Critical Siemens SICAM SIAPP SDK Vulnerabilities: Detection and Patching Guide
Security teams managing Operational Technology (OT) and Industrial Control Systems (ICS) need to be aware of a recent advisory regarding Siemens SICAM SIAPP SDK. As we rely more heavily on software development kits (SDKs) to extend the capabilities of power grid infrastructure, vulnerabilities in these building blocks pose a significant risk to operational continuity.
This post details the security issues identified in the Siemens SICAM SIAPP SDK, provides defensive detection strategies, and outlines immediate remediation steps to protect your organization's industrial environment.
Technical Analysis
An advisory (ICSA-26-076-04) identifies multiple memory-safety vulnerabilities in the SICAM SIAPP SDK, the software development kit used to create custom applications (SIAPPs) for SICAM devices, which are commonly used in power system automation and substation control.
Affected Products:
- SICAM SIAPP SDK: all versions prior to 2.1.7.
Vulnerability Details: The SDK contains the following vulnerability types:
- Out-of-bounds Write (CWE-787): Data is written past the end (or before the beginning) of the intended buffer, corrupting adjacent memory.
- Stack-based Buffer Overflow (CWE-121): A program writes more data into a buffer located on the stack than was allocated for it, overwriting neighbouring stack data such as saved registers and return addresses.
- Improper Handling of Length Parameter Inconsistency (CWE-130): A length value carried inside a message or passed to an API is not checked against the amount of data actually present or the size of the destination buffer, which is the usual entry point for the two conditions above.
Severity: These vulnerabilities have been assigned a CVSS v3 base score of 7.4 (High).
Impact: Successful exploitation of these vulnerabilities could allow an attacker to disrupt customer-developed SIAPPs or their simulation environments. Consequences include:
- Denial of Service (DoS) within the SIAPP.
- Corruption of SIAPP data.
- Security issues within the simulation environment.
Siemens notes that the vulnerabilities are only exploitable when the SDK API is used improperly or the recommended hardening measures are not applied. In practice, guaranteeing strict API compliance across every custom SIAPP in a large industrial estate is difficult, so the update should still be treated as a priority rather than relying on developers having used the API correctly everywhere.
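To make the API-misuse condition concrete, the following C program is an added example written for this post; it is not code from the Siemens SDK, and its record layout (a 1-byte id, a 1-byte declared payload length, then the payload) is invented for illustration. It shows how trusting an in-band length field (CWE-130) becomes a stack buffer overflow (CWE-121, CWE-787) in the unchecked parser, and the two consistency checks the hardened parser performs before copying a single byte: the declared length against the bytes that actually arrived from the transport, and against the fixed destination buffer.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Illustrative record layout (an assumption for this example, NOT the
 * SICAM SIAPP SDK's real API or wire format):
 *   byte 0      : record id
 *   byte 1      : declared payload length
 *   bytes 2..   : payload
 * The transport separately tells the caller how many bytes arrived (msg_len). */
#define PAYLOAD_MAX 16u
#define HEADER_LEN  2u

typedef struct {
    uint8_t id;
    uint8_t len;                    /* bytes actually stored in payload */
    uint8_t payload[PAYLOAD_MAX];
} record_t;

typedef enum {
    REC_OK = 0,
    REC_ERR_SHORT,       /* fewer than HEADER_LEN bytes: the header itself is incomplete */
    REC_ERR_TRUNCATED,   /* declared length exceeds the bytes that actually arrived */
    REC_ERR_TOO_LONG     /* declared length exceeds the fixed destination buffer */
} rec_status_t;

/* Vulnerable variant: trusts the in-band length field (CWE-130).  A message
 * declaring more than PAYLOAD_MAX bytes makes memcpy write past rec->payload
 * (CWE-787; CWE-121 when rec lives on the caller's stack), and a message whose
 * declared length exceeds msg_len reads beyond the received buffer.
 * Shown for contrast only; never call it on untrusted input. */
rec_status_t record_parse_unchecked(const uint8_t *msg, size_t msg_len, record_t *rec)
{
    if (msg_len < HEADER_LEN)
        return REC_ERR_SHORT;
    rec->id  = msg[0];
    rec->len = msg[1];
    memcpy(rec->payload, msg + HEADER_LEN, rec->len);   /* no bound against PAYLOAD_MAX or msg_len */
    return REC_OK;
}

/* Hardened variant: the declared length must be consistent with both the
 * transport length and the destination size before anything is copied. */
rec_status_t record_parse(const uint8_t *msg, size_t msg_len, record_t *rec)
{
    if (msg == NULL || rec == NULL || msg_len < HEADER_LEN)
        return REC_ERR_SHORT;
    size_t declared = msg[1];
    if (declared > PAYLOAD_MAX)
        return REC_ERR_TOO_LONG;                  /* would overflow rec->payload */
    if (declared > msg_len - HEADER_LEN)
        return REC_ERR_TRUNCATED;                 /* would read past the received bytes */
    memset(rec, 0, sizeof *rec);
    rec->id  = msg[0];
    rec->len = (uint8_t)declared;
    memcpy(rec->payload, msg + HEADER_LEN, declared);
    return REC_OK;
}

/* Builds a constructed test message: header plus `payload_bytes` bytes of 0x41.
 * `declared` may disagree with `payload_bytes` on purpose.  Returns the message
 * length, or 0 if the output buffer is too small. */
size_t make_msg(uint8_t id, uint8_t declared, size_t payload_bytes, uint8_t *out, size_t out_cap)
{
    if (out_cap < HEADER_LEN + payload_bytes)
        return 0;
    out[0] = id;
    out[1] = declared;
    memset(out + HEADER_LEN, 0x41, payload_bytes);
    return HEADER_LEN + payload_bytes;
}

int main(void)
{
    uint8_t buf[HEADER_LEN + 64];
    record_t rec;
    size_t n;

    n = make_msg(1, 16, 16, buf, sizeof buf);   /* consistent: 16 declared, 16 present */
    printf("valid     -> %d\n", record_parse(buf, n, &rec));
    n = make_msg(2, 40, 40, buf, sizeof buf);   /* declared 40 > PAYLOAD_MAX: unchecked parser would overflow */
    printf("too long  -> %d\n", record_parse(buf, n, &rec));
    n = make_msg(3, 12, 4, buf, sizeof buf);    /* declared 12 but only 4 arrived: unchecked parser would over-read */
    printf("truncated -> %d\n", record_parse(buf, n, &rec));
    return 0;
}
```

The only difference between the two parsers is the pair of comparisons before the `memcpy`; the unchecked one is what an SDK caller writes when it assumes the framework has already validated the length for it. When reviewing SIAPP code, look for every place a length or size received from outside the application reaches a copy, a loop bound or an SDK call without both of these checks.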
Defensive Monitoring
Detecting exploitation of SDK-level vulnerabilities requires a focus on the operational behavior of the applications built with the SDK. Buffer overflows and memory corruption typically surface first as application crashes, crash reports and crash dumps. The rules and queries below look for those artifacts on the Windows hosts where the SDK and its simulation environment are installed (engineering workstations, build servers, simulation hosts). SIAPPs deployed on the SICAM devices themselves do not generate Windows Error Reporting events, so instability on the devices has to be watched through the devices' own diagnostics and logs.
SIGMA Rules
The following SIGMA rules focus on detecting the aftermath of potential exploits, such as application crashes handled by Windows Error Reporting, which may indicate an attempted buffer overflow or memory corruption event targeting a SIAPP process.
---
title: Windows Error Reporting Launch - Potential Crash Indicator
id: 8d4f2a1b-1c3e-4b5a-9f6d-7e8c9a0b1c2d
status: experimental
description: Detects the launch of WerFault.exe, which typically occurs when an application crashes. Repeated crashes on engineering workstations or simulation hosts in ICS environments may indicate exploitation attempts via buffer overflows. The faulting process is usually the parent, or is named by the -p <pid> argument when the report is raised by the WER service.
references:
  - https://attack.mitre.org/techniques/T1499/
author: Security Arsenal
date: 2026/03/24
tags:
  - attack.impact
  - attack.t1499
logsource:
  category: process_creation
  product: windows
detection:
  selection:
    Image|endswith: '\WerFault.exe'
  condition: selection
fields:
  - ParentImage
  - CommandLine
falsepositives:
  - Legitimate application crashes not related to security events; tune with a per-environment filter on ParentImage for applications known to crash routinely rather than excluding whole directories, which would also hide the SDK processes of interest
level: medium
---
title: Creation of Crash Dump Files
id: 9e5f3b2c-2d4f-5c6b-0a7e-8f9d1b2c3d4e
status: experimental
description: Detects the creation of .dmp files in temporary directories. Such files are written when an unstable application is dumped for analysis, and the same locations are used to stage process memory dumps during credential theft, so hits should be triaged against the process that wrote them.
references:
  - https://attack.mitre.org/techniques/T1003/
author: Security Arsenal
date: 2026/03/24
tags:
  - attack.credential_access
  - attack.t1003
logsource:
  category: file_event
  product: windows
detection:
  selection:
    TargetFilename|endswith: '.dmp'
    TargetFilename|contains: '\Temp\'
  condition: selection
fields:
  - Image
falsepositives:
  - Legitimate debugging by developers
  - Dumps written by Windows Error Reporting itself after an ordinary crash
level: low
KQL Queries
For Microsoft Sentinel or Defender for Endpoint users, the following KQL queries can help identify signs of instability or check for the presence of the specific SDK version.
Query 1: Detect WerFault Execution (Crash Detection)
DeviceProcessEvents
| where Timestamp > ago(7d)
// =~ is case-insensitive; == would miss the real file name "WerFault.exe"
| where FileName =~ "WerFault.exe"
// ProcessCommandLine carries "-p <pid>" of the faulting process when WER launched the reporter
| project Timestamp, DeviceName, ProcessCommandLine, InitiatingProcessFileName, InitiatingProcessCommandLine, FolderPath
| order by Timestamp desc
Query 2: Hunt for specific SDK file versions (if file paths are known)
DeviceFileEvents
| where Timestamp > ago(1d)
| where FolderPath contains @"SICAM" and FileName contains "SDK"
| project Timestamp, DeviceName, FileName, FolderPath, SHA256
| summarize arg_max(Timestamp, *) by DeviceName, FileName
Velociraptor VQL
Velociraptor can be used to hunt for the specific vulnerable version of the SDK on the filesystem or to find recent crash dumps.
Hunt 1: Check for vulnerable SDK installation files
SELECT OSPath, Mtime, Size
FROM glob(globs="C:/Program Files*/**/SICAM SIAPP SDK/**")
WHERE OSPath =~ "SICAM"
Hunt 2: Find recently created dump files
SELECT OSPath, Mtime, Size, Mode
FROM glob(globs="C:/Users/**/AppData/Local/Temp/*.dmp")
WHERE Mtime > timestamp(epoch=now() - 7 * 86400)
PowerShell Verification Script
Use this PowerShell script to check whether a vulnerable version of the SDK is installed. It looks at the installed-programs registry entries and at common installation paths, and flags any version that parses as lower than 2.1.7. Adjust the paths, the DisplayName pattern and the DLL name as necessary for your environment's configuration.
# Script to check for SICAM SIAPP SDK installations and flag versions below the fixed release (2.1.7)
$fixedVersion = [version]'2.1.7'
function Show-SdkVersion([string]$Label, [string]$VersionString) {
    $v = $null
    if ([version]::TryParse($VersionString, [ref]$v) -and $v -lt $fixedVersion) {
        Write-Host "VULNERABLE: $Label version $VersionString is below 2.1.7" -ForegroundColor Red
    } else {
        Write-Host "Detected: $Label version $VersionString (verify manually if it did not parse)" -ForegroundColor Cyan
    }
}
# 1. Installed-programs registry entries (64- and 32-bit views); adjust the DisplayName pattern if your install names differ
$uninstallKeys = @(
    'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\*',
    'HKLM:\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Uninstall\*'
)
Get-ItemProperty -Path $uninstallKeys -ErrorAction SilentlyContinue |
    Where-Object { $_.DisplayName -like '*SICAM SIAPP SDK*' } |
    ForEach-Object { Show-SdkVersion $_.DisplayName $_.DisplayVersion }
# 2. Common installation paths (adjust for your environment)
$paths = @(
    "C:\Program Files\Siemens\SICAM SIAPP SDK",
    "C:\Program Files (x86)\Siemens\SICAM SIAPP SDK",
    "D:\SICAM\SDK"
)
foreach ($path in $paths) {
    if (Test-Path $path) {
        Write-Host "Found SDK directory at: $path" -ForegroundColor Yellow
        # Read the file version of a core DLL; 'some_core.dll' is a placeholder, substitute a DLL shipped by your SDK build
        $dllPath = Join-Path $path "bin\some_core.dll"
        if (Test-Path $dllPath) {
            Show-SdkVersion $dllPath (Get-Item $dllPath).VersionInfo.FileVersion
        } else {
            Write-Host "Could not find core DLL to verify version." -ForegroundColor Gray
        }
    }
}
Remediation
To mitigate these risks and protect your industrial environment, Security Arsenal recommends the following actions:
- Update Immediately: Siemens has released a new version of the SICAM SIAPP SDK. Update to version 2.1.7 or later. This version contains the fixes for the identified buffer overflow and memory corruption vulnerabilities.
- Review API Usage: Siemens notes that the vulnerabilities are exploitable only if the API is used improperly. Review the code of customer-developed SIAPPs for conformance with the SDK's API specification and implementation guidelines, paying particular attention to every place where a length or size value received from outside the application is passed to an SDK call or used to size a buffer.
- Apply Hardening Measures: Apply all hardening measures recommended in the Siemens documentation to both the development and the runtime environments.
- Rebuild Applications: After updating the SDK, recompile and redeploy customer-developed SIAPPs so that they are linked against the fixed libraries. An updated SDK on the build host does nothing for SIAPPs that were built with the old one and are already deployed.
- Network Segmentation: Keep development and simulation environments strictly segmented from operational control networks to limit the blast radius of any exploit.