Executive Summary

CVE-2026-28388 aggregates multiple memory safety defects in the Siemens SIMATIC CN 4100 communication node, including NULL pointer dereference, reachable assertion, use after free, and out-of-bounds write conditions that an attacker can trigger against network-facing services. Because the CN 4100 functions as a communication backbone between control cells and higher-level networks, exploitation can sever or manipulate traffic paths that carry process control and monitoring data.

Technical Exposure Breakdown

The disclosed defect class is consistent with parser or protocol handling faults reachable over the network interface. A reachable assertion and NULL pointer dereference both terminate in denial of service, taking the affected service or the device down. The use after free and out-of-bounds write are the more severe primitives. An out-of-bounds write against a device running privileged firmware is the kind of condition that turns availability loss into potential code execution, and a use after free can be shaped into the same outcome depending on allocator behavior.

The vendor advisory lists SIMATIC CN 4100 versions below 5.0 as affected. The source records a vendor equipment CVSS of 9.6 alongside a base score of 7.5. That gap matters. The lower score assumes network adjacency and denial of service impact. The higher figure reflects the operational reality that a compromised communication node sits at a chokepoint. Treat the 9.6 as the number that governs your risk decision, not the 7.5.

Attack conditions depend on reachability. If the CN 4100 management or communication interfaces are exposed to a routable segment, the barrier to triggering these flaws is low. No authentication is required for a raw protocol crash in most defects of this shape. The distinguishing factor between nuisance and incident is whether the memory corruption primitives can be weaponized beyond a crash.

OT Impact and Compliance Risk

Physically, the failure mode is loss of communication. When a CN 4100 stops forwarding traffic, operators lose visibility into downstream cells and any control action routed through the node halts. In continuous process environments this is not a soft failure. Loss of view and loss of control against running physical equipment forces conservative fallback, which often means a shutdown. In water and wastewater, that translates to loss of SCADA telemetry across treatment stages.

Compliance exposure is direct. Under IEC 62443, an unpatched communication node with reachable network faults undermines zone and conduit segmentation assumptions, specifically the SR requirements around network integrity and denial of service resilience. For NERC CIP registered entities, a BES Cyber Asset or associated communication device carrying this exposure feeds directly into CIP-007 patch management timelines and CIP-010 configuration baselines. Pipeline operators under TSA SD-02C must account for this within their required network segmentation and access control measures, and any device bridging IT and OT zones is squarely in scope. Water utilities operating under AWIA 2018 risk and resilience obligations should log this as a control system vulnerability affecting monitored assets.

Compensating Controls

Do not treat the vendor update as an immediate action. Communication nodes carry live traffic and firmware updates on these devices require a maintenance window and validation against your specific topology. Sequence the patch properly.

BreachSpider tracks Siemens SIMATIC advisories and exploitation signals across our database of 350,000+ CVEs and 25,000+ ICS CVEs, so operators can prioritize CVE-2026-28388 against their own exposed asset inventory rather than a generic severity number.