CVE-2026-41551
Description
A vulnerability has been identified in ROS# (All versions < V2.2.2). Affected versions contain a path traversal vulnerability because user input is not properly sanitized. This could allow a remote attacker to access arbitrary files on the device.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
A path traversal vulnerability in ROS# before 2.2.2 allows remote attackers to read/write arbitrary files via the file_server service.
Vulnerability Details
A path traversal vulnerability has been identified in ROS#, a .NET library for ROS. All versions prior to V2.2.2 are affected. The flaw exists in the file_server ROS service, where user-supplied input is not properly sanitized. This allows an attacker to break out of the intended directory and access arbitrary files on the system [1].
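The containment check that this class of bug lacks, as an added Python example (not ROS# or Siemens code; `resolve_naive`, `resolve_contained`, the directory layout and the sample requests are constructed for illustration). It resolves each requested path and rejects anything that lands outside the served directory, including absolute paths, sibling-prefix directories and symlinks.

```python
import os
import tempfile

def resolve_naive(base_dir, requested):
    """Vulnerable pattern: untrusted input is joined to the base directory unchecked."""
    return os.path.normpath(os.path.join(base_dir, requested))

def resolve_contained(base_dir, requested):
    """Return the real path for `requested`, or raise if it leaves base_dir."""
    if "\x00" in requested:
        raise PermissionError("NUL byte in requested path")
    base = os.path.realpath(base_dir)
    # realpath collapses ".." and follows symlinks, so the check sees the final target.
    # An absolute `requested` replaces `base` in join() and is caught below.
    target = os.path.realpath(os.path.join(base, requested))
    try:
        # commonpath compares whole components: /srv/files_evil is not inside /srv/files.
        inside = os.path.commonpath([base, target]) == base
    except ValueError:  # e.g. different drives on Windows
        inside = False
    if not inside:
        raise PermissionError(f"path escapes served directory: {requested!r}")
    return target

def demo():
    """Run constructed requests against a temporary served directory."""
    results = {}
    with tempfile.TemporaryDirectory() as root:
        served = os.path.join(root, "files")
        os.makedirs(os.path.join(served, "meshes"))
        os.makedirs(os.path.join(root, "files_evil"))
        os.symlink(root, os.path.join(served, "link"))  # symlink pointing outside
        requests = {  # constructed sample requests
            "normal": "meshes/arm.stl",
            "dotdot": "../secret.txt",
            "nested_dotdot": "meshes/../../secret.txt",
            "sibling_prefix": "../files_evil/x",
            "absolute": os.path.join(root, "secret.txt"),
            "symlink": "link/secret.txt",
        }
        for name, req in requests.items():
            try:
                resolve_contained(served, req)
                results[name] = "allowed"
            except PermissionError:
                results[name] = "rejected"
    return results

if __name__ == "__main__":
    for name, verdict in demo().items():
        print(f"{name:15} {verdict}")
```

The same check applies to both read and write requests, since each starts from a caller-supplied path.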
Exploitation
An attacker can exploit this vulnerability by sending specially crafted requests to the file_server service. No authentication is required, and the attacker can be remote. The service runs with the privileges of the user hosting the service, so the attacker can read and write any file accessible to that user on the host machine [1].
Impact
Successful exploitation gives the attacker the ability to read sensitive information (e.g., configuration files, credentials) and modify or delete arbitrary files. This could lead to complete compromise of the system depending on the service user's permissions. The CVSS v3.1 base score is 9.1, indicating critical severity [1].
Mitigation
Siemens has released version V2.2.2 of ROS# that addresses the vulnerability. Users are strongly advised to update to the latest version. Additionally, following the mitigations outlined in Siemens security advisory SSA-357982 is recommended [1].
AI Insight generated on May 18, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected products
- Range: <2.2.2
Patches
No patches discovered yet.
Vulnerability mechanics
AI mechanics synthesis has not run for this CVE yet.
References
News mentions
- Siemens Siemens ROS# (CISA Alerts)