PatchSiren

CVE-2025-23365 Siemens CVE debrief

CVE-2025-23365 is a high-severity vulnerability in Siemens TIA Administrator that can let a low-privileged user trigger installations by overwriting cache files and modifying the downloads path. According to the CISA CSAF advisory and Siemens reference materials, that behavior can be abused to escalate privileges and execute arbitrary code. Siemens advises updating to version V3.0.6 or later. The advisory was published on 2025-07-08. There is no evidence in the supplied corpus that this issue is in CISA KEV or associated with a known ransomware campaign.

Vendor: Siemens
Product: TIA Administrator
CVSS: HIGH 7.8
CISA KEV: Not listed in stored evidence
Original CVE published: 2025-07-08
Original CVE updated: 2025-07-08
Advisory published: 2025-07-08
Advisory updated: 2025-07-08

Who should care

Organizations that use Siemens TIA Administrator, especially engineering workstations, shared local-user systems, and OT/ICS environments. Security teams should also care if the software is present on endpoints where low-privileged users can log in or influence local files and paths.

Technical summary

The supplied advisory describes a local-privilege scenario in which a low-privileged user can overwrite cache files and modify the downloads path to trigger installations. That can lead to privilege escalation and arbitrary code execution. The CVSS vector provided is CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H, with a score of 7.8 (High), indicating a local attack that requires low privileges but no user interaction and can have severe confidentiality, integrity, and availability impact.

Defensive priority

High for any environment running Siemens TIA Administrator, particularly where non-administrative users have local access or where engineering workstations are shared. Prioritize patching before broadening use of the affected system.

Recommended defensive actions

  • Update Siemens TIA Administrator to V3.0.6 or later.
  • Review where TIA Administrator is installed and confirm which hosts are exposed to low-privileged local users.
  • Restrict local logon and file-system access on affected systems where practical.
  • Monitor for unexpected installation activity, cache-file tampering, or unauthorized changes to the downloads path.
  • Use the CISA and Siemens advisory references to validate remediation status and deployment timing.
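
One way to check the file-system exposure behind the third and fourth actions is to list every ACL entry that lets a non-administrative principal write to the cache and downloads directories. This is an added example, not code from Siemens or CISA; the page does not give the directory locations, so they are passed in as a parameter, and the trusted-principal list is an assumption to adjust per site.

```powershell
# Added example: report Allow ACEs that give write-type access on installer-consumed
# directories to principals outside a trusted list. Paths are supplied by the caller.
param(
    [Parameter(Mandatory)]
    [string[]]$Path   # cache and downloads directories on the host being audited
)

# Assumption: only these principals should be able to write to the directories.
$trusted = @('NT AUTHORITY\SYSTEM', 'BUILTIN\Administrators', 'NT SERVICE\TrustedInstaller')

# Rights that allow creating, overwriting, deleting or re-permissioning content.
$writeMask = [int]([System.Security.AccessControl.FileSystemRights]'WriteData, AppendData, Delete, DeleteSubdirectoriesAndFiles, ChangePermissions, TakeOwnership')
# Inherit-only ACEs can surface as raw generic rights: GENERIC_WRITE, GENERIC_ALL.
$genericMask = 0x40000000 -bor 0x10000000

foreach ($p in $Path) {
    if (-not (Test-Path -LiteralPath $p)) {
        Write-Warning "Not found: $p"
        continue
    }
    # Audit the directory itself and everything below it.
    $items = @(Get-Item -LiteralPath $p -Force) +
             @(Get-ChildItem -LiteralPath $p -Recurse -Force -ErrorAction SilentlyContinue)
    foreach ($item in $items) {
        $acl = Get-Acl -LiteralPath $item.FullName
        foreach ($ace in $acl.Access) {
            $rights   = [int]$ace.FileSystemRights
            $canWrite = ($rights -band ($writeMask -bor $genericMask)) -ne 0
            $identity = $ace.IdentityReference.Value
            if ($ace.AccessControlType -eq 'Allow' -and $canWrite -and
                $trusted -notcontains $identity) {
                [pscustomobject]@{
                    Path      = $item.FullName
                    Identity  = $identity
                    Rights    = $ace.FileSystemRights
                    Inherited = $ace.IsInherited
                }
            }
        }
    }
}
```

Saved under a hypothetical name such as Get-WritableInstallerPaths.ps1, it is run with `-Path` set to the two directories; any row naming a group that ordinary local users belong to marks a location to tighten or monitor until the host is on V3.0.6 or later.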

Evidence notes

All core facts in this debrief are drawn from the supplied CISA CSAF advisory ICSA-25-191-03 and its Siemens references: low-privileged users can overwrite cache files and modify the downloads path to trigger installations, leading to privilege escalation and arbitrary code execution. The supplied corpus also provides the CVSS score/vector and the remediation to update to V3.0.6 or later. No KEV listing, ransomware linkage, or affected-version range beyond the remediation version is stated in the supplied source set.

Official resources

Publicly disclosed on 2025-07-08 in CISA advisory ICSA-25-191-03 and the corresponding Siemens security advisory for TIA Administrator.