OTPulse

Siemens OZW Web Servers

Act Now · CVSS 10 · ICS-CERT ICSA-25-135-10 · May 13, 2025
Attack Vector: Network
Auth Required: None
Complexity: Low
User Interaction: None needed
Summary

Siemens OZW672 and OZW772 Web Server versions contain two critical vulnerabilities (CVE-2025-26389 and CVE-2025-26390) in authentication and input validation mechanisms. CVE-2025-26389 allows unauthenticated remote code execution with root privileges on devices running firmware before V8.0. CVE-2025-26390 allows unauthenticated authentication bypass to Administrator privileges on devices running firmware before V6.0. Both vulnerabilities result from insufficient input validation (CWE-78: OS Command Injection; CWE-89: SQL Injection) in the web server request handling. Siemens has released firmware updates V8.0 and V6.0 addressing both issues and recommends immediate patching. General mitigations include network segmentation, firewall rules restricting access to authorized hosts only, and use of VPNs for any required remote access.

What this means
What could happen
An attacker with network access to an OZW web server could execute arbitrary code with root privileges (firmware before V8.0) or authenticate as an Administrator user (firmware before V6.0), potentially allowing them to modify control logic, change process parameters, or disrupt operations of connected industrial equipment.
Who's at risk
Organizations operating Siemens OZW672 and OZW772 web servers in water treatment, electric utility SCADA systems, building automation, or any critical infrastructure environment should prioritize this update. These devices are commonly deployed in industrial control systems where they manage automation logic and process monitoring.
How it could be exploited
An attacker on the network sends a malicious request to the OZW web server (CVE-2025-26389 or CVE-2025-26390). The server processes the request without proper input validation or authentication enforcement, allowing command injection (CWE-78) or SQL injection (CWE-89). The attacker gains code execution as root, or Administrator privileges, on the device, and from there can run arbitrary commands to manipulate or disrupt industrial processes.
Prerequisites
  • Network access to the OZW web server port (typically HTTP/HTTPS)
  • The device is running a vulnerable version (before V8.0 for CVE-2025-26389; before V6.0 for CVE-2025-26390)
  • No authentication is required to trigger the vulnerability
  • Remotely exploitable
  • No authentication required
  • Low complexity attack
  • CVSS 10 (critical)
  • Affects root/Administrator privileges
  • Default network exposure in industrial environments
Exploitability
Moderate exploit probability (EPSS 1.1%)
Affected products (4)
4 with fix
| Product | Affected Versions | Fix Status |
|---------|-------------------|------------|
| OZW672  | < V8.0            | 8.0        |
| OZW672  | < V6.0            | 6.0        |
| OZW772  | < V8.0            | 8.0        |
| OZW772  | < V6.0            | 6.0        |
Remediation & Mitigation
Do now
WORKAROUND: Restrict network access to OZW web servers using firewall rules, allowing only authorized engineering workstations or administrative hosts
Schedule — requires maintenance window

Patching may require device reboot — plan for process interruption

OZW672
HOTFIX: Update OZW672 to version 8.0 or later (for CVE-2025-26389)
HOTFIX: Update OZW672 to version 6.0 or later (for CVE-2025-26390)
OZW772
HOTFIX: Update OZW772 to version 8.0 or later (for CVE-2025-26389)
HOTFIX: Update OZW772 to version 6.0 or later (for CVE-2025-26390)
Long-term hardening
HARDENING: Place OZW web servers on isolated industrial network segments, not directly accessible from the business network or internet
HARDENING: If remote access is required, use a VPN or other secure remote access method with multi-factor authentication
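
To order the work above, the following added example (not part of the advisory or any Siemens tooling) maps an asset inventory to the CVEs still open per device and flags web-port connections from hosts outside the authorized list. The fix versions come from the table above; the inventory layout, flow tuples, IP addresses and the choice of ports 80/443 are assumptions.

```python
import ipaddress
import re

# Fixed firmware per CVE, from the advisory's remediation list.
FIXED_IN = {"CVE-2025-26389": (8, 0), "CVE-2025-26390": (6, 0)}
MODELS = {"OZW672", "OZW772"}
WEB_PORTS = {80, 443}  # assumption: the default HTTP/HTTPS ports

def parse_version(text):
    """Turn 'V7.2', 'v5.10.3' or '8' into a comparable (major, minor, ...) tuple."""
    m = re.fullmatch(r"[Vv]?(\d+(?:\.\d+)*)", text.strip())
    if not m:
        raise ValueError(f"unrecognised firmware version: {text!r}")
    parts = tuple(int(p) for p in m.group(1).split("."))
    return parts + (0,) * (2 - len(parts))  # pad so '8' compares equal to '8.0'

def open_cves(model, firmware):
    """CVEs from this advisory that still apply to the given model and firmware."""
    if model.upper() not in MODELS:
        return []
    ver = parse_version(firmware)
    return sorted(cve for cve, fixed in FIXED_IN.items() if ver < fixed)

def unauthorized_sources(flows, device_ip, allowed):
    """Hosts outside the allowlist that reached the device's web ports."""
    nets = [ipaddress.ip_network(a) for a in allowed]
    return sorted({src for src, dst, port in flows
                   if dst == device_ip and port in WEB_PORTS
                   and not any(ipaddress.ip_address(src) in n for n in nets)})

def triage(inventory, flows, allowed):
    """Rows of (ip, open CVEs, unapproved sources), most urgent first."""
    rows = [(d["ip"], open_cves(d["model"], d["firmware"]),
             unauthorized_sources(flows, d["ip"], allowed)) for d in inventory]
    # Vulnerable and reachable from unapproved hosts sorts first, then by CVE count.
    return sorted(rows, key=lambda r: (not (r[1] and r[2]), -len(r[1]), r[0]))

# Constructed sample data (not from the advisory).
INVENTORY = [{"ip": "10.20.0.11", "model": "OZW672", "firmware": "V5.2"},
             {"ip": "10.20.0.12", "model": "OZW772", "firmware": "V7.0"},
             {"ip": "10.20.0.13", "model": "OZW772", "firmware": "8.0"}]
ALLOWED = ["10.20.5.0/28"]  # engineering workstations
FLOWS = [("10.20.5.4", "10.20.0.11", 443), ("10.30.8.77", "10.20.0.12", 80),
         ("10.30.8.77", "10.20.0.13", 443), ("10.20.5.4", "10.20.0.12", 443)]

if __name__ == "__main__":
    for ip, cves, sources in triage(INVENTORY, FLOWS, ALLOWED):
        print(ip, cves or "patched", sources or "allowlist only")
```

A device on V8.0 or later that still shows unapproved sources is patched against both CVEs but does not yet meet the firewall workaround.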