
Siemens SENTRON 7KT PAC1261 Data Manager

[View CSAF](https://github.com/cisagov/CSAF/blob/develop/csaf_files/OT/white/2026/icsa-26-134-14.json)

## Summary

**The web server in SENTRON 7KT PAC1261 Data Manager before V2.1.0 contains a request smuggling vulnerability in the Go Project's net/http package that could allow an attacker to retrieve authorization tokens that can be used to gain administrative control over the device. Siemens has released a new version for SENTRON 7KT PAC1261 Data Manager and recommends updating to the latest version.**

The following versions of Siemens SENTRON 7KT PAC1261 Data Manager are affected:

- SENTRON 7KT PAC1261 Data Manager vers:intdot/<2.1.0

| CVSS | Vendor | Equipment | Vulnerabilities |
| --- | --- | --- | --- |
| v3 9.1 | Siemens | Siemens SENTRON 7KT PAC1261 Data Manager | Inconsistent Interpretation of HTTP Requests ('HTTP Request/Response Smuggling') |

### Background

- **Critical Infrastructure Sectors:** Energy
- **Countries/Areas Deployed:** Worldwide
- **Company Headquarters Location:** Germany

## Vulnerabilities

### CVE-2025-22871

The net/http package improperly accepts a bare LF as a line terminator in chunked data chunk-size lines. This can permit request smuggling if a net/http server is used in conjunction with a server that incorrectly accepts a bare LF as part of a chunk-ext.

[View CVE Details](https://www.cve.org/CVERecord?id=CVE-2025-22871)

#### Affected Products

##### Siemens SENTRON 7KT PAC1261 Data Manager

- **Vendor:** Siemens
- **Product Version:** SENTRON 7KT PAC1261 Data Manager
- **Product Status:** known_affected

###### Remediations

- **Mitigation:** Use encrypted protocols
- **Vendor fix:** Update to V2.1.0 or later version: https://support.industry.siemens.com/cs/ww/en/view/109977717/

**Relevant CWE:** [CWE-444 Inconsistent Interpretation of HTTP Requests ('HTTP Request/Response Smuggling')](https://cwe.mitre.org/data/definitions/444.html)

#### Metrics


Originally published by CISA

Source: https://www.cisa.gov/news-events/ics-advisories/icsa-26-134-14
