Back to Intelligence

Siemens SICAM 8: CVE-2026-27663 & CVE-2026-27664 Detection and Remediation

SA
Security Arsenal Team
April 15, 2026
6 min read

CISA has released ICS Advisory ICSA-26-092-01 regarding critical vulnerabilities affecting multiple Siemens SICAM 8 products. These devices are widely deployed in electrical substations and industrial environments for telecontrol and grid automation. The identified vulnerabilities, CVE-2026-27663 and CVE-2026-27664 (both scoring CVSS v3 7.5), involve improper allocation of resources without limits. Successful exploitation could allow an unauthenticated attacker to cause a Denial of Service (DoS), potentially disrupting power grid operations or industrial processes. Defenders must prioritize inventorying affected assets and applying firmware updates immediately to ensure availability.

Technical Analysis

Affected Products and Versions: The vulnerabilities impact specific firmware and software components running on Siemens SICAM platforms, particularly the CP-8000 series industrial PCs:

  • SICAM A8000 Device firmware: CPCI85, SICORE, RTUM85
  • SICAM EGS Device firmware: CPCI85
  • SICAM S8000: SICORE, RTUM85
  • Affected Component Versions (Vulnerable):
    • CPCI85 Central Processing/Communication: versions < 26.10 (CVE-2026-27663, CVE-2026-27664)
    • RTUM85 RTU Base: versions < 26.10 (CVE-2026-27663)
    • SICORE Base system: versions < 26.10.0 (CVE-2026-27664)

Vulnerability Details:

  • CVE-2026-27663 & CVE-2026-27664: These issues stem from an "Allocation of Resources Without Limits" weakness. The affected components do not properly restrict the rate or size of resource allocation requests. An attacker can exploit this by sending specifically crafted requests to the device, exhausting system resources (CPU or memory). This leads to a crash or a complete hang of the service/process, resulting in a DoS condition.

Exploitation Status: As of the advisory release, there is no confirmation of active exploitation in the wild. However, the relatively high CVSS score (7.5) and the critical nature of the target environment (OT/ICS) make this a high priority for remediation.

Detection & Response

Detecting this specific vulnerability requires a two-pronged approach: monitoring for the impact of the exploitation (service crashes/restarts) and actively hunting for the presence of vulnerable software versions. Since the affected components (CPCI85, RTUM85, SICORE) often run on Windows-based industrial PCs (CP-8010, CP-8012, etc.), we can leverage standard EDR and SIEM telemetry.

Sigma Rules

The following Sigma rules target the operational impact (Service Crash) and the specific binary execution associated with the vulnerable components.

YAML
---
title: Siemens SICAM Component Service Termination
id: 8a2b3c4d-5e6f-7a8b-9c0d-1e2f3a4b5c6d
status: experimental
description: Detects unexpected termination or crash of Siemens SICAM core services (CPCI85, RTUM85, SICORE), which may indicate a successful DoS exploitation attempt.
references:
  - https://www.cisa.gov/news-events/ics-advisories/icsa-26-092-01
author: Security Arsenal
date: 2026/04/06
tags:
  - attack.impact
  - attack.t1499
logsource:
  product: windows
  service: system
detection:
  selection:
    EventID:
      - 7031 # Service Control Manager: Service terminated unexpectedly
      - 7034 # Service Control Manager: Service crashed
    ServiceName|contains:
      - 'CPCI85'
      - 'RTUM85'
      - 'SICORE'
  condition: selection
falsepositives:
  - Legitimate service restarts due to maintenance or updates
level: high
---
title: Potential Resource Exhaustion on SICAM Host
id: 9b3c4d5e-6f7a-8b9c-0d1e-2f3a4b5c6d7e
status: experimental
description: Detects "Server is running out of resources" events or high memory alerts on hosts running Siemens SICAM software, indicative of CVE-2026-27663/64 exploitation.
references:
  - https://www.cisa.gov/news-events/ics-advisories/icsa-26-092-01
author: Security Arsenal
date: 2026/04/06
tags:
  - attack.impact
  - attack.t1499
logsource:
  product: windows
  service: system
detection:
  selection:
    EventID: 2004 # Resource-Exhaustion-Detected
  filter:
    # Focus on known SICAM hostnames or process patterns if environment allows
    # Generic rule to identify the event on critical infrastructure assets
    Channel: 'System'
  condition: selection
falsepositives:
  - Other applications causing memory leaks on the industrial PC
level: medium

KQL (Microsoft Sentinel)

This query hunts for service crashes related to the vulnerable Siemens components, assuming Windows Event logs are forwarded via Syslog or the Event connector.

KQL — Microsoft Sentinel / Defender
// Hunt for Siemens SICAM Service Crashes
Syslog
| where Facility contains 'win' or SyslogMessage contains 'Service Control Manager'
| extend EventID = extract("(EventID:\\s*)(\\d+)", 2, SyslogMessage)
| extend ServiceName = extract("(Service\sName:\\s*)([^"]+)", 2, SyslogMessage)
| where EventID in ('7031', '7034')
| where ServiceName has_any ('CPCI85', 'RTUM85', 'SICORE')
| project TimeGenerated, ComputerIP, SyslogMessage, ServiceName, EventID
| sort by TimeGenerated desc

Velociraptor VQL

This VQL artifact hunts for the presence of the vulnerable executables on the CP-8000 series Windows PCs and attempts to retrieve their file version to determine if they are below the patched threshold.

VQL — Velociraptor
-- Hunt for Siemens SICAM vulnerable binaries and check versions
SELECT 
  FullPath,
  Mtime,
  Size,
  VersionInfo.ProductVersion,
  VersionInfo.FileVersion,
  VersionInfo.CompanyName
FROM glob(globs=[
    'C:\Program Files*\Siemens\**\CPCI85.exe',
    'C:\Program Files*\Siemens\**\RTUM85.exe', 
    'C:\Program Files*\Siemens\**\SICORE.exe',
    'C:\SICAM\**\*.exe'
])
WHERE VersionInfo.ProductVersion != '' 
  AND (
     // Versions less than 26.10 are vulnerable per advisory
     // Note: String comparison for versions requires careful parsing, 
     // simplistic check for presence here for immediate visibility.
     VersionInfo.ProductVersion !startswith '26.10'
  )

Remediation Script (PowerShell)

This script assists in identifying vulnerable installations of SICAM 8 components on local Windows-based OT workstations.

PowerShell
# Check for vulnerable Siemens SICAM 8 Components
# CVE-2026-27663 / CVE-2026-27664

$TargetVersions = @('CPCI85', 'RTUM85', 'SICORE')
$VulnerableThreshold = [version]'26.10.0.0'
$Findings = @()

# Define common installation paths for SICAM on CP-8000 series
$Paths = @(
    "C:\Program Files\Siemens\",
    "C:\Program Files (x86)\Siemens\",
    "C:\SICAM\"
)

Write-Host "[+] Scanning for Siemens SICAM 8 vulnerable components..."

foreach ($Path in $Paths) {
    if (Test-Path $Path) {
        Write-Host "[+] Scanning path: $Path"
        # Search for executables related to the vulnerable components
        $Files = Get-ChildItem -Path $Path -Recurse -Include '*.exe' -ErrorAction SilentlyContinue | 
                 Where-Object { $TargetVersions -contains $_.BaseName }

        foreach ($File in $Files) {
            $FileInfo = Get-Item $File.FullName
            if ($FileInfo.VersionInfo.FileVersion) {
                try {
                    $FileVer = [version]$FileInfo.VersionInfo.FileVersion
                    # Check if version is strictly less than 26.10.0.0
                    if ($FileVer -lt $VulnerableThreshold) {
                        $Findings += [PSCustomObject]@{
                            Component = $File.BaseName
                            Path      = $File.FullName
                            Version   = $FileVer
                            Status    = 'VULNERABLE'
                        }
                    }
                } catch {
                    # Handle cases where version string is not a standard format
                    Write-Host "[-] Could not parse version for $($File.FullName)"
                }
            }
        }
    }
}

if ($Findings.Count -gt 0) {
    Write-Host "[!] ALERT: Vulnerable components found:" -ForegroundColor Red
    $Findings | Format-Table -AutoSize
} else {
    Write-Host "[+] No vulnerable components found via filesystem scan." -ForegroundColor Green
}

Remediation

Siemens has released updates to address these vulnerabilities. Immediate action is required to maintain the availability of these OT systems.

Patch Management:

SQL
Update the affected products to the latest firmware versions provided by Siemens. Specifically, ensure components are updated to versions **equal to or newer than 26.10**:
  1. CPCI85: Update to version >= 26.10
  2. RTUM85: Update to version >= 26.10
  3. SICORE: Update to version >= 26.10.0

Official Vendor Advisory: Refer to Siemens Security Advisory SSA-459982 for detailed download links and installation instructions.

Mitigation for Unpatchable Systems: If immediate patching is not possible due to operational uptime requirements:

  1. Network Segmentation: Ensure SICAM devices are placed in a strictly controlled VLAN, isolated from the corporate IT network and the public internet.
  2. Firewall Rules: restrict access to the management interfaces of these devices (TCP/Port 102, TCP/Port 502, or other proprietary ports) to known, trusted engineering workstations only.
  3. Monitor: Increase monitoring frequency for device reboots or unavailability alerts.

Related Resources

Security Arsenal Managed SOC Services AlertMonitor Platform Book a SOC Assessment soc-mdr Intel Hub

managed-socmdrsecurity-monitoringthreat-detectionsiemsiemensics-scadacve-2026-27663

Is your security operations ready?

Get a free SOC assessment or see how AlertMonitor cuts through alert noise with automated triage.

Book a SOC AssessmentSee AlertMonitor in Action