Siemens SICAM 8 CPCI85 and RTUM85 DoS Vulnerabilities: Patch Guide
- [01] Attackers can trigger denial-of-service conditions in Siemens SICAM 8 products used in critical infrastructure sectors like manufacturing.
- [02] Impacted systems include SICAM A8000 and SICAM EGS devices running CPCI85, RTUM85, and SICORE firmware versions earlier than 26.10.
- [03] Operators must update affected firmware to version 26.10 or later and implement network segmentation to restrict unauthorized access.
Overview of Siemens SICAM 8 Security Disclosures
Siemens has released a security advisory concerning its SICAM 8 product portfolio, identifying vulnerabilities that could lead to significant denial-of-service (DoS) conditions. According to CISA Advisory ICSA-26-092-01, these flaws affect several critical components used in the Siemens SICAM A8000 and SICAM EGS series, which are deployed worldwide within the critical manufacturing sector.
The vulnerabilities, tracked as CVE-2026-27663 and CVE-2026-27664, differ in their technical mechanism but share the same effect: disrupting the availability of industrial control systems (ICS). Exploitation of either flaw could prevent parameterization of the devices, necessitating a manual reset or physical reboot to restore normal operation. Given the role of SICAM 8 products in power grid automation, the potential impact on grid reliability is high.
Technical Analysis: Denial-of-Service Vectors
The vulnerabilities identified involve different memory management and resource handling weaknesses within the firmware components CPCI85, RTUM85, and SICORE.
CVE-2026-27664: XML Out-of-Bounds Write
The more severe of the two issues is CVE-2026-27664, which carries a CVSS base score of 7.5. This vulnerability is classified as an out-of-bounds write (CWE-787). The flaw resides in the way the affected firmware parses XML input. An unauthenticated remote attacker can exploit it by sending a specially crafted XML request to the device. Because the application does not properly validate the boundaries of the input during parsing, the data can overwrite adjacent memory locations. This typically leads to a service crash or an unstable system state, achieving a denial-of-service condition without legitimate credentials. Until the firmware is updated, organizations should mitigate CVE-2026-27664 by restricting access to the management interfaces that accept XML-based configuration.
Resource Exhaustion in Remote Operation Mode
The second vulnerability, CVE-2026-27663, involves allocation of resources without limits or throttling (CWE-770) and has a CVSS score of 6.5. It specifically affects the remote operation mode of the devices. In this mode, the system is susceptible to resource exhaustion when subjected to a high volume of requests: if an attacker floods the remote operation interface with requests, the device may consume all available processing power or memory. To detect such resource exhaustion on CPCI85 and RTUM85 devices, administrators should monitor for unusual spikes in network traffic directed at control ports and check whether the device stops responding to parameterization attempts. Recovery from this state generally requires a hard reset of the hardware.
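As an added illustration of the monitoring described above (example code, not from Siemens or CISA), the following script applies a sliding-window request-rate check to firewall flow records in front of a SICAM remote-operation interface. The log format, the control port (2404 is assumed here), and the window/threshold values are assumptions for this example; the sample records are constructed.

```python
from collections import defaultdict, deque
from datetime import datetime, timedelta

CONTROL_PORTS = {2404}  # assumed control port; adjust to your deployment


def parse_flow(line):
    """Parse a constructed 'timestamp key=value ...' flow record."""
    ts, *kv = line.split()
    fields = dict(part.split("=", 1) for part in kv)
    return datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ"), fields


def find_request_bursts(lines, control_ports=CONTROL_PORTS, window_s=10, threshold=50):
    """Return {src: peak_count} for sources that exceed `threshold` requests
    to a control port within any sliding window of `window_s` seconds."""
    windows = defaultdict(deque)  # per-source timestamps inside the window
    peaks = {}
    for line in sorted(lines):  # ISO timestamps sort chronologically as strings
        ts, f = parse_flow(line)
        if int(f["dport"]) not in control_ports:
            continue
        q = windows[f["src"]]
        q.append(ts)
        while q and (ts - q[0]) > timedelta(seconds=window_s):
            q.popleft()  # drop requests that fell out of the window
        if len(q) >= threshold:
            peaks[f["src"]] = max(peaks.get(f["src"], 0), len(q))
    return peaks


def build_sample_log():
    """Constructed sample flows (not real traffic): one engineering workstation
    polling at a normal rate and one host hammering the interface."""
    base = datetime(2026, 4, 2, 10, 0, 0)
    fmt = "{t:%Y-%m-%dT%H:%M:%SZ} src={src} dst=10.20.1.10 dport=2404 action=allow"
    lines = [fmt.format(t=base + timedelta(seconds=10 * i), src="10.20.0.5")
             for i in range(6)]          # benign: one request every 10 s
    lines += [fmt.format(t=base + timedelta(milliseconds=50 * i), src="10.20.0.77")
              for i in range(120)]       # burst: 120 requests within 6 s
    return lines


if __name__ == "__main__":
    for src, peak in find_request_bursts(build_sample_log()).items():
        print(f"ALERT: {src} sent {peak} control-port requests inside 10 s")
```

Feed the function real flow or syslog exports after adapting `parse_flow` to their format; the benign poller never trips the threshold while the burst source is reported with its peak count.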
Impact on Critical Infrastructure
Siemens SICAM 8 products are frequently integrated into high-availability environments, such as Transmission System Operators (TSOs) and Distribution System Operators (DSOs). These entities are often required by law to maintain resilient power grids through redundant protection schemes. The MITRE ATT&CK framework highlights that disrupting such systems can have cascading effects on industrial processes. While no active exploitation by a specific APT has been confirmed in the source material, the public disclosure of these vulnerabilities increases the risk of opportunistic attacks.
Remediation and Siemens SICAM 8 RTUM85 Patch Guidance
Siemens has addressed these security concerns by releasing firmware version 26.10. Siemens' patch guidance indicates that the update is bundled within various package releases. Specifically, firmware RTUM85 V26.10 is included in the CP-8010/CP-8012 Package V26.10 and the SICAM S8000 Package V26.10. Similarly, CPCI85 V26.10 is available within the CP-8031/CP-8050 and SICAM EGS packages.
Defenders should have their SOC verify current firmware versions and schedule maintenance windows for the updates. Integrating logging from these devices into a SIEM can also help identify the early stages of a resource exhaustion attempt. Beyond patching, Siemens and CISA recommend the following defense-in-depth measures:
- Isolate Control Networks: Ensure that ICS devices are not accessible directly from the internet and are located behind firewalls.
- Segment Business Traffic: Maintain strict separation between business IT networks and industrial OT networks to prevent lateral movement.
- Secure Remote Access: Use encrypted Virtual Private Networks (VPNs) for any necessary remote connectivity and ensure those VPN gateways are also fully patched.
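To support the firmware verification step above, here is an added example (not Siemens' own tooling) that audits an asset inventory against the 26.10 fix level and maps each outdated component to the package names quoted in this article. The inventory rows are constructed, and the package list for SICORE is left empty because the article does not name one.

```python
import re

FIXED_VERSION = (26, 10)  # first fixed firmware version per the advisory

# Packages that ship the fixed firmware, as listed in the article.
FIX_PACKAGES = {
    "RTUM85": ["CP-8010/CP-8012 Package V26.10", "SICAM S8000 Package V26.10"],
    "CPCI85": ["CP-8031/CP-8050 Package V26.10", "SICAM EGS Package V26.10"],
    "SICORE": [],  # package not named in the article
}


def parse_version(text):
    """Turn 'V26.10', '26.9' or 'v26.10.2' into an int tuple. A plain string
    comparison gets this wrong ('26.9' > '26.10'), so compare tuples instead."""
    m = re.fullmatch(r"[Vv]?(\d+(?:\.\d+)*)", text.strip())
    if not m:
        raise ValueError(f"unrecognised version string: {text!r}")
    return tuple(int(p) for p in m.group(1).split("."))


def needs_update(component, version):
    """True if this component is affected and runs firmware older than 26.10."""
    return component in FIX_PACKAGES and parse_version(version) < FIXED_VERSION


def audit(inventory):
    """inventory: iterable of (device, component, version).
    Returns (device, component, version, packages) for each vulnerable entry."""
    return [(dev, comp, ver, FIX_PACKAGES[comp])
            for dev, comp, ver in inventory if needs_update(comp, ver)]


# Constructed inventory, e.g. an asset-register export (not real devices).
SAMPLE_INVENTORY = [
    ("rtu-substation-01", "RTUM85", "V26.9"),
    ("rtu-substation-02", "RTUM85", "V26.10"),
    ("cp-8050-feeder-03", "CPCI85", "25.12"),
    ("sicore-gw-01", "SICORE", "V26.11"),
]

if __name__ == "__main__":
    for dev, comp, ver, pkgs in audit(SAMPLE_INVENTORY):
        print(f"{dev}: {comp} {ver} is below 26.10; update via {pkgs or 'vendor package'}")
```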