CISA 2026-05-14

Siemens SENTRON 7KT PAC1261 Data Manager

CVE-2025-22871

Machine-generated analysis · WAYSCloud LLM

The advisory states the vulnerability permits request smuggling in the web server of an energy sector device. This can lead to administrative control via stolen authorization tokens.

Context

The Siemens SENTRON 7KT PAC1261 Data Manager is a device used in the energy sector. The advisory describes a vulnerability in its web server that could allow an attacker to gain administrative control. The issue originates from the Go net/http package improperly accepting a bare LF as a line terminator in chunked data.

Operator considerations

Patch: Update to SENTRON 7KT PAC1261 Data Manager V2.1.0 or later.
Isolate: Protect network access to these devices with appropriate mechanisms.

From Cybersecurity and Infrastructure Security Agency ↗

The web server in SENTRON 7KT PAC1261 Data Manager Before V2.1.0 contains a request smuggling vulnerability in the Go Project's net/http package that could allow an attacker to retrieve authorization tokens that can be used to gain administrative control over the device. Siemens has released a new version for SENTRON 7KT PAC1261 Data Manager and recommends to update to the latest version.

The following versions of Siemens SENTRON 7KT PAC1261 Data Manager are affected:

SENTRON 7KT PAC1261 Data Manager vers:intdot/

Read the full advisory on CISA →