Critical Siemens SICAM 8 Vulnerabilities: Patch Now to Prevent DoS
Security Operations teams must act immediately to address high-severity vulnerabilities affecting multiple Siemens SICAM 8 products.
Recent advisories from CISA (ICSA-26-092-01) and Siemens have highlighted multiple critical vulnerabilities in widely used power system devices. These flaws, specifically identified as CVE-2026-27663 and CVE-2026-27664, allow attackers to trigger a Denial of Service (DoS) condition, potentially disrupting critical infrastructure operations.
As defenders, our priority is to ensure availability. This breakdown provides the technical details you need to identify affected assets and the remediation steps required to secure your operational technology (OT) environment.
Technical Analysis
The vulnerabilities center on an "Allocation of Resources Without Limits" issue within the firmware of several SICAM 8 product lines. By sending specially crafted requests, an authenticated or unauthenticated attacker (depending on the specific vector) could exhaust system resources, causing the device to crash and stop responding.
Affected Products & Versions:
The following firmware versions running on specific hardware are vulnerable:
- SICAM A8000 Device firmware: CPCI85 for CP-8031/CP-8050; SICORE for CP-8010/CP-8012; RTUM85 for CP-8010/CP-8012.
- SICAM EGS Device firmware: CPCI85.
- SICAM S8000: SICORE; RTUM85.
Specific Affected Versions:
- CPCI85 Central Processing/Communication: Versions prior to 26.10 (CVE-2026-27663, CVE-2026-27664)
- RTUM85 RTU Base: Versions prior to 26.10 (CVE-2026-27663)
- SICORE Base system: Versions prior to 26.10.0 (CVE-2026-27664)
Severity: CVSS v3 7.5 (HIGH)
The Fix: Siemens has released updated firmware that resolves these allocation issues. Organizations must update to the latest versions provided by the vendor to mitigate the risk of service interruption.
Defensive Monitoring
Detecting exploitation attempts or verifying patch compliance in an OT environment requires a multi-layered approach. Below are detection rules and hunt queries for your security operations team.
SIGMA Rules
The following SIGMA rules are designed to detect potential network scanning activity targeting SICAM devices (a precursor to DoS exploitation) and unauthorized execution of management tools on Windows workstations.
---
title: Potential ICS Network Scanning Targeting Common SICAM Ports
id: a7b8c9d0-1e2f-3a4b-5c6d-7e8f9a0b1c2d
status: experimental
description: Detects potential network scanning or denial of service attempts targeting Siemens SICAM devices by monitoring high-frequency connection attempts to commonly used ICS ports.
references:
- https://www.cisa.gov/news-events/ics-advisories/icsa-26-092-01
author: Security Arsenal
date: 2026/03/29
tags:
- attack.reconnaissance
- attack.t1046
- attack.impact
- attack.t1498
logsource:
category: network_connection
product: windows
detection:
selection:
DestinationPort|startswith:
- 102
- 2404
- 502
- 8080
Initiated: 'true'
condition: selection
falsepositives:
- Legitimate engineering workstation traffic
- Scheduled polling from SCADA headends
level: medium
---
title: Suspicious Execution of Siemens SICAM Management Tools
id: b8c9d0e1-2f3a-4b5c-6d7e-8f9a0b1c2d3e
status: experimental
description: Detects the execution of Siemens SICAM configuration or management binaries on endpoints that are not authorized engineering workstations.
references:
- https://cert-portal.siemens.com/productcert/
author: Security Arsenal
date: 2026/03/29
tags:
- attack.execution
- attack.t1059
logsource:
category: process_creation
product: windows
detection:
selection:
Image|contains:
- '\SICAM'
- '\SICORE'
- '\RTUM'
filter:
ParentImage|contains:
- '\explorer.exe'
- '\cmd.exe'
- '\powershell.exe'
condition: selection and not filter
falsepositives:
- Authorized maintenance by engineers
- Automated deployment scripts
level: low
KQL Queries for Microsoft Sentinel/Defender
Use these queries to hunt for network anomalies or verify assets.
// Hunt for failed connection attempts to SICAM devices (Potential DoS)
let SICAMPorts = dynamic([102, 2404, 502, 8080]);
DeviceNetworkEvents
| where RemotePort in SICAMPorts
| where ActionType == "ConnectionFailed" or NetworkConnectionDirection == "Outbound"
| summarize count() by DeviceName, RemoteIP, RemotePort, bin(Timestamp, 5m)
| where count_ > 50
| project Timestamp, DeviceName, RemoteIP, RemotePort, count_
// Identify devices running Siemens SICAM software (Based on installed software inventory)
DeviceProcessEvents
| where FileName has "SICAM"
or ProcessVersionInfoInternalFileName has "SICAM"
| distinct DeviceName, FileName, ProcessVersionInfoProductVersion,FolderPath
| project DeviceName, SoftwareName=FileName, Version=ProcessVersionInfoProductVersion, Path=FolderPath
Velociraptor VQL Hunt Queries
These Velociraptor hunts help identify installations of the affected software on engineering workstations.
-- Hunt for Siemens SICAM related executables on Windows endpoints
SELECT FullPath, Size, Mtime, Atime
FROM glob(globs='C:\Program Files\**\*SICAM*.exe')
-- Hunt for configuration files associated with CPCI85 or SICORE
SELECT FullPath, Size, Mtime
FROM glob(globs='C:\**\*.sic')
WHERE FullPath =~ '(?i)sicam'
Remediation Verification Script (PowerShell)
This script assists asset inventory by checking for the presence of SICAM software on a Windows management host.
<#
.SYNOPSIS
Checks for installed Siemens SICAM components.
.DESCRIPTION
Queries the registry and file system for known Siemens SICAM software paths to identify assets requiring patch review.
#>
$PathsToCheck = @(
"C:\Program Files\Siemens\",
"C:\Program Files (x86)\Siemens\",
"D:\Siemens\"
)
$FoundSoftware = @()
foreach ($Path in $PathsToCheck) {
if (Test-Path $Path) {
Write-Host "Checking path: $Path" -ForegroundColor Cyan
$Items = Get-ChildItem -Path $Path -Recurse -ErrorAction SilentlyContinue -Filter "*SICAM*.exe"
foreach ($Item in $Items) {
$VersionInfo = $Item.VersionInfo
$Details = [PSCustomObject]@{
Name = $Item.Name
Path = $Item.FullName
Version = $VersionInfo.FileVersion
Modified = $Item.LastWriteTime
}
$FoundSoftware += $Details
}
}
}
if ($FoundSoftware.Count -gt 0) {
Write-Host "Potential SICAM components found:" -ForegroundColor Yellow
$FoundSoftware | Format-Table -AutoSize
} else {
Write-Host "No SICAM software found in standard paths." -ForegroundColor Green
}
Remediation
To mitigate these vulnerabilities, Security Arsenal recommends the following immediate actions:
- Patch Immediately: Apply the new firmware versions released by Siemens. Ensure all CPCI85, RTUM85, and SICORE base systems are updated to versions 26.10 or 26.10.0 (or later).
- Verify Update: Reboot devices where necessary to ensure the new firmware is active. Use the verification scripts provided above to ensure management stations are updated as well.
- Network Segmentation: Ensure SICAM devices are placed behind firewalls and strictly limit network access to authorized engineering workstations and SCADA servers. Minimizing the attack surface reduces the risk of external DoS attempts.
- Monitor for DoS: Implement the monitoring rules above to detect repeated connection failures or resource exhaustion attempts targeting these devices.
Related Resources
Security Arsenal Managed SOC Services AlertMonitor Platform Book a SOC Assessment soc-mdr Intel Hub
Is your security operations ready?
Get a free SOC assessment or see how AlertMonitor cuts through alert noise with automated triage.