| Developers: | Siemens AG |
| Technology: | EAM, APM - Asset Performance Management |
Main article: EAM system
2025
NCCCI warns: Siemens control servers execute injected commands without authorization
In early June, NCCCI issued a warning about two critical vulnerabilities in the Siemens OZW web servers (models OZW672 and OZW772), which are used to manage other devices made by the same company. CVE-2025-26389 was assigned a severity of 10.0 (out of 10) and CVE-2025-26390 a severity of 9.8 (out of 10). Fixes exist for both flaws, although even the information about them is blocked from access from the territory of Russia. There is no information yet about an exploit circulating for either vulnerability.
CVE-2025-26389 lets an outsider remotely execute an operating-system command on behalf of the web server process, with no user interaction required. The flaw is an OS command injection (CWE-78) in the exportDiagramPage function, which does not neutralize special characters in user-supplied input before that input reaches a command line.
CVE-2025-26390 is an SQL injection (CWE-89). Such attacks likewise stem from unfiltered special characters, but in input that is spliced into a query for an SQL DBMS. They let an attacker run an arbitrary SQL query in the context of the database, and from there it is often possible to go on to execute operating-system commands, again without authentication.
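The two bug classes described above, side by side with their fixed forms, as an added example that is not the OZW firmware or any Siemens code: the OZW implementation of exportDiagramPage is not public, so `export_diagram_*` is a hypothetical stand-in whose "export" is simulated with `echo`, and the users table is a constructed in-memory SQLite schema. What the example shows is the mechanism the advisory names: in both cases the attacker's quote or semicolon is parsed as syntax by the shell or the DBMS, and the fix is to keep data out of the syntax channel entirely (argv list with `shell=False`, bound parameters) rather than to escape it.

```python
import re
import sqlite3
import subprocess

# --- CWE-78: OS command injection --------------------------------------------
# Hypothetical page-export handler. The real exportDiagramPage code is not
# public; the export step is simulated with echo so this runs offline.

def export_diagram_vulnerable(page_name: str) -> str:
    # User input is spliced into a shell command string, so ';', '|', '$(...)'
    # in page_name are interpreted by /bin/sh instead of being treated as data.
    cmd = f"echo exporting {page_name}"
    return subprocess.run(cmd, shell=True, capture_output=True, text=True).stdout

PAGE_NAME = re.compile(r"[A-Za-z0-9_.-]{1,64}")   # allow-list, not a deny-list

def export_diagram_hardened(page_name: str) -> str:
    # 1) reject anything outside the allow-list instead of trying to escape it;
    # 2) pass argv as a list with shell=False so no shell ever parses the value.
    if not PAGE_NAME.fullmatch(page_name):
        raise ValueError(f"rejected page name: {page_name!r}")
    return subprocess.run(["echo", "exporting", page_name],
                          capture_output=True, text=True).stdout

def rejected(page_name: str) -> bool:
    """True if the hardened handler refuses page_name."""
    try:
        export_diagram_hardened(page_name)
        return False
    except ValueError:
        return True

# --- CWE-89: SQL injection ---------------------------------------------------

def make_db() -> sqlite3.Connection:
    # Constructed in-memory table; this is not the OZW schema.
    conn = sqlite3.connect(":memory:")
    conn.executescript("""
        CREATE TABLE users(name TEXT, password TEXT, role TEXT);
        INSERT INTO users VALUES ('admin', 's3cret', 'admin'),
                                 ('operator', 'op-pass', 'user');
    """)
    return conn

def login_vulnerable(conn: sqlite3.Connection, user: str, password: str):
    # String formatting hands the quote characters to the attacker:
    # user = "admin' --" comments out the password check entirely.
    query = (f"SELECT role FROM users WHERE name = '{user}' "
             f"AND password = '{password}'")
    row = conn.execute(query).fetchone()
    return row[0] if row else None

def login_hardened(conn: sqlite3.Connection, user: str, password: str):
    # Parameter binding: values travel separately from the SQL text, so a
    # quote inside user is just a character in a string, never syntax.
    row = conn.execute("SELECT role FROM users WHERE name = ? AND password = ?",
                       (user, password)).fetchone()
    return row[0] if row else None

if __name__ == "__main__":
    payload = "diagram1; echo PWNED"
    print(repr(export_diagram_vulnerable(payload)))   # second command runs
    print("hardened rejects payload:", rejected(payload))
    db = make_db()
    print("vulnerable login as:", login_vulnerable(db, "admin' --", "wrong"))
    print("hardened login as:", login_hardened(db, "admin' --", "wrong"))
```

The allow-list in the hardened export handler is the more important of its two measures: even with `shell=False`, an argument such as a path or an option string can still be abused by the called program, so the application should accept only the character set it actually needs.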
| Exploitation of such vulnerabilities can lead to complete compromise of the information system through execution of arbitrary commands with root rights, as well as to theft of its data through the ability to run illegitimate SQL queries, Dmitry Tsarev, head of the cloud cybersecurity solutions department at BI.Zone, warned TAdviser. Siemens OZW web servers are designed for remote monitoring and control of building automation. Data from them can be collected through specialized portals, so there may be no direct Internet access. However, the system is designed from the outset to be connected to a network and can have direct Internet access. Attackers exploiting this vulnerability can gain access to the server and control the connected controllers. |
If vulnerable servers are reachable from outside, attackers may be able to use these vulnerabilities to penetrate the building's internal network. This becomes possible when access is organized incorrectly: port forwarding is left enabled, or access to the product's web interface (ports 80/443) is not restricted by a firewall. The web server is then reachable from the Internet and can be attacked, and attackers locate such exposed servers with public search engines such as Shodan or Censys.
| OZW web servers are specialized devices designed for remote monitoring and control of a wide range of equipment, from heating boilers to complex technological processes, Sergey Matusevich, Director of AI and Web Technologies Development at Artezio, explained to TAdviser. By our estimates, such web servers could be in use at large industrial enterprises, in building management systems, and at power and utility facilities. However, after May 2022 the situation changed dramatically: Siemens officially left the Russian market and stopped supplying all industrial equipment. This means that new installations of such web servers have practically stopped. |
However, the vulnerabilities were found in fairly old versions of the product (from 6.0), so they may well persist for a long time in systems that were installed years ago and are still in operation.
| Popular applications of the Siemens OZW772/OZW672 web servers are automation and management of engineering systems in residential, commercial and public buildings, Irina Dmitriyeva, cyber expert and analyst engineer at the cybersecurity research laboratory of Gazinformservice, commented to TAdviser. Integrators of automation systems supply and deploy OZW servers in many smart-building and shopping-center projects for the convenience of managing engineering networks from a single panel. In large cities (Moscow, St. Petersburg, Yekaterinburg) the likelihood of encountering an OZW server with a "leaky" configuration is higher than in the regions: a significant number of commercial sites with "smart" systems are concentrated there. |
As the expert notes, many system operators do not always understand the need to update software, especially when the update is about strengthening information protection, so the "hole" is highly likely to stay open for a long time right in the middle of an office and to raise the likelihood of penetration into the corporate network.
| Vulnerabilities involving SQL injection and OS command execution are among the top OWASP entries by criticality and allow full control over the system to be gained, Kirill Levkin, MD Audit Product Manager, reminded TAdviser readers. If the server is reachable from the Internet, unauthorized control of the equipment or enlisting the node in a botnet becomes possible. The vulnerability could potentially be exploited for mass attacks on building automation segments or industrial facilities, especially where there is no network segmentation. |
In general, exposing equipment control systems to the Internet is not recommended, even when it is convenient. Better practice is to segment the network properly and place industrial devices in a dedicated segment with heightened event monitoring, one that is not directly reachable by an unlimited set of users. Modern Web Application Firewalls (WAF) can identify SQL injection in user requests, and that capability should be used; a WAF in front of an unpatched device is a compensating control, however, not a fix for the injection itself.
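As an added illustration of the detection side (this is not a product rule set, and not code from the page's author or from Siemens), the following scans reverse-proxy access logs for the two payload shapes discussed in this article: shell metacharacters aimed at a command-injection sink (CWE-78) and quote-plus-comment or UNION SELECT patterns aimed at an SQL sink (CWE-89). The log lines are constructed, the IP addresses are documentation ranges, and `/exportDiagramPage` is a hypothetical URL path chosen only to mirror the function name in the advisory; the real device URLs are not used. The same classifier can run inline in a WAF or offline over logs during incident triage.

```python
import re
from urllib.parse import parse_qsl, urlsplit

# Deliberately narrow signatures for the two bug classes in the advisory.
# A production WAF rule set is far larger; this is a pre-filter and triage aid,
# not a replacement for the vendor fix or for allow-listing in the application.
SHELL_META = re.compile(r"[;&|`]|\$\(|\n")                          # CWE-78
SQLI = re.compile(r"'\s*(--|#|;|or\b|and\b)|\bunion\b\s+(all\s+)?select\b",
                  re.IGNORECASE)                                     # CWE-89

# Common Log Format as written by most reverse proxies.
LOG_LINE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+) (?P<proto>[^"]+)" '
    r'(?P<status>\d{3}) (?P<size>\S+)$')

def classify_request(target: str) -> list:
    """Return one reason per suspicious query parameter in a request target."""
    reasons = []
    # parse_qsl percent-decodes, so %3B and %27 are inspected as ';' and "'"
    # (checking the raw, still-encoded string is a classic WAF bypass).
    for name, value in parse_qsl(urlsplit(target).query, keep_blank_values=True):
        if SHELL_META.search(value):
            reasons.append(f"{name}: shell metacharacter (CWE-78 pattern)")
        if SQLI.search(value):
            reasons.append(f"{name}: SQL injection pattern (CWE-89)")
    return reasons

def scan_log(lines) -> list:
    """Return (client_ip, target, reasons) for each flagged request."""
    hits = []
    for line in lines:
        m = LOG_LINE.match(line)
        if not m:
            continue                      # not CLF; skip rather than guess
        reasons = classify_request(m["target"])
        if reasons:
            hits.append((m["ip"], m["target"], reasons))
    return hits

# Constructed sample log (hypothetical paths, documentation-range IPs).
SAMPLE_LOG = [
    '203.0.113.7 - - [12/Jun/2025:10:01:02 +0300] "GET /exportDiagramPage?page=diagram1 HTTP/1.1" 200 512',
    '203.0.113.7 - - [12/Jun/2025:10:01:09 +0300] "GET /exportDiagramPage?page=diagram1%3Bid HTTP/1.1" 200 734',
    '198.51.100.23 - - [12/Jun/2025:10:02:30 +0300] "POST /login?user=admin%27%20--&pass=x HTTP/1.1" 302 0',
    '192.0.2.5 - - [12/Jun/2025:10:03:00 +0300] "GET /status?note=it%27s+fine HTTP/1.1" 200 100',
]

if __name__ == "__main__":
    for ip, target, reasons in scan_log(SAMPLE_LOG):
        print(ip, target, "; ".join(reasons))
```

Two properties matter when tuning such rules on a building-automation segment: decode before matching, as above, and keep the apostrophe rule conditional on what follows the quote, so that ordinary free-text values ("it's fine" in the fourth line) do not flood the analyst with false positives.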
| You can try to protect yourself from exploitation of SQL injection or OS command injection vulnerabilities in several ways: use classic protection tools, configuring firewalls and a WAF to guard against SQL injection, or install the manufacturer's fixes as quickly as possible, said Daniil Chernov, author of the Solar appScreen product. |
Discovery of a CVSS 10.0 vulnerability
Critical vulnerabilities rated CVSS 10.0 were found in the Siemens OZW672 and OZW772 web servers. Attackers can remotely execute code (RCE) and obtain administrator rights without authentication. OZW672 and OZW772 are used in many industrial controllers and automation systems, including heating and air-conditioning control, which makes these vulnerabilities particularly dangerous. Siemens announced this on May 15, 2025.
| RCE, or remote execution of commands, is literally a jackpot among vulnerabilities, because as a rule it means the ability to gain full access to the attacked system. It is not surprising that such vulnerabilities receive the highest ratings and that vendors seek to close them as soon as possible, or at least to come up with compensating measures, said Sergei Polunin, head of the infrastructure IT solutions protection group at Gazinformservice. |
The cyber expert noted that the vulnerability in the Siemens web servers is a problem squared, because OZW672 and OZW772 are embedded in all kinds of industrial controllers and automation systems for heating and air conditioning.
| You can imagine the problems that exploitation of these vulnerabilities can cause. And it cannot be said that Siemens somehow set up its secure development process poorly, but nevertheless we have what we have. At the same time, on paper all the best practices have long since been invented and described, but problems, as a rule, arise in applying them in practice. And even if you cannot build a full-fledged DevSecOps process, introducing solutions like Efros DefOps improves the quality of the final product. I'm not even talking about building a CI/CD pipeline and bringing in specialized specialists and experts, which many cannot afford, Polunin summed up. |
