Siemens gWAP Vulnerable to Remote Code Execution via Axios Library

Critical infrastructure software affected by prototype pollution vulnerability enabling arbitrary code execution

  • Siemens gPROMS Web Applications Publisher (gWAP) contains a critical remote code execution vulnerability
  • The flaw stems from the Axios HTTP client library enabling prototype pollution attacks
  • Siemens has released version 3.1.1 to address the vulnerability with CVSS score of 8.0

CISA has issued an advisory warning of a critical remote code execution vulnerability affecting Siemens gPROMS Web Applications Publisher (gWAP), a software platform used in critical manufacturing environments worldwide.

The vulnerability, tracked as CVE-2026-40175, exists in gWAP versions prior to 3.1.1 and stems from a flaw in the Axios HTTP client library. The issue allows attackers to exploit a specific “Gadget” attack chain that enables prototype pollution in third-party libraries, potentially escalating to arbitrary code execution.
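To make the "prototype pollution" part of that chain concrete, here is an added illustration (not Axios or gWAP code): a naive deep merge that lets an input key named `__proto__` write into `Object.prototype`, next to a merge that refuses the prototype-reaching keys, plus a check a defender can run to confirm the global prototype is still clean. The input payload is constructed for the demo.

```javascript
// Keys that, when used as property names, reach the prototype chain instead of
// the target object. Any merge/extend routine must refuse them.
const DANGEROUS_KEYS = new Set(['__proto__', 'constructor', 'prototype']);

// Naive recursive merge: copies every own key of src into dst, including "__proto__".
// Reading dst["__proto__"] on a plain object returns Object.prototype, so the
// recursion then writes attacker-chosen properties onto every object in the process.
function unsafeMerge(dst, src) {
  for (const key of Object.keys(src)) {
    const val = src[key];
    if (val !== null && typeof val === 'object' && !Array.isArray(val)) {
      if (!dst[key] || typeof dst[key] !== 'object') dst[key] = {};
      unsafeMerge(dst[key], val);
    } else {
      dst[key] = val;
    }
  }
  return dst;
}

// Hardened merge: skips the dangerous keys and only recurses into own properties.
function safeMerge(dst, src) {
  for (const key of Object.keys(src)) {
    if (DANGEROUS_KEYS.has(key)) continue;
    const val = src[key];
    if (val !== null && typeof val === 'object' && !Array.isArray(val)) {
      if (!Object.prototype.hasOwnProperty.call(dst, key) || typeof dst[key] !== 'object') dst[key] = {};
      safeMerge(dst[key], val);
    } else {
      dst[key] = val;
    }
  }
  return dst;
}

// Defender-side check: has anyone attached the given marker to Object.prototype?
function isPrototypePolluted(marker) {
  return Object.prototype.hasOwnProperty.call(Object.prototype, marker);
}

// Runs both merges on a constructed JSON document (the shape an HTTP client or
// config loader might hand to a merge helper) and reports what happened.
function demo() {
  const payload = JSON.parse('{"__proto__": {"polluted": "yes"}, "timeout": 5}');
  const before = ({}).polluted;                       // undefined: clean prototype
  const safeResult = safeMerge({}, payload);
  const afterSafe = ({}).polluted;                    // still undefined
  const unsafeResult = unsafeMerge({}, payload);
  const afterUnsafe = ({}).polluted;                  // "yes": every object now inherits it
  delete Object.prototype.polluted;                   // undo the pollution for this process
  return { before, afterSafe, afterUnsafe, safeTimeout: safeResult.timeout, unsafeTimeout: unsafeResult.timeout };
}
```

The same refusal of `__proto__`, `constructor` and `prototype` keys belongs in any extend, defaults or query-string parsing helper, and `isPrototypePolluted` style canaries can be run in tests to catch a regression before it ships.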

According to the CISA advisory, the vulnerability affects the Axios library versions prior to 1.15.0 and 0.3.1. The flaw can be exploited to achieve remote code execution or full cloud compromise through AWS IMDSv2 bypass techniques.

The vulnerability carries a CVSS v3.1 base score of 8.0 (High), with the attack vector classified as network-based requiring high attack complexity and high privileges, but no user interaction. The scope is changed, meaning successful exploitation could impact resources beyond the vulnerable component.

Siemens ProductCERT reported the vulnerability to CISA, demonstrating responsible disclosure practices. The affected gWAP software is deployed globally in critical manufacturing sectors, making this a significant concern for industrial control system environments.

Siemens has released gWAP version 3.1.1 to address the vulnerability and made it available through their support portal. The company recommends immediate updates to the latest version for all affected installations.

Why It Matters

This vulnerability poses significant risk to industrial environments using Siemens gWAP for process management and monitoring. The potential for remote code execution in critical manufacturing systems could enable attackers to disrupt production processes, steal intellectual property, or pivot to other network resources. CISOs should prioritise this update given the global deployment of affected systems and the critical nature of manufacturing infrastructure.

What To Do Now

  • Immediately inventory all Siemens gWAP installations to identify systems running versions prior to 3.1.1
  • Schedule emergency patching to update gWAP to version 3.1.1 or later
  • Review network access controls for gWAP systems and implement additional segmentation where possible
  • Monitor for unusual activity on systems running gWAP during the patching window
