www.cisa.gov · 5/14/2026, 3:11:49 PM

Siemens gWAP hit by RCE flaw via Axios library, patch now advised

CyberSIXT Evidence Panel (CVE Intel)
CISA KEV: Not in KEV
Patch: Available

Siemens gWAP is affected by a remote code execution vulnerability introduced through a third-party component, the Axios HTTP client library. The flaw involves a specific "Gadget" attack chain enabling prototype pollution in third-party dependencies. According to Siemens ProductCERT, it could allow an attacker to execute arbitrary code. Siemens has released a new version of gWAP and recommends that users update to V3.1.1 or later.

The affected Siemens gWAP versions are listed as gWAP vers:intdot/<3.1.1, that is, all versions before V3.1.1. The vulnerability is tracked as CVE-2026-40175 with a CVSS v3.1 base score of 8 (HIGH). Affected products fall under the Siemens gWAP family, and remediation guidance includes applying the vendor fix to mitigate the risk.

CISA’s advisory reiterates general defensive measures such as minimising network exposure and ensuring devices are operated in protected IT environments, with recommendations to follow Siemens’ Industrial Security guidelines.


Article by CyberSIXT