PatchSiren cyber security CVE debrief
CVE-2025-1390 Siemens CVE debrief
CVE-2025-1390 is a local privilege-escalation issue in the libcap PAM module pam_cap.so as described in Siemens and CISA advisories. In affected Siemens industrial products, parsing of /etc/security/capability.conf can incorrectly treat entries that do not start with “@” as group names, which may cause unintended users to inherit capabilities. Siemens’ remediation is to update to V3.3 or later for impacted products.
- Vendor: Siemens
- Product: RUGGEDCOM RST2428P (6GK6242-6PA00)
- CVSS: MEDIUM 6.1
- CISA KEV: Not listed in stored evidence
- Original CVE published: 2026-01-28
- Original CVE updated: 2026-02-25
- Advisory published: 2026-01-28
- Advisory updated: 2026-02-25
Who should care
OT/ICS operators, Siemens product administrators, and Linux/system administrators responsible for affected RUGGEDCOM and SCALANCE deployments that use pam_cap and /etc/security/capability.conf.
Technical summary
The advisory states that pam_cap.so supports group names starting with “@”, but during actual parsing, configuration entries that do not start with “@” are also incorrectly recognized as group names. If capability.conf is used to assign inheritable capabilities, this parsing error can grant an unintended user an inherited capability set. The reported impact is local privilege escalation with CVSS 3.1 vector AV:L/AC:L/PR:L/UI:N/S:U/C:L/I:H/A:N (6.1 Medium).
Defensive priority
Medium to high for affected Siemens OT/Linux systems: the attack is local, but the impact includes privilege escalation and the issue affects privilege-handling configuration.
Recommended defensive actions
- Update affected Siemens products to V3.3 or later, per the vendor remediation guidance.
- Review any use of /etc/security/capability.conf and verify that privilege assignments only apply to intended users and groups.
- Limit local access and privileged shell access on affected systems until remediation is complete.
- Confirm whether the deployed firmware/product version is within the affected Siemens product list, especially after CISA’s later product-scope clarifications.
- Use defense-in-depth and least-privilege controls so a configuration parsing error cannot broadly elevate user capabilities.
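To support the review of /etc/security/capability.conf recommended above, here is an added audit script (not Siemens or libcap code) that parses the file and flags user entries whose bare name is also a group name, since the misparse described in the technical summary would hand such an entry's capability set to every group member. The file contents and the group table are constructed samples.

```python
"""Audit a capability.conf for entries the pam_cap.so parsing flaw above could
misapply. Constructed example, not Siemens or libcap code."""

# Constructed sample of /etc/security/capability.conf: "<caps> <target>",
# where target is a user name, "@group" or "*".
SAMPLE_CONF = """\
# constructed sample
cap_net_raw,cap_net_admin   @netops
cap_sys_time                ntp
cap_setuid,cap_setgid       ops
none                        *
"""

# Constructed group table (what /etc/group would give): group -> members.
SAMPLE_GROUPS = {
    "netops": {"alice", "bob"},
    "ntp": {"ntp"},
    "ops": {"carol", "dave", "erin"},
}

def parse_capability_conf(text):
    """Return (line_no, caps, target) tuples, skipping comments and blanks."""
    entries = []
    for n, raw in enumerate(text.splitlines(), 1):
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        parts = line.split()
        if len(parts) != 2:
            raise ValueError(f"line {n}: expected '<caps> <target>'")
        entries.append((n, parts[0], parts[1]))
    return entries

def audit(entries, groups):
    """Flag user entries whose bare name is also a group name; a parser that
    treats it as a group grants the caps to every member, not only the user."""
    findings = []
    for line_no, caps, target in entries:
        if caps == "none" or target == "*" or target.startswith("@"):
            continue  # explicit group, wildcard or empty set: intent is clear
        unintended = sorted(groups.get(target, set()) - {target})
        if unintended:
            findings.append((line_no, target, caps, unintended))
    return findings

if __name__ == "__main__":
    for line_no, target, caps, members in audit(
            parse_capability_conf(SAMPLE_CONF), SAMPLE_GROUPS):
        print(f"line {line_no}: '{target}' is also a group; {caps} could reach {members}")
```

On a live host, replace SAMPLE_CONF with the real file contents and build the group table from /etc/group (or the grp module) before calling audit.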
Evidence notes
Primary source material is Siemens ProductCERT advisory SSA-089022 and CISA’s ICSA-26-043-06 republication. The supplied advisory text explicitly says pam_cap.so misparses capability.conf entries, potentially granting unintended inherited capabilities and enabling local privilege escalation. The remediation text in the source corpus specifies updating to V3.3 or later. CISA’s revision history shows the advisory was initially published on 2026-01-28 and updated through 2026-02-25, including scope clarifications for affected Siemens products.
Official resources
- CVE-2025-1390 CVE record (CVE.org)
- CVE-2025-1390 NVD detail (NVD)
- Source item: cisa_csaf
Public advisory release date: 2026-01-28. CISA republished the Siemens advisory and later updated it on 2026-02-25. The issue concerns a libcap PAM parsing flaw in pam_cap.so that can affect Siemens industrial products using capability.conf.