Siemens gWAP
Plan Patch · CVSS 8.0 · ICS-CERT ICSA-26-134-01 · May 12, 2026
Vendor: Siemens
Attack path
Attack Vector: Network
Auth Required (Privileges Required): High
Attack Complexity: High
User Interaction: None needed
Summary
Siemens gWAP (gPROMS Web Applications Publisher), used for web-based industrial process management, bundles the Axios HTTP client library. Versions before 3.1.1 ship an Axios build affected by a prototype pollution flaw. An attacker who can reach the web interface with high-level credentials can pollute Object.prototype and chain through a gadget in third-party dependencies to achieve remote code execution on the gWAP server.
What this means
What could happen
An attacker with high-level credentials could execute arbitrary code on your gWAP server by chaining prototype pollution in the bundled Axios library into a gadget in third-party dependencies, potentially allowing them to modify or disrupt web application functionality and data. The attack is rated high complexity (CVSS AC:H), but no user interaction is needed once the attacker has the required privileges and network access.
Who's at risk
Process engineering teams and system administrators who operate Siemens gPROMS Web Applications Publisher (gWAP) for managing industrial processes and applications in manufacturing facilities, chemical plants, and energy production environments.
How it could be exploited
An attacker with high-level user privileges crafts a request whose structure causes the bundled Axios HTTP client library to write attacker-chosen properties onto Object.prototype (prototype pollution). Every object in the Node.js process then inherits those properties, and a gadget in third-party dependencies whose behaviour depends on an otherwise unset property turns the polluted value into code execution on the gWAP server. The specific gadget chain is not described in this advisory.
Prerequisites
- High-level user privileges (engineering or administrative credentials) required
- Network access to the gWAP web interface
- Knowledge of the gadget chain exploit for the specific version
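The mechanism described above, as an added example in JavaScript that is not Siemens gWAP or Axios code: a bracket-key form-field parser of the kind HTTP libraries use to turn `a[b]` field names into nested objects (the pollution sink), a hypothetical gadget that trusts an option the caller never set (the kind of code a gadget chain lands on), and the hardened parser. The gadget used against gWAP is not published on this page; `parseFormPairsUnsafe`, `parseFormPairsSafe`, `spawnPlanFor` and the attacker payload are assumptions for illustration.

```javascript
// Added illustration (not Siemens gWAP or Axios code): how a bracket-key
// form-field parser becomes a prototype pollution sink, what a downstream
// gadget looks like, and how the parser is hardened. All function names
// and the gadget are hypothetical.

const RESERVED_KEYS = new Set(['__proto__', 'constructor', 'prototype']);

// "user[name]" -> ["user", "name"], the nesting convention form-data
// encoders use for object-valued fields.
function splitFieldName(name) {
  return name.replace(/\]/g, '').split('[');
}

function isObjectLike(v) {
  return typeof v === 'object' && v !== null;
}

// VULNERABLE: plain {} containers, no key filtering. For the field
// "__proto__[shell]", cur["__proto__"] resolves to Object.prototype, so the
// final assignment lands on every object in the process.
function parseFormPairsUnsafe(pairs) {
  const out = {};
  for (const [name, value] of pairs) {
    const path = splitFieldName(name);
    let cur = out;
    for (let i = 0; i < path.length - 1; i++) {
      if (!isObjectLike(cur[path[i]])) cur[path[i]] = {};
      cur = cur[path[i]];
    }
    cur[path[path.length - 1]] = value;
  }
  return out;
}

// HARDENED: null-prototype containers, reserved segments rejected, and only
// own properties are descended into.
function parseFormPairsSafe(pairs) {
  const out = Object.create(null);
  for (const [name, value] of pairs) {
    const path = splitFieldName(name);
    if (path.some((seg) => RESERVED_KEYS.has(seg))) {
      throw new Error(`rejected field name: ${name}`);
    }
    let cur = out;
    for (let i = 0; i < path.length - 1; i++) {
      const own = Object.prototype.hasOwnProperty.call(cur, path[i]);
      if (!own || !isObjectLike(cur[path[i]])) cur[path[i]] = Object.create(null);
      cur = cur[path[i]];
    }
    cur[path[path.length - 1]] = value;
  }
  return out;
}

// Hypothetical gadget: code that reads an option the caller never set. With a
// clean prototype `options.shell` is undefined; after pollution it is whatever
// the attacker wrote, and Node's child_process.spawn honours a truthy `shell`
// by running the command line through a shell. This only builds the spawn
// plan; nothing is executed here.
function spawnPlanFor(options = {}) {
  return {
    command: 'report-gen',
    args: ['--project', options.project ?? 'default'],
    shell: Boolean(options.shell),
  };
}

// Constructed attacker payload, as the decoded field names of a form body.
const ATTACK_PAIRS = [
  ['project', 'plant-7'],
  ['__proto__[shell]', '/bin/sh'],
];

// Runs the payload through both parsers and reports what changed, restoring
// Object.prototype afterwards so the rest of the process is unaffected.
function demonstrate() {
  const before = spawnPlanFor({}).shell; // false on a clean process
  parseFormPairsUnsafe(ATTACK_PAIRS);
  const after = spawnPlanFor({}).shell;  // true: an unrelated call is now affected
  delete Object.prototype.shell;
  let safeRejected = false;
  try {
    parseFormPairsSafe(ATTACK_PAIRS);
  } catch (e) {
    safeRejected = true;
  }
  return { before, after, safeRejected, restored: spawnPlanFor({}).shell === false };
}

if (typeof require !== 'undefined' && require.main === module) {
  console.log(demonstrate());
}
```

The two parser variants differ only in the container type and the key filter, which is the usual shape of a prototype pollution fix. A quick health check for a running Node.js service is whether `({}).shell` (or any other property name the service never sets) is unexpectedly defined; the same check, generalised over the property names your gadgets read, can be turned into an integration test that fails if a dependency regresses.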
Tags: remotely exploitable · high complexity attack chain · requires high privileges · CVSS 8.0 (high severity)
Exploitability
Unlikely to be exploited: EPSS score 0.1% (low predicted probability of exploitation in the wild in the next 30 days)
Affected products (1)
Product: Siemens gWAP (gPROMS Web Applications Publisher) · Affected Versions: all versions before 3.1.1 · Fix Status: fixed in 3.1.1
Remediation & Mitigation
- Schedule: requires a maintenance window. Patching may require a device reboot; plan for process interruption.
- HOTFIX: update Siemens gWAP to version 3.1.1 or later.
- Until the update is applied, the prerequisites above point at the compensating controls: restrict network access to the gWAP web interface to trusted hosts and minimise the number of accounts holding engineering or administrative privileges.
CVEs (1)