PatchSiren

PatchSiren cyber security CVE debrief

CVE-2025-0725 Siemens CVE debrief

CVE-2025-0725 is a high-severity memory-corruption issue in the libcurl/zlib handling path described by Siemens and CISA. In affected Siemens industrial products, automatic gzip decompression of HTTP content-encoded responses can trigger an attacker-controlled integer overflow and then a buffer overflow. Siemens and CISA provide update guidance for affected products; the remediation is to update to V3.3 or later.

Vendor: Siemens
Product: RUGGEDCOM RST2428P (6GK6242-6PA00)
CVSS: HIGH 7.3
CISA KEV: Not listed in stored evidence
Original CVE published: 2026-01-28
Original CVE updated: 2026-02-25
Advisory published: 2026-01-28
Advisory updated: 2026-02-25

Who should care

Operators and maintainers of Siemens industrial networking and OT devices listed in the advisory, especially environments running SINEC OS firmware on RUGGEDCOM RST2428P and related SCALANCE product lines. This matters most where devices may process untrusted HTTP traffic or rely on the affected libcurl/zlib combination.

Technical summary

The issue is described as occurring when libcurl is configured for automatic gzip decompression via CURLOPT_ACCEPT_ENCODING and is linked against zlib 1.2.0.3 or older. Under those conditions, an attacker-controlled integer overflow can cause libcurl to write beyond a buffer, creating a buffer overflow condition. The CVSS v3.1 vector supplied is AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L, which indicates network reachability, low attack complexity, no privileges required, and no user interaction.
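As an added defender-side triage check (not code from Siemens, CISA or the curl project), the following Python parses `curl -V` output and flags builds whose linked zlib is 1.2.0.3 or older, the version condition the advisory names. It assumes a standard curl CLI on PATH for the live check, which does not apply to the RUGGEDCOM firmware itself, and it cannot see whether an application enables CURLOPT_ACCEPT_ENCODING; the sample outputs are constructed.

```python
"""CVE-2025-0725 triage helper (added example; not Siemens, CISA or curl code).
Parses `curl -V` output and reports whether the build links zlib 1.2.0.3 or
older, the zlib version the advisory names as affected."""
import re
import subprocess
from typing import Optional, Tuple

AFFECTED_ZLIB_MAX = (1, 2, 0, 3)  # newest affected zlib release, inclusive

def parse_version(text: str) -> Tuple[int, ...]:
    """'1.2.13' -> (1, 2, 13); int tuples, unlike strings, rank 1.2.13 above 1.2.0.3."""
    return tuple(int(p) for p in re.findall(r"\d+", text))

def zlib_version_affected(version: str) -> bool:
    """True when the zlib version is 1.2.0.3 or older."""
    return parse_version(version) <= AFFECTED_ZLIB_MAX

def triage_curl_version_output(output: str) -> dict:
    """Classify the libcurl/zlib build described by `curl -V` text. Version is
    only half the trigger: the app must also enable automatic decompression
    (CURLOPT_ACCEPT_ENCODING), which is invisible here. No zlib, no gunzip."""
    libcurl = re.search(r"libcurl/(\S+)", output)
    zlib = re.search(r"\bzlib/(\S+)", output)
    feats = re.search(r"^Features:\s*(.*)$", output, re.MULTILINE)
    features = feats.group(1).split() if feats else []
    return {
        "libcurl_version": libcurl.group(1) if libcurl else None,
        "zlib_version": zlib.group(1) if zlib else None,
        "zlib_linked": zlib is not None or "libz" in features,
        "zlib_in_affected_range": zlib is not None and zlib_version_affected(zlib.group(1)),
    }

def triage_local_curl() -> Optional[dict]:
    """Triage the curl binary on PATH; None when there is none or it fails."""
    try:
        proc = subprocess.run(["curl", "-V"], capture_output=True, text=True, check=True)
    except (OSError, subprocess.CalledProcessError):
        return None
    return triage_curl_version_output(proc.stdout)

# Constructed sample `curl -V` outputs, not captured from any real device.
SAMPLE_MODERN = ("curl 8.5.0 (x86_64-pc-linux-gnu) libcurl/8.5.0 OpenSSL/3.0.13 zlib/1.3\n"
                 "Features: HTTPS-proxy IPv6 Largefile libz SSL\n")
SAMPLE_OLD_ZLIB = ("curl 7.19.7 (arm-linux-gnueabi) libcurl/7.19.7 OpenSSL/0.9.8 zlib/1.2.0.3\n"
                   "Features: IPv6 Largefile libz SSL\n")
if __name__ == "__main__":
    for name, out in (("modern", SAMPLE_MODERN), ("old-zlib", SAMPLE_OLD_ZLIB)):
        print(name, triage_curl_version_output(out))
    print("local", triage_local_curl())
```

A "zlib_in_affected_range" result of True only says the version precondition holds; whether the device's software actually requests automatic decompression has to come from the vendor advisory.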

Defensive priority

High

Recommended defensive actions

  • Apply the Siemens remediation and update affected devices to V3.3 or later.
  • Inventory Siemens products against the advisory’s affected product list and verify whether SINEC OS firmware is in use.
  • Reduce exposure of affected OT devices by segmenting networks and limiting unnecessary HTTP access to managed interfaces.
  • Follow CISA industrial control system defense-in-depth and recommended practices while patching is being planned or deployed.

Evidence notes

Source evidence comes from CISA CSAF advisory ICSA-26-043-06 and Siemens ProductCERT advisory SSA-089022. The supplied advisory text states that automatic gzip decompression of content-encoded HTTP responses with CURLOPT_ACCEPT_ENCODING, using zlib 1.2.0.3 or older, can lead to an attacker-controlled integer overflow and buffer overflow. The remediation field recommends updating to V3.3 or later for the affected product sets. CISA published the advisory on 2026-01-28 and republished/updated it on 2026-02-12, 2026-02-24, and 2026-02-25.

Official resources

CVE-2025-0725 was published on 2026-01-28 and later updated by CISA on 2026-02-12, 2026-02-24, and 2026-02-25 based on Siemens ProductCERT advisory SSA-089022. The underlying issue is tied to Siemens advisory coverage for multiple;