
Two CVEs in Siemens SICAM 8 firmware expose three product families to unauthenticated denial of service

CVE-2026-27663 and CVE-2026-27664 affect shared firmware components across Siemens SICAM A8000, EGS and S8000 product lines, enabling unauthenticated denial of service in power grid infrastructure.

CVE-2026-27663 and CVE-2026-27664 affect firmware components shared across Siemens' SICAM A8000, SICAM EGS and SICAM S8000 product lines. Both enable unauthenticated denial of service. The more severe of the two, CVE-2026-27664, is exploitable over the network by sending a crafted XML request and carries a CVSS v4.0 base score of 8.7. Siemens published advisory SSA-246443 on 26 March 2026 with patches for all affected products.

These are not obscure industrial widgets. SICAM A8000 remote terminal units handle telecontrol and automation in energy supply networks. SICAM EGS devices serve as gateways in power distribution substations. SICAM S8000 provides RTU and PLC functions as software on third-party hardware. A denial of service condition against any of them means lost telemetry and lost control at precisely the moment an operator might need both.

What the vulnerabilities do

The two CVEs sit in different firmware components but produce the same outcome: the affected service stops responding and the device has to be reset or rebooted to recover.

CVE-2026-27664 is an out-of-bounds write (CWE-787) in the XML parsing logic of the CPCI85 and SICORE firmware modules. An unauthenticated attacker can send a specially crafted XML request over the network to trigger the write. The service crashes. No authentication is required. No user interaction is needed. The attack vector is network-based, which is reflected in its CVSS v3.1 base score of 7.5 and its CVSS v4.0 base score of 8.7.

CVE-2026-27663 is a resource exhaustion flaw (CWE-770) in the remote operation mode of the CPCI85 and RTUM85 firmware modules. Flooding the device with a high volume of requests exhausts its resources, preventing parameterisation and requiring a reset or reboot. The attack vector is adjacent network rather than full network, which lowers the CVSS v3.1 base score to 6.5 and the CVSS v4.0 base score to 7.1. In practice, the distinction depends entirely on network architecture: if the OT network is flat or poorly segmented, "adjacent" is a generous assumption.

The shared firmware problem

The interesting part of this advisory is not the individual vulnerabilities. It is the blast radius created by shared components.

Siemens' SICAM 8 platform uses a modular firmware architecture. Three core modules, CPCI85 (central processing and communication), SICORE (base system) and RTUM85 (RTU base), are reused across product families:

Firmware module                  | Affected products                          | CVEs
CPCI85 (all versions < V26.10)   | SICAM A8000 CP-8031/CP-8050, SICAM EGS     | CVE-2026-27663, CVE-2026-27664
SICORE (all versions < V26.10.0) | SICAM S8000, SICAM A8000 CP-8010/CP-8012   | CVE-2026-27664
RTUM85 (all versions < V26.10)   | SICAM A8000 CP-8010/CP-8012, SICAM S8000   | CVE-2026-27663

A single vulnerability in CPCI85's XML parser propagates to every product family that ships that module. This is efficient from an engineering perspective: one codebase, one patch cycle. It is less efficient from a risk perspective, because a single bug in a shared library becomes a fleet-wide exposure.

This pattern is not unique to Siemens. Shared firmware and SDK components are a structural feature of ICS product development. The SICAM SIAPP SDK vulnerabilities disclosed earlier in March followed a similar pattern, where flaws in the development framework rippled downstream into every application built on it. The difference here is that the shared components are not development tools. They are the devices themselves.

Exploitation context

Neither CVE has a known public exploit at the time of writing. Both are rated as having low attack complexity. CVE-2026-27664 requires nothing beyond network access and a malformed XML payload: no credentials, no social engineering, no chain of prior compromises. Resource exhaustion attacks like CVE-2026-27663 are similarly straightforward once an attacker has adjacent network positioning.

The practical question is access. These devices sit in OT networks that should be segmented from corporate IT and the internet. The word "should" is doing considerable work in that sentence. Dragos and CISA have repeatedly documented cases where OT network segmentation exists on architecture diagrams but not in production. Flat networks, dual-homed engineering workstations and exposed management interfaces are not theoretical risks in the energy sector. They are audit findings.

An attacker who achieves network adjacency, whether through a compromised engineering workstation, a VPN misconfiguration or a supply chain implant, can trigger either vulnerability without further escalation. The denial of service is not a stepping stone to code execution (at least not based on what is disclosed). But in a power distribution context, loss of visibility into substation state is itself a high-impact outcome. Operators making switching decisions without current telemetry is how cascading failures start.

The acknowledgements tell a story

Siemens credited T. Weber, S. Dietz, D. Blagojevic and F. Koroknai from CyberDanube for the coordinated disclosure of CVE-2026-27663. CVE-2026-27664 was credited to S. Dietz from CyberDanube in cooperation with VERBUND Digital Power.

VERBUND is Austria's largest electricity provider. Their involvement in the disclosure of a vulnerability affecting power grid infrastructure suggests this was not an abstract research exercise. When the entity reporting the bug is also the entity operating the equipment, the finding tends to carry operational weight.

Patching and mitigation

Siemens released firmware version V26.10 to address both CVEs across all affected modules. The update packages are distributed per product family:

  • CP-8031/CP-8050 Package V26.10 covers CPCI85 for SICAM A8000 and SICAM EGS deployments.
  • CP-8010/CP-8012 Package V26.10 covers RTUM85 and SICORE.
  • SICAM S8000 Package V26.10 covers RTUM85 and SICORE for software-based deployments.

All packages are available through Siemens' industry support portal, as documented in SSA-246443.

For environments where immediate patching is not feasible, Siemens recommends network segmentation, firewall rules restricting access to affected devices and VPN for remote access. These are standard ICS hardening measures, and their effectiveness depends entirely on whether they were already in place before the advisory was published.

What this means for defenders

If you operate SICAM 8 infrastructure, the action is straightforward: inventory your CPCI85, SICORE and RTUM85 firmware versions, validate them against V26.10 and schedule updates. Prioritise CVE-2026-27664 given its network-reachable attack vector.

Beyond the immediate patch cycle, the broader lesson is about visibility into shared components. Asset inventories that track devices by product name (SICAM A8000, SICAM EGS) may not capture the firmware module versions running underneath. When a single advisory affects three product families through shared firmware, defenders need component-level visibility to assess exposure accurately.
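The inventory check described in the two paragraphs above, as an added example (not code from the article, Siemens or CyberDanube): it takes an inventory keyed by device, product, firmware module and version, compares each module version against the fixed version from the advisory table, reports which CVEs a device is exposed to, and separately flags devices whose inventory carries no version for a module their product family ships. The fixed versions and the module-to-product mapping are the ones in the table above; the inventory rows, device names and the high/medium triage order (network-reachable CVE-2026-27664 first) are constructed assumptions for illustration. Version strings that cannot be parsed are reported as "unknown" rather than silently skipped, which is the failure mode a product-name-only inventory produces.

```python
"""Exposure check for the shared SICAM 8 firmware modules in SSA-246443.

Added example: fixed versions and product/module mapping follow the
advisory as summarised in the article; the sample inventory, device
names and triage labels are constructed assumptions.
"""
import re
from collections import defaultdict

# Fixed version and affected CVEs per shared firmware module (from the table).
FIXED_VERSION = {"CPCI85": "V26.10", "SICORE": "V26.10.0", "RTUM85": "V26.10"}
MODULE_CVES = {
    "CPCI85": ("CVE-2026-27663", "CVE-2026-27664"),
    "SICORE": ("CVE-2026-27664",),
    "RTUM85": ("CVE-2026-27663",),
}
# Modules each product family ships (from the same table).
PRODUCT_MODULES = {
    "SICAM A8000 CP-8031": ("CPCI85",),
    "SICAM A8000 CP-8050": ("CPCI85",),
    "SICAM EGS": ("CPCI85",),
    "SICAM A8000 CP-8010": ("SICORE", "RTUM85"),
    "SICAM A8000 CP-8012": ("SICORE", "RTUM85"),
    "SICAM S8000": ("SICORE", "RTUM85"),
}

_VERSION_RE = re.compile(r"^V?(\d+(?:\.\d+)*)$")


def parse_version(text):
    """'V26.10' -> (26, 10). Returns None when the string is not a version."""
    m = _VERSION_RE.match(text.strip())
    if not m:
        return None
    return tuple(int(part) for part in m.group(1).split("."))


def version_below(have, fixed):
    """Compare after zero-padding, so V26.10 is not 'below' V26.10.0."""
    width = max(len(have), len(fixed))

    def pad(v):
        return v + (0,) * (width - len(v))

    return pad(have) < pad(fixed)


def assess_module(module, version_text):
    """CVEs this module/version is exposed to; () if patched; None if the
    version string is unparsable and must be verified by hand."""
    have = parse_version(version_text)
    if have is None:
        return None
    fixed = parse_version(FIXED_VERSION[module])
    return MODULE_CVES[module] if version_below(have, fixed) else ()


def assess_inventory(rows):
    """rows: (device, product, module, version). Returns findings as
    (device, module, version, priority, cves), highest priority first,
    including modules a product ships but the inventory never recorded."""
    findings, seen, products = [], defaultdict(set), {}
    for device, product, module, version in rows:
        seen[device].add(module)
        products[device] = product
        cves = assess_module(module, version)
        if cves is None:
            findings.append((device, module, version, "unknown", ()))
        elif cves:
            # Assumed triage: anything carrying the network-reachable CVE first.
            prio = "high" if "CVE-2026-27664" in cves else "medium"
            findings.append((device, module, version, prio, cves))
    for device, product in products.items():
        for module in PRODUCT_MODULES.get(product, ()):
            if module not in seen[device]:
                findings.append((device, module, "-", "unknown", ()))
    rank = {"high": 0, "medium": 1, "unknown": 2}
    findings.sort(key=lambda f: (rank[f[3]], f[0]))
    return findings


# Constructed sample inventory (not real data): device, product, module, version.
SAMPLE_INVENTORY = [
    ("rtu-sub01", "SICAM A8000 CP-8050", "CPCI85", "V25.12"),
    ("gw-sub02", "SICAM EGS", "CPCI85", "V26.10"),
    ("rtu-sub03", "SICAM A8000 CP-8012", "RTUM85", "V26.09"),
    ("rtu-sub03", "SICAM A8000 CP-8012", "SICORE", "V26.10"),
    ("s8k-dc01", "SICAM S8000", "SICORE", "V26.9.1"),
    ("s8k-dc01", "SICAM S8000", "RTUM85", "unknown"),
    ("rtu-sub04", "SICAM A8000 CP-8010", "SICORE", "V26.10.0"),
]

if __name__ == "__main__":
    for device, module, version, prio, cves in assess_inventory(SAMPLE_INVENTORY):
        print(f"{prio:8} {device:10} {module:7} {version:9} {', '.join(cves) or 'verify manually'}")
```

Two details carry the weight here: the zero-padded comparison keeps a SICORE device at V26.10 from being misreported against the V26.10.0 fix line, and the second loop over PRODUCT_MODULES is what turns a product-level inventory into the module-level view the advisory requires.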

The energy sector has spent years building redundancy into grid operations precisely because individual components fail. Siemens themselves note in the advisory that operators of critical power systems "are usually required by regulations to build resilience into the power grids by applying multi-level redundant secondary protection schemes." That redundancy is real, and it matters. But redundancy designed to handle equipment failure and redundancy designed to handle coordinated denial of service across a fleet of devices sharing the same vulnerable firmware are not the same engineering problem.
