Siemens RUGGEDCOM APE1808 Devices

Act Now | CVSS 10 | ICS-CERT ICSA-26-139-02 | May 12, 2026
Siemens, Palo Alto Networks
Attack path
Attack Vector: Network
Auth Required: None
Complexity: Low
User Interaction: None needed
Summary

A buffer overflow vulnerability exists in the User-ID Authentication Portal (Captive Portal) service of Palo Alto Networks PAN-OS software. An unauthenticated attacker can send specially crafted packets to trigger the overflow and execute arbitrary code with root privileges on PA-Series and VM-Series firewalls, as well as Siemens RUGGEDCOM APE1808 devices that run this software. The vulnerability allows a remote attacker to gain complete control of the affected firewall without requiring valid credentials.

What this means
What could happen
An unauthenticated attacker on the network can send malformed packets to trigger a buffer overflow in the Palo Alto Networks firewall software, gaining root-level control and potentially intercepting, blocking, or modifying traffic passing through your network.
Who's at risk
This vulnerability affects organizations using Siemens RUGGEDCOM APE1808 devices (industrial-grade firewalls/network appliances) in water utilities, power systems, and other critical infrastructure that rely on these devices for network security and traffic management.
How it could be exploited
An attacker sends specially crafted network packets to the User-ID Authentication Portal (Captive Portal) service running on the firewall. The malformed packet overflows a memory buffer, allowing the attacker to inject and execute arbitrary code with root privileges on the device.
Prerequisites
  • Network access to the User-ID Authentication Portal service on the affected firewall
  • No authentication required
  • Firewall must have Response Pages or User-ID Authentication Portal enabled
Tags: remotely exploitable, no authentication required, low complexity, actively exploited (KEV), high EPSS score (14.4%), affects critical network infrastructure, root-level code execution, unauthenticated remote attack
Exploitability
Actively exploited — confirmed by CISA KEV
Affected products (1)
Product | Affected Versions | Fix Status
RUGGEDCOM APE1808 | All versions | Fix available
Remediation & Mitigation
Do now
  • WORKAROUND: Disable Response Pages in the Interface Management Profile on all Layer 3 interfaces in zones where untrusted/internet traffic enters (WAN, DMZ). Keep Response Pages enabled only on trusted internal zone interfaces.
  • WORKAROUND: Disable User-ID Authentication Portal service if it is not actively used by your organization.
  • HARDENING: Restrict network access to the User-ID Authentication Portal to trusted internal IP address ranges only using firewall rules or access control lists.
  • HOTFIX: Contact Palo Alto Networks and Siemens support to obtain and deploy the patched firmware version for RUGGEDCOM APE1808 devices as soon as it becomes available.