{"dataType": "CVE_RECORD", "dataVersion": "5.2", "cveMetadata": {"cveId": "CVE-2026-25570", "assignerOrgId": "cec7a2ec-15b4-4faf-bd53-b40f371f3a77", "state": "PUBLISHED", "assignerShortName": "siemens", "dateReserved": "2026-02-02T23:19:09.478Z", "datePublished": "2026-03-10T16:07:53.964Z", "dateUpdated": "2026-03-10T16:41:09.610Z"}, "containers": {"cna": {"providerMetadata": {"orgId": "cec7a2ec-15b4-4faf-bd53-b40f371f3a77", "shortName": "siemens", "dateUpdated": "2026-03-10T16:07:53.964Z"}, "descriptions": [{"lang": "en", "value": "A vulnerability has been identified in SICAM SIAPP SDK (All versions < V2.1.7). The SICAM SIAPP SDK does not perform checks on input values potentially resulting in stack overflow. This could allow an attacker to perform code execution and denial of service."}], "affected": [{"vendor": "Siemens", "product": "SICAM SIAPP SDK", "versions": [{"status": "affected", "version": "0", "lessThan": "V2.1.7", "versionType": "custom"}], "defaultStatus": "unknown"}], "metrics": [{"cvssV3_1": {"version": "3.1", "vectorString": "CVSS:3.1/AV:L/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H", "baseScore": 7.4, "baseSeverity": "HIGH"}}, {"cvssV4_0": {"version": "4.0", "vectorString": "CVSS:4.0/AV:L/AC:H/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N", "baseScore": 7.5, "baseSeverity": "HIGH"}}], "problemTypes": [{"descriptions": [{"lang": "en", "cweId": "CWE-121", "description": "CWE-121: Stack-based Buffer Overflow", "type": "CWE"}]}], "references": [{"url": "https://cert-portal.siemens.com/productcert/html/ssa-903736.html"}]}, "adp": [{"metrics": [{"other": {"type": "ssvc", "content": {"id": "CVE-2026-25570", "role": "CISA Coordinator", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "total"}], "version": "2.0.3", "timestamp": "2026-03-10T16:34:58.646415Z"}}}], "title": "CISA ADP Vulnrichment", "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-03-10T16:41:09.610Z"}}]}}

{"dataType": "CVE_RECORD", "containers": {"adp": [{"title": "CISA ADP Vulnrichment", "metrics": [{"other": {"type": "ssvc", "content": {"id": "CVE-2026-25570", "role": "CISA Coordinator", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "total"}], "version": "2.0.3", "timestamp": "2026-03-10T16:34:58.646415Z"}}}], "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-03-10T16:38:03.856Z"}}], "cna": {"metrics": [{"cvssV3_1": {"version": "3.1", "baseScore": 7.4, "baseSeverity": "HIGH", "vectorString": "CVSS:3.1/AV:L/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H"}}, {"cvssV4_0": {"version": "4.0", "baseScore": 7.5, "baseSeverity": "HIGH", "vectorString": "CVSS:4.0/AV:L/AC:H/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N"}}], "affected": [{"vendor": "Siemens", "product": "SICAM SIAPP SDK", "versions": [{"status": "affected", "version": "0", "lessThan": "V2.1.7", "versionType": "custom"}], "defaultStatus": "unknown"}], "references": [{"url": "https://cert-portal.siemens.com/productcert/html/ssa-903736.html"}], "descriptions": [{"lang": "en", "value": "A vulnerability has been identified in SICAM SIAPP SDK (All versions < V2.1.7). The SICAM SIAPP SDK does not perform checks on input values potentially resulting in stack overflow. This could allow an attacker to perform code execution and denial of service."}], "problemTypes": [{"descriptions": [{"lang": "en", "type": "CWE", "cweId": "CWE-121", "description": "CWE-121: Stack-based Buffer Overflow"}]}], "providerMetadata": {"orgId": "cec7a2ec-15b4-4faf-bd53-b40f371f3a77", "shortName": "siemens", "dateUpdated": "2026-03-10T16:07:53.964Z"}}}, "cveMetadata": {"cveId": "CVE-2026-25570", "state": "PUBLISHED", "dateUpdated": "2026-03-10T16:41:09.610Z", "dateReserved": "2026-02-02T23:19:09.478Z", "assignerOrgId": "cec7a2ec-15b4-4faf-bd53-b40f371f3a77", "datePublished": "2026-03-10T16:07:53.964Z", "assignerShortName": "siemens"}, "dataVersion": "5.2"}

{"configurations": [{"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:a:siemens:sicam_siapp_sdk:*:*:*:*:*:*:*:*", "matchCriteriaId": "1C92AE80-D07C-484A-9F56-5A0B25F8D249", "versionEndExcluding": "2.17", "vulnerable": true}], "negate": false, "operator": "OR"}]}], "cveTags": [], "descriptions": [{"lang": "en", "value": "A vulnerability has been identified in SICAM SIAPP SDK (All versions < V2.1.7). The SICAM SIAPP SDK does not perform checks on input values potentially resulting in stack overflow. This could allow an attacker to perform code execution and denial of service."}, {"lang": "es", "value": "Una vulnerabilidad ha sido identificada en SICAM SIAPP SDK (Todas las versiones &lt; V2.1.7). El SICAM SIAPP SDK no realiza comprobaciones en los valores de entrada, lo que podr\u00eda resultar en desbordamiento de pila. Esto podr\u00eda permitir a un atacante realizar ejecuci\u00f3n de c\u00f3digo y denegaci\u00f3n de servicio."}], "id": "CVE-2026-25570", "lastModified": "2026-03-13T15:36:17.683", "metrics": {"cvssMetricV31": [{"cvssData": {"attackComplexity": "HIGH", "attackVector": "LOCAL", "availabilityImpact": "HIGH", "baseScore": 7.4, "baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:L/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H", "version": "3.1"}, "exploitabilityScore": 1.4, "impactScore": 5.9, "source": "productcert@siemens.com", "type": "Secondary"}, {"cvssData": {"attackComplexity": "LOW", "attackVector": "LOCAL", "availabilityImpact": "HIGH", "baseScore": 7.8, "baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "LOW", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H", "version": "3.1"}, "exploitabilityScore": 1.8, "impactScore": 5.9, "source": "nvd@nist.gov", "type": "Primary"}], "cvssMetricV40": [{"cvssData": {"Automatable": "NOT_DEFINED", "Recovery": "NOT_DEFINED", "Safety": "NOT_DEFINED", "attackComplexity": "HIGH", "attackRequirements": "NONE", "attackVector": "LOCAL", "availabilityRequirement": "NOT_DEFINED", "baseScore": 7.5, "baseSeverity": "HIGH", "confidentialityRequirement": "NOT_DEFINED", "exploitMaturity": "NOT_DEFINED", "integrityRequirement": "NOT_DEFINED", "modifiedAttackComplexity": "NOT_DEFINED", "modifiedAttackRequirements": "NOT_DEFINED", "modifiedAttackVector": "NOT_DEFINED", "modifiedPrivilegesRequired": "NOT_DEFINED", "modifiedSubAvailabilityImpact": "NOT_DEFINED", "modifiedSubConfidentialityImpact": "NOT_DEFINED", "modifiedSubIntegrityImpact": "NOT_DEFINED", "modifiedUserInteraction": "NOT_DEFINED", "modifiedVulnAvailabilityImpact": "NOT_DEFINED", "modifiedVulnConfidentialityImpact": "NOT_DEFINED", "modifiedVulnIntegrityImpact": "NOT_DEFINED", "privilegesRequired": "NONE", "providerUrgency": "NOT_DEFINED", "subAvailabilityImpact": "NONE", "subConfidentialityImpact": "NONE", "subIntegrityImpact": "NONE", "userInteraction": "NONE", "valueDensity": "NOT_DEFINED", "vectorString": "CVSS:4.0/AV:L/AC:H/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X", "version": "4.0", "vulnAvailabilityImpact": "HIGH", "vulnConfidentialityImpact": "HIGH", "vulnIntegrityImpact": "HIGH", "vulnerabilityResponseEffort": "NOT_DEFINED"}, "source": "productcert@siemens.com", "type": "Secondary"}]}, "published": "2026-03-10T18:18:36.830", "references": [{"source": "productcert@siemens.com", "tags": ["Vendor Advisory"], "url": "https://cert-portal.siemens.com/productcert/html/ssa-903736.html"}], "sourceIdentifier": "productcert@siemens.com", "vulnStatus": "Analyzed", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-121"}], "source": "productcert@siemens.com", "type": "Primary"}]}

{}

{"affected": [{"configurations": [{"platform": null, "status": "affected", "versions": {"scheme": "generic", "value": "[0,V2.1.7)"}}], "enrichment": {"confidence": 100.0, "confidence_source": "cna", "scores": [{"score": 100.0, "source": "cna"}]}, "product": "sicam_siapp_sdk", "vendor": "siemens"}], "analysis": {"en": {"generated_at": "2026-04-16T09:49:23.979842+00:00", "value": {"mitigation_remediation": ["Upgrade the Siemens SICAM SIAPP SDK to version 2.1.7 or later.", "If an upgrade is not immediately possible, add application\u2011level input validation to restrict the size of data before it reaches the SDK.", "Monitor the system for anomalous stack usage or unexpected crashes, and investigate any suspicious activity promptly."], "summary": {"action": "Patch", "impact": "Remote Code Execution"}, "threat_synthesis": {"affected_systems": "Siemens SICAM SIAPP SDK is affected. All releases prior to version 2.1.7 are vulnerable. Users of earlier builds should investigate whether the SDK is deployed in their systems and plan an upgrade.", "description_and_impact": "A stack overflow flaw exists in the SICAM SIAPP SDK because the component does not validate input sizes. When an attacker sends oversized or malformed data, the overflow can overwrite control data on the stack, allowing arbitrary code execution and potentially causing a denial of service. This weakness is a buffer overflow vulnerability (CWE\u2011121).", "risk_and_exploitability": "The CVSS score of 7.5 indicates moderate to high severity. The EPSS score is below 1%, suggesting exploitation is unlikely but not impossible. The vulnerability is not listed in CISA\u2019s KEV catalog, so no active exploitation information is known. Attackers would need to send crafted input to the SDK; no publicly known exploit code exists yet, so local or remote exploitation would likely require access to the SDK\u2019s input channel. The overall risk is moderate, but the potential for arbitrary code execution necessitates prompt remediation."}}}}, "created": "2026-03-11T11:49:57.396739+00:00", "updated": "2026-04-16T10:00:14.064910+00:00", "vendors": ["siemens", "siemens$PRODUCT$sicam_siapp_sdk"]}