ATT&CK page ↗

Lateral Movement TA0008

T1210Exploitation of Remote Services×1

Adversaries may exploit remote services to gain unauthorized access to internal systems once inside of a network. Exploitation of a software vulnerability occurs when an adversary takes advantage of a programming error in a program, service, or within the operating system software or kernel itself to execute adversary-controlled code. A common goal for post-compromise exploitation of remote services is for lateral movement to enable access to a remote system.

Evidence: 2026-07-10/siemens-sicam-8-ssa-229470-firmware-signing-bypass · ATT&CK page ↗

Impact TA0040

T1499Endpoint Denial of Service×1

Adversaries may perform Endpoint Denial of Service (DoS) attacks to degrade or block the availability of services to users. Endpoint DoS can be performed by exhausting the system resources those services are hosted on or exploiting the system to cause a persistent crash condition. Example services include websites, email services, DNS, and web-based applications. Adversaries have been observed conducting DoS attacks for political purposes and to support other malicious activities, including distraction, hacktivism, and extortion.

Evidence: 2026-07-10/siemens-sicam-8-ssa-229470-firmware-signing-bypass · ATT&CK page ↗

Story timeline

  1. 2026-07-10Siemens SICAM 8 (A8000/EGS/S8000) grid RTUs: firmware-signature-validation bypass + OPC-UA-off-by-default among four CVEs (SSA-229470)
    trending-vulnerabilitiesSiemens patches a firmware-signing bypass and an insecure OPC UA default in SICAM 8 grid-protection controllers — plan the out-of-band OT update

Where this entity is cited

  • trending-vulnerabilities1

Source distribution

  • cert-portal.siemens.com1 (50%)
  • cert.ssi.gouv.fr1 (50%)

Related entities

Entries about Siemens SICAM 8 HTTP-reachable debug interface → authenticated DoS (1)

2026-07-10 · view entry permalink →

NOTABLECVE-2026-54799 +3NATOA2

Siemens SICAM 8 (A8000/EGS/S8000) grid RTUs: firmware-signature-validation bypass + OPC-UA-off-by-default among four CVEs (SSA-229470)

Siemens ProductCERT's SSA-229470 covers four flaws in the SICORE base system and CPCI85 central processing/communication firmware that underpin the SICAM A8000 (CP-8010/CP-8012 on SICORE; CP-8031/CP-8050 on CPCI85), SICAM EGS (CPCI85) and SICAM S8000 (SICORE) remote terminal units (Siemens ProductCERT, 2026-07-09). The advisory's stated aggregate impact is denial of service, but the individual issues span further: CVE-2026-54799 (CVSS v3.1 6.7, AV:L/PR:H) is a firmware-update signature-validation flaw that lets an attacker who already holds high privileges install malicious firmware for persistent code execution; CVE-2026-54801 (v3.1 7.2) lets an authenticated attacker bypass credential validation when the web API processes administrative-account modifications and gain elevated privileges; CVE-2026-54800 (v3.1 4.8) is an insecure default that disables all OPC UA security, letting a network attacker reach control functions; and CVE-2026-54798 (v3.1 6.5) is an HTTP-reachable debug interface an authenticated attacker can use to crash the web process. All are fixed in CPCI85 V26.20 / SICORE V26.20.0. CERT-FR/ANSSI republished the advisory the next day as CERTFR-2026-AVI-0860, giving European energy-sector operators a home-region authority citation (CERT-FR/ANSSI, 2026-07-10).

The affected application contains a vulnerability in its firmware update mechanism's signature validation process. This could allow an attacker to install malicious firmware, leading to persistent code execution and system compromise.

The affected application ships with a default configuration that disables all OPC UA security mechanisms. This could allow an attacker to gain unauthorized access and control over critical system functions.

Siemens ProductCERT (SSA-229470) 2026-07-09
vulnerability10 Jul 20:34Zmulti-sourceOpen finding ↗