CISA warns of request smuggling flaw in Siemens SENTRON 7KT PAC1261 Data Manager that could allow admin takeover
- Critical CVSS 9.1 HTTP request smuggling vulnerability affects Siemens SENTRON 7KT PAC1261 Data Manager versions before 2.1.0
- Attackers could retrieve authorisation tokens and gain administrative control over energy infrastructure devices
- Siemens has released the version 2.1.0 patch and recommends immediate updates
The US Cybersecurity and Infrastructure Security Agency has issued an advisory for a critical vulnerability in Siemens SENTRON 7KT PAC1261 Data Manager devices used in energy infrastructure worldwide.
The vulnerability, tracked as CVE-2025-22871, affects all versions of the power management device before version 2.1.0. CISA assigned the flaw a CVSS score of 9.1, marking it as critical severity.
The security issue stems from an HTTP request smuggling vulnerability in the Go project’s net/http package, which the device’s web server uses. According to CISA, the net/http package improperly accepts a bare line feed character as a line terminator in chunked data chunk-size lines.
This improper handling could allow attackers to perform request smuggling attacks when the net/http server operates alongside another server that incorrectly accepts bare line feed characters. Successful exploitation could enable attackers to retrieve authorisation tokens and gain administrative control over affected devices.
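The framing rule at issue can be checked directly. The following Go sketch is an added example, not code from the advisory, Siemens or the Go project: it walks a chunked body and flags any chunk-size line that ends in a bare LF instead of CRLF, as a defender might do in a test harness or traffic inspection tool. `CheckChunked`, `ErrBareLF` and `ErrMalformed` are hypothetical names, and the sample bodies are constructed.

```go
package main

import (
	"bytes"
	"errors"
	"fmt"
	"strconv"
	"strings"
)

var ErrBareLF = errors.New("chunk-size line ends in bare LF")
var ErrMalformed = errors.New("malformed chunked body")

// CheckChunked walks a chunked body and rejects any chunk-size line that is
// not terminated by CRLF. The trailer section after the last chunk is not inspected.
func CheckChunked(body []byte) error {
	for {
		nl := bytes.IndexByte(body, '\n')
		if nl < 0 {
			return fmt.Errorf("%w: unterminated chunk-size line", ErrMalformed)
		}
		if nl == 0 || body[nl-1] != '\r' {
			return ErrBareLF // a lenient parser would accept this line
		}
		line := string(body[:nl-1])
		if i := strings.IndexByte(line, ';'); i >= 0 {
			line = line[:i] // drop chunk extensions before parsing the size
		}
		size, err := strconv.ParseUint(line, 16, 32)
		if err != nil {
			return fmt.Errorf("%w: bad chunk size %q", ErrMalformed, line)
		}
		body = body[nl+1:]
		if size == 0 {
			return nil // last chunk reached with strict framing throughout
		}
		if uint64(len(body)) < size+2 || body[size] != '\r' || body[size+1] != '\n' {
			return fmt.Errorf("%w: chunk data not followed by CRLF", ErrMalformed)
		}
		body = body[size+2:] // skip chunk data; LF bytes inside data are legal
	}
}

func main() {
	// Constructed sample bodies, not captured traffic.
	fmt.Println(CheckChunked([]byte("5\r\nhello\r\n0\r\n\r\n")))
	fmt.Println(CheckChunked([]byte("5\nhello\r\n0\r\n\r\n")))
}
```

Two servers in a chain are only safe when both apply the same strict rule; the check above shows the rule itself, not the behaviour of any particular product.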
Siemens SENTRON 7KT PAC1261 Data Manager devices are deployed globally in energy sector infrastructure. The devices manage power distribution and monitoring systems in critical facilities.
Siemens ProductCERT reported the vulnerability to CISA. The German industrial technology company has released version 2.1.0 to address the security flaw and recommends organisations update to the latest version immediately.
As an interim mitigation measure, CISA recommends organisations use encrypted protocols when communicating with affected devices. Siemens also advises protecting network access to devices with appropriate security mechanisms and operating them within protected IT environments.
Why It Matters
This critical vulnerability poses significant operational risk to energy infrastructure operators. The ability for attackers to gain administrative control over power management devices could lead to service disruptions or compromise of critical systems. With a CVSS score of 9.1 and global deployment, this represents a high-priority patching requirement for CISOs managing industrial control systems.
The HTTP request smuggling attack vector highlights ongoing security challenges in industrial IoT devices that rely on standard web technologies but may not implement proper security controls.
What To Do Now
- Identify all Siemens SENTRON 7KT PAC1261 Data Manager devices in your environment and verify current firmware versions
- Schedule immediate updates to version 2.1.0 or later following proper change management procedures
- Implement encrypted communication protocols for all affected devices as an interim mitigation
- Review network segmentation and access controls for industrial control system networks
