Introduction
Operational Technology (OT) defenders are on high alert following the release of ICSA-26-197-05, which details multiple high-severity vulnerabilities affecting Siemens SICAM 8 products. These devices, widely deployed in power generation, transmission, and distribution environments, are susceptible to Denial of Service (DoS) attacks due to the presence of active debug code and improper resource initialization.
With a CVSS v3 score of 7.2 (High), these vulnerabilities—tracked as CVE-2026-54798, CVE-2026-54799, CVE-2026-54800, and CVE-2026-54801—pose a significant risk to the availability of critical infrastructure. For organizations managing these assets, the immediate priority is to identify affected firmware versions and apply patches before adversaries can leverage these flaws to disrupt operations.
Technical Analysis
Affected Products and Versions
The vulnerabilities impact multiple firmware lines within the SICAM 8 ecosystem. Specifically, the following versions are vulnerable:
- CPCI85 Central Processing/Communication (CP-8031/CP-8050): Versions prior to
26.20. - SICORE Base system (CP-8010/CP-8012): Versions prior to
26.20.0. - SICAM A8000 Device firmware: Impacted via CPCI85 component.
- SICAM EGS Device firmware: Impacted via CPCI85 component.
- SICAM S8000: Impacted via SICORE component.
Vulnerability Mechanics
The advisory highlights two primary vulnerability classes that lead to DoS conditions:
- Active Debug Code (CWE-489): Specific firmware builds appear to have retained debug functionality that should have been removed in the production release. Active debug interfaces can allow attackers to trigger diagnostic routines or error conditions that halt the device's normal operation, effectively causing a crash or restart loop.
- Initialization of a Resource with a Source (CWE-456): The system fails to properly initialize resources during startup or configuration changes. An attacker can send specially crafted packets or inputs that exploit this uninitialized state, leading to memory corruption or process termination.
Exploitation Status
While these vulnerabilities are currently classified as requiring a low attack complexity, there is no confirmed evidence of active exploitation in the wild at the time of this advisory. However, the public disclosure of CVE identifiers often serves as a trigger for automated scanning and exploitation attempts within 24 to 48 hours. The ease of triggering a DoS makes this a high-risk vector for script kiddies and state-sponsored actors alike looking to test grid resilience.
Detection & Response
Detecting exploitation attempts against OT devices requires a shift from traditional endpoint monitoring to network-based anomaly detection and deep packet inspection (DPI). The following detection rules focus on identifying network behaviors indicative of exploitation attempts or the resultant DoS conditions.
Sigma Rules
---
title: Potential Siemens SICAM Debug Code Activity
id: 8a2b4c1d-9e3f-4a5b-b6c7-1d2e3f4a5b6c
status: experimental
description: Detects potential access to active debug interfaces on Siemens SICAM devices. Debug interfaces often utilize non-standard high ports or malformed protocol headers. This rule monitors for traffic to ICS subnets on suspicious ports.
references:
- https://www.cisa.gov/news-events/ics-advisories/icsa-26-197-05
author: Security Arsenal
date: 2026/04/08
tags:
- attack.initial_access
- attack.ics
logsource:
category: network_connection
product: windows
detection:
selection:
DestinationPort|between:
- 50000
- 60000
DestinationIpAddress|cidr: '10.0.0.0/8' # Modify to match your OT ICS subnet
Initiated: 'true'
condition: selection
falsepositives:
- Legitimate engineering workstation access
- Authorized vulnerability scanning
level: high
---
title: Siemens SICAM Device Denial of Service Indicator
id: 9c3d5e2f-0f4g-5b6c-7d8e-9f0a1b2c3d4e
status: experimental
description: Detects potential DoS conditions or scanning attempts against Siemens SICAM devices by identifying a high volume of TCP Resets (RST) or connection failures to standard IEC 60870-5-104 ports (2404).
references:
- https://www.cisa.gov/news-events/ics-advisories/icsa-26-197-05
author: Security Arsenal
date: 2026/04/08
tags:
- attack.impact
- attack.ics
logsource:
category: network_connection
product: windows
detection:
selection_port:
DestinationPort: 2404
selection_failure:
ConnectionStatus|contains:
- 'RST'
- 'TIMEOUT'
condition: all of selection_*
timeframe: 1m
falsepositives:
- Network instability
- Misconfigured device
level: medium
KQL (Microsoft Sentinel / Defender)
// Hunt for anomalies in IEC 104 traffic or connectivity loss to SICAM devices
// Requires CommonSecurityLog (Firewall/IDS) or Syslog data
let ICS_Subnets = dynamic(["192.168.10.0/24", "10.20.30.0/24"]); // Define your OT subnets
let TimeWindow = 1h;
CommonSecurityLog
| where TimeGenerated > ago(TimeWindow)
| where ipv4_is_in_range(DestinationIP, ICS_Subnets)
| where DeviceAction in ("Reset", "Blocked", "Drop") or DestinationPort == 2404
| summarize count() by SourceIP, DestinationIP, DestinationPort, DeviceAction
| where count_ > 100 // Threshold for potential flooding/scanning
| extend AlertMessage = "High volume of reset/drop actions detected on ICS protocols"
Velociraptor VQL
-- Hunt for instances of Siemens engineering tools connecting to SICAM devices
-- on the management workstation. This helps identify the "Who" and "When" of configuration changes.
SELECT Pid, Name, CommandLine, Exe, Username, CreateTime
FROM pslist()
WHERE Name =~ "SICAM.*\.exe"
OR Name =~ "DIGSI.*\.exe"
OR CommandLine =~ "\\\\192\\.168\\." OR CommandLine =~ "\\\\10\\."
-- Look for connections to private IP ranges typical of OT
Remediation Script (PowerShell)
This script assists defenders in verifying network exposure to vulnerable devices by checking for open ports on the management segment or validating connectivity status.
<#
.SYNOPSIS
Siemens SICAM 8 Vulnerability - Network Exposure Check
.DESCRIPTION
Checks connectivity to defined Siemens SICAM IP ranges to detect if devices are responsive.
Use with caution in production OT environments to avoid triggering latency.
#>
$TargetIPs = @("192.168.10.5", "192.168.10.6") # Replace with your SICAM Device IPs
$Port = 2404 # Standard IEC 60870-5-104 Port
$Timeout = 1000
Write-Host "[+] Starting SICAM 8 Connectivity Check for CVE-2026-54798..." -ForegroundColor Cyan
foreach ($IP in $TargetIPs) {
try {
$TcpClient = New-Object System.Net.Sockets.TcpClient
$Connect = $TcpClient.BeginConnect($IP, $Port, $null, $null)
$Wait = $Connect.AsyncWaitHandle.WaitOne($Timeout, $false)
if ($Wait) {
Write-Host "[!] Device at $IP :$Port is REACHABLE." -ForegroundColor Green
# Recommend immediate patching if firmware version is unknown
} else {
Write-Host "[-] Device at $IP :$Port is UNREACHABLE (Possible DoS or Offline)." -ForegroundColor Red
}
$TcpClient.Close()
} catch {
Write-Host "[-] Error checking $IP : $_" -ForegroundColor Yellow
}
}
Write-Host "[+] Check complete. If devices are reachable, verify firmware versions in the web interface."
Write-Host "[+] Target Version: CPCI85 >= 26.20, SICORE >= 26.20.0"
Remediation
-
Patch Immediately: Siemens has released updated firmware that addresses these vulnerabilities. Update all affected devices to the latest versions:
- CPCI85: Update to version 26.20 or later.
- SICORE: Update to version 26.20.0 or later.
- Download the updates via the Siemens download center or the Siemens Customer Support portal.
-
Network Segmentation: If patching is not immediately possible (e.g., requires a scheduled outage), enforce strict segmentation. Ensure the SICAM devices are not accessible from the corporate IT network or the internet. Limit access to specific Engineering Workstations (EWS) using firewall rules.
-
Monitor for Anomalies: Deploy the detection rules provided above. Monitor specifically for traffic on non-standard ports which could indicate attempts to access the "Active Debug Code" interfaces.
-
Review CISA Advisory: Refer to ICSA-26-197-05 for the full technical report and specific mitigations if air-gapping is required.
Related Resources
Security Arsenal Managed SOC Services AlertMonitor Platform Book a SOC Assessment soc-mdr Intel Hub
Is your security operations ready?
Get a free SOC assessment or see how AlertMonitor cuts through alert noise with automated triage.