SSA-609469

Siemens Security Advisory by Siemens ProductCERT

SSA-609469: Authorization Bypass Vulnerability in Industrial Edge Management

Publication Date:	2026-04-14
Last Update:	2026-04-14
Current Version:	V1.0
CVSS v3.1 Base Score:	7.1
CVSS v4.0 Base Score:	5.1

SUMMARY

Industrial Edge Management contains an authorization bypass vulnerability that could be exploited by an unauthenticated remote attacker to circumvent authentication and to access connected Industrial Edge Devices through the remote connection feature.

Siemens has released new versions for the affected products and recommends to update to the latest versions.

KNOWN AFFECTED PRODUCTS

Un-/Collapse All

Affected Product and Versions	Remediation
Industrial Edge Management Pro V1 All versions >= V1.7.6 < V1.15.17 affected by CVE-2026-33892	Update to V1.15.17 or later version https://iehub.eu1.edge.siemens.cloud/ See further recommendations from section Mitigations
Industrial Edge Management Pro V2 All versions >= V2.0.0 < V2.1.1 affected by CVE-2026-33892	Update to V2.1.1 or later version https://iehub.eu1.edge.siemens.cloud/ See further recommendations from section Mitigations
Industrial Edge Management Virtual All versions >= V2.2.0 < V2.8.0 affected by CVE-2026-33892	Update to V2.8.0 or later version https://iehub.eu1.edge.siemens.cloud/ See further recommendations from section Mitigations

MITIGATIONS

Siemens has identified the following specific mitigations that customers can apply to reduce the risk:

Ensure network access to affected products is limited to trusted parties only

Product-specific remediations or mitigations can be found in the section Known Affected Products.
Please follow the General Security Recommendations.

GENERAL SECURITY RECOMMENDATIONS

As a general security measure, Siemens strongly recommends to protect network access to devices with appropriate mechanisms. In order to operate the devices in a protected IT environment, Siemens recommends to configure the environment according to Siemens' operational guidelines for Industrial Security (Download: https://www.siemens.com/cert/operational-guidelines-industrial-security), and to follow the recommendations in the product manuals. Additional information on Industrial Security by Siemens can be found at: https://www.siemens.com/industrialsecurity

PRODUCT DESCRIPTION

Industrial Edge represents an open, ready-to-use Edge computing platform consisting of Edge devices, Edge apps, Edge connectivity, and an application and device management infrastructure.

VULNERABILITY DESCRIPTION

Un-/Collapse All

This chapter describes all vulnerabilities (CVE-IDs) addressed in this security advisory. Wherever applicable, it also documents the product-specific impact of the individual vulnerabilities.

Vulnerability CVE-2026-33892

Affected management systems do not properly enforce user authentication on remote connections to devices. This could facilitate an unauthenticated remote attacker to circumvent authentication and impersonate a legitimate user. Successful exploitation requires that the attacker has identified the header and port used for remote connections to devices and that the remote connection feature is enabled for the device.

Exploitation allows the attacker to tunnel to the device. Security features on this device itself (e.g. app specific authentication) are not affected.

CVSS v3.1 Base Score	7.1
CVSS v3.1 Vector	CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:L
CVSS v4.0 Base Score	5.1
CVSS v4.0 Vector	CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:A/VC:N/VI:L/VA:N/SC:L/SI:L/SA:L
CWE	CWE-305: Authentication Bypass by Primary Weakness

ADDITIONAL INFORMATION

For further inquiries on security vulnerabilities in Siemens products and solutions, please contact the Siemens ProductCERT: https://www.siemens.com/cert/advisories

HISTORY DATA

V1.0 (2026-04-14):

Publication Date

The use of Siemens Security Advisories is subject to the terms and conditions listed on: https://www.siemens.com/productcert/terms-of-use.