PatchSiren cyber security CVE debrief
CVE-2024-47875 Siemens CVE debrief
CVE-2024-47875 is a critical issue published by CISA for Siemens COMOS, with the advisory description pointing to a DOMPurify nesting-based mXSS weakness. The source record ties the issue to Siemens COMOS V10.4, V10.4.5, V10.5, and V10.6 product lines, and lists fixed releases that should be deployed as soon as practical. Because the CVSS vector is network-reachable and requires no privileges or user interaction, this should be treated as a high-priority remediation item for any exposed COMOS deployment.
- Vendor
- Siemens
- Product
- COMOS V10.4
- CVSS
- CRITICAL 10
- CISA KEV
- Not listed in stored evidence
- Original CVE published
- 2025-12-09
- Original CVE updated
- 2026-03-12
- Advisory published
- 2025-12-09
- Advisory updated
- 2026-03-12
Who should care
Siemens COMOS administrators, OT/industrial engineering teams, application owners using COMOS, and vulnerability management teams responsible for engineering workstations or servers that host COMOS. Security teams should also review any integrations or web-facing services that rely on the affected COMOS deployment.
Technical summary
The advisory text describes a DOMPurify nesting-based mXSS condition, indicating a cross-site scripting sanitation flaw in a DOM-based HTML/SVG/MathML sanitization path. In the Siemens advisory context, CISA maps this to Siemens COMOS and lists affected product lines. The provided CVSS vector is CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:L/I:H/A:H, which indicates network attackability, low complexity, no privileges, no user interaction, and high integrity/availability impact with changed scope. The source revision history shows subsequent updates adding fixes for COMOS V10.4.5 and COMOS V10.6.
Defensive priority
Critical. The combination of network reachability, no privileges, no user interaction, and high impact makes this a priority patch for affected COMOS environments.
Recommended defensive actions
- Update Siemens COMOS to V10.4.5 or later for the V10.4 line, per the vendor remediation guidance.
- Update Siemens COMOS to V10.5.2 or later where that product line applies, per the vendor remediation guidance.
- Apply the latest Siemens ProductCERT guidance and confirm whether your deployment is among the affected COMOS versions listed in the advisory.
- Inventory any COMOS instances exposed to broader internal networks or shared engineering environments and prioritize them for remediation.
- Review compensating controls and apply CISA ICS recommended practices while patching is scheduled.
Evidence notes
Source corpus ties the CVE to Siemens COMOS via the CISA CSAF advisory ICSA-26-043-03 and Siemens ProductCERT SSA-212953 references. The advisory description itself references DOMPurify and a nesting-based mXSS condition, while the vendor/product context is Siemens COMOS; this should be treated as an advisory-context mapping rather than as a standalone DOMPurify package bulletin. Publication date used here is 2025-12-09, with later advisory updates on 2026-02-10 and 2026-03-10/2026-03-12 reflected in the supplied timeline.
Official resources
-
CVE-2024-47875 CVE record
CVE.org
-
CVE-2024-47875 NVD detail
NVD
-
Source item URL
cisa_csaf
-
Source reference
Reference
-
Source reference
Reference
-
Source reference
Reference
-
Source reference
Reference
-
Source reference
Reference
-
Source reference
Reference
-
Source reference
Reference
Public advisory published by CISA on 2025-12-09 and updated through 2026-03-12, based on Siemens ProductCERT advisory SSA-212953.