CVE-2021-41990 Siemens CVE debrief

CISA published advisory ICSA-25-259-03 for CVE-2021-41990 on 2025-09-16. The supplied advisory text says the issue is a remote integer overflow in strongSwan’s gmp plugin before version 5.9.4, reachable via a crafted certificate with an RSASSA-PSS signature. Siemens’ affected-product list spans SIMATIC NET, SINEMA Remote Connect Server, SCALANCE, RUGGEDCOM, and related devices. The stated impact is availability only; the advisory says remote code execution cannot occur.

Vendor: Siemens
Product: Unknown
CVSS: HIGH 7.5
CISA KEV: Not listed in stored evidence
Original CVE published: 2025-09-16
Original CVE updated: 2025-09-16
Advisory published: 2025-09-16
Advisory updated: 2025-09-16

Who should care

OT/ICS operators and administrators responsible for Siemens devices listed in the advisory, especially environments that use strongSwan-based certificate handling or accept remote initiators. Network defenders and asset owners should also care if these products are exposed to untrusted networks or are used as remote-access gateways.

Technical summary

The vulnerability is described as a remote integer overflow in strongSwan’s gmp plugin when processing a certificate containing an RSASSA-PSS signature. The example trigger in the advisory is an unrelated self-signed CA certificate sent by an initiator. The supplied CVSS vector is AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H, reflecting network reachability and high availability impact without confidentiality or integrity impact. The advisory explicitly states that remote code execution cannot occur.

Defensive priority

High for any affected Siemens deployment that accepts untrusted remote connections or processes external certificates; medium otherwise. Prioritize internet-facing, remote-access, and cross-site OT connectivity paths first, then schedule routine maintenance for isolated systems.

Recommended defensive actions

  • Inventory Siemens products named in the advisory and confirm whether any instance uses strongSwan versions earlier than 5.9.4.
  • Apply the Siemens-recommended remediation or firmware/software update path for each affected product family; the advisory specifically notes update guidance for some SCALANCE models to V7.1 or later.
  • Restrict network exposure to affected devices and limit who can initiate remote sessions or present certificates to them.
  • Place affected devices behind appropriate OT network controls and follow Siemens operational security guidance for protected environments.
  • Use the linked Siemens security advisory SSA-539476 for product-specific remediation details and verify maintenance windows before making changes.
  • Monitor vendor and CISA advisories for any updates or clarifications related to this CVE.
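
The inventory step and the priority rule above can be combined into one triage pass. The following is an added example, not code from the advisory or from Siemens. The host names, field names, and the idea that the inventory records an embedded strongSwan version are assumptions; for Siemens firmware, the affected versions come from SSA-539476.

```python
import re

FIXED = (5, 9, 4)  # advisory text: strongSwan before 5.9.4 is affected

def parse_version(text):
    """Leading numeric components of a version string, padded to 3; None if absent."""
    m = re.match(r"\s*(\d+(?:\.\d+)*)", text or "")
    if not m:
        return None
    parts = tuple(int(p) for p in m.group(1).split("."))
    return parts + (0,) * (3 - len(parts))

def is_affected(text):
    """True if earlier than 5.9.4, False if not, None if the version is unknown."""
    v = parse_version(text)
    if v is None:
        return None
    # Compare numerically: as strings, "5.9.10" would sort before "5.9.4".
    # A dr/rc pre-release of 5.9.4 is treated as earlier than the release.
    prerelease = re.search(r"(dr|rc)\d+", text) is not None
    return v < FIXED or (v == FIXED and prerelease)

def triage(device):
    """Map one inventory record to the debrief's priority wording."""
    affected = is_affected(device.get("strongswan"))
    if affected is False:
        return "not-affected"
    exposed = device.get("untrusted_initiators") or device.get("external_certs")
    level = "high" if exposed else "medium"
    return level if affected else level + "/verify-version"

def prioritize(inventory):
    order = {"high": 0, "high/verify-version": 1, "medium": 2,
             "medium/verify-version": 3, "not-affected": 4}
    rows = [(d["name"], triage(d)) for d in inventory]
    return sorted(rows, key=lambda r: order[r[1]])

# Constructed sample inventory (hypothetical hosts and field names).
INVENTORY = [
    {"name": "cell-gw-02", "strongswan": "5.9.10", "untrusted_initiators": True},
    {"name": "remote-access-01", "strongswan": "5.9.3", "untrusted_initiators": True},
    {"name": "lab-switch-07", "strongswan": "5.8.2", "external_certs": False},
    {"name": "site-b-router", "strongswan": None, "external_certs": True},
    {"name": "staging-vpn", "strongswan": "5.9.4rc1"},
]

if __name__ == "__main__":
    for name, result in prioritize(INVENTORY):
        print(f"{name:18} {result}")
```

Records with no recorded version are kept in the queue with a verify-version marker rather than being treated as unaffected.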

Evidence notes

This debrief follows the supplied CISA CSAF advisory text and linked Siemens remediation references. The source corpus includes a title/description mismatch: the advisory title names Siemens SIMATIC NET CP, SINEMA, and SCALANCE, while the vulnerability description attributes the flaw to strongSwan’s gmp plugin. The product list in the CSAF advisory supports Siemens OT device scope, and the description explicitly limits impact to availability with no remote code execution.

Official resources

Published advisory date used here is 2025-09-16 from the supplied timeline and source metadata. No KEV entry or ransomware-campaign linkage was provided in the source corpus.