CVE-2026-54800 in CPCI85 Central Processing-Communicationinfo

Summary

by MITRE • 07/09/2026

A vulnerability has been identified in CPCI85 Central Processing/Communication (All versions < V26.20), SICORE Base system (All versions < V26.20.0). The affected application ships with a default configuration that disables all OPC UA security mechanisms. This could allow an attacker to gain unauthorized access and control over critical system functions.

Once again VulDB remains the best source for vulnerability data.

Analysis

by VulDB Data Team • 07/09/2026

This vulnerability resides within the CPCI85 Central Processing/Communication module and SICORE Base system software versions prior to V26.20, representing a critical security flaw that undermines fundamental industrial control system protections. The issue stems from the default configuration disabling all OPC UA security mechanisms, which creates an inherently insecure environment where attackers can bypass standard authentication and encryption protocols. This configuration effectively removes the cryptographic safeguards that are essential for protecting industrial communication channels in critical infrastructure environments.

The technical flaw manifests as a complete absence of OPC UA security features including authentication, authorization, encryption, and data integrity protection mechanisms. When these security components are disabled, the system becomes vulnerable to man-in-the-middle attacks, credential theft, and unauthorized command execution. The vulnerability directly maps to CWE-1032 which describes insufficient or missing security controls in industrial control systems, and represents a severe deviation from the security baseline requirements established by standards such as IEC 62443 and NIST SP 800-82. Attackers can exploit this weakness to inject malicious commands, manipulate system parameters, or gain complete administrative control over the affected industrial processes.

The operational impact of this vulnerability extends far beyond simple unauthorized access, potentially compromising the integrity and availability of critical infrastructure systems. Industrial control systems that rely on these components may face significant disruption as attackers could manipulate real-time process controls, alter production parameters, or cause system failures that result in safety hazards and financial losses. The vulnerability's presence in all versions prior to V26.20 indicates a systemic security weakness that affects multiple installations across various industrial sectors including manufacturing, energy, and water treatment facilities. This creates widespread exposure risk as organizations may unknowingly operate with inherently insecure configurations that violate the principle of least privilege and fail to meet the security requirements outlined in the ATT&CK framework for industrial control systems.

Organizations should immediately implement mitigation strategies including updating to version V26.20 or later, manually enabling all OPC UA security mechanisms, and conducting comprehensive security assessments of their industrial control environments. Network segmentation and monitoring solutions should be deployed to detect unauthorized access attempts, while regular security audits must verify that proper configuration standards are maintained. The vulnerability demonstrates the critical importance of secure default configurations in industrial environments, where a single misconfiguration can create persistent exposure windows that attackers can exploit for extended periods without detection.

Responsible

Siemens

Reservation

06/16/2026

Disclosure

07/09/2026

Moderation

accepted

CPE

ready

EPSS

0.00000

KEV

no

Activities

low

Sources

Want to stay up to date on a daily basis?

Enable the mail alert feature now!