www.cisa.gov 5/14/2026, 3:11:12 PM

Critical Path Traversal Flaw in Siemens ROS# File Server Exposed

CyberSIXT Evidence Panel
Primary Source: github.com
CISA KEV: Not in KEV
Patch: Patch Status Unknown

According to Siemens ProductCERT advisory SSA-357982, Siemens ROS# contains a ROS service, file_server, that before version 2.2.2 exposes a path traversal vulnerability allowing a remote attacker to read and write arbitrary files on the system hosting the service. The affected versions are ROS# vers:intdot/<2.2.2, that is, all versions before 2.2.2. The vulnerability is tracked as CVE-2026-41551 and has a CVSS v3.1 base score of 9.1 (CRITICAL). The affected product is Siemens ROS#.

Siemens has released a new version and recommends updating to V2.2.2 or later. Its mitigations include running file_server only on a trusted network, applying appropriate user rights, and avoiding a continuously running background service for file transfers. CISA notes general defensive measures, such as minimising network exposure and isolating control system devices behind firewalls, and provides additional guidance alongside references to ICS security practices. This advisory was published on 14 May 2026 and is part of CISA’s ICS Advisories series, identified as ICSA-26-134-08.
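For asset inventory, the affected range quoted above can be evaluated mechanically. The following is an added example, not code from Siemens, CISA or the ROS# project. It assumes that `vers:intdot` denotes dot-separated integers compared numerically and that 2.2 equals 2.2.0; the host names and versions in `SAMPLE` are constructed.

```python
import operator
import re

AFFECTED = "vers:intdot/<2.2.2"  # affected range as printed in the advisory text
OPS = {"<": operator.lt, "<=": operator.le, ">": operator.gt, ">=": operator.ge}

def parse_intdot(version):
    """'V2.2.2' -> (2, 2, 2); trailing zeros dropped so 2.2 == 2.2.0 (assumption)."""
    m = re.fullmatch(r"[vV]?(\d+(?:\.\d+)*)", version.strip())
    if not m:
        raise ValueError(f"not a dotted-integer version: {version!r}")
    parts = [int(p) for p in m.group(1).split(".")]
    while parts and parts[-1] == 0:
        parts.pop()
    return tuple(parts)

def parse_vers(spec):
    """'vers:intdot/>=1.0|<2.2.2' -> [('>=', (1,)), ('<', (2, 2, 2))]."""
    scheme, _, body = spec.partition("/")
    if scheme != "vers:intdot":
        raise ValueError(f"unsupported range: {spec!r}")
    bounds = []
    for item in body.split("|"):
        m = re.fullmatch(r"(<=|>=|<|>)(.+)", item.strip())
        if not m:  # '=', '!=' and '*' constraints are outside this example
            raise ValueError(f"unsupported constraint: {item!r}")
        bounds.append((m.group(1), parse_intdot(m.group(2))))
    return bounds

def is_affected(version, spec=AFFECTED):
    """True if version lies in an interval of spec; ValueError if unreadable."""
    v, bounds = parse_intdot(version), parse_vers(spec)
    while bounds:
        op, bound = bounds.pop(0)
        hit = OPS[op](v, bound)
        if op[0] == ">" and bounds and bounds[0][0][0] == "<":
            op, bound = bounds.pop(0)  # lower bound + next upper bound = one interval
            hit = hit and OPS[op](v, bound)
        if hit:
            return True
    return False

def triage_version(version, spec=AFFECTED):
    """'affected' | 'not affected' | 'unknown' for one installed version string."""
    try:
        return "affected" if is_affected(version, spec) else "not affected"
    except ValueError:  # never report an unreadable version as patched
        return "unknown"

SAMPLE = {"cell-a": "2.2.1", "cell-b": "V2.2.2", "lab-1": "2.10.0", "lab-2": "dev"}  # constructed
```

Comparing the components as integers matters here: a plain string comparison would sort 2.10.0 before 2.2.2 and flag a fixed installation as affected.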


Article by CyberSIXT