CISA 2026-05-14

Siemens Siemens ROS#

CVE-2026-41551

Machine-generated analysis · WAYSCloud LLM

ROS# file_server before version 2.2.2 contains a relative path traversal vulnerability. The advisory recommends running the service only on trusted networks and with minimal user rights.

Context

ROS# is a software package for transferring URDF files between ROS systems. The vulnerability allows remote attackers to read or write arbitrary files accessible to the service user. The advisory notes this service was designed for specific file transfer tasks rather than continuous background operation. Mitigation includes using manual file transfer methods when possible.

Operator considerations

Check: inventory ROS# installations with file_server enabled
Isolate: restrict file_server to trusted networks only
Patch: update to ROS# version 2.2.2 or later
Log: monitor for unexpected file access patterns from file_server

From Cybersecurity and Infrastructure Security Agency ↗

ROS# contains a ROS service file_server, that before version 2.2.2 contains a path traversal vulnerability which could allow an attacker to access, i.e. read and write, arbitrary files, which are accessible with the user rights of the user that runs the service, on the system that hosts service. Siemens has released a new version for ROS# and recommends to update to the latest version.

The following versions of Siemens Siemens ROS# are affected:

ROS# vers:intdot/

Read the full advisory on CISA →