Siemens OZW Web Servers

CVSS 10 | ICS-CERT ICSA-25-135-10 | May 13, 2025
Vendor: Siemens

Attack path
  • Attack Vector: Network
  • Auth Required: None
  • Complexity: Low
  • User Interaction: None needed
Summary

OZW672 and OZW772 Web Servers contain command injection (CWE-78) and SQL injection (CWE-89) vulnerabilities. Versions before V8.0 allow unauthenticated remote arbitrary code execution with root privileges. Versions before V6.0 allow unauthenticated authentication bypass granting Administrator access. Siemens has released patched firmware versions 8.0 and 6.0 for both products. Network exposure should be minimized by restricting access to these devices behind firewalls and using VPN for any remote management access.

What this means
What could happen
An attacker could execute arbitrary code on the OZW672 or OZW772 web server with root privileges, potentially allowing them to stop or alter water/power operations, or authenticate as an Administrator to modify system configuration without full code execution.
Who's at risk
Water authorities and electric utilities that operate Siemens OZW672 or OZW772 web server appliances for remote device management or SCADA data integration. These devices typically sit between field equipment and control networks, making them high-value targets for attackers seeking to disrupt service delivery.
How it could be exploited
An attacker on the network sends a specially crafted request to the web server (port 443 or 80). Due to command injection or SQL injection vulnerabilities, the request executes arbitrary commands with root privileges (pre-V8.0) or logs in as Administrator (pre-V6.0) without valid credentials. No user interaction is required.
Prerequisites
  • Network access to the OZW672 or OZW772 web server (HTTP/HTTPS ports)
  • Device running a vulnerable firmware version (earlier than V8.0 for code execution, earlier than V6.0 for authentication bypass)
Tags: remotely exploitable, no authentication required, low complexity, affects process operations, affects critical infrastructure
Exploitability
Some exploitation risk — EPSS score 1.1%
Affected products (4, all with a fix available)
  Product   Affected Versions   Fix Status
  OZW672    < V8.0              8.0
  OZW672    < V6.0              6.0
  OZW772    < V8.0              8.0
  OZW772    < V6.0              6.0
Remediation & Mitigation

Do now
  • WORKAROUND: Restrict network access to OZW672/OZW772 management interfaces by implementing firewall rules that allow only authorized engineering workstations and control systems.

Schedule — requires maintenance window

Patching may require a device reboot — plan for process interruption.

  • HOTFIX: Update OZW672 and OZW772 devices to firmware version 8.0 or later to patch the arbitrary code execution vulnerability (CVE-2025-26389).
  • HOTFIX: Update OZW672 and OZW772 devices to firmware version 6.0 or later to patch the authentication bypass vulnerability (CVE-2025-26390).

Long-term hardening
  • HARDENING: Implement network segmentation to isolate OZW672/OZW772 devices from business networks and untrusted network segments.
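The remediation items above translate directly into an inventory triage: for each OZW672/OZW772 record, decide which of the two firmware thresholds it is below and whether its management interface is reachable from outside the engineering network. The script below is an added example (not OTPulse's or Siemens' code) that does exactly that. The fix thresholds and CVE numbers come from this advisory; the inventory record layout, the device names, the firmware strings and the network labels (`engineering`, `business`, `dmz`) are constructed assumptions for the demo. Note that because the page lists 6.0 as the fix for the authentication bypass and 8.0 for the code execution, a device on V7.x needs only the 8.0 update.

```python
"""Triage an OT asset inventory against the Siemens OZW672/OZW772 advisory.
Added example, not the advisory's own code. Inventory format, device names and
network labels are assumptions constructed for the demonstration."""
import re

# Fix thresholds exactly as stated in the advisory's remediation section.
FIXES = {
    "CVE-2025-26389": ("arbitrary code execution as root", (8, 0)),
    "CVE-2025-26390": ("authentication bypass (Administrator access)", (6, 0)),
}
AFFECTED_PRODUCTS = {"OZW672", "OZW772"}
# Networks from which HTTP/HTTPS management access is acceptable (assumption).
TRUSTED_NETWORKS = {"engineering"}


def parse_version(text):
    """Turn firmware strings such as 'V7.3.2', '8.0' or 'v 6.00' into (major, minor)."""
    m = re.search(r"(\d+)\.(\d+)", text)
    if not m:
        raise ValueError(f"unrecognised firmware version: {text!r}")
    return (int(m.group(1)), int(m.group(2)))


def missing_fixes(product, firmware):
    """Return the CVE ids whose fixed version is newer than the running firmware."""
    if product not in AFFECTED_PRODUCTS:
        return []
    running = parse_version(firmware)
    return [cve for cve, (_, fixed_in) in FIXES.items() if running < fixed_in]


def triage(device):
    """Return (priority, action) pairs for one inventory record, ordered by urgency.

    A record is a dict with keys: name, product, firmware, reachable_from."""
    actions = []
    cves = missing_fixes(device["product"], device["firmware"])
    exposed = set(device["reachable_from"]) - TRUSTED_NETWORKS
    # "Do now": a vulnerable device reachable from untrusted networks needs the
    # firewall workaround before any maintenance window.
    if cves and exposed:
        actions.append(("now", "restrict HTTP/HTTPS to authorized engineering "
                               f"workstations; currently reachable from {sorted(exposed)}"))
    # "Schedule": one firmware update per missing fix.
    for cve in cves:
        desc, fixed_in = FIXES[cve]
        actions.append(("maintenance window",
                        f"update to V{fixed_in[0]}.{fixed_in[1]} or later ({cve}: {desc})"))
    # "Long-term hardening": segmentation for every still-vulnerable device.
    if cves:
        actions.append(("long-term", "segment device from business and untrusted networks"))
    return actions


# Constructed sample inventory (names, versions and networks are made up).
SAMPLE_INVENTORY = [
    {"name": "pump-station-3", "product": "OZW672", "firmware": "V5.2",
     "reachable_from": ["business", "engineering"]},
    {"name": "substation-north", "product": "OZW772", "firmware": "V7.1",
     "reachable_from": ["engineering"]},
    {"name": "boiler-house", "product": "OZW772", "firmware": "8.0",
     "reachable_from": ["dmz"]},
]


def report(inventory):
    """Map device name -> action list; devices with nothing to do map to []."""
    return {d["name"]: triage(d) for d in inventory}


if __name__ == "__main__":
    for name, actions in report(SAMPLE_INVENTORY).items():
        print(name)
        for priority, action in actions or [("-", "no action required")]:
            print(f"  [{priority}] {action}")
```

Running it prints four actions for the V5.2 device exposed to the business network, two for the V7.1 device (only the 8.0 update plus segmentation), and nothing for the device already on 8.0.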

Siemens OZW Web Servers | CVSS 10 - OTPulse