Siemens COMOS
Score 8.2 · ICS-CERT ICSA-25-226-02 · Aug 12, 2025
Attack vector: Local
Auth required: None
Complexity: Low
User interaction: Required
Summary
COMOS before V10.6 contains a local arbitrary code execution vulnerability in the integrated Open Design Alliance Drawings SDK. The vulnerability is triggered by processing malicious files imported into the product.
What this means
What could happen
An attacker with local access could execute arbitrary code on the engineering workstation running COMOS, potentially compromising plant configuration data and process design information used to control industrial equipment.
Who's at risk
This affects engineering and design teams at water utilities, electric utilities, and other asset-intensive industries that use Siemens COMOS for process design, plant configuration, and engineering documentation. COMOS users managing PLC configurations, process flows, and safety systems are at risk if they import files from untrusted sources.
How it could be exploited
An attacker must trick a COMOS user into importing a malicious file (e.g., a drawing or design document) from an untrusted source. When the user opens the file in COMOS, the vulnerability in the Drawings SDK allows the attacker's code to execute with the privileges of the Windows user running COMOS.
Prerequisites
- "Local" attack vector: the attacker's code runs only when a user on the workstation opens the file; the attacker does not need an account or a session on the workstation
- User interaction required (user must import/open a malicious file)
- Malicious file must be delivered to the user (via email, USB, shared folder, etc.)
Key risk factors:
- Low complexity attack
- User interaction required (reduces but does not eliminate risk)
- Affects engineering workstations with access to critical plant designs
- No fix for versions before V10.6; remediation is upgrading to V10.6
Exploitability
Low exploit probability (EPSS 0.1%)
Affected products (1)
| Product | Affected versions | Fix status |
| COMOS   | < V10.6           | V10.6      |
Remediation & Mitigation
Do now
- Workaround: ensure all files imported into COMOS originate from trusted sources and are transmitted over secure channels (e.g., encrypted email, authenticated file servers)
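One way to enforce the "trusted sources only" workaround mechanically, as an added example (this is not Siemens' code and not part of the advisory): a pre-import gate that admits a drawing file only if an HMAC-signed manifest of approved SHA-256 hashes lists it, the file still matches that hash, and the header is plausibly a DWG (the ODA Drawings SDK's native format). The manifest, its key, the release process that signs it and the sample files are all hypothetical and constructed here so the script runs offline. The gate reduces exposure to unvetted files; it does not remove the SDK flaw, which only the V10.6 upgrade does.

```python
"""Added example: a pre-import gate for drawing files destined for COMOS.
Hypothetical workflow: an engineering release process publishes an
HMAC-signed manifest {filename: sha256} of approved drawings; the
workstation checks each file against it before import."""
import hashlib
import hmac
import json
import os
import tempfile

# Hypothetical shared secret for the manifest. Hard-coded only so the
# example runs offline; in practice it lives in a protected location.
MANIFEST_KEY = b"example-manifest-key-not-for-production"

# DWG files begin with a 6-byte version tag such as AC1032 (AutoCAD 2018).
DWG_MAGIC_PREFIX = b"AC10"


def sha256_file(path):
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def sign_manifest(entries, key=MANIFEST_KEY):
    """What the trusted release process would do when approving drawings."""
    body = json.dumps(entries, sort_keys=True).encode()
    tag = hmac.new(key, body, hashlib.sha256).hexdigest()
    return {"entries": entries, "hmac": tag}


def verify_manifest(manifest, key=MANIFEST_KEY):
    body = json.dumps(manifest["entries"], sort_keys=True).encode()
    expected = hmac.new(key, body, hashlib.sha256).hexdigest()
    return hmac.compare_digest(expected, manifest.get("hmac", ""))


def looks_like_dwg(path):
    """Cheap header sanity check only; it is not a safety guarantee."""
    with open(path, "rb") as f:
        head = f.read(6)
    return head.startswith(DWG_MAGIC_PREFIX) and head[4:6].isdigit()


def gate_import(path, manifest, key=MANIFEST_KEY):
    """Return (allowed, reason). Allowed only when the manifest is authentic,
    the file's hash is listed under its name, and the header looks like DWG."""
    if not verify_manifest(manifest, key):
        return False, "manifest signature invalid"
    name = os.path.basename(path)
    listed = manifest["entries"].get(name)
    if listed is None:
        return False, f"{name} not in approved manifest"
    if not hmac.compare_digest(listed, sha256_file(path)):
        return False, f"{name} hash mismatch (modified or replaced)"
    if not looks_like_dwg(path):
        return False, f"{name} does not have a DWG header"
    return True, "ok"


def demo():
    """Constructed sample: one approved drawing, the same file tampered
    after approval, and an unlisted file. Returns the three gate results."""
    d = tempfile.mkdtemp()
    good = os.path.join(d, "p101_pump.dwg")
    with open(good, "wb") as f:
        f.write(b"AC1032" + b"\x00" * 64)  # constructed stand-in for a DWG
    manifest = sign_manifest({"p101_pump.dwg": sha256_file(good)})
    r_good = gate_import(good, manifest)
    with open(good, "ab") as f:  # tamper after approval
        f.write(b"\x41")
    r_tampered = gate_import(good, manifest)
    unlisted = os.path.join(d, "vendor_layout.dwg")
    with open(unlisted, "wb") as f:
        f.write(b"AC1032" + b"\x00" * 64)
    r_unlisted = gate_import(unlisted, manifest)
    return r_good, r_tampered, r_unlisted


if __name__ == "__main__":
    for allowed, reason in demo():
        print("ALLOW" if allowed else "BLOCK", reason)
```

Run it to see the approved file pass and the tampered and unlisted files blocked with their reasons. Hash comparisons use `hmac.compare_digest` so the check cannot be timed, and the manifest is verified before any per-file work so an unsigned manifest is rejected outright.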
Schedule (requires maintenance window)
Patching may require a workstation reboot; plan for process interruption.
- Hotfix: update COMOS to V10.6 or later
- Hardening: restrict user access to file import functionality to only authorized personnel and provide security awareness training on malicious file risks
Long-term hardening
- Hardening: segment engineering workstations running COMOS from business networks behind firewalls
CVEs (1)
API:
/api/v1/advisories/d44ffed3-e7f3-48da-ad76-c4b9357e8415