CVE-2025-26390 CRITICAL

Vendor Siemens
Product OZW672
Weakness CWE-89 · SQLi
Published May 13, 2025
Last update May 13, 2025

CVSS base score

9.8/10
Attack vector Network
Attack complexity Low
Privileges required None
User interaction None
Confidentiality High
Integrity High

CVSS vector

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

What the vulnerability does

01 Description

A vulnerability has been identified in OZW672 (All versions < V6.0), OZW772 (All versions < V6.0). The web service of affected devices is vulnerable to SQL injection when checking authentication data. This could allow an unauthenticated remote attacker to bypass the check and authenticate as Administrator user.

Key dates

02 Disclosure timeline

May 13, 2025 CVE published
May 13, 2025 Record updated