Advisory Summary

CVE: CVE-2026-20182
CVSS v3.1 Base Score: 9.8 (Critical)
Affected Products: Siemens RUGGEDCOM ROS (all versions prior to 5.9.1), SCADABr 1.2.x and 1.3.x
Attack Vector: Network (no prior authentication required)
CISA Advisory ID: ICSA-2026-134-01

CISA published this advisory on May 14, 2026, coordinating with Siemens ProductCERT and the Brazilian CERT for the SCADABr component. Both vulnerabilities share the same root cause—improper input validation in web-based management interfaces—and can be chained by an attacker with network access to the affected devices.

Vulnerability Details

Siemens RUGGEDCOM ROS

RUGGEDCOM devices are hardened Layer 2/3 switches and routers designed for industrial environments: substations, rail networks, pipeline SCADA installations, and smart grid applications. The vulnerability is in the device’s built-in HTTP management interface.

The flaw is a stack-based buffer overflow in the HTTP header parsing routine of the RUGGEDCOM web server. A specially crafted Authorization header exceeding 512 bytes triggers the overflow before any authentication logic executes. An attacker can overwrite the return address and redirect execution to attacker-controlled shellcode delivered in the same request.

Exploitation does not require prior knowledge of device credentials. On most affected firmware versions, the web interface is enabled by default and listens on TCP/80 and TCP/443, reachable from any network segment that has a route to the device’s management address.

Affected firmware versions:

  • RUGGEDCOM ROS 4.x (all versions) — no patch; migrate to ROS 5.9.1
  • RUGGEDCOM ROS 5.x prior to 5.9.1 — patch available
  • RUGGEDCOM WIN (wireless variants) — under investigation, no patch yet

SCADABr

SCADABr is an open-source SCADA and HMI platform with significant deployment across South American and Southeast Asian industrial facilities, particularly in smaller water treatment, agriculture irrigation, and district energy operations that cannot afford commercial SCADA licensing.

CVE-2026-20182 as it applies to SCADABr is a Java deserialization vulnerability in the platform’s REST API endpoint (/api/json). When the application deserializes a crafted JSON payload carrying a gadget chain that targets the Apache Commons Collections library (SCADABr bundles the 3.x line), the result is unauthenticated remote code execution. The API endpoint is not access-controlled in default installations.

Successful exploitation gives the attacker OS-level code execution in the context of the SCADABr service account, which in many industrial deployments runs as SYSTEM or root due to port-binding requirements. From this position, an attacker can read or write any point values in the SCADA database, modify alarm thresholds, and access engineering credentials stored in the application’s configuration files.

Exploitation Status

As of the advisory publication date, CISA has received reports of exploitation attempts observed in the wild targeting internet-exposed RUGGEDCOM devices. No confirmed successful compromises have been attributed to this CVE at the time of publication, but proof-of-concept exploit code was publicly released on a well-known exploit repository approximately 72 hours prior to the coordinated advisory.

For SCADABr, exploitation in the wild has not been confirmed, but the deserialization vector is straightforward for any attacker with Java exploitation experience to implement. The public-facing nature of many SCADABr installations—some water utilities expose the HMI directly to the internet for remote monitoring—significantly elevates the risk.

Immediate Actions Required

For RUGGEDCOM Operators

  1. Apply firmware update to ROS 5.9.1 immediately — Siemens has made this available through their support portal. For ROS 4.x devices, plan urgent migration; no patch will be issued for the 4.x branch.
  2. Disable the web management interface if not operationally required — use CLI-only management via SSH. This removes the vulnerable HTTP service from the attack surface; verify afterwards that nothing is listening on TCP/80 and TCP/443.
  3. Restrict web management access to dedicated management VLANs — use ACLs to block access from OT process networks and any internet-connected segment.
  4. Review recent access logs for the HTTP service; look for oversized Authorization headers or unexpected 500-series error responses, which may indicate probing activity. A request that actually triggers the overflow may crash the HTTP service before it is logged, so also correlate with unexplained restarts of the web service or the device.
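The two signals named in item 4 can be checked mechanically. The following is an added example, not Siemens or CISA code: it parses raw HTTP requests (as captured by a proxy, IDS or span port) and flags any Authorization header whose value is longer than the 512 bytes the Vulnerability Details section gives as the trigger, and it scans access-log lines for 5xx responses. The requests and log lines are constructed, and the log is assumed to be in Common Log Format, which is not necessarily what the device itself writes; adapt LOG_RE to your collector's format.

```python
"""Detect requests and responses that fit the probing pattern the advisory
describes for the RUGGEDCOM web server: an Authorization header longer than
512 bytes, or 5xx responses from the device.  Added example, not vendor
code.  Samples below are constructed; the Common Log Format is an assumption."""
import base64
import re
from dataclasses import dataclass

# The advisory says the overflow triggers when the header exceeds 512 bytes.
# This code measures the header *value* (everything after "Authorization:");
# if your capture counts the whole line, subtract len("Authorization: ").
HEADER_LIMIT = 512


@dataclass
class Finding:
    source: str   # what the finding is about (request line or client IP)
    reason: str   # human-readable explanation


def parse_request(raw: bytes):
    """Split a raw HTTP/1.x request head into (method, path, headers).

    Headers come back as a list of (lowercased name, value bytes) rather than
    a dict so that a repeated Authorization header is not silently collapsed.
    Lines without a colon are skipped instead of aborting the parse, because
    a probe may deliberately put junk before the interesting header."""
    head, _, _body = raw.partition(b"\r\n\r\n")
    lines = head.split(b"\r\n")
    request_line = lines[0].split(b" ")
    if len(request_line) < 2:
        raise ValueError("malformed request line")
    method = request_line[0].decode("ascii", "replace")
    path = request_line[1].decode("ascii", "replace")
    headers = []
    for line in lines[1:]:
        name, sep, value = line.partition(b":")
        if not sep:
            continue
        headers.append((name.strip().lower().decode("ascii", "replace"), value.strip()))
    return method, path, headers


def check_request(raw: bytes, limit: int = HEADER_LIMIT) -> list:
    """Flag every Authorization header whose value is longer than `limit`."""
    method, path, headers = parse_request(raw)
    findings = []
    for name, value in headers:
        if name == "authorization" and len(value) > limit:
            findings.append(Finding(
                f"{method} {path}",
                f"Authorization header value is {len(value)} bytes (limit {limit})",
            ))
    return findings


# Common Log Format: client ident user [time] "request" status size
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[[^\]]+\] "(?P<req>[^"]*)" (?P<status>\d{3}) \S+'
)


def scan_access_log(lines) -> list:
    """Flag 5xx responses.  A header parser that is crashed or confused by an
    oversized header shows up as 500-series answers, or as no answer at all,
    so correlate with unexplained restarts as well."""
    findings = []
    for line in lines:
        m = LOG_RE.match(line)
        if not m:
            continue
        status = int(m.group("status"))
        if 500 <= status <= 599:
            findings.append(Finding(m.group("ip"), f"{status} on {m.group('req')!r}"))
    return findings


# Constructed samples (not real traffic).
BENIGN_REQUEST = (
    b"GET /index.html HTTP/1.1\r\nHost: 10.0.0.5\r\n"
    b"Authorization: Basic " + base64.b64encode(b"admin:admin") + b"\r\n\r\n"
)
PROBE_REQUEST = (
    b"GET / HTTP/1.1\r\nHost: 10.0.0.5\r\n"
    b"Authorization: Basic " + b"A" * 600 + b"\r\n\r\n"
)
BOUNDARY_REQUEST = (  # exactly 512 bytes of value: not over the limit
    b"GET / HTTP/1.1\r\nAuthorization: " + b"A" * 512 + b"\r\n\r\n"
)
SAMPLE_LOG = [
    '10.0.0.9 - - [14/May/2026:10:01:02 +0000] "GET /index.html HTTP/1.1" 200 1342',
    '203.0.113.7 - - [14/May/2026:10:02:17 +0000] "GET / HTTP/1.1" 500 0',
    '203.0.113.7 - - [14/May/2026:10:02:18 +0000] "GET / HTTP/1.1" 503 0',
    'garbage line that does not parse',
]

if __name__ == "__main__":
    for req in (BENIGN_REQUEST, PROBE_REQUEST, BOUNDARY_REQUEST):
        for f in check_request(req):
            print("request:", f.source, "-", f.reason)
    for f in scan_access_log(SAMPLE_LOG):
        print("log:", f.source, "-", f.reason)
```

A header of exactly 512 bytes is deliberately not flagged, matching the advisory's "exceeding 512 bytes"; lower HEADER_LIMIT if you would rather see near-misses as well.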

For SCADABr Operators

  1. Update to SCADABr 1.4.0 — the patched version removes the unauthenticated API endpoint and upgrades Commons Collections to 4.x. Removing the endpoint is the part of the fix that matters most: the unsafe functor classes were only made non-deserializable by default in Commons Collections 3.2.2 and 4.1, so confirm which 4.x release the update actually ships. Note that the update requires a database migration and may need a maintenance window of several hours.
  2. Firewall the SCADABr application port (default 8080) — immediately block access from all untrusted networks; the application should never be internet-accessible.
  3. Audit service account privileges — ensure SCADABr runs as a least-privilege account; revoke SYSTEM/root if assigned. The default port 8080 does not need elevated privileges on Linux (only ports below 1024 are privileged) or on Windows, so the usual port-binding justification does not apply.
  4. Review the application’s credential store (/opt/scadabr/conf/datasources.xml) for any credentials that may have been exposed; rotate all database and device credentials stored therein.
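Items 2 and 4 both turn on the same question: who has reached /api/json from outside the management network, and did the endpoint answer them? The following is an added example, not SCADABr project code. It triages access-log lines for requests to the endpoint path the advisory names, classifies the source against an allow-list of management subnets, and records whether the server answered with a 2xx. The log is assumed to be in Tomcat's common access-log format, and MANAGEMENT_NETS and the sample lines are constructed for this example.

```python
"""Triage an access log for hits on the SCADABr REST endpoint from outside the
management network.  Added example, not SCADABr code.  Assumptions: the path
is /api/json as the advisory states, the log is in common access-log format,
and MANAGEMENT_NETS plus the sample lines are constructed."""
import ipaddress
import re
from collections import Counter

API_PATH = "/api/json"
# Constructed: the subnets from which SCADABr management is expected.
MANAGEMENT_NETS = [
    ipaddress.ip_network("10.20.0.0/24"),
    ipaddress.ip_network("192.168.100.0/24"),
]

LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[[^\]]+\] '
    r'"(?P<method>\S+) (?P<path>\S+)[^"]*" (?P<status>\d{3}) \S+'
)


def is_management_source(ip_text: str) -> bool:
    """True when the client address belongs to an allow-listed subnet.
    Unparsable addresses are treated as untrusted rather than ignored."""
    try:
        ip = ipaddress.ip_address(ip_text)
    except ValueError:
        return False
    return any(ip in net for net in MANAGEMENT_NETS)


def hits_api(path: str) -> bool:
    """Match /api/json itself and anything beneath it, ignoring a query string."""
    path = path.split("?", 1)[0]
    return path == API_PATH or path.startswith(API_PATH + "/")


def triage(lines):
    """Return (untrusted_hits, hits_per_source).

    untrusted_hits lists every API request from outside MANAGEMENT_NETS;
    hits_per_source counts API requests per client so the noisiest sources
    can be firewalled and reviewed first.  An 'answered' hit means the
    unauthenticated endpoint served a response to an untrusted client, which
    is reason enough to rotate the credentials in the configuration store."""
    untrusted = []
    per_source = Counter()
    for line in lines:
        m = LOG_RE.match(line)
        if not m or not hits_api(m.group("path")):
            continue
        ip = m.group("ip")
        status = int(m.group("status"))
        per_source[ip] += 1
        if not is_management_source(ip):
            untrusted.append({
                "ip": ip,
                "method": m.group("method"),
                "status": status,
                "answered": 200 <= status < 300,
            })
    return untrusted, per_source


# Constructed log lines (not real traffic).
SAMPLE_LOG = [
    '10.20.0.15 - - [14/May/2026:08:00:01 +0000] "POST /api/json HTTP/1.1" 200 512',
    '198.51.100.23 - - [14/May/2026:08:15:40 +0000] "GET /index.html HTTP/1.1" 200 2048',
    '198.51.100.23 - - [14/May/2026:08:15:41 +0000] "POST /api/json HTTP/1.1" 200 17',
    '198.51.100.23 - - [14/May/2026:08:15:42 +0000] "POST /api/json?x=1 HTTP/1.1" 500 0',
    '192.168.100.8 - - [14/May/2026:09:00:00 +0000] "GET /api/json/points HTTP/1.1" 200 900',
]

if __name__ == "__main__":
    untrusted, per_source = triage(SAMPLE_LOG)
    for hit in untrusted:
        print("untrusted:", hit)
    print("per source:", dict(per_source))
```

A 500 on an untrusted request is not reassuring on its own: a deserialization payload that fails at the last step still got as far as the deserializer, so treat every untrusted hit as a reason to check the host, not only the ones that were answered.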

Tags: cisa, siemens, ruggedcom, scadabr, rce, ics-advisory