CVE-2025-26390
CRITICAL: Siemens OZW672 and OZW772 Firmware < 6.0 - Unauthenticated SQL Injection in Authentication Check
Title source: llmDescription
A vulnerability has been identified in OZW672 (All versions < V6.0), OZW772 (All versions < V6.0). The web service of affected devices is vulnerable to SQL injection when checking authentication data. This could allow an unauthenticated remote attacker to bypass the check and authenticate as Administrator user.
References (1)
Vendor Advisory: https://cert-portal.siemens.com/productcert/html/ssa-047424.html
Scores
CVSS v3: 9.8
EPSS: 0.0034
EPSS Percentile: 56.8%
Attack Vector: NETWORK
CVSS Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
CISA SSVC (Vulnrichment)
Exploitation: none
Automatable: yes
Technical Impact: total
Details
CWE: CWE-89
Status: published
Products (2)
siemens/ozw672_firmware: < 6.0
siemens/ozw772_firmware: < 6.0
Published: May 13, 2025
Tracked Since: Feb 18, 2026