CVE-2026-22924 -- CVSS 9.1 Vulnerability Briefing

CVE-2026-22924 | CVSS 9.1 (Critical) | Exploit: No known exploit

What Is It

CVE-2026-22924 is an unauthenticated resource exhaustion vulnerability affecting Siemens SIMATIC CN 4100 communication nodes running firmware versions prior to V5.0, exposing the device to denial-of-service conditions from the network without requiring credentials.

Technical Detail

The flaw stems from the application's failure to enforce connection limits or authentication requirements on incoming network connections, allowing an unauthenticated remote attacker to exhaust available system resources by flooding the device with connections or requests. Successful exploitation results in a denial-of-service condition, rendering the CN 4100 unavailable and potentially disrupting industrial communication processes dependent on the device. No privilege escalation or remote code execution has been confirmed as part of this vulnerability's impact chain, but availability loss in operational technology environments can carry significant downstream consequences.

Exploitation Status

No known exploit code has been observed or published as of May 19, 2026. This vulnerability is not listed in CISA's Known Exploited Vulnerabilities catalog. Exploit maturity is assessed as "no known exploit": active in-the-wild exploitation has not been confirmed at this time.

Who Is Targeting This

No specific threat actor has been attributed at this time. The vulnerability affects industrial control system hardware, a category that has historically drawn interest from state-sponsored actors and ransomware groups targeting operational technology environments, but no campaigns or actors have been linked to this CVE specifically.

What To Do

Siemens has addressed this vulnerability in SIMATIC CN 4100 firmware V5.0 and later. Operators should prioritize upgrading all affected devices to V5.0 or above as the primary remediation. Where immediate patching is not feasible, network-level controls should be applied to restrict access to the CN 4100 management interface, including firewall rules that limit inbound connections to trusted hosts only and placement of the device behind a properly segmented industrial DMZ. Monitoring for anomalous connection volume or device unresponsiveness can serve as a detection signal for exploitation attempts. Given the critical CVSS score of 9.1 and the operational technology context, patching should be treated as high priority even in the absence of confirmed active exploitation.
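The two interim controls above (trusted-host restriction and connection-volume monitoring) can be checked against flow records with a sliding-window counter. This is an added example, not Siemens code or part of the original briefing; the device address, allowlist, log format, window and threshold are all assumptions, and the sample records are constructed.

```python
from collections import defaultdict, deque
from datetime import datetime, timedelta

# All values below are assumptions for illustration, not taken from the advisory.
DEVICE_IP = "192.0.2.10"                        # hypothetical CN 4100 address
TRUSTED_SOURCES = {"192.0.2.20", "192.0.2.21"}  # hypothetical allowlisted hosts
WINDOW = timedelta(seconds=10)                  # sliding window length
MAX_CONNS_PER_WINDOW = 20                       # tune to the site's own baseline

def build_sample_log():
    """Constructed flow records: '<ISO timestamp> <src_ip> <dst_ip>'."""
    t0 = datetime(2026, 5, 19, 8, 0, 0)
    at = lambda s: (t0 + timedelta(seconds=s)).isoformat()
    lines = [f"{at(5 * i)} 192.0.2.20 {DEVICE_IP}" for i in range(6)]           # normal polling
    lines.append(f"{at(3)} 198.51.100.7 {DEVICE_IP}")                           # not allowlisted
    lines += [f"{at(12 + 0.1 * i)} 192.0.2.21 {DEVICE_IP}" for i in range(40)]  # burst
    lines.append(f"{at(4)} 198.51.100.7 192.0.2.99")                            # other device
    lines.append("truncated record")                                            # malformed
    return lines

def analyze(lines):
    """Return (sources outside the allowlist, {source: peak connections per window})."""
    events = []
    for line in lines:
        parts = line.split()
        if len(parts) != 3 or parts[2] != DEVICE_IP:
            continue  # malformed record, or traffic to a different device
        try:
            events.append((datetime.fromisoformat(parts[0]), parts[1]))
        except ValueError:
            continue  # unparseable timestamp
    events.sort()  # logs from several collectors may arrive out of order
    untrusted, bursts = set(), {}
    recent = defaultdict(deque)  # per-source timestamps inside the current window
    for when, src in events:
        if src not in TRUSTED_SOURCES:
            untrusted.add(src)  # the firewall allowlist is not being enforced
        q = recent[src]
        q.append(when)
        while when - q[0] > WINDOW:
            q.popleft()
        if len(q) > MAX_CONNS_PER_WINDOW:
            bursts[src] = max(bursts.get(src, 0), len(q))
    return untrusted, bursts

if __name__ == "__main__":
    untrusted, bursts = analyze(build_sample_log())
    print("sources outside allowlist:", sorted(untrusted))
    print("connection bursts:", bursts)
```

A burst from an allowlisted host is still reported, since the allowlist limits who can connect but not how many connections they open.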
