A critical security advisory (ICSA-26-134-01) has been released for Siemens gPROMS Web Applications Publisher (gWAP), a solution integral to process modeling in critical infrastructure sectors. The product is affected by an unauthenticated code execution vulnerability stemming from a third-party dependency—the Axios HTTP client library. This flaw facilitates a "Gadget" attack chain exploiting prototype pollution, allowing attackers to execute arbitrary code remotely without credentials. Given the High severity (CVSS v3 8) and the target profile—OT environments running web-facing services—immediate remediation is required to prevent potential ransomware deployment or supply-chain compromise.
Technical Analysis
Affected Products & Versions:
- Product: Siemens gPROMS Web Applications Publisher (gWAP)
- Affected Versions: Versions prior to 3.1.1 (< 3.1.1)
Vulnerability Details:
- Vector: The vulnerability is introduced through the Axios library, a popular Node.js HTTP client. A specific "Gadget" chain allows for prototype pollution.
- Mechanism: By manipulating properties of the JavaScript Object.prototype, an attacker can influence application logic. In this specific scenario, the pollution leads to the execution of arbitrary code (RCE).
- Access Vector: Network-based. The advisory indicates unauthenticated access, meaning no valid credentials are required to trigger the exploit, likely via a crafted HTTP request.
- Impact: Full compromise of the underlying host operating system where gWAP is installed.
Exploitation Status: While specific in-the-wild exploitation campaigns are not detailed in the CSAF summary, the public disclosure of prototype pollution chains in Axios significantly lowers the barrier for attackers. The presence of this vulnerability in OT environments makes it a high-value target for automated scanning tools.
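As an added illustration of the mechanism described above (a constructed toy example, not Axios code and not the gWAP gadget chain), the Node.js snippet below shows a recursive merge that lets an untrusted "__proto__" key in a JSON body reach Object.prototype, beside a hardened merge that drops prototype-reaching keys, together with a check a defender can use to confirm whether the shared prototype has been modified:

```javascript
// Constructed toy deep-merge (not Axios code, not the gWAP gadget) showing
// how an untrusted "__proto__" key pollutes Object.prototype, plus a fix.

// Vulnerable pattern: recurses into whatever target[key] resolves to.
// For key "__proto__", target[key] is Object.prototype itself.
function unsafeMerge(target, source) {
  for (const key of Object.keys(source)) {
    const value = source[key];
    if (value && typeof value === 'object') {
      if (!target[key] || typeof target[key] !== 'object') target[key] = {};
      unsafeMerge(target[key], value);
    } else {
      target[key] = value;
    }
  }
  return target;
}

// Hardened pattern: refuse keys that reach the prototype chain and build
// nested containers without a prototype, so there is nothing to pollute.
const FORBIDDEN_KEYS = new Set(['__proto__', 'constructor', 'prototype']);

function safeMerge(target, source) {
  for (const key of Object.keys(source)) {
    if (FORBIDDEN_KEYS.has(key)) continue;
    const value = source[key];
    if (value && typeof value === 'object' && !Array.isArray(value)) {
      const own = Object.prototype.hasOwnProperty.call(target, key);
      if (!own || typeof target[key] !== 'object') target[key] = Object.create(null);
      safeMerge(target[key], value);
    } else {
      target[key] = value;
    }
  }
  return target;
}

// Defender-side check: has a name become an own property of Object.prototype
// (meaning every plain object in the process now inherits it)?
function isPolluted(name) {
  return Object.prototype.hasOwnProperty.call(Object.prototype, name);
}

// Runs both merges on the same constructed untrusted JSON body and reports
// whether the global prototype was modified; cleans up after the unsafe run.
function demonstrate() {
  const untrusted = '{"name":"report","__proto__":{"isAdmin":true}}';
  unsafeMerge({}, JSON.parse(untrusted));
  const afterUnsafe = isPolluted('isAdmin');
  delete Object.prototype.isAdmin;
  const merged = safeMerge({}, JSON.parse(untrusted));
  return { afterUnsafe, afterSafe: isPolluted('isAdmin'), name: merged.name };
}
```

JSON.parse creates "__proto__" as an ordinary own property, so any merge that walks keys without filtering will follow it into the shared prototype; the safe variant keeps benign keys such as "name" while discarding the dangerous one.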
Detection & Response
Detection Strategies
Detection of this vulnerability relies on identifying the successful exploitation of the code execution flaw rather than the prototype pollution attempt itself, which occurs within the application memory and is difficult to detect via network telemetry. Since Axios is a Node.js library, the most reliable detection method is monitoring the Node.js process for unexpected child process creation (e.g., spawning cmd.exe, powershell, or /bin/sh).
Sigma Rules
The following rules detect suspicious process spawning behaviors indicative of successful RCE on a host running the Siemens gWAP application.
---
title: Siemens gWAP RCE - Node.js Spawning Windows Shell
id: 89c0e1a2-3b4c-4d5e-8f9a-1b2c3d4e5f6a
status: experimental
description: Detects Node.js processes (potentially gWAP backend) spawning cmd.exe or powershell.exe, indicative of successful RCE via prototype pollution or similar web exploits.
references:
  - https://www.cisa.gov/news-events/ics-advisories/icsa-26-134-01
author: Security Arsenal
date: 2026/04/06
tags:
  - attack.execution
  - attack.t1059.001
  - attack.t1059.003
logsource:
  category: process_creation
  product: windows
detection:
  selection:
    ParentImage|endswith:
      - '\node.exe'
    Image|endswith:
      - '\cmd.exe'
      - '\powershell.exe'
  condition: selection
falsepositives:
  - Legitimate administrative scripts running via Node
level: high
---
title: Siemens gWAP RCE - Node.js Spawning Linux Shell
id: 7a8b9c0d-1e2f-3a4b-5c6d-7e8f9a0b1c2d
status: experimental
description: Detects Node.js processes spawning shells (sh, bash) on Linux, indicative of RCE in ICS environments.
references:
  - https://www.cisa.gov/news-events/ics-advisories/icsa-26-134-01
author: Security Arsenal
date: 2026/04/06
tags:
  - attack.execution
  - attack.t1059.004
logsource:
  category: process_creation
  product: linux
detection:
  selection:
    ParentImage|endswith:
      - '/node'
    Image|endswith:
      - '/sh'
      - '/bash'
  condition: selection
falsepositives:
  - Authorized system administration
level: high
KQL (Microsoft Sentinel)
This query hunts for Node.js processes spawning command-line interpreters, using the DeviceProcessEvents table that the Microsoft Defender for Endpoint connector populates in Sentinel.
// Hunt for Node.js parent processes spawning shells (RCE Indicator)
DeviceProcessEvents
| where Timestamp > ago(7d)
| where InitiatingProcessFileName has "node"
| where FileName in ("cmd.exe", "powershell.exe", "pwsh.exe", "sh", "bash")
| project Timestamp, DeviceName, InitiatingProcessCommandLine, FileName, ProcessCommandLine, AccountName
| order by Timestamp desc
Velociraptor VQL
This VQL artifact hunts for processes where the parent is Node.js and the child is a shell, which is a strong indicator of successful web-based RCE.
-- Hunt for Node.js spawning shells
SELECT Pid, Name, CommandLine, Exe, Parent.Pid AS ParentPid, Parent.Name AS ParentName, Parent.Commandline AS ParentCmd
FROM pslist()
WHERE Parent.Name =~ "node"
AND Name IN ("cmd.exe", "powershell.exe", "sh", "bash")
Remediation Script (Bash)
This script checks the package.json and node_modules of a specified gWAP installation directory to determine which Axios version is present. Note: this requires access to the application's file system, and because the advisory does not state a patched Axios version, the script reports the detected version and always points to the gWAP upgrade as the supported fix.
#!/bin/bash
# Siemens gWAP Axios Vulnerability Remediation Check
# Usage: ./check_gwap_axios.sh /path/to/gwap/installation
INSTALL_DIR="$1"
if [ -z "$INSTALL_DIR" ]; then
    echo "Usage: $0 /path/to/gwap/installation"
    exit 1
fi

AXIOS_PATH=""
# Find the axios package.json in node_modules
if [ -f "$INSTALL_DIR/node_modules/axios/package.json" ]; then
    AXIOS_PATH="$INSTALL_DIR/node_modules/axios/package.json"
elif [ -f "$INSTALL_DIR/package.json" ]; then
    echo "Found root package.json. Checking dependencies..."
    # A more robust check would parse the JSON; grep is used for basic spotting
    if grep -q '"axios"' "$INSTALL_DIR/package.json"; then
        echo "Axios is listed in dependencies. Please verify version manually."
    else
        echo "Axios is not listed in the root package.json; it may be nested or absent."
    fi
    exit 1
else
    echo "Could not find node_modules/axios or package.json in $INSTALL_DIR"
    exit 1
fi

if [ -n "$AXIOS_PATH" ]; then
    echo "Checking Axios version at: $AXIOS_PATH"
    # Extract the version: prefer jq when installed, fall back to grep/awk
    if command -v jq >/dev/null 2>&1; then
        VERSION=$(jq -r '.version' "$AXIOS_PATH")
    else
        VERSION=$(grep '"version"' "$AXIOS_PATH" | head -n 1 | awk -F'"' '{print $4}')
    fi
    echo "Detected Axios version: ${VERSION:-unknown}"
    # The advisory does not state a patched Axios version; the supported fix is
    # upgrading gWAP to >= 3.1.1, which bundles the updated dependency.
    echo "REMEDIATION REQUIRED: Update Siemens gWAP to version 3.1.1 or later."
    echo "See: https://new.siemens.com/global/en/products/services/cert.html"
fi
Remediation
To address this vulnerability effectively, follow these steps:
- Update Immediately: Siemens has released gWAP version 3.1.1. Update all affected instances to version 3.1.1 or later. This update addresses the unauthenticated code execution vulnerability by updating the embedded third-party components.
- Vendor Advisory: Refer to the official Siemens security advisory (SSA-768588 or corresponding ID matching ICSA-26-134-01) for detailed download instructions and release notes.
  - Source: Siemens ProductCERT
- Network Segmentation: Until the patch is applied, ensure gWAP instances are not accessible from the public internet. Place them behind a firewall and restrict access to trusted internal subnets only.
- CISA KEV: As this is identified as affecting Critical Infrastructure, monitor the CISA Known Exploited Vulnerabilities (KEV) catalog for any deadlines imposed on federal agencies, which serve as a good benchmark for urgency.