PatchSiren cyber security CVE debrief
CVE-2025-1501 Siemens CVE debrief
An access control vulnerability in the Request Trace and Download Trace functionalities of CMC before 25.1.0 allows authenticated users with limited privileges to request and download trace files due to improper access restrictions, potentially exposing unauthorized network data. The vulnerability was published on 2025-08-12 and last modified on 2026-01-14. Siemens has released a vendor fix in version 25.4.0 of Nozomi Guardian / CMC.
- Vendor: Siemens
- Product: RUGGEDCOM APE1808
- CVSS: MEDIUM 4.3
- CISA KEV: Not listed in stored evidence
- Original CVE published: 2025-08-12
- Original CVE updated: 2026-01-14
- Advisory published: 2025-08-12
- Advisory updated: 2026-01-14
Who should care
Organizations operating Siemens RUGGEDCOM APE1808 devices with CMC versions prior to 25.1.0, particularly those in industrial control system (ICS) environments where network trace data may contain sensitive operational information. Security teams responsible for access control policies and OT network segmentation should prioritize this fix.
Technical summary
The vulnerability exists in the Request Trace and Download Trace functionalities of CMC (Central Management Console) versions prior to 25.1.0. A specific access restriction is not properly enforced for users with limited privileges, allowing authenticated users to request and download trace files that may contain unauthorized network data. The attack vector is network-based with low attack complexity, requiring low privileges and no user interaction. The confidentiality impact is low with no integrity or availability impact.
Defensive priority
medium
Recommended defensive actions
- Upgrade Nozomi Guardian / CMC to V25.4.0. The upgrade may produce errors when run from the Web GUI, so using the CLI is recommended. Contact customer support to receive patch and update information.
- Use internal firewall features to limit access to the web management interface.
- Follow CISA ICS recommended practices for defense in depth and network segmentation.
Evidence notes
The vulnerability affects RUGGEDCOM APE1808 with CMC before 25.1.0. CISA republished the Siemens ProductCERT SSA-978177 advisory on 2026-01-14. The CVSS 3.1 vector is AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N with a score of 4.3 (MEDIUM).
Official resources
- CVE-2025-1501 CVE record (CVE.org)
- CVE-2025-1501 NVD detail (NVD)
- Source item URL (cisa_csaf)
2025-08-12