PatchSiren cyber security CVE debrief
CVE-2025-6020 Cert Portal CVE debrief
CVE-2025-6020 is a high-severity local privilege-escalation flaw attributed to linux-pam's pam_namespace module. In the supplied CISA/Siemens advisory, the issue is described as improper protection around user-controlled paths, which can let a local user gain root privileges through symlink attacks and race conditions. The advisory lists Siemens RUGGEDCOM ROX platforms as affected and recommends updating to V2.17.1 or later.
- Vendor
- Cert Portal
- Product
- Siemens RUGGEDCOM ROX MX5000 (vers:intdot/<2.17.1), RUGGEDCOM ROX MX5000RE, RUGGEDCOM ROX RX1400, RUGGEDCOM ROX RX1500, RUGGEDCOM ROX RX1501, RUGGEDCOM ROX RX1510, RUGGEDCOM ROX RX1511, RUGGEDCOM ROX RX1512, RUGGEDCOM ROX RX1524, RUGGEDCOM ROX RX1536, RUGGEDCOM ROX RX5000
- CVSS
- HIGH 7.8
- CISA KEV
- Not listed in stored evidence
- Original CVE published
- 2026-05-12
- Original CVE updated
- 2026-05-14
- Advisory published
- 2026-05-12
- Advisory updated
- 2026-05-14
Who should care
Organizations running the affected Siemens RUGGEDCOM ROX devices, especially industrial control and OT operators who allow local shell or administrative access. Security and operations teams responsible for Linux PAM maintenance, patch management, and hardening on these systems should prioritize review.
Technical summary
The advisory states that pam_namespace may access user-controlled paths without proper protection. Because the attack is local and requires low privileges, an attacker with access to the device can potentially manipulate path resolution through multiple symlink attacks and race conditions to escalate to root. The supplied CVSS vector is AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H (7.8 High), which reflects the expected impact on confidentiality, integrity, and availability once the flaw is successfully exploited.
Defensive priority
High. This is a local root escalation issue on affected OT equipment, and the advisory includes a vendor fix. Prioritize if any affected device permits local logins, maintenance access, or shared administrative workflows.
Recommended defensive actions
- Update affected Siemens RUGGEDCOM ROX systems to V2.17.1 or later as recommended in the advisory.
- Inventory where the affected product models and versions are deployed, and confirm exposure of local user access paths.
- Restrict local login and administrative access to trusted personnel only, and remove unnecessary accounts.
- Review hardening and least-privilege controls around PAM-related functionality and local filesystem access.
- Use CISA ICS recommended practices and defense-in-depth guidance to reduce the impact of local compromise.
- Validate remediation status against Siemens support guidance and the linked advisory references.
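The inventory and PAM-hardening steps above can be scripted. The helper below is an added example written for this debrief, not code from CISA, Siemens or linux-pam: it parses the single-constraint "vers:intdot/<2.17.1" range quoted in the product entry, flags inventory rows whose model and firmware fall inside it, and checks whether a PAM stack loads pam_namespace.so at all. Hostnames, the OTHER-MODEL placeholder and the PAM lines are constructed sample data.

```python
import re

AFFECTED_RANGE = "vers:intdot/<2.17.1"   # range quoted for RUGGEDCOM ROX on this page
AFFECTED_MODELS = {"MX5000", "MX5000RE", "RX1400", "RX1500", "RX1501", "RX1510",
                   "RX1511", "RX1512", "RX1524", "RX1536", "RX5000"}

def parse_version(text):
    """'V2.16.3' -> (2, 16, 3); tolerates a leading V and trailing suffixes."""
    m = re.match(r"\s*[Vv]?(\d+(?:\.\d+)*)", text)
    if not m:
        raise ValueError(f"unparseable version: {text!r}")
    return tuple(int(p) for p in m.group(1).split("."))

def _cmp(a, b):
    """Compare int tuples, padding the shorter one with zeros (2.17 == 2.17.0)."""
    n = max(len(a), len(b))
    a, b = a + (0,) * (n - len(a)), b + (0,) * (n - len(b))
    return (a > b) - (a < b)

_OPS = {"<": lambda c: c < 0, "<=": lambda c: c <= 0, ">": lambda c: c > 0,
        ">=": lambda c: c >= 0, "=": lambda c: c == 0, "!=": lambda c: c != 0}

def in_vers_range(version, spec):
    """True if version satisfies a single-constraint 'vers:intdot/<op><version>' range.
    Only the one-constraint form used on this page is handled; '|' unions are rejected."""
    if not spec.startswith("vers:intdot/") or "|" in spec:
        raise ValueError(f"unsupported vers range: {spec!r}")
    m = re.match(r"(<=|>=|!=|<|>|=)?(.+)", spec[len("vers:intdot/"):])
    op = m.group(1) or "="
    return _OPS[op](_cmp(parse_version(version), parse_version(m.group(2))))

def triage(inventory, spec=AFFECTED_RANGE):
    """inventory: iterable of (hostname, model, firmware). Returns hosts needing the update."""
    return [host for host, model, fw in inventory
            if model in AFFECTED_MODELS and in_vers_range(fw, spec)]

def pam_namespace_loaded(pam_lines):
    """True if an uncommented PAM stack line loads pam_namespace.so."""
    return any("pam_namespace.so" in line.split("#", 1)[0] for line in pam_lines)

# Constructed sample data (not from the advisory).
SAMPLE_INVENTORY = [("rox-sub-a", "RX1500", "V2.16.2"),
                    ("rox-sub-b", "RX1510", "V2.17.1"),    # already at the fixed version
                    ("rox-sub-c", "MX5000", "2.17.0"),
                    ("edge-x", "OTHER-MODEL", "V1.0.0")]   # placeholder, not an affected model
SAMPLE_PAM = ["# /etc/pam.d/login (constructed)",
              "session    required   pam_unix.so",
              "session    required   pam_namespace.so"]
```

Running triage(SAMPLE_INVENTORY) returns ['rox-sub-a', 'rox-sub-c'], and pam_namespace_loaded(SAMPLE_PAM) returns True; a real run would feed the same functions from the asset inventory and the device's /etc/pam.d files.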
Evidence notes
The supplied source is CISA CSAF advisory ICSA-26-134-16, published 2026-05-12 and republished 2026-05-14 with Siemens ProductCERT SSA-577017 as the underlying vendor advisory. The advisory text identifies a linux-pam pam_namespace path-handling flaw, states that local users may elevate privileges to root via symlink attacks and race conditions, and recommends updating to V2.17.1 or later. The supplied metadata assigns CVSS 7.8 High with vector AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H.
Official resources
- CVE-2025-6020 CVE record (CVE.org)
- CVE-2025-6020 NVD detail (NVD)
- Source item URL (cisa_csaf)
- Source reference (Reference)
Based on the supplied CISA CSAF advisory published 2026-05-12 and republished 2026-05-14, which republishes Siemens ProductCERT SSA-577017. This debrief uses only the supplied advisory text and official reference links; no exploit details,