[TIMESTAMP: 2026-05-14 20:40 UTC] [AUTHOR: Runtime Rebel Intel] [SEVERITY: HIGH]

CVE-2026-40175: Siemens gWAP RCE via Axios Prototype Pollution

AI-Assisted Analysis
// executive briefing tl;dr
  • [01] Siemens gWAP users face remote code execution risk due to a third-party library flaw.
  • [02] Siemens gWAP versions prior to 3.1.1 are vulnerable to this RCE.
  • [03] Immediately update Siemens gWAP to version 3.1.1 or a later release.

Siemens gWAP Exposed to Remote Code Execution via Axios Prototype Pollution

Siemens gPROMS Web Applications Publisher (gWAP), a key software component within the Critical Manufacturing sector, is affected by a significant Remote Code Execution (RCE) vulnerability. This flaw, tracked as CVE-2026-40175, stems from a third-party dependency, specifically the Axios HTTP client library. Attackers could leverage a “Gadget” attack chain to achieve prototype pollution, potentially escalating to arbitrary code execution or even full cloud compromise. Siemens has released an update addressing this issue, urging users to patch affected systems immediately, according to CISA ICSA-26-134-01.

Technical Deep Dive: Understanding CVE-2026-40175 RCE Exploit

At the core of this vulnerability is a prototype pollution flaw within the Axios library, versions prior to 1.15.0 and 0.3.1. Prototype pollution attacks manipulate the JavaScript prototype chain, allowing an attacker to inject arbitrary properties into JavaScript objects. When combined with a specific “Gadget” attack chain, as described in the advisory, this seemingly benign manipulation can be escalated to full RCE. The advisory also highlights the potential for “Full Cloud Compromise” through an AWS IMDSv2 bypass, indicating the severe ramifications for cloud-integrated deployments.

The CVE has been assigned a CVSS v3 base score of 8.0, categorizing it as high severity. The underlying weakness is also linked to CWE-113: Improper Neutralization of CRLF Sequences in HTTP Headers (‘HTTP Request/Response Splitting’). While this CWE typically points to HTTP header injection issues, in this context, it likely plays a role in how the prototype pollution payload is delivered or processed to trigger the RCE through the “Gadget” chain. This highlights the complexity of multi-layered vulnerabilities where an issue in one component (Axios) can be amplified by interactions with others, leading to a critical outcome in the primary application (gWAP).
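
A generic illustration of how the two weaknesses named above can meet, added here as an example and not taken from Axios, gWAP, or the advisory: a header builder that walks inherited properties picks up a polluted Object.prototype entry, while the hardened version reads own properties only and rejects CR/LF in values. The function names and the polluted X-Injected property are constructed for the demonstration.

```javascript
// Added illustration; function names are hypothetical, not Axios or gWAP code.

// Vulnerable pattern: for...in also walks enumerable properties inherited
// from Object.prototype, so a polluted prototype silently adds headers.
function buildHeadersUnsafe(userHeaders) {
  const lines = [];
  for (const name in userHeaders) {
    lines.push(`${name}: ${userHeaders[name]}`);
  }
  return lines;
}

// Hardened pattern: own properties only, a strict token check on names,
// and rejection of CR/LF/NUL in values (the CWE-113 condition).
const HEADER_NAME = /^[!#$%&'*+\-.^_`|~0-9A-Za-z]+$/;
const FORBIDDEN_VALUE = /[\r\n\0]/;

function buildHeadersSafe(userHeaders) {
  const lines = [];
  for (const name of Object.keys(userHeaders)) {
    const value = String(userHeaders[name]);
    if (!HEADER_NAME.test(name)) throw new TypeError(`invalid header name: ${JSON.stringify(name)}`);
    if (FORBIDDEN_VALUE.test(value)) throw new TypeError(`CR/LF in value of header ${name}`);
    lines.push(`${name}: ${value}`);
  }
  return lines;
}

// Runs fn while a constructed property sits on Object.prototype, then
// always removes it so the demonstration leaves the runtime clean.
function withPollutedPrototype(key, value, fn) {
  Object.defineProperty(Object.prototype, key, {
    value, enumerable: true, configurable: true, writable: true,
  });
  try { return fn(); } finally { delete Object.prototype[key]; }
}

function demo() {
  const request = { Accept: "application/json" }; // what the caller intended to send
  return withPollutedPrototype("X-Injected", "a\r\nX-Second: b", () => ({
    unsafe: buildHeadersUnsafe(request), // includes the inherited, CRLF-bearing entry
    safe: buildHeadersSafe(request),     // only the caller's own header
  }));
}

console.log(demo());
```

Building header maps on `Object.create(null)` removes the inherited lookup path as well, which is worth combining with the own-property and CR/LF checks above.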

Affected Versions and Criticality

The vulnerability specifically impacts Siemens gWAP versions prior to 3.1.1. Given that Siemens gWAP is deployed worldwide, particularly within the Critical Manufacturing sector, the potential for disruption is substantial. Compromise of such systems could lead to operational downtime, data exfiltration, or manipulation of industrial processes, posing significant risks to infrastructure and safety.

Actionable Recommendations: Mitigation for Siemens gWAP Axios Prototype Pollution

For organizations utilizing Siemens gWAP, immediate action is paramount to mitigate the risk posed by CVE-2026-40175. Addressing this vulnerability requires a multi-faceted approach, starting with the vendor-provided fix.

Patching and Updates: How to update Siemens gWAP to version 3.1.1

The primary recommendation from Siemens is to update gWAP to version 3.1.1 or a later release. This update directly addresses the underlying vulnerability in the Axios HTTP client library. Organizations should plan for this upgrade promptly, following Siemens’ official support documentation available at https://support.sw.siemens.com/product/284395347/.

General ICS Security Posture Enhancements

Beyond patching, CISA and Siemens recommend a series of defensive measures to bolster the overall security posture of Industrial Control Systems (ICS) environments:

  • Network Segmentation: Minimize network exposure for all control system devices and systems. They should not be directly accessible from the internet. Isolate ICS networks behind firewalls and segment them from business networks to limit lateral movement in the event of a breach.
  • Secure Remote Access: When remote access is indispensable, utilize robust methods like Virtual Private Networks (VPNs), ensuring VPN solutions are kept up-to-date and configured securely. Recognize that a VPN is only as secure as the devices connected to it.
  • Defense-in-Depth Strategies: Implement a layered cybersecurity approach, encompassing administrative, logical, and physical security controls. Consult resources like CISA’s “Improving Industrial Control Systems Cybersecurity with Defense-in-Depth Strategies.”
  • Monitoring and Detection: Implement continuous monitoring of ICS networks for anomalous behavior. Deploying Security Information and Event Management (SIEM) systems and Endpoint Detection and Response (EDR) solutions tailored for OT environments can help detect indicators of compromise (IoCs) related to attacks like prototype pollution or RCE attempts.
  • Risk Assessment: Before deploying any defensive measures, conduct a thorough impact analysis and risk assessment specific to your operational environment.

Organizations observing suspected malicious activity should follow established internal procedures and report findings to CISA for broader tracking and correlation against other incidents.
