The ICAM A8000 RTU (Remote Terminal Unit) series is a modular family of devices for remote control and automation applications in all areas of energy supply. A path traversal vulnerability exists in the Siemens SICAM A8000 device CPCI85 firmware web server, which can be exploited by an attacker to traverse directories on the system and download arbitrary files. Privileges are elevated to the administrator role by probing the active session ID.