PatchSiren

CVE-2025-39787 Cert Portal CVE debrief

CVE-2025-39787 describes an out-of-bounds read in the Linux kernel's soc:qcom:mdt_loader path when parsing ELF headers. In the CISA/Siemens advisory context, the fix is to ensure the firmware buffer is validated before iterating and to verify e_phentsize and e_shentsize so header traversal steps remain safe. Siemens’ remediation is to update SIMATIC CN 4100 to V5.0 or later.

Vendor: Cert Portal
Product: Siemens SIMATIC CN 4100 vers:intdot/<5.0
CVSS: MEDIUM 5.5
CISA KEV: Not listed in stored evidence
Original CVE published: 2026-05-12
Original CVE updated: 2026-05-14
Advisory published: 2026-05-12
Advisory updated: 2026-05-14

Who should care

OT/ICS teams operating Siemens SIMATIC CN 4100 systems, and administrators of any Linux-based firmware-loading workflow that may process untrusted MDT/ELF buffers.

Technical summary

The vulnerability is a bounds-checking flaw in mdt_loader's ELF header traversal. When the loader is used outside remoteproc, the ELF header may not be sanitized beforehand, so the code can read past the end of the firmware buffer while iterating header entries. The advisory also notes validation of e_phentsize and e_shentsize to ensure the traversal step size assumptions are correct. The supplied CVSS vector is AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H (5.5, medium), indicating a local availability impact.
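
A user-space sketch of the validation described above, added here as an example; it is not the kernel patch or Siemens' code. The type and function names, and the choice to check the section header table only when e_shnum is non-zero, are assumptions of this sketch.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>
#include <string.h>
/* Minimal ELF32 layouts, field order per the ELF spec (sketch-local names). */
typedef struct {
    uint8_t  e_ident[16]; uint16_t e_type, e_machine;
    uint32_t e_version, e_entry, e_phoff, e_shoff, e_flags;
    uint16_t e_ehsize, e_phentsize, e_phnum, e_shentsize, e_shnum, e_shstrndx;
} ehdr32;
typedef struct { uint32_t p_type, p_offset, p_vaddr, p_paddr,
                          p_filesz, p_memsz, p_flags, p_align; } phdr32;
#define SHDR32_SIZE 40u  /* size of one ELF32 section header entry */

/* True when `num` entries of `entsz` bytes starting at `off` lie inside `len`. */
static bool table_fits(size_t len, uint32_t off, uint16_t num, size_t entsz)
{
    /* 64-bit arithmetic: a 32-bit sum could wrap and pass the check. */
    return (uint64_t)off + (uint64_t)num * entsz <= (uint64_t)len;
}

/* Validate the header against the buffer before any table is walked. */
bool elf32_header_valid(const uint8_t *buf, size_t len)
{
    ehdr32 eh;
    if (len < sizeof(eh)) return false;
    memcpy(&eh, buf, sizeof(eh));            /* buffer may be unaligned */
    if (memcmp(eh.e_ident, "\x7f" "ELF", 4) != 0) return false;
    /* The walker steps by sizeof(phdr32); reject any other declared stride. */
    if (eh.e_phentsize != sizeof(phdr32) ||
        !table_fits(len, eh.e_phoff, eh.e_phnum, sizeof(phdr32)))
        return false;
    /* Assumption of this sketch: the section table is checked only if present. */
    if (eh.e_shnum && (eh.e_shentsize != SHDR32_SIZE ||
        !table_fits(len, eh.e_shoff, eh.e_shnum, SHDR32_SIZE)))
        return false;
    return true;
}

/* Count PT_LOAD (type 1) segments; -1 if the header fails validation. */
int count_load_segments(const uint8_t *buf, size_t len)
{
    ehdr32 eh; phdr32 ph; int n = 0;
    if (!elf32_header_valid(buf, len)) return -1;
    memcpy(&eh, buf, sizeof(eh));
    for (size_t i = 0; i < eh.e_phnum; i++) {
        memcpy(&ph, buf + eh.e_phoff + i * sizeof(ph), sizeof(ph));
        n += (ph.p_type == 1);
    }
    return n;
}
```

Every read in the loop is covered by the single up-front check, so a truncated image or an inflated e_phnum is rejected before traversal starts.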

Defensive priority

Medium

Recommended defensive actions

  • Confirm whether any deployed Siemens SIMATIC CN 4100 devices are on a version earlier than V5.0.
  • Apply Siemens' remediation and move to V5.0 or later where feasible.
  • If immediate upgrading is not possible, follow Siemens/CISA guidance for any available vendor backport or interim mitigation.
  • Restrict firmware-loading and update interfaces to trusted administrators and trusted networks.
  • Track asset inventory for Linux kernel components that parse firmware buffers or ELF headers from external sources.

Evidence notes

This debrief is based on CISA CSAF ICSA-26-134-10, published 2026-05-12 and republished on 2026-05-14 from Siemens ProductCERT SSA-032379. The advisory text states that the MDT loader may read past the end of the firmware buffer while iterating over the ELF header and that e_phentsize/e_shentsize are validated in the fix. The supplied advisory data lists CVSS 5.5 (AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H), remediation to Siemens SIMATIC CN 4100 V5.0 or later, and no KEV entry.

Official resources

CISA published ICSA-26-134-10 on 2026-05-12 and issued a republication of the Siemens ProductCERT advisory on 2026-05-14. This debrief uses the supplied CVE publication date and advisory revision history for timing context.