Siemens ROS#
Vendor: Siemens
Recommended action: Plan Patch
CVSS: 9.1
ICS-CERT advisory: ICSA-26-134-08
Published: May 12, 2026
Attack path
Attack Vector: Network
Auth Required: None
Complexity: Low
User Interaction: None needed
Summary
ROS# versions before 2.2.2 contain a path traversal vulnerability in the file_server service that allows an attacker to read and write arbitrary files on the host system with the privileges of the user running the service. The vulnerability can be exploited remotely without authentication by sending requests with path traversal sequences to access files outside the intended directory.
What this means
What could happen
An attacker with network access to the file_server service could read or write arbitrary files on the system where the service runs, potentially modifying robot configuration files or gaining access to sensitive data stored on the host.
Who's at risk
Manufacturing and automation facilities that use Siemens ROS# for robot control and programming, particularly those that rely on the file_server service for uploading URDF robot description files or other configuration files to robotic systems.
How it could be exploited
An attacker sends a crafted request to the ROS# file_server service with path traversal sequences (e.g., "../../../") to access files outside the intended directory. The service runs with the privileges of the user account that launched it, so the attacker gains access to any files that user can read or write. No authentication is required.
Prerequisites
- Network connectivity to the file_server service port
- Service must be running and accessible from attacker's network location
Tags: remotely exploitable · no authentication required · low complexity · high impact on confidentiality and integrity
Exploitability
Unlikely to be exploited — EPSS score 0.1%
Affected products (1)
Product · Affected Versions · Fix Status
Remediation & Mitigation
Do now
- WORKAROUND: Restrict network access to the file_server service to a trusted network only (e.g., a dedicated robot control network)
- HARDENING: Run file_server with the minimum required user privileges (not as root or a privileged account)
Schedule — requires maintenance window
Patching may require a device reboot — plan for process interruption
- HOTFIX: Update ROS# to version 2.2.2 or later
- WORKAROUND: Disable the file_server service when not actively transferring files; use manual file transfers instead of leaving it running continuously in the background
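As an added illustration (not code from ROS# or Siemens, and not the actual file_server implementation), this shows the containment check a file-transfer service must perform before opening a client-supplied path, plus a heuristic a defender can run over request logs to spot traversal attempts; the root directory and request strings are constructed for the example.

```python
import os
from urllib.parse import unquote


class PathTraversalError(ValueError):
    """Raised when a requested path would escape the served directory."""


def resolve_within_root(root: str, requested: str) -> str:
    """Map a client-supplied relative path onto an absolute path under `root`.

    Canonicalise both sides (resolving '..', '.', repeated separators and
    symlinks) and then require the result to stay inside the root. This is
    the check whose absence lets "../../../" style requests reach files
    outside the intended directory.
    """
    # Decode percent-encoding once so "%2e%2e%2f" is treated like "../".
    decoded = unquote(requested)
    # Absolute paths are never legitimate for a relative file request.
    if os.path.isabs(decoded):
        raise PathTraversalError(f"rejected absolute path: {requested!r}")
    root_real = os.path.realpath(root)
    candidate = os.path.realpath(os.path.join(root_real, decoded))
    # commonpath is the containment test; a bare string-prefix compare would
    # wrongly accept "/srv/ros_share_evil" as being inside "/srv/ros_share".
    if os.path.commonpath([root_real, candidate]) != root_real:
        raise PathTraversalError(f"rejected path outside root: {requested!r}")
    return candidate


def is_traversal_attempt(requested: str) -> bool:
    """Log-review heuristic: flag raw, encoded or double-encoded '..' segments,
    Windows-style separators, and absolute paths in a file request."""
    decoded = unquote(unquote(requested)).replace("\\", "/")
    return ".." in decoded.split("/") or decoded.startswith("/")


if __name__ == "__main__":
    # Constructed sample requests against a constructed root directory.
    for req in ["urdf/arm.urdf", "../../../etc/passwd", "%2e%2e/%2e%2e/etc/passwd"]:
        try:
            print(req, "->", resolve_within_root("/srv/ros_share", req))
        except PathTraversalError as exc:
            print(req, "->", exc)
```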
CVEs (1)