Introduction
An unauthenticated network path into a process control communication node is the kind of finding that gets ICS security teams moving quickly. CVE-2026-22924 affects the Siemens SIMATIC CN 4100, a redundant multiprotocol communication node that bridges third party systems into process control environments like SIMATIC PCS 7 and PCS neo, and it does so with a CVSS v3.1 base score of 9.1.
The SIMATIC CN 4100 is designed to consolidate multiple communication libraries into a single built in interface, reducing the communication load on industrial controllers. It occupies a critical position in process control architectures, meaning a disruption to this device can propagate across connected industrial systems. Siemens is a global leader in industrial automation, and this product is deployed in environments where availability and integrity are paramount.
Adding an unusual wrinkle, CVE-2026-22924 has a dual assignment situation: the same CVE identifier also covers an out of bounds read vulnerability in Siemens NX, the company's product design software. We will cover both contexts below.
Technical Information
SIMATIC CN 4100: Missing Authentication (CWE-306)
The core issue in the SIMATIC CN 4100 is classified under CWE-306: Missing Authentication for Critical Function. The affected application does not properly restrict unauthenticated connections, which leaves the system susceptible to resource exhaustion conditions. An attacker with network access can exploit this without requiring any privileges or user interaction.
The CVSS v3.1 vector confirms the severity of the exposure:
| Attribute | Value |
|---|---|
| Attack Vector | Network (AV:N) |
| Attack Complexity | Low |
| Privileges Required | None |
| User Interaction | None |
| Integrity Impact | High |
| Availability Impact | High |
| CVSS v3.1 Score | 9.1 |
| CVSS v4.0 Score | 8.8 |
The attack flow is straightforward. An attacker on the network can establish unauthenticated connections to the SIMATIC CN 4100. Because no authentication gate exists on these connection paths, the attacker can consume system resources at will, leading to resource exhaustion. This impacts both availability (the device becomes unresponsive or degraded) and integrity (unauthorized actions become possible through the unauthenticated channel).
The Siemens advisory SSA-032379 also identifies a companion vulnerability, CVE-2026-22925, classified under CWE-770 (Allocation of Resources Without Limits or Throttling). This second flaw enables TCP SYN packet floods against the device, carrying a CVSS v3.1 score of 7.5 with high impact to availability. The presence of both vulnerabilities in the same advisory highlights a pattern of insufficient connection handling in pre-V5.0 firmware.
| Vulnerability | CWE | CVSS v3.1 | Key Impact |
|---|---|---|---|
| CVE-2026-22924 | CWE-306 (Missing Authentication) | 9.1 | Integrity and Availability |
| CVE-2026-22925 | CWE-770 (Resource Allocation Without Limits) | 7.5 | Availability via SYN floods |
Siemens NX: Out of Bounds Read (CWE-125)
Separately, CISA ICS advisory ICSA-26-043-08 (a republication of Siemens ProductCERT advisory SSA-535115) assigns CVE-2026-22924 to Siemens NX, the product design software. In this context, the vulnerability is an out of bounds read (CWE-125) triggered while parsing specially crafted CGM (Computer Graphics Metafile) files. Exploitation requires user interaction; a victim must open a malicious CGM file. Successful exploitation could lead to code execution in the context of the current process. This instance carries a CVSS v3.1 base score of 7.8. Credit for the discovery was given to researcher Michael Heinzl.
The dual assignment of a single CVE identifier to two distinct products with different root causes (CWE-306 vs. CWE-125) is notable. Organizations should identify which product is present in their environment and apply the corresponding remediation.
Patch Information
CVE-2026-22924 has vendor provided patches for both affected products.
SIMATIC CN 4100: Update to V5.0
Siemens addressed CVE-2026-22924 (along with over 150 other CVEs bundled in the same release) in SIMATIC CN 4100 V5.0. The fix was announced in Siemens Security Advisory SSA-032379, published on 2026-05-12 (V1.0). The updated firmware is available for download from Siemens Industry Online Support. The nature of this fix involves adding proper authentication enforcement for previously unauthenticated connection paths, which is the standard remediation approach for CWE-306: the new version restricts connections that were formerly open, preventing unauthorized resource consumption.
Siemens NX: Update to V2512
Siemens resolved the out of bounds read in NX V2512, released in February 2026. The patch tightens bounds checking during CGM file parsing to prevent the out of bounds read condition. This was documented in Siemens advisory SSA-535115 and republished by CISA as ICSA-26-043-08.
Interim Mitigations
For environments where immediate patching is not feasible, Siemens advises the following:
- Protect network access to SIMATIC CN 4100 devices using appropriate mechanisms
- Configure the IT environment according to Siemens operational guidelines for Industrial Security
- Follow all security recommendations detailed in the specific product manuals
Organizations should inventory their environments for any SIMATIC CN 4100 devices running versions prior to V5.0 and schedule immediate maintenance windows for the firmware upgrade.
Affected Systems and Versions
SIMATIC CN 4100:
- All versions prior to V5.0 are affected
- Fixed in V5.0
Siemens NX:
- Versions prior to V2512 are affected (specific version range not detailed in the advisory)
- Fixed in V2512
Vendor Security History
Siemens maintains a formalized vulnerability handling and disclosure process through Siemens ProductCERT. ProductCERT investigates security issues and publishes detailed Security Advisories that include CVE references, CVSS scores, affected versions, and mitigation strategies. The bundling of over 150 CVEs into the SIMATIC CN 4100 V5.0 release is indicative of a significant security hardening effort for this product line. The structured advisory process, including cross references with CISA ICS advisories, demonstrates a mature security response capability.



