Full Report
ROS# contains a ROS service, file_server, which before version 2.2.2 has a path traversal vulnerability. It could allow an attacker to read and write arbitrary files on the system that hosts the service, limited to files accessible with the rights of the user account that runs the service. Siemens has released a new version of ROS# and recommends updating to the latest version.
Analysis Summary
# Vulnerability: Path Traversal in ROS# file_server
## CVE Details
- **CVE ID:** CVE-2026-41551
- **CVSS Score:** 9.1 (Critical) / 9.3 (Critical) under CVSS v4.0
- **CWE:** CWE-23 (Relative Path Traversal)
## Affected Systems
- **Products:** ROS# (Open-source libraries for C#/.NET ROS communication)
- **Versions:** All versions prior to V2.2.2
- **Configurations:** Systems running the `file_server` ROS service, typically used for transferring URDF files from a ROS host to a target system (such as Unity).
## Vulnerability Description
The `file_server` component in ROS# fails to properly sanitize user-supplied input. This lack of validation allows a remote attacker to perform a path traversal attack. By using special characters (e.g., `../`), an attacker can escape the intended directory and access, read, or write arbitrary files on the host system. The operations are executed with the permissions of the user account running the ROS service.
## Exploitation
- **Status:** Not explicitly reported as exploited in the wild; PoC not provided in advisory.
- **Complexity:** Low
- **Attack Vector:** Network (Remote)
## Impact
- **Confidentiality:** High (Attacker can read arbitrary files accessible to the service user)
- **Integrity:** High (Attacker can write/modify arbitrary files accessible to the service user)
- **Availability:** None reported (Note: CVSS vector indicates VA:N, though file overwrites can indirectly affect availability)
## Remediation
### Patches
- **Update to V2.2.2 or later:** Available via the official GitHub repository: hxxps[://]github[.]com/siemens/ros-sharp/releases/tag/2.2.2
### Workarounds
- **Restrict Network Access:** Run `file_server` only on trusted, isolated local networks.
- **Principle of Least Privilege:** Execute the service using a dedicated user account with minimal directory permissions.
- **Limit Run-time:** Do not run the service continuously in the background; execute it only during active file transfer tasks.
- **Manual Transfer:** Use manual file transfer methods instead of the `file_server` service whenever possible.
## Detection
- **Indicators of Compromise:** Monitor network traffic to the `file_server` for URI strings containing path traversal patterns (e.g., `%2e%2e%2f` or `../`).
- **Audit Logs:** Inspect file system access logs for the user account running the ROS service for unexpected file read/write operations outside the URDF directory.
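As an added illustration (not code from the advisory or the ros-sharp project), the following Python shows the two defensive checks the Detection and Remediation sections describe: scanning request logs for plain or percent-encoded `../` segments, and a server-side normalization check that refuses any requested path resolving outside the served URDF directory. The log layout, client addresses and file names are constructed for the example.

```python
import posixpath
import re
import urllib.parse
from typing import List, Optional, Tuple

# Constructed sample request log (not taken from the advisory); the
# "<timestamp> <client> GET <uri>" layout is an assumption for illustration.
SAMPLE_LOG = """\
2024-01-01T10:00:00 10.0.0.5 GET /urdf/arm.urdf
2024-01-01T10:00:01 10.0.0.5 GET /urdf/../../../outside.txt
2024-01-01T10:00:02 10.0.0.7 GET /urdf/%2e%2e%2f%2e%2e%2fconfig.txt
2024-01-01T10:00:03 10.0.0.7 GET /urdf/%252e%252e%252fsecret.txt
2024-01-01T10:00:04 10.0.0.9 GET /urdf/meshes/link0.dae
"""

LINE_RE = re.compile(r"^(\S+) (\S+) (\S+) (\S+)$")


def fully_decode(uri: str, max_rounds: int = 3) -> str:
    """Percent-decode repeatedly so double-encoded '..' is not missed."""
    for _ in range(max_rounds):
        decoded = urllib.parse.unquote(uri)
        if decoded == uri:
            break
        uri = decoded
    return uri


def is_traversal(uri: str) -> bool:
    """True if any path segment (after decoding) is '..', on either slash type."""
    segments = re.split(r"[\\/]", fully_decode(uri))
    return ".." in segments


def scan_log(text: str) -> List[Tuple[str, str]]:
    """Return (client, uri) for every request carrying a traversal pattern."""
    hits = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if m and is_traversal(m.group(4)):
            hits.append((m.group(2), m.group(4)))
    return hits


def resolve_within(base_dir: str, requested: str) -> Optional[str]:
    """Server-side check: map a requested name onto base_dir and refuse
    anything that normalises to a location outside it (None = refused)."""
    base = posixpath.normpath(base_dir)
    rel = fully_decode(requested).replace("\\", "/").lstrip("/")
    target = posixpath.normpath(posixpath.join(base, rel))
    if target == base or target.startswith(base + "/"):
        return target
    return None
```

`scan_log` is the log-side indicator check from the Detection section; `resolve_within` is the kind of containment check a least-privilege deployment would want in front of every file read or write.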
## References
- **Siemens Security Advisory [SSA-357982]:** hxxps[://]cert-portal[.]siemens[.]com/productcert/html/ssa-357982[.]html
- **Siemens Industrial Security Guidelines:** hxxps[://]www[.]siemens[.]com/cert/operational-guidelines-industrial-security
- **Project Repository:** hxxps[://]github[.]com/siemens/ros-sharp