Siemens COMOS
Act Now | CVSS 10 | ICS-CERT ICSA-26-043-03 | Dec 9, 2025
Siemens
Attack path
Attack Vector: Network
Auth Required: None
Complexity: Low
User Interaction: None needed
Summary
COMOS is affected by multiple vulnerabilities (CWE-200, CWE-79, CWE-20, CWE-340, CWE-295) that could allow remote code execution, denial of service, data infiltration, and access control violations. The vulnerabilities stem from improper input validation, insecure authentication mechanisms, and other control weaknesses. All versions V10.4 through V10.6 are affected. The vulnerabilities are remotely exploitable without requiring user interaction or authentication.
What this means
What could happen
An attacker could execute arbitrary code on COMOS systems to alter process configurations, disrupt operations, or steal sensitive engineering and operational data. This affects all plant design, engineering, and automation functions managed through COMOS.
Who's at risk
This affects all organizations running Siemens COMOS for plant engineering, automation design, and process management. COMOS is typically used by engineering teams to design and configure automated industrial processes. The vulnerability impacts the confidentiality and integrity of all plant designs, configurations, and operational data stored in COMOS.
How it could be exploited
An attacker with network access to a COMOS server (typically on the engineering network) can exploit multiple weaknesses including improper input validation and authentication issues to send crafted requests that execute arbitrary code with the privileges of the COMOS service. The CVSS vector shows this requires no user interaction or authentication, making it remotely exploitable from any network-connected system.
Prerequisites
- Network access to the COMOS server (typically port 443 or application-specific ports)
- No authentication required
Tags: remotely exploitable, no authentication required, low complexity, actively exploited (KEV), high EPSS score (39.5%), no patch available for V10.4.5, affects engineering and control system design
Exploitability
Actively exploited — confirmed by CISA KEV
Public Proof-of-Concept (PoC) on GitHub (5 repositories)
Affected products (4)
3 with fix, 1 EOL

| Product | Affected Versions | Fix Status |
|---|---|---|
| COMOS V10.6 | < 10.6.1 | 10.6.1 |
| COMOS V10.4 | < 10.4.5 | 10.4.5 |
| COMOS V10.5 | < 10.5.2 | 10.5.2 |
| COMOS V10.4.5 | < 10.4.5.0.2 | No fix (EOL) |
Remediation & Mitigation
Do now
COMOS V10.6
- HOTFIX: Update COMOS V10.6 systems to version 10.6.1 or later
COMOS V10.4
- HOTFIX: Update COMOS V10.4 systems to version 10.4.5 or later
- WORKAROUND: For COMOS V10.4.5 systems, restrict network access to the COMOS server to only authorized engineering workstations and control the source IP addresses at the firewall
COMOS V10.5
- HOTFIX: Update COMOS V10.5 systems to version 10.5.2 or later
All products
- HARDENING: Segment the COMOS engineering network from general IT and external networks using firewalls and VLANs
- HARDENING: Monitor COMOS server logs for unauthorized access attempts and unusual configuration changes