Siemens TIA Project-Server and TIA Portal

As of January 10, 2023, CISA will no longer be updating ICS security advisories for Siemens product vulnerabilities beyond the initial advisory. For the most up-to-date information on vulnerabilities in this advisory, please see Siemens’ ProductCERT Security Advisories (CERT Services | Services | Siemens Global).

1. EXECUTIVE SUMMARY

  • CVSS v4 5.3
  • ATTENTION: Exploitable remotely/low attack complexity
  • Vendor: Siemens
  • Equipment: Project-Server and TIA Portal
  • Vulnerability: Unrestricted Upload of File with Dangerous Type

2. RISK EVALUATION

Successful exploitation of this vulnerability could allow an attacker to cause a denial-of-service condition.

3. TECHNICAL DETAILS

3.1 AFFECTED PRODUCTS

Siemens reports that the following products are affected:

  • TIA Project-Server: Versions prior to V2.1.1
  • TIA Project-Server V17: All versions
  • Totally Integrated Automation Portal (TIA Portal) V17: All versions
  • Totally Integrated Automation Portal (TIA Portal) V18: All versions
  • Totally Integrated Automation Portal (TIA Portal) V19: All versions
  • Totally Integrated Automation Portal (TIA Portal) V20: Versions prior to V20 Update 3

3.2 VULNERABILITY OVERVIEW

3.2.1 UNRESTRICTED UPLOAD OF FILE WITH DANGEROUS TYPE CWE-434

The affected application improperly handles uploaded projects in the document root. This could allow an attacker with contributor privileges to cause denial of service by uploading a malicious project.

CVE-2025-27127 has been assigned to this vulnerability. A CVSS v3 base score of 4.3 has been calculated; the CVSS vector string is (