CVE-2026-28389 Cert Portal CVE debrief

Who should care

Siemens SIMATIC CN 4100 operators and maintainers, especially where systems process untrusted CMS or S/MIME content. Security teams responsible for software that calls CMS_decrypt() on attacker-controlled input should also review exposure and patch status.

Technical summary

The issue occurs during processing of a CMS EnvelopedData message using KeyAgreeRecipientInfo. The code examines the optional parameters field of KeyEncryptionAlgorithmIdentifier without checking whether it is present, leading to a NULL pointer dereference if the field is missing. The result is a crash/denial of service, not a confidentiality or integrity impact. The advisory states that OpenSSL FIPS modules in 3.6, 3.5, 3.4, 3.3, and 3.0 are not affected because the vulnerable code lies outside the FIPS module boundary.

Defensive priority

High

Recommended defensive actions

• Update Siemens SIMATIC CN 4100 to V5.0 or later.
• Identify any paths that process untrusted CMS EnvelopedData or S/MIME content and confirm whether CMS_decrypt() is reachable from attacker-controlled input.
• Limit or pre-validate untrusted CMS content before it reaches the affected parsing path, where operationally feasible.
• Review restart/crash monitoring for services that handle CMS data so a denial-of-service event is detected quickly.
• Use the official Siemens and CISA advisories to confirm product/version scope before scheduling remediation.

Evidence notes

This debrief is based on the CISA CSAF republication of Siemens ProductCERT advisory SSA-032379 for CVE-2026-28389. The source advisory was published on 2026-05-12 and republished/modified on 2026-05-14. The advisory explicitly describes a NULL pointer dereference in CMS EnvelopedData processing, a CVSS 3.1 score of 7.5 (HIGH), and remediation to V5.0 or later. It also states that the affected code is outside the OpenSSL FIPS module boundary.

Official resources