Siemens Opcenter RDnL

MonitorCVSS 7.1ICS-CERT ICSA-26-134-09May 12, 2026

Siemens

Attack path

Attack VectorAdjacent

Auth RequiredNone

ComplexityLow

User InteractionNone needed

Summary

Opcenter RDnL contains a missing authentication vulnerability in the bundled Apache Artemis message broker. The Core protocol (default on port 61616) does not require authentication, allowing an attacker on the network to connect without credentials, inject messages into any queue, or force the broker to establish outbound connections to a rogue broker. Message integrity impact is limited because the system lacks auto-refresh of message content, but availability and message injection are serious concerns. Siemens recommends updating to the latest Apache Artemis version.

What this means

What could happen

An attacker on your network could connect to the message broker without authentication, inject messages into any queue, or disrupt message delivery by forcing rogue broker connections. This could corrupt or stop critical communications between plant systems.

Who's at risk

Water authorities and municipal utilities using Siemens Opcenter RDnL for supervisory messaging and process coordination should prioritize this. Any plant relying on message queues for SCADA communication, alarm routing, or inter-system integration is at risk.

How it could be exploited

An attacker with network access to port 61616 (Core protocol, enabled by default) sends a Core federation connection packet (type 0xf0) to the Opcenter RDnL broker without any authentication. The attacker then either injects malicious messages into queues that plant systems rely on, or forces the broker to connect to a rogue broker controlled by the attacker, disrupting message flow.

Prerequisites

Network access to port 61616 on the Opcenter RDnL broker
Broker configured with default settings (Core protocol enabled on artemis acceptor)
No SSL/TLS client certificate enforcement in place

remotely exploitableno authentication requiredaffects message integrity and availabilitydefault configuration vulnerable

Exploitability

Unlikely to be exploited — EPSS score 0.2%

Affected products (1)

ProductAffected VersionsFix Status

Opcenter RDnLAll versionsFix available

Remediation & Mitigation

0/5

Do now

0/4

HARDENINGEnable two-way SSL (mutual TLS with client certificate authentication) on the Core protocol acceptor to require all clients to present a valid certificate before connecting

HARDENINGRestrict network access to port 61616 to only trusted hosts and internal networks using firewall rules

HARDENINGDisable Core protocol support on the artemis acceptor if it is not required, or restrict it to specific trusted sources only

WORKAROUNDDeploy a Core interceptor configured to deny all Core downstream federation connect packets (type -16 or 0xf0)

Schedule — requires maintenance window

0/1

Patching may require device reboot — plan for process interruption

HOTFIXUpdate Apache Artemis to version 2.52.0 or later

CVEs (1)

CVE-2026-27446

View full CISA ICS-CERT advisory

↑↓ Navigate · Esc Close

API: /api/v1/advisories/81f5b694-0d95-43d7-96a2-e634b24e52c8

Get OT security insights every Tuesday

Advisory breakdowns, a weekly summary, and incident analyses for the people actually defending OT environments. Free, no account required.