CISA warns of CVSS 9.1 vulnerability allowing remote file system access in manufacturing environments
- Siemens ROS# versions before 2.2.2 contain a critical path traversal vulnerability (CVE-2026-41551)
- Remote attackers can read and write arbitrary files with service user privileges
- Critical manufacturing sectors worldwide are affected; version 2.2.2 is available as an update
CISA has issued an advisory warning of a critical path traversal vulnerability in Siemens ROS#, a robotics software platform used in manufacturing environments.
The vulnerability, tracked as CVE-2026-41551, affects all ROS# versions before 2.2.2 and carries a CVSS score of 9.1. The flaw exists in the ROS service file_server component, where user input is not properly sanitised.
According to the advisory, remote attackers can exploit this vulnerability to access arbitrary files on affected systems. The attack allows both reading and writing files with the same privileges as the user account running the service.
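As an added illustration (not Siemens' code, and not a reproduction of the ROS# defect, whose internals the advisory does not describe), the Python below shows how a file-transfer service can confine client-supplied paths to its share directory for both reads and writes; the share layout, probe paths and helper names are assumptions made for the demo.

```python
import os
import tempfile
from pathlib import Path

class PathTraversalError(ValueError):
    """Raised when a client-supplied path would escape the service root."""

def resolve_under_root(root: Path, requested: str) -> Path:
    """Map a client-supplied relative path to a location strictly under root.

    Rejects empty/NUL paths, absolute paths and any '..' component, then
    canonicalises (following symlinks) and requires the result to lie
    below the canonicalised root. Use it for both reads and writes.
    """
    if not requested or "\x00" in requested:
        raise PathTraversalError("empty or NUL-containing path")
    rel = Path(requested.replace("\\", "/"))  # treat '\' as a separator too
    if rel.is_absolute():
        raise PathTraversalError(f"absolute path rejected: {requested!r}")
    if ".." in rel.parts:
        raise PathTraversalError(f"parent reference rejected: {requested!r}")
    root_real = root.resolve()
    candidate = (root_real / rel).resolve()  # follows symlinks, drops '.'
    # Component-wise check: /srv/share2 is not under /srv/share; root itself is rejected.
    if root_real not in candidate.parents:
        raise PathTraversalError(f"resolves outside root: {requested!r}")
    return candidate

def is_accepted(root: Path, requested: str) -> bool:
    try:
        resolve_under_root(root, requested)
        return True
    except PathTraversalError:
        return False

def demo() -> dict:
    """Probe a constructed share that contains a symlink pointing outside it."""
    with tempfile.TemporaryDirectory() as tmp:
        share, outside = Path(tmp) / "share", Path(tmp) / "outside"
        outside.mkdir()
        (share / "configs").mkdir(parents=True)
        (share / "configs" / "robot.yaml").write_text("constructed: true\n")
        os.symlink(outside, share / "link")  # escape route via symlink
        probes = ["configs/robot.yaml", "../outside/secret", "/etc/hostname",
                  "link/secret", "configs/../../outside/x", "..\\outside\\x", "."]
        return {p: is_accepted(share, p) for p in probes}

if __name__ == "__main__":
    for path, ok in demo().items():
        print(f"{'ACCEPT' if ok else 'REJECT'}  {path!r}")
```

Only the in-share config file is accepted; every other probe, including the symlink that leaves the share, is refused before any file is opened.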
The vulnerability was discovered by Alifia Rahmah of VyPr AI, who reported the issue to Siemens. The German manufacturer has since released version 2.2.2 to address the security flaw.
ROS# (Robot Operating System Sharp) is Siemens’ .NET implementation of the Robot Operating System, commonly deployed in critical manufacturing environments worldwide. The platform enables communication between robotic systems and industrial control networks.
For organisations unable to update immediately, CISA recommends several mitigation measures: running the file_server only on trusted networks, operating it with appropriate user privileges, and limiting its use to the tasks it was designed for rather than continuous background operation.
The advisory emphasises that the file_server component should only be used when manual file transfers are not feasible, and organisations should implement network segmentation to protect affected devices.
Siemens has made the patched version 2.2.2 available through its GitHub repository. The company strongly recommends updating to the latest version to eliminate the vulnerability.
Why It Matters
This critical vulnerability poses significant risk to manufacturing operations, particularly in environments where ROS# systems have network connectivity. With a CVSS score of 9.1, successful exploitation could lead to unauthorised access to sensitive operational data, potential system manipulation, or lateral movement within industrial networks.
For CISOs in manufacturing organisations, this represents both an immediate patching priority and a reminder to review network segmentation around robotics and industrial control systems. The global deployment of affected systems means this vulnerability likely affects multiple sectors simultaneously.
What To Do Now
- Identify all Siemens ROS# deployments in your environment and verify versions
- Update to ROS# version 2.2.2 or later immediately
- Implement network segmentation to isolate ROS# systems from untrusted networks
- Review user privileges for accounts running the file_server service
- Consider disabling file_server if continuous operation is not required
