# Siemens Patches Critical Denial-of-Service Vulnerabilities in SICAM 8 Power Grid Controllers


Siemens has released firmware updates addressing two denial-of-service vulnerabilities affecting its SICAM 8 product line, a widely deployed supervisory control and data acquisition (SCADA) platform used by power generation and transmission operators worldwide. The vulnerabilities allow unauthenticated attackers to crash critical grid infrastructure components through network-based attacks, posing significant risks to power system stability and availability.


## The Threat


The vulnerabilities reside in multiple firmware components of Siemens' SICAM 8 automation and protection platform, which manages communication, processing, and control functions in electrical transmission and distribution networks across the globe. Two distinct attack vectors—resource exhaustion and malformed XML parsing—can both result in service denial, forcing system restarts and potentially causing operational disruptions.


The first vulnerability (CVE-2026-27663) exploits a resource exhaustion condition in the remote operation mode. An attacker can send a high volume of requests to exhaust available memory and processing resources, blocking legitimate parameterization and configuration changes. Recovery typically requires a manual reset or system reboot. This attack is particularly dangerous because SICAM 8 systems often operate in continuous grid management mode; unexpected reboots introduce operational hazards and reduce visibility during critical events.


The second vulnerability (CVE-2026-27664) is a more severe out-of-bounds write flaw triggered by specially crafted XML inputs. An unauthenticated attacker on the network can send malicious XML payloads to crash the application, also resulting in denial of service. Because the affected firmware processes incoming XML without proper bounds checking, the attacker requires no authentication or special privileges—making exploitation trivial.


Both vulnerabilities affect the central processing, communication, and RTU (Remote Terminal Unit) base firmware across SICAM's modular architecture. In power grid deployments, these components typically operate on the operational technology (OT) network managing critical generation and transmission infrastructure. Successful exploitation could degrade grid observability, delay response to system faults, or create windows for cascading failures.


## Severity and Impact


| CVE ID | CVSS Score | Severity | Vector String | Attack Vector | Authentication | CWE |
|---|---|---|---|---|---|---|
| CVE-2026-27663 | 6.5 | MEDIUM | CVSS:3.1/AV:A/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H | Adjacent Network | None | CWE-770 (Resource Exhaustion) |
| CVE-2026-27664 | 7.5 | HIGH | CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H | Network | None | CWE-787 (Out-of-bounds Write) |


CVE-2026-27664 carries higher severity due to its network-accessible attack vector and lack of complexity. An attacker on the internet can craft XML payloads and send them to affected systems, whereas CVE-2026-27663 requires network adjacency. Both vulnerabilities result in availability loss only (no confidentiality or integrity impact), but availability is paramount in critical infrastructure.


Power system operators are typically required by regulation (NERC CIP, EU Directive 2016/1148, and equivalent regional standards) to maintain system availability and rapidly address known vulnerabilities affecting SCADA platforms. Unpatched systems may violate compliance obligations and increase operational risk.


## Affected Products


The vulnerabilities affect the following SICAM 8 product lines and firmware components:


SICAM A8000 Series (Protection relay controllers)

  • CPCI85 Central Processing/Communication – versions prior to V26.10
  • RTUM85 RTU Base – versions prior to V26.10

SICAM EGS (Electrical Substation Gateway System)

  • CPCI85 Central Processing/Communication – versions prior to V26.10
  • SICORE Base system – versions prior to V26.10.0
  • RTUM85 RTU Base – versions prior to V26.10

SICAM S8000 (Modular automation platform)

  • CPCI85 Central Processing/Communication – versions prior to V26.10
  • SICORE Base system – versions prior to V26.10.0
  • RTUM85 RTU Base – versions prior to V26.10

Operators should verify their deployed SICAM 8 firmware versions against these component baselines. The affected versions shipped in multiple product packages; see Siemens support links below for version verification tools.
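As an added example (not Siemens tooling and not part of the original advisory), the baseline check described above can be scripted over an asset inventory export. The CSV layout, hostnames and sample versions are constructed, and the comparison assumes dotted numeric version strings, so that V26.9 sorts below V26.10 where a plain string comparison would not.

```python
import csv
import io
import re

# Fixed versions per component, as listed in the advisory text above.
FIXED = {"CPCI85": (26, 10), "RTUM85": (26, 10), "SICORE": (26, 10, 0)}

def parse_version(text):
    """'V26.10' -> (26, 10). Numeric tuples, so 26.9 sorts below 26.10."""
    m = re.fullmatch(r"[Vv]?(\d+(?:\.\d+)*)", text.strip())
    if not m:
        raise ValueError(f"unparseable version: {text!r}")
    return tuple(int(p) for p in m.group(1).split("."))

def is_affected(component, version):
    """True when the deployed version is below the fixed baseline."""
    fixed, have = FIXED[component.upper()], parse_version(version)
    width = max(len(fixed), len(have))
    pad = lambda v: v + (0,) * (width - len(v))  # 26.10 == 26.10.0
    return pad(have) < pad(fixed)

def audit(inventory_csv):
    """Return rows needing action as (host, component, version, status)."""
    findings = []
    for row in csv.DictReader(io.StringIO(inventory_csv)):
        comp, ver = row["component"].strip(), row["version"].strip()
        if comp.upper() not in FIXED:
            status = "unknown-component"
        else:
            try:
                status = "affected" if is_affected(comp, ver) else None
            except ValueError:
                status = "unparseable-version"  # needs manual verification
        if status:
            findings.append((row["host"], comp, ver, status))
    return findings

# Constructed inventory; hostnames and versions are illustrative only.
SAMPLE = """host,component,version
rtu-sub01,CPCI85,V26.9
rtu-sub02,CPCI85,V26.10
egs-gw01,SICORE,26.10
s8k-ctl01,RTUM85,V25.40
s8k-ctl02,RTUM85,unknown
"""

if __name__ == "__main__":
    for finding in audit(SAMPLE):
        print(*finding)
```

Entries whose version cannot be parsed are reported rather than skipped, so a device with a missing inventory record is not silently counted as patched.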


## Mitigations


### Immediate Action: Firmware Update


Siemens has released firmware version 26.10 for all affected components. Organizations should prioritize updating to this version or later. Updates are available through Siemens' support portal for the following packages:


  • CP-8031/CP-8050 Package V26.10 – updates CPCI85 firmware
  • CP-8010/CP-8012 Package V26.10 – updates RTUM85 and SICORE firmware
  • SICAM EGS Package V26.10 – updates CPCI85 firmware
  • SICAM S8000 Package V26.10 – updates RTUM85 and SICORE firmware

Siemens recommends planning updates during scheduled maintenance windows to minimize operational impact. Most SICAM 8 systems can be updated without complete system shutdown, but operators should follow their change management procedures and notify reliability coordinators in advance.


### Network Segmentation (Interim Mitigation)


For operators unable to patch immediately, Siemens recommends strict network access controls:

  • Restrict SICAM 8 management interfaces to authorized engineering workstations and control center networks
  • Disable remote XML processing if not required for operational workflows
  • Implement firewall rules to prevent external network access to SICAM management ports
  • Monitor network logs for suspicious XML requests or high-frequency connections

### Monitoring and Incident Response


Operators should:

  • Enable detailed logging on SICAM 8 systems to detect exploit attempts (resource spikes, XML parsing errors)
  • Alert on unexpected system reboots or service restarts
  • Maintain inventory of SICAM 8 systems and their firmware versions for rapid verification
  • Test incident response procedures for SCADA system outages before patches are deployed
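The network-side checks from the two lists above (sources outside the authorized workstation set, and high-frequency connections of the kind CVE-2026-27663 relies on) can be run over firewall accept logs. This is an added example, not part of the original advisory or any Siemens product; the log format, IP addresses, window and threshold are all constructed placeholders to be tuned per site.

```python
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Placeholders (assumptions): tune addresses, window and threshold per site.
AUTHORIZED_SOURCES = {"10.20.0.11", "10.20.0.12"}  # engineering workstations
SICAM_HOSTS = {"10.30.1.5"}                        # SICAM 8 management address
WINDOW = timedelta(seconds=10)
MAX_CONNS_PER_WINDOW = 5

def detect(log_lines):
    """Return ordered, de-duplicated (rule, src, dst) alerts."""
    alerts, seen = [], set()
    recent = defaultdict(deque)  # (src, dst) -> timestamps inside WINDOW

    def raise_alert(rule, src, dst):
        if (rule, src, dst) not in seen:
            seen.add((rule, src, dst))
            alerts.append((rule, src, dst))

    for line in log_lines:
        fields = line.split()
        if len(fields) < 3 or fields[2] not in SICAM_HOSTS:
            continue  # short line or traffic to another host
        ts, src, dst = datetime.fromisoformat(fields[0]), fields[1], fields[2]
        if src not in AUTHORIZED_SOURCES:
            raise_alert("unauthorized-source", src, dst)
        window = recent[(src, dst)]
        window.append(ts)
        while ts - window[0] > WINDOW:  # drop entries older than WINDOW
            window.popleft()
        if len(window) > MAX_CONNS_PER_WINDOW:
            raise_alert("connection-burst", src, dst)
    return alerts

def sample_log():
    """Constructed firewall accept log: '<iso-time> <src> <dst>'."""
    base = datetime(2026, 1, 1, 8, 0, 0)
    lines = [f"{base.isoformat()} 10.20.0.11 10.30.1.5",
             f"{(base + timedelta(seconds=30)).isoformat()} 192.0.2.50 10.30.1.5"]
    # Eight connections in four seconds from an allow-listed workstation.
    lines += [f"{(base + timedelta(seconds=60, milliseconds=500 * i)).isoformat()}"
              f" 10.20.0.12 10.30.1.5" for i in range(8)]
    lines.append(f"{(base + timedelta(seconds=90)).isoformat()} 10.20.0.11 10.30.1.5")
    return lines

if __name__ == "__main__":
    for alert in detect(sample_log()):
        print(*alert)
```

The burst rule applies to allow-listed sources as well, since a misbehaving or compromised engineering workstation can exhaust the device just as an unknown host can.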

## References


Vendor Advisory & Patches:

  • [Siemens ProductCERT Advisory (CSAF)](https://support.industry.siemens.com/)
  • [CPCI85 Firmware Updates](https://support.industry.siemens.com/cs/ww/en/view/109804985/)
  • [RTUM85 & SICORE Firmware Updates](https://support.industry.siemens.com/cs/ww/en/view/109972894/)
  • [SICAM S8000 Package Update](https://support.industry.siemens.com/cs/document/109818240)

CVE Details:

  • [CVE-2026-27663: Resource Exhaustion](https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2026-27663)
  • [CVE-2026-27664: Out-of-bounds Write](https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2026-27664)

Coordinated Disclosure:

CyberDanube and VERBUND Digital Power coordinated responsible disclosure of both vulnerabilities. Siemens ProductCERT reported findings to CISA.


---


Key Takeaway: Power system operators must treat these SICAM 8 vulnerabilities as high-priority patches. Both affect critical infrastructure components with minimal exploit complexity. Update firmware to V26.10 or later within your next planned maintenance window, and implement network controls in the interim.