ctipilot.ch
← Back to the live brief
NOTABLECVE-2026-54799 +3NATOA2vulnerability

Siemens SICAM 8 (A8000/EGS/S8000) grid RTUs: firmware-signature-validation bypass + OPC-UA-off-by-default among four CVEs (SSA-229470)

discovered 2026-07-10 20:34 UTCrun 2026-07-10T2009Z-intel2 sourcesmulti-source

Siemens ProductCERT's SSA-229470 covers four flaws in the SICORE base system and CPCI85 central processing/communication firmware that underpin the SICAM A8000 (CP-8010/CP-8012 on SICORE; CP-8031/CP-8050 on CPCI85), SICAM EGS (CPCI85) and SICAM S8000 (SICORE) remote terminal units (Siemens ProductCERT, 2026-07-09). The advisory's stated aggregate impact is denial of service, but the individual issues span further: CVE-2026-54799 (CVSS v3.1 6.7, AV:L/PR:H) is a firmware-update signature-validation flaw that lets an attacker who already holds high privileges install malicious firmware for persistent code execution; CVE-2026-54801 (v3.1 7.2) lets an authenticated attacker bypass credential validation when the web API processes administrative-account modifications and gain elevated privileges; CVE-2026-54800 (v3.1 4.8) is an insecure default that disables all OPC UA security, letting a network attacker reach control functions; and CVE-2026-54798 (v3.1 6.5) is an HTTP-reachable debug interface an authenticated attacker can use to crash the web process. All are fixed in CPCI85 V26.20 / SICORE V26.20.0. CERT-FR/ANSSI republished the advisory the next day as CERTFR-2026-AVI-0860, giving European energy-sector operators a home-region authority citation (CERT-FR/ANSSI, 2026-07-10).

The affected application contains a vulnerability in its firmware update mechanism's signature validation process. This could allow an attacker to install malicious firmware, leading to persistent code execution and system compromise.

The affected application ships with a default configuration that disables all OPC UA security mechanisms. This could allow an attacker to gain unauthorized access and control over critical system functions.

Siemens ProductCERT (SSA-229470) 2026-07-09

Defender actions

  • Plan an out-of-band firmware update to CPCI85 ≥ V26.20 / SICORE ≥ V26.20.0 across SICAM A8000/EGS/S8000 estates; validate in a test environment and supervise the update per Siemens' documented procedure before rolling to production grid devices.
  • Audit SICAM 8 OPC UA configuration — the shipped default disables OPC UA security (CVE-2026-54800); enable it and confirm the OPC UA interface is not network-reachable from untrusted zones.
  • Restrict network access to SICAM device HTTP/web-API and OPC UA interfaces via segmentation, firewalls and VPN; treat the debug HTTP endpoint (CVE-2026-54798) as attack surface and confirm resilient redundant protection is in place per grid-design guidance.

ATT&CK mapping

4 techniques mapped from the cited reporting · MITRE ATT&CK v19.1

Persistence TA0003
T1098Account Manipulation

Adversaries may manipulate accounts to maintain and/or elevate access to victim systems. Account manipulation may consist of any action that preserves or modifies adversary access to a compromised account, such as modifying credentials or permission groups. These actions could also include account activity designed to subvert security policies, such as performing iterative password updates to bypass password duration policies and preserve the life of compromised credentials.

overlap matrix · ATT&CK page ↗

Privilege Escalation TA0004
T1098Account Manipulation

Adversaries may manipulate accounts to maintain and/or elevate access to victim systems. Account manipulation may consist of any action that preserves or modifies adversary access to a compromised account, such as modifying credentials or permission groups. These actions could also include account activity designed to subvert security policies, such as performing iterative password updates to bypass password duration policies and preserve the life of compromised credentials.

overlap matrix · ATT&CK page ↗

Defense Impairment TA0112
T1601Modify System Image

Adversaries may make changes to the operating system of embedded network devices to weaken defenses and provide new capabilities for themselves. On such devices, the operating systems are typically monolithic and most of the device functionality and capabilities are contained within a single file.

overlap matrix · ATT&CK page ↗

Lateral Movement TA0008
T1210Exploitation of Remote Services

Adversaries may exploit remote services to gain unauthorized access to internal systems once inside of a network. Exploitation of a software vulnerability occurs when an adversary takes advantage of a programming error in a program, service, or within the operating system software or kernel itself to execute adversary-controlled code. A common goal for post-compromise exploitation of remote services is for lateral movement to enable access to a remote system.

overlap matrix · ATT&CK page ↗

Impact TA0040
T1499Endpoint Denial of Service

Adversaries may perform Endpoint Denial of Service (DoS) attacks to degrade or block the availability of services to users. Endpoint DoS can be performed by exhausting the system resources those services are hosted on or exploiting the system to cause a persistent crash condition. Example services include websites, email services, DNS, and web-based applications. Adversaries have been observed conducting DoS attacks for political purposes and to support other malicious activities, including distraction, hacktivism, and extortion.

overlap matrix · ATT&CK page ↗

PROVENANCE

AI-generated · no human review · this permalink is the shareable record for the finding · verify operationally critical claims against the linked primary source.