ZeroPath at Black Hat USA 2026

Brief Summary: CVE-2026-22924 in Siemens SIMATIC CN 4100 and NX — Missing Authentication and Out of Bounds Read

A short review of CVE-2026-22924, a critical missing authentication vulnerability in Siemens SIMATIC CN 4100 (CVSS 9.1) and a separate out of bounds read in Siemens NX (CVSS 7.8), both patched by Siemens with firmware and software updates.

CVE Analysis

7 min read

ZeroPath CVE Analysis
ZeroPath CVE Analysis

2026-05-12

Brief Summary: CVE-2026-22924 in Siemens SIMATIC CN 4100 and NX — Missing Authentication and Out of Bounds Read
Experimental AI-Generated Content

This CVE analysis is an experimental publication that is completely AI-generated. The content may contain errors or inaccuracies and is subject to change as more information becomes available. We are continuously refining our process.

If you have feedback, questions, or notice any errors, please reach out to us.

[email protected]

Introduction

An unauthenticated network path into a process control communication node is the kind of finding that gets ICS security teams moving quickly. CVE-2026-22924 affects the Siemens SIMATIC CN 4100, a redundant multiprotocol communication node that bridges third party systems into process control environments like SIMATIC PCS 7 and PCS neo, and it does so with a CVSS v3.1 base score of 9.1.

The SIMATIC CN 4100 is designed to consolidate multiple communication libraries into a single built in interface, reducing the communication load on industrial controllers. It occupies a critical position in process control architectures, meaning a disruption to this device can propagate across connected industrial systems. Siemens is a global leader in industrial automation, and this product is deployed in environments where availability and integrity are paramount.

Adding an unusual wrinkle, CVE-2026-22924 has a dual assignment situation: the same CVE identifier also covers an out of bounds read vulnerability in Siemens NX, the company's product design software. We will cover both contexts below.

Technical Information

SIMATIC CN 4100: Missing Authentication (CWE-306)

The core issue in the SIMATIC CN 4100 is classified under CWE-306: Missing Authentication for Critical Function. The affected application does not properly restrict unauthenticated connections, which leaves the system susceptible to resource exhaustion conditions. An attacker with network access can exploit this without requiring any privileges or user interaction.

The CVSS v3.1 vector confirms the severity of the exposure:

AttributeValue
Attack VectorNetwork (AV:N)
Attack ComplexityLow
Privileges RequiredNone
User InteractionNone
Integrity ImpactHigh
Availability ImpactHigh
CVSS v3.1 Score9.1
CVSS v4.0 Score8.8

The attack flow is straightforward. An attacker on the network can establish unauthenticated connections to the SIMATIC CN 4100. Because no authentication gate exists on these connection paths, the attacker can consume system resources at will, leading to resource exhaustion. This impacts both availability (the device becomes unresponsive or degraded) and integrity (unauthorized actions become possible through the unauthenticated channel).

The Siemens advisory SSA-032379 also identifies a companion vulnerability, CVE-2026-22925, classified under CWE-770 (Allocation of Resources Without Limits or Throttling). This second flaw enables TCP SYN packet floods against the device, carrying a CVSS v3.1 score of 7.5 with high impact to availability. The presence of both vulnerabilities in the same advisory highlights a pattern of insufficient connection handling in pre-V5.0 firmware.

VulnerabilityCWECVSS v3.1Key Impact
CVE-2026-22924CWE-306 (Missing Authentication)9.1Integrity and Availability
CVE-2026-22925CWE-770 (Resource Allocation Without Limits)7.5Availability via SYN floods

Siemens NX: Out of Bounds Read (CWE-125)

Separately, CISA ICS advisory ICSA-26-043-08 (a republication of Siemens ProductCERT advisory SSA-535115) assigns CVE-2026-22924 to Siemens NX, the product design software. In this context, the vulnerability is an out of bounds read (CWE-125) triggered while parsing specially crafted CGM (Computer Graphics Metafile) files. Exploitation requires user interaction; a victim must open a malicious CGM file. Successful exploitation could lead to code execution in the context of the current process. This instance carries a CVSS v3.1 base score of 7.8. Credit for the discovery was given to researcher Michael Heinzl.

The dual assignment of a single CVE identifier to two distinct products with different root causes (CWE-306 vs. CWE-125) is notable. Organizations should identify which product is present in their environment and apply the corresponding remediation.

Patch Information

CVE-2026-22924 has vendor provided patches for both affected products.

SIMATIC CN 4100: Update to V5.0

Siemens addressed CVE-2026-22924 (along with over 150 other CVEs bundled in the same release) in SIMATIC CN 4100 V5.0. The fix was announced in Siemens Security Advisory SSA-032379, published on 2026-05-12 (V1.0). The updated firmware is available for download from Siemens Industry Online Support. The nature of this fix involves adding proper authentication enforcement for previously unauthenticated connection paths, which is the standard remediation approach for CWE-306: the new version restricts connections that were formerly open, preventing unauthorized resource consumption.

Siemens NX: Update to V2512

Siemens resolved the out of bounds read in NX V2512, released in February 2026. The patch tightens bounds checking during CGM file parsing to prevent the out of bounds read condition. This was documented in Siemens advisory SSA-535115 and republished by CISA as ICSA-26-043-08.

Interim Mitigations

For environments where immediate patching is not feasible, Siemens advises the following:

  • Protect network access to SIMATIC CN 4100 devices using appropriate mechanisms
  • Configure the IT environment according to Siemens operational guidelines for Industrial Security
  • Follow all security recommendations detailed in the specific product manuals

Organizations should inventory their environments for any SIMATIC CN 4100 devices running versions prior to V5.0 and schedule immediate maintenance windows for the firmware upgrade.

Affected Systems and Versions

SIMATIC CN 4100:

  • All versions prior to V5.0 are affected
  • Fixed in V5.0

Siemens NX:

  • Versions prior to V2512 are affected (specific version range not detailed in the advisory)
  • Fixed in V2512

Vendor Security History

Siemens maintains a formalized vulnerability handling and disclosure process through Siemens ProductCERT. ProductCERT investigates security issues and publishes detailed Security Advisories that include CVE references, CVSS scores, affected versions, and mitigation strategies. The bundling of over 150 CVEs into the SIMATIC CN 4100 V5.0 release is indicative of a significant security hardening effort for this product line. The structured advisory process, including cross references with CISA ICS advisories, demonstrates a mature security response capability.

References

Detect & fix
what others miss

Works with
  • GitHub
  • GitLab
  • Bitbucket
  • Azure DevOps Services
  • Jira
  • Linear
  • Slack
  • Security Compass
Security magnifying glass visualization