CVE-2026-41551
CWE-23 · Published: May 12, 2026 · Updated: May 12, 2026
Official Description
A vulnerability has been identified in ROS# (All versions < V2.2.2). Affected versions contain a path traversal vulnerability because user input is not properly sanitized.
This could allow a remote attacker to access arbitrary files on the device.
Technical Analysis
CVE-2026-41551 can be exploited remotely over the network without requiring physical or adjacent access, significantly expanding the attack surface for threat actors.
The vulnerability requires no privileges and no user interaction, making it a prime target for automated exploitation campaigns and worm-like propagation.
A successful exploit results in a complete confidentiality breach (data exposure) and a full integrity compromise (data manipulation). The CVSS base score is 9.1.
News & Research Mentioning CVE-2026-41551
Source: CISA Alerts

Summary: ROS# contains a ROS service, file_server, that before version 2.2.2 contains a path traversal vulnerability which could allow an attacker to access, i.e. read and write, arbitrary files, which are accessible with the user rights of the user that runs the service, on the system that hosts the service. Siemens has released a new version for ROS# and recommends updating to the latest version.

The following versions of Siemens ROS# are affected: ROS# vers:intdot/<2.2.2

CVSS: v3 9.1
Vendor: Siemens
Equipment: Siemens ROS#
Vulnerabilities: Relative Path Traversal

Background
Critical Infrastructure Sectors: Critical Manufacturing
Countries/Areas Deployed: Worldwide
Company Headquarters Location: Germany
Recommended Actions
- Apply vendor patches immediately
- Monitor CVE-2026-41551 in threat intel feeds
- Review IDS/IPS signatures for exploitation attempts