
ICS Patch Tuesday: What Siemens and Schneider Electric Disclosed on May 12 to 13, 2026

Industrial control system security updates deserve a different kind of attention than normal IT patch cycles. In enterprise IT, a critical vulnerability often means "patch quickly." In operational technology environments, the same vulnerability may require staged testing, maintenance windows, vendor coordination, and an understanding of what the affected asset actually controls.

The May 2026 ICS advisories are a good example of why that process matters. Siemens published a large set of ProductCERT advisories, including several high and critical severity issues affecting industrial edge devices, RUGGEDCOM products, SIMATIC systems, SIPROTEC devices, engineering software, and related industrial platforms. Schneider Electric also published several advisories covering EcoStruxure, Easergy, Altivar, EasyLogic, and other product families.

This post walks through the main advisories from the May 12 to 13 window and highlights what defenders should look at first.

Siemens Advisories: The Highest Priority Items

Siemens' May 2026 advisory set contains several issues with CVSS scores in the 9.0 to 10.0 range. These should receive immediate attention, especially where the affected products are exposed, remotely accessible, or used in sensitive industrial environments.

SSA-001536: Authorization Bypass in Siemens Industrial Edge Devices

This advisory carries a CVSS score of 10, the highest possible severity rating.

Authorization bypass vulnerabilities are especially serious in industrial environments because they can allow an attacker to access functions they should not be able to reach. In edge environments, that may affect applications, device management, deployment workflows, or operational visibility.

Organizations using Siemens Industrial Edge Devices should verify affected versions, review exposure, and prioritize remediation.

SSA-967325: PAN-OS Buffer Overflow on RUGGEDCOM APE1808 Devices

This advisory also carries a CVSS score of 10.

The issue involves Palo Alto Networks PAN-OS running on RUGGEDCOM APE1808 devices. A buffer overflow vulnerability at this severity level can potentially lead to remote code execution, depending on the specific conditions described by the vendor.

This is one of the most important advisories in the set because it combines three risk factors:

  • A critical vulnerability
  • A security appliance or network-facing technology
  • Deployment inside or near industrial networks

Any organization using Palo Alto security functions on RUGGEDCOM APE1808 devices should review this advisory carefully.

SSA-975644: Multiple Fortigate NGFW Vulnerabilities on RUGGEDCOM APE1808

This advisory has a CVSS score of 9.8.

It covers multiple vulnerabilities in Fortigate NGFW on RUGGEDCOM APE1808 devices. Security appliances are often treated as trusted infrastructure, but when they are vulnerable, they can become high-value targets. In OT networks, these devices may sit between enterprise IT, remote access zones, DMZs, and industrial segments.

The key action here is to confirm whether RUGGEDCOM APE1808 devices are running affected Fortigate versions and whether they are exposed to untrusted networks.

SSA-577017, SSA-081142, SSA-078743, and SSA-973901: RUGGEDCOM ROX Vulnerabilities

Several advisories affect RUGGEDCOM ROX before version 2.17.1.

These include:

  • SSA-577017 — multiple vulnerabilities, CVSS 9.8
  • SSA-081142 — arbitrary code execution, CVSS 9.1
  • SSA-078743 — remote code execution, CVSS 7.5
  • SSA-973901 — arbitrary file disclosure, CVSS 6.8

RUGGEDCOM devices are commonly used in harsh industrial and utility environments. That makes these advisories particularly important for sectors such as energy, transportation, manufacturing, water, and critical infrastructure.

The recurring remediation point is clear: environments using affected RUGGEDCOM ROX versions should evaluate upgrading to ROX 2.17.1 or later, following Siemens' official guidance and internal OT change-control procedures.

Siemens SIMATIC Advisories

Several Siemens advisories affect SIMATIC products, including PLCs, HMIs, IPCs, and S7-1500 components.

SSA-688146: Cross-Site Scripting in SIMATIC S7 PLC Web Server

This advisory has a CVSS score of 9.1.

Cross-site scripting is often underestimated in industrial environments because it sounds like a web application issue. However, many industrial devices include web-based management interfaces. If those interfaces are reachable by operators, engineers, or administrators, XSS may be used to steal sessions, manipulate user actions, or pivot through trusted browsers.

For SIMATIC S7 PLCs, teams should review whether web server functionality is enabled, who can access it, and whether compensating controls are in place.

SSA-452276: Eval Injection in SIMATIC S7-1500

This advisory has a CVSS score of 9.6.

Eval injection vulnerabilities can be dangerous because they may allow attacker-controlled input to be executed in unintended ways. In PLC-related environments, that risk needs to be assessed very carefully.

This advisory should be reviewed by any organization using affected SIMATIC S7-1500 products, especially where engineering access, web interfaces, or network exposure are present.

SSA-082556 and SSA-265688: GNU/Linux Subsystem Vulnerabilities in SIMATIC S7-1500 MFP Products

Two advisories cover vulnerabilities in the additional GNU/Linux subsystem of SIMATIC S7-1500 MFP products:

  • SSA-082556 — affecting SIMATIC S7-1500 CPU 1518(F)-4 PN/DP MFP V3.1.5, CVSS 9.8
  • SSA-265688 — affecting SIMATIC S7-1500 TM MFP V1.1, CVSS 9.1

These advisories matter because modern industrial devices increasingly include embedded operating systems, add-on compute environments, and Linux-based subsystems. That expands the attack surface beyond traditional PLC logic.

Security teams should not treat these as normal PLC-only issues. They should involve both OT engineers and system and security administrators who understand the Linux subsystem components.

SSA-032379: Multiple Vulnerabilities in SIMATIC CN 4100 Before V5.0

This advisory has a CVSS score of 9.6.

The SIMATIC CN 4100 advisory is another high-priority item because it involves multiple vulnerabilities and a clearly identified fixed version threshold: before V5.0.

Where SIMATIC CN 4100 is deployed, teams should identify version levels, validate upgrade paths, and determine whether the system is reachable from engineering workstations, maintenance networks, or remote access paths.

SSA-387223: Control Panel Escape Vulnerability on SIMATIC HMI Unified Comfort

This advisory has a CVSS score of 7.7.

The issue affects SIMATIC HMI Unified Comfort before V21.0. Control panel escape vulnerabilities can allow users to break out of restricted interfaces and access functions that should not be available from the HMI environment.

In production environments, this type of vulnerability can matter even when network exposure is limited, because physical or local operator access may still be relevant.

Siemens Power, Protection, and Industrial Communication Advisories

SSA-904646 and SSA-786884: SIPROTEC 5 Vulnerabilities

Two advisories affect SIPROTEC 5 devices:

  • SSA-904646 — sensitive data exposure, CVSS 5.3
  • SSA-786884 — insufficient randomness in session identifiers, CVSS 5.3

These are medium-severity issues, but SIPROTEC devices are commonly associated with electrical protection and substation environments. In critical infrastructure, even medium-severity vulnerabilities may deserve close review if the asset is safety-relevant or remotely accessible.

SSA-723487: RADIUS Protocol Forgery Impact on SCALANCE, RUGGEDCOM, and Related Products

This advisory has a CVSS score of 9.0 and relates to CVE-2024-3596.

Authentication infrastructure weaknesses can have broad consequences because RADIUS is often used for centralized access control. If affected products rely on vulnerable RADIUS behavior, attackers may be able to abuse authentication flows under certain conditions.

This advisory should be reviewed by teams using SCALANCE, RUGGEDCOM, or related Siemens products with RADIUS-based authentication.

SSA-280834: OpenVPN Credential Validation Issue in SCALANCE M-800 and SC-600

This advisory has a CVSS score of 3.7, so it is lower severity than many others in this cycle.

Even so, VPN-related advisories should not be ignored. Remote access into OT environments remains one of the most sensitive areas of industrial security. Organizations should verify whether affected SCALANCE products are part of remote maintenance or third-party access paths.

Siemens Engineering and Software Advisories

Not all ICS risk comes from field devices. Engineering workstations, design tools, and management software are also important because they often have privileged access to industrial environments.

SSA-921111: File Parsing Vulnerabilities in Solid Edge Before SE226 Update 5

This advisory has a CVSS score of 7.8.

File parsing vulnerabilities are commonly triggered by opening malicious files. In an engineering context, this can be relevant because design files, project files, and vendor-supplied documents may be exchanged between teams.

Organizations using Solid Edge should update to SE226 Update 5 or later, where applicable.

SSA-870926: Datakit Vulnerability in Simcenter Femap

This advisory has a CVSS score of 7.8.

Like the Solid Edge issue, this appears relevant to engineering workflows. Attackers often target users through malicious files because engineering workstations can have access to sensitive designs, project data, and industrial systems.

SSA-827383: Multiple Vulnerabilities in Teamcenter

This advisory has a CVSS score of 7.5.

Teamcenter is often used for product lifecycle management. Vulnerabilities in PLM environments can have security and business impact because these systems may contain intellectual property, design data, project documentation, and supplier information.

SSA-876049: Axios Prototype Pollution Affecting Siemens gWAP Before V3.1.1

This advisory has a CVSS score of 8.0.

Prototype pollution vulnerabilities affect JavaScript-based software components and can sometimes lead to application logic abuse, denial of service, or code execution depending on the application context. Siemens gWAP users should review whether they are running a version before V3.1.1.

SSA-085541: Missing Authentication in ActiveMQ Artemis in Opcenter RDnL

This advisory has a CVSS score of 9.8.

Missing authentication in a critical function is one of the more serious classes of vulnerability. If an unauthenticated attacker can access sensitive messaging or application functions, the impact can be significant.

Organizations using Opcenter RDnL should treat this as a high-priority review item.

Other Siemens Advisories Worth Noting

Several additional Siemens advisories were also listed in the May 12 set:

  • SSA-545643 — multiple vulnerabilities in KACO Blueplanet Inverters, CVSS 8.3
  • SSA-392349 — denial of service in industrial devices, CVSS 7.5
  • SSA-357982 — path traversal in ROS# before 2.2.2, CVSS 9.1
  • SSA-216014 — EFI variable vulnerabilities in SIMATIC IPCs, Tablet PCs, and Field PGs, CVSS 8.2
  • SSB-295699 — configuration guidance for Microsoft Defender Antivirus for SIMATIC PCS 7 and SIMATIC PCS neo

The Defender configuration bulletin is not a traditional vulnerability advisory, but it is still useful. Antivirus configuration in industrial systems needs to be handled carefully because overly aggressive scanning can affect performance, availability, or compatibility.

Schneider Electric Advisories from May 12, 2026

Schneider Electric also published several advisories on May 12. These affect EcoStruxure, Easergy, EasyLogic, Altivar, Uni-Telway, and other Schneider product families.

EcoStruxure Machine Expert HVAC: Cleartext Storage of Sensitive Information

This advisory covers CVE-2026-6332 and affects EcoStruxure Machine Expert HVAC versions prior to 1.10.0.

Cleartext storage of sensitive information can expose credentials, secrets, or configuration data if an attacker gains local access, filesystem access, or backup access. Teams using this software should verify whether sensitive data is stored insecurely and update where possible.

Multiple Schneider Products: Insufficient Entropy

This advisory covers CVE-2026-4827.

Insufficient entropy means a system may generate values that are easier to predict than expected. In security contexts, that can affect session identifiers, tokens, keys, or other values that should be random. Teams should check the official advisory against their own product inventory.

EasyLogic T150 and Saitel DP RTU: Path Traversal

This advisory covers CVE-2026-6865.

Affected products include:

  • EasyLogic T150 Remote Terminal Unit and Controller, versions 11.06.31 and prior
  • Saitel DP Remote Terminal Unit and Controller, versions 11.06.36 and prior

Path traversal vulnerabilities can allow attackers to access files outside intended directories. In RTU environments, this may expose configuration files or other sensitive data.

EcoStruxure Panel Server: Insecure Default Initialization

This advisory covers CVE-2026-6866.

Affected products include EcoStruxure Panel Server models PAS400, PAS600, PAS600V2, PAS800, and PAS800V2 at versions 002.005.000 and prior.

Insecure defaults are important because many industrial deployments rely on long-lived configurations. If a device is deployed with insecure default behavior and not hardened afterward, that weakness can persist for years.

Easergy MiCOM Px40 Series: Hard-Coded Credentials

This advisory covers CVE-2026-4832.

Hard-coded credentials are a serious issue in operational environments because they may allow unauthorized access across many devices if the credential becomes known. The affected product list includes many Easergy MiCOM relay families, including P14x, P24x, P34x, P44x, P54x, P64x, P74x, P84x, and related models depending on version.

Protection relays are sensitive assets. This advisory should be reviewed carefully by utilities and industrial sites using Easergy MiCOM Px40 devices.

EcoStruxure Process Expert: Incorrect Default Permissions and Privilege Management

Two Schneider advisories affect EcoStruxure Process Expert:

  • CVE-2025-13905 — incorrect default permissions
  • CVE-2025-0327 — improper privilege management

These issues affect EcoStruxure Process Expert and EcoStruxure Process Expert for AVEVA System Platform across specific versions.

Permission and privilege vulnerabilities can be especially relevant where engineering software is shared by multiple users or integrated with larger automation environments.

Altivar Drives and Communication Modules: Cross-Site Scripting

This advisory covers CVE-2025-7746.

Affected products include multiple Altivar Process Drives, Altivar Machine Drives, Altivar Soft Starters, communication modules, and related devices.

As with the Siemens PLC web server advisory, XSS in industrial devices should not be dismissed. Web interfaces on drives and communication modules may be reachable from engineering networks and could expose operators or administrators to session theft or malicious actions.

Uni-Telway Driver: Improper Input Validation

This advisory covers CVE-2024-10083.

The affected software includes the Uni-Telway driver and products that use it, including EcoStruxure Control Expert, EcoStruxure Process Expert, EcoStruxure Process Expert for AVEVA System Platform, and OPC Factory Server.

Driver-level vulnerabilities are important because drivers often sit close to communication paths between engineering tools and industrial devices.

FlexNet Publisher Vulnerability Across Schneider Software

This advisory covers CVE-2024-2658 in the Revenera FlexNet Publisher component.

Affected Schneider products include EcoStruxure Control Expert, Process Expert, OPC UA Server Expert, Machine Expert, Operator Terminal Expert, Vijeo Designer, Zelio Soft 2, and others.

Third-party component vulnerabilities are a recurring issue in industrial software. Even when the vulnerability is not in the vendor's own code, the affected component may still create risk inside deployed engineering or operations environments.

How to Prioritize These Advisories

A practical triage approach should start with three questions.

First, is the affected product present in the environment?

Second, is it reachable from an untrusted network, remote access path, enterprise IT network, vendor connection, or shared engineering workstation?

Third, what would happen if the system became unavailable, was modified, or was used as a pivot point?

Based on the advisories listed, the most urgent review areas are:

  • Siemens Industrial Edge Devices affected by SSA-001536
  • RUGGEDCOM APE1808 devices affected by PAN-OS or Fortigate NGFW vulnerabilities
  • RUGGEDCOM ROX devices before 2.17.1
  • SIMATIC S7-1500 and SIMATIC S7 PLC web server advisories
  • SIMATIC CN 4100 before V5.0
  • Opcenter RDnL affected by the ActiveMQ Artemis authentication issue
  • Schneider EasyLogic and Saitel RTUs affected by path traversal
  • Schneider EcoStruxure Panel Server affected by insecure default initialization
  • Easergy MiCOM Px40 devices affected by hard-coded credentials
  • Engineering workstations running affected Siemens or Schneider engineering software

Recommended Defensive Actions

Asset owners should begin by mapping the advisory list against the real OT inventory. This should include firmware versions, software versions, network zones, remote access exposure, and whether affected services are enabled.
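The inventory mapping described above, combined with the three triage questions, can be sketched in a few lines of Python. This is an added example, not code from either vendor: the asset names, the inventory layout, the 1 to 3 impact scale, and the sort order (exposure, then impact, then CVSS) are assumptions, while the version thresholds and scores are the ones quoted in this post.

```python
from dataclasses import dataclass
from itertools import zip_longest
from typing import Optional

def parse_version(text):
    """'V5.0' -> (5, 0); '002.005.000' -> (2, 5, 0). Numeric dotted versions only."""
    return tuple(int(part) for part in text.strip().lstrip("Vv").split("."))

def compare(a, b):
    """Return -1, 0 or 1, padding with zeros so that 'V5' equals 'V5.0'."""
    for x, y in zip_longest(parse_version(a), parse_version(b), fillvalue=0):
        if x != y:
            return -1 if x < y else 1
    return 0

@dataclass(frozen=True)
class Advisory:
    ref: str
    product: str
    bound: str
    inclusive: bool        # True for "X and prior", False for "before X"
    cvss: Optional[float]  # None where this post gives no score

    def affects(self, version):
        c = compare(version, self.bound)
        return c < 0 or (self.inclusive and c == 0)

# Thresholds and scores as stated in this post; confirm against the vendor advisory.
ADVISORIES = [
    Advisory("SSA-577017", "RUGGEDCOM ROX", "2.17.1", False, 9.8),
    Advisory("SSA-032379", "SIMATIC CN 4100", "V5.0", False, 9.6),
    Advisory("SSA-387223", "SIMATIC HMI Unified Comfort", "V21.0", False, 7.7),
    Advisory("CVE-2026-6865", "EasyLogic T150", "11.06.31", True, None),
    Advisory("CVE-2026-6866", "EcoStruxure Panel Server", "002.005.000", True, None),
]

# Constructed sample inventory:
# (asset, product, version, reachable from an untrusted zone, impact 1-3)
INVENTORY = [
    ("sub1-router", "RUGGEDCOM ROX", "2.16.4", True, 3),
    ("sub2-router", "RUGGEDCOM ROX", "2.17.1", True, 3),
    ("line4-gw", "SIMATIC CN 4100", "V5", False, 2),
    ("press-hmi", "SIMATIC HMI Unified Comfort", "V20.0", False, 2),
    ("pump-rtu", "EasyLogic T150", "11.06.31", False, 3),
    ("mcc-panel", "EcoStruxure Panel Server", "002.005.001", True, 1),
]

def triage(inventory, advisories=ADVISORIES):
    """Return (asset, advisory ref) pairs for affected assets, most urgent first."""
    hits = []
    for asset, product, version, exposed, impact in inventory:
        for adv in advisories:
            if adv.product == product and adv.affects(version):
                # Assumed ordering: exposure first, then impact, then CVSS.
                hits.append(((exposed, impact, adv.cvss or 0.0), asset, adv.ref))
    hits.sort(key=lambda h: h[0], reverse=True)
    return [(asset, ref) for _, asset, ref in hits]

if __name__ == "__main__":
    for asset, ref in triage(INVENTORY):
        print(asset, ref)
```

The distinction between "before X" and "X and prior" decides whether a device sitting exactly on the boundary version is flagged, so it is worth encoding explicitly rather than treating every threshold the same way.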

Where patching is not immediately possible, compensating controls should be considered. These may include restricting access to management interfaces, disabling unnecessary web services, isolating affected devices, tightening VPN access, monitoring for suspicious authentication activity, and reviewing firewall rules between IT and OT zones.

For engineering software vulnerabilities, organizations should also review file-handling procedures. Malicious project files, design files, or imported documents can be a realistic attack path against engineering workstations.

Finally, all updates should follow OT change-management procedures. In industrial environments, the safest patch is the one that has been tested, scheduled, backed up, and coordinated with operations.

Final Note

These advisories highlight the importance of tracking ICS Patch Tuesday updates, but they do not represent every vendor or every affected industrial environment. Siemens and Schneider Electric are major vendors, and they are useful to analyze, but they are not the whole ICS ecosystem. Asset owners should also check advisories from their own vendors, including device manufacturers, software suppliers, integrators, and managed service providers.


This report is based on vendor advisories available for the May 12 to 13, 2026 ICS security cycle. It is intended to help operations and security teams prioritize reviews. Please verify patch status and compensating controls directly with each vendor. This is not a complete list of all May 2026 ICS security updates.

Sources:

  • Schneider Electric Security Notifications
  • Siemens ProductCERT Advisories