Siemens SENTRON 7KT PAC1261 Data Manager
Plan Patch · CVSS 9.1 · ICS-CERT ICSA-26-134-14 · May 12, 2026
Siemens
Attack path
Attack Vector: Network
Auth Required: None
Complexity: Low
User Interaction: None needed
Summary
The web server in SENTRON 7KT PAC1261 Data Manager before V2.1.0 contains an HTTP request smuggling vulnerability in the Go project's net/http package. This vulnerability could allow an attacker to retrieve authorization tokens and gain administrative control over the device.
What this means
What could happen
An attacker could steal administrative authentication tokens from the device and gain full control to modify power monitoring settings, disable alerts, or cause the device to stop functioning. This directly affects the ability to monitor and manage electrical power distribution.
Who's at risk
Organizations operating SENTRON 7KT PAC1261 Data Manager devices for electrical power distribution and power quality monitoring should prioritize this update. This includes municipal utilities, industrial plants, and facilities with electrical power management systems that rely on this Siemens monitoring device.
How it could be exploited
An attacker on the network sends a specially crafted HTTP request to the web server that exploits the request smuggling flaw in the Go net/http package. The server parses this malformed request inconsistently, allowing the attacker to extract authorization tokens from subsequent legitimate requests. These tokens can then be replayed to authenticate as an administrator.
Prerequisites
- Network access to the web server on the SENTRON 7KT PAC1261
- Device running firmware before version 2.1.0
remotely exploitable · no authentication required · low complexity · high CVSS score (9.1) · affects power monitoring and control capability
Exploitability
Unlikely to be exploited — EPSS score 0.3%
Affected products (1)
Product | Affected Versions | Fix Status
Remediation & Mitigation
Do now
HARDENING: Use encrypted HTTPS for all communication with the SENTRON 7KT PAC1261 web interface
HARDENING: Restrict network access to the web server port to only authorized management workstations and networks
Schedule — requires maintenance window
Patching may require device reboot — plan for process interruption
HOTFIX: Update SENTRON 7KT PAC1261 Data Manager to version 2.1.0 or later
CVEs (1)
API: /api/v1/advisories/cc83e4e4-518e-4bb2-b688-4fce043cb73c