Siemens Patches Four Flaws in SICAM 8 Grid Kit, Including a Firmware Signing Bypass
The German industrial giant is pushing V26.20 firmware for gear that sits inside power stations. One bug lets an insider install their own firmware.

Key points
- Siemens has released firmware version V26.20 for its SICAM 8 family of grid control devices, fixing four security flaws disclosed through CISA in 2026.
- The most serious bug, CVE-2026-54801, scores 7.2 on the industry severity scale and lets a logged-in attacker hand themselves admin rights through the web interface.
- A separate flaw, CVE-2026-54799, lets an attacker with local access install fake firmware that survives reboots.
- The affected kit runs inside power grids in the Critical Manufacturing and Energy sectors worldwide.
- Siemens says operators should patch, keep the devices off the open internet, and put them behind firewalls.
Siemens has shipped fixes for four vulnerabilities in its SICAM 8 line, a family of controllers used by electricity companies to run substations and other bits of the power grid. The bugs were reported through the US Cybersecurity and Infrastructure Security Agency, better known as CISA, which publishes advisories on flaws in industrial equipment.
The affected products carry names only a substation engineer could love: the SICAM A8000, the CP-8031 and CP-8050, the CP-8010 and CP-8012, and the SICAM EGS and S8000. Under the hood they share two firmware bases, CPCI85 and SICORE. Both need to be on version 26.20 or later.
None of the four bugs is a remote, no-login catastrophe. All of them require an attacker who is already inside the network or already has an account. But the machines in question are the ones that keep the lights on, so the bar for "acceptable" is low.
What can an attacker actually do with these bugs?
The short answer: crash the device, sneak in bad firmware, or promote themselves to admin, depending on which flaw they reach first.
The headline flaw is CVE-2026-54801, scored 7.2 out of 10. Siemens describes it as "insufficient validation of authentication credentials when processing administrative account modifications." In plain English: the web interface does not properly check who is asking before it changes an admin account. A user with a low-privilege login can promote themselves.
Then there is CVE-2026-54799, scored 6.7. This one lives in the firmware update process. The device does not properly check the digital signature, the cryptographic stamp that proves an update really came from Siemens, before installing it. An attacker with local access can load their own firmware and it will stay there through reboots. That is the industrial control equivalent of a rootkit, which is malicious software buried so deep in a machine that normal clean-ups miss it.
CVE-2026-54798 is a leftover debugging feature reachable over the web. A logged-in attacker can hit those endpoints and crash the web process, knocking the management interface offline. Left-behind debug code in a shipping product is one of the oldest sins in software, and industrial vendors are not immune.
Finally, CVE-2026-54800 is a configuration choice rather than a coding bug. The devices ship with all security features of OPC UA, an industrial communication standard, switched off by default. Anyone who plugs one in and forgets to turn security on is running wide open.
Should the public be worried?
Probably not directly. These devices are not sitting on your home router. They are inside utility substations, and the flaws need either network access or an existing login. A random criminal on the internet is not going to walk into one of these.
The risk that matters is a targeted attacker: someone who has already phished a contractor, gained a foothold on an engineering laptop, or bribed an insider. For that kind of adversary, CVE-2026-54799 is a gift. Persistent firmware access to grid gear is exactly what state-level attackers have been caught building toward in past incidents.
Siemens' own guidance is worth reading straight: patch to V26.20, keep these devices off the public internet, put them behind firewalls, and segment the network so a compromise in the office IT side cannot walk straight into the operational side. Grid operators are also reminded that redundant protection schemes, the physical fallbacks that stop a single failure from cascading, are part of the defence too.
If you run this kit, the firmware bundles are on Siemens' industry support portal. If you do not, this is still a useful reminder that the machines running the physical world get patched on a schedule measured in months, not hours.



