PatchSiren

PatchSiren cyber security CVE debrief

CVE-2023-39810 Siemens CVE debrief

CVE-2023-39810 is a medium-severity (CVSS 3.1 base score 6.1) issue in BusyBox v1.33.2 CPIO archive handling that Siemens reports as affecting SINEC OS firmware on the listed products. A crafted archive processed locally on the device can perform directory traversal, so operators should prioritize the SINEC OS V3.3 firmware update and review any workflow that feeds untrusted archives to the device.

Vendor
Siemens
Product
RUGGEDCOM RST2428P (6GK6242-6PA00)
CVSS
MEDIUM 6.1
CISA KEV
Not listed in stored evidence
Original CVE published
2026-01-28
Original CVE updated
2026-02-25
Advisory published
2026-01-28
Advisory updated
2026-02-25

Who should care

Siemens SINEC OS administrators, OT security teams, and maintenance personnel responsible for the RUGGEDCOM RST2428P (6GK6242-6PA00) and the other SINEC OS-based RUGGEDCOM and SCALANCE models listed in the advisory should review it and confirm whether the firmware actually deployed is affected.

Technical summary

The source advisory attributes CVE-2023-39810 to BusyBox v1.33.2 CPIO processing, where archive handling can permit directory traversal. The supplied CVSS vector is CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:N/I:H/A:L, which decodes to a local attack vector, low attack complexity, no privileges required, user interaction required, unchanged scope, no confidentiality impact, high integrity impact and low availability impact. In practical terms, an attacker needs a crafted archive to be processed on the device (for example by an operator), and the outcome described is consistent with writing files outside the intended extraction path rather than reading data. CISA's republication history also notes a 2026-02-24 clarification that only SINEC OS firmware is impacted across the listed Siemens products.

Defensive priority

Medium

Recommended defensive actions

  • Update affected Siemens products to SINEC OS firmware V3.3 or later using Siemens ProductCERT guidance.
  • Inventory the listed Siemens device models and verify which firmware versions are actually deployed before scheduling maintenance.
  • Review any local file import, archive extraction, or service workflows that could expose BusyBox CPIO processing to untrusted content.
  • Apply ICS defense-in-depth controls on engineering and maintenance access paths, including least privilege and strong account separation.
  • Track Siemens advisory SSA-089022 and CISA ICSA-26-043-06 for any follow-on clarifications or product mapping updates.
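To make the traversal mechanism in the technical summary concrete, and to give the archive-workflow review above something to run, here is an added example that is not part of the advisory, BusyBox, or Siemens code: a minimal parser for the cpio "newc" format (the layout `cpio -H newc` writes) plus a pre-extraction gate that refuses entries whose names, or whose symlink targets, would resolve outside the extraction root. The sample archive, its file names and its contents are constructed inline for the demonstration; nothing here reproduces the specific BusyBox defect or its fix, it is a generic check a practitioner can put in front of any extractor that handles untrusted archives.

```python
"""Pre-extraction traversal check for cpio 'newc' archives.

Added example for this debrief (not BusyBox or Siemens code): a minimal newc
parser plus a gate that flags entries whose names, or symlink targets, would
resolve outside the extraction directory. The sample archive is constructed
inline so the script runs offline.
"""
import posixpath

MAGIC = b"070701"      # SVR4 'newc' magic (the format cpio -H newc writes)
HEADER_LEN = 110       # 6-byte magic + 13 eight-digit hex fields
S_IFMT, S_IFLNK = 0o170000, 0o120000


def _pad4(n: int) -> int:
    """newc pads the header+name and the file data to 4-byte boundaries."""
    return (n + 3) & ~3


def build_newc(entries):
    """Construct a newc archive from (name, data, mode) tuples (test-fixture builder)."""
    out = bytearray()
    for ino, (name, data, mode) in enumerate(entries + [("TRAILER!!!", b"", 0)], start=1):
        name_b = name.encode() + b"\0"
        # c_ino, c_mode, c_uid, c_gid, c_nlink, c_mtime, c_filesize,
        # c_devmajor, c_devminor, c_rdevmajor, c_rdevminor, c_namesize, c_check
        fields = [ino, mode, 0, 0, 1, 0, len(data), 0, 0, 0, 0, len(name_b), 0]
        out += MAGIC + b"".join(f"{v:08x}".encode() for v in fields)
        out += name_b + b"\0" * (_pad4(HEADER_LEN + len(name_b)) - HEADER_LEN - len(name_b))
        out += data + b"\0" * (_pad4(len(data)) - len(data))
    return bytes(out)


def iter_newc(blob: bytes):
    """Yield (name, mode, data) for each entry up to, not including, TRAILER!!!."""
    off = 0
    while off + HEADER_LEN <= len(blob):
        if blob[off:off + 6] != MAGIC:
            raise ValueError(f"bad newc magic at offset {off}")
        fields = [int(blob[off + 6 + 8 * i:off + 14 + 8 * i], 16) for i in range(13)]
        mode, filesize, namesize = fields[1], fields[6], fields[11]
        name_start = off + HEADER_LEN
        name = blob[name_start:name_start + namesize].rstrip(b"\0").decode("utf-8", "replace")
        data_start = _pad4(name_start + namesize)
        data = blob[data_start:data_start + filesize]
        off = _pad4(data_start + filesize)
        if name == "TRAILER!!!":
            return
        yield name, mode, data


def _path_escapes(path: str):
    """Return a reason string if `path` would land outside the extraction root, else None."""
    if path.startswith("/"):
        return "absolute path"
    norm = posixpath.normpath(path)          # collapses '.', '//' and interior '..'
    if norm == ".." or norm.startswith("../"):
        return "parent-directory traversal"
    return None


def unsafe_entries(blob: bytes):
    """List (name, reason) for every entry an extractor must refuse."""
    findings = []
    for name, mode, data in iter_newc(blob):
        reason = _path_escapes(name)
        if reason:
            findings.append((name, reason))
            continue
        if (mode & S_IFMT) == S_IFLNK:
            # A symlink target is relative to the link's own directory inside the tree.
            target = data.decode("utf-8", "replace")
            if _path_escapes(posixpath.join(posixpath.dirname(name), target)):
                findings.append((name, f"symlink target escapes: {target}"))
    return findings


# Constructed sample archive: two benign entries and three traversal attempts.
SAMPLE_ARCHIVE = build_newc([
    ("etc/config.txt", b"hostname=example\n", 0o100644),
    ("lib/../lib64/libc.so", b"", 0o100644),                   # normalises to lib64/libc.so: fine
    ("../../etc/passwd", b"root::0:0:::/bin/sh\n", 0o100644),  # classic ../ escape
    ("/usr/bin/busybox", b"", 0o100755),                       # absolute path
    ("bin/.profile", b"../../../../root/.profile", 0o120777),  # symlink pointing above the root
])

if __name__ == "__main__":
    for name, reason in unsafe_entries(SAMPLE_ARCHIVE):
        print(f"REFUSE {name!r}: {reason}")
```

The check is a gate, not a complete hardened extractor: a real extractor should additionally resolve each destination with a realpath-style call against the extraction root just before writing, because a symlink or hard link created by an earlier entry in the same archive can redirect a later, lexically harmless write. The name check shown here catches the `../` and absolute-path cases that the advisory's "directory traversal" wording describes.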

Evidence notes

This debrief is based on the supplied CISA CSAF republication of Siemens ProductCERT advisory SSA-089022 (ICSA-26-043-06). The source description states: 'An issue in the CPIO command of Busybox v1.33.2 allows attackers to execute a directory traversal.' The embedded revision history shows initial publication on 2026-01-28, a 2026-02-24 update that clarified only SINEC OS firmware is impacted, and a 2026-02-25 latest republication. The remediation field directs affected products to V3.3 or later.

Official resources

Publicly disclosed in the supplied CISA CSAF record on 2026-01-28 and republished through 2026-02-25 based on Siemens ProductCERT advisory SSA-089022.