PatchSiren cyber security CVE debrief
CVE-2025-39701 Cert Portal CVE debrief
CVE-2025-39701 is a firmware-update validation issue described in a CISA-republished Siemens advisory. The advisory text says the driver should use the security-version-number check instead of the runtime version check, because the old logic could cause a firmware update to fail when the update binary has a lower runtime version number than the installed one. Source materials associate the issue with Siemens SIMATIC CN 4100 versions earlier than V5.0, and the provided remediation is to update to V5.0 or later.
- Vendor: Cert Portal
- Product: Siemens SIMATIC CN 4100 vers:intdot/<5.0
- CVSS: MEDIUM 5.5
- CISA KEV: Not listed in stored evidence
- Original CVE published: 2026-05-12
- Original CVE updated: 2026-05-14
- Advisory published: 2026-05-12
- Advisory updated: 2026-05-14
Who should care
Operators and maintainers responsible for Siemens SIMATIC CN 4100 deployments, especially environments that rely on firmware update workflows. Security teams should also care because the source advisory ties the issue to an industrial-control/OT product and the CVSS vector indicates local, low-privilege conditions with high availability impact.
Technical summary
The source advisory describes a logic error in the update path of the ACPI pfr_update driver: the code compares the runtime version number of the incoming package against the installed one instead of comparing security version numbers. Because of that mismatch, a legitimate firmware package whose runtime version is lower than the installed one is rejected even when its security version number is acceptable. The supplied CVSS vector is CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H, which aligns with a locally triggered issue whose impact is on availability rather than confidentiality or integrity.
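To make the described logic error concrete, the following is an added illustrative model in C; it is not the kernel driver's code nor anything from the Siemens advisory. `accept_runtime_version_check` reproduces the behaviour the advisory describes (a package with a lower runtime version is refused), and `accept_svn_check` is the security-version-number comparison the advisory says should be used instead. The struct, field and function names, the `>=` acceptance rule and the sample version values are assumptions.

```c
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>

/* Hypothetical package metadata; field names are assumptions, not the driver's. */
struct fw_image_info {
    uint32_t runtime_version;  /* build/runtime version of the image */
    uint32_t svn;              /* security version number, the anti-rollback counter */
};

/* Old logic as the advisory describes it: the runtime version decides, so a
 * legitimate package with a lower runtime version is refused even when its
 * security version number is acceptable. */
bool accept_runtime_version_check(const struct fw_image_info *installed,
                                  const struct fw_image_info *candidate)
{
    return candidate->runtime_version >= installed->runtime_version;
}

/* Corrected logic: the security version number is the rollback guard. A
 * candidate is accepted when its SVN is not lower than the installed SVN
 * (assumed rule); the runtime version plays no part in acceptance. */
bool accept_svn_check(const struct fw_image_info *installed,
                      const struct fw_image_info *candidate)
{
    return candidate->svn >= installed->svn;
}

/* Shows where the two checks diverge on constructed sample values. */
int main(void)
{
    const struct fw_image_info installed = { .runtime_version = 120, .svn = 3 };
    /* Constructed legitimate package: lower runtime version, same SVN. */
    const struct fw_image_info legit = { .runtime_version = 118, .svn = 3 };
    /* Constructed downgrade package: higher runtime version, older SVN. */
    const struct fw_image_info downgrade = { .runtime_version = 130, .svn = 2 };

    printf("legitimate package: runtime check=%d, svn check=%d\n",
           accept_runtime_version_check(&installed, &legit),
           accept_svn_check(&installed, &legit));
    printf("downgrade package:  runtime check=%d, svn check=%d\n",
           accept_runtime_version_check(&installed, &downgrade),
           accept_svn_check(&installed, &downgrade));
    return 0;
}
```

The runtime-version check wrongly rejects the legitimate package and wrongly accepts the downgrade package; the SVN check gives the opposite, correct, result in both cases.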
Defensive priority
Medium. The issue is not marked as KEV and the provided vector indicates local access is required, but it can interfere with firmware maintenance and availability. Treat it as a patch-planning item for affected Siemens deployments and verify whether the advisory's product scope applies to your environment.
Recommended defensive actions
- Confirm whether Siemens SIMATIC CN 4100 systems in your environment are affected by the advisory scope 'vers:intdot/<5.0'.
- Apply the vendor remediation and update to V5.0 or later as cited in the advisory.
- Review firmware update validation procedures to ensure security-version-number checks are used where applicable.
- Retest update workflows after patching to confirm legitimate firmware packages are accepted.
- Track the CISA/Siemens advisory for any follow-up clarifications or revised applicability guidance.
Evidence notes
CISA's republished advisory states: 'The security-version-number check should be used rather than the runtime version check for driver updates.' It also lists the affected product as 'Siemens SIMATIC CN 4100 vers:intdot/<5.0' and the remediation as 'Update to V5.0 or later version.' The supplied CVSS vector is CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H, indicating local access requirements and a high availability impact. The vendor/product mapping in the source is low-confidence in the provided enrichment and should be reviewed before broad application.
Official resources
- CVE-2025-39701 CVE record (CVE.org)
- CVE-2025-39701 NVD detail (NVD)
- Source item URL (cisa_csaf)
Public advisory published 2026-05-12 and republished/modified 2026-05-14. No KEV listing was provided in the source corpus.