Siemens Product Family May 2026 Routine Security Update Advisory
Siemens has issued security updates that address vulnerabilities in a number of its products. The affected products are IE/PB LINK HA, IE/PB link PN IO, Opcenter RDnL, ROS#, RUGGEDCOM APE1808, RUGGEDCOM RM1224 LTE, RUGGEDCOM ROX series, SCALANCE series, SENTRON 7KT PAC1261 Data Manager, SIMATIC S7 and ET 200 series, SIMATIC HMI MTP series, SINAMICS series, SINUMERIK 840D sl, SIMIT UNIT, SITOP family, Simcenter Femap, Solid Edge, blueplanet, and gWAP.
The disclosed vulnerabilities consist of out-of-bounds writes, out-of-bounds reads, heap buffer overflows, stack buffer overflows, use-after-free (UAF), XSS, missing path traversal restrictions, inconsistent interpretation of HTTP requests, missing authentication, use of hard-coded ciphers, missing validation of special elements, and missing validation of OS commands. Some vulnerabilities are rated as high as CVSS 10.0.
Remediation varies by product. Many products need to be updated to a specified version. For example, RUGGEDCOM ROX must be updated to V2.17.1 or later, RUGGEDCOM RM1224 LTE and several SCALANCE M products to V8.3 or later, many SCALANCE W products to V6.6.0 or later, the SCALANCE WAB/WAM/WUB/WUM series to V3.2.0 or later, the SIMATIC HMI MTP series to V21 or later, and SIMATIC CFU to V2.0.0 or later.
For some products, only mitigation measures are given. For IE/PB LINK HA and IE/PB link PN IO, many SCALANCE X/XF/XM/XR devices, SIMIT UNIT, SINAMICS, SINUMERIK, and SITOP, access must be restricted to trusted IP addresses only. For several SIMATIC ET 200SP, SIMATIC S7-1500, SIMATIC S7-300, SIMATIC S7-400 and SIPLUS-related products, TIA project downloads must be restricted to trusted personnel only, or firmware update rights granted to instructed personnel only. Some ET 200pro and ET 200S products require disabling the Ethernet ports on the CPU and using a communication module such as a CP.
For some KACO blueplanet series, the advisory states that a fix is not currently available or planned. The blueplanet gridsafe 110 TL3-S and blueplanet gridsafe 137 TL3-S should be updated to V3.91 or later, and the Unknown Product should be updated to the specified version or later. gWAP should be updated to V3.1.1 or later, Opcenter RDnL should be updated to Apache Artemis 2.52.0 or later, Simcenter Femap should be updated to V2512.0003 or later, and Solid Edge should be updated to SE2026 V226.0.5 or later.
A reference document is provided with recommendations for each product; some items direct you to Siemens customer support or the product support page for more information.