PatchSiren cyber security CVE debrief
CVE-2025-25252 Siemens CVE debrief
CVE-2025-25252 was publicly disclosed in a CISA CSAF advisory on 2025-02-11 and carries a CVSS 3.1 score of 4.8 (MEDIUM). The source record describes an insufficient session expiration issue that could let a remote attacker reuse a SAML record to access or reopen a terminated session. Because the supplied corpus also contains a product/description mismatch, teams should verify the Siemens advisory and the exact affected asset before applying remediation.
- Vendor: Siemens
- Product: RUGGEDCOM APE1808
- CVSS: MEDIUM 4.8
- CISA KEV: Not listed in stored evidence
- Original CVE published: 2025-02-11
- Original CVE updated: 2026-03-12
- Advisory published: 2025-02-11
- Advisory updated: 2026-03-12
Who should care
Siemens RUGGEDCOM APE1808 operators, OT/ICS administrators, and security teams responsible for remote access, SAML identity flows, and session lifecycle controls.
Technical summary
The source advisory classifies the issue as CWE-613 (Insufficient Session Expiration). In the supplied record, exploitation requires possession of a user session's SAML record and may allow a remote attacker to access or reopen that session after it was terminated, including cases where an account was removed. The record’s CVSS vector is AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:L/A:N. The corpus also contains an internal inconsistency: the affected product tree names Siemens RUGGEDCOM APE1808, while the vulnerability narrative references FortiOS SSL VPN; this should be verified against the official Siemens/CISA advisory before remediation.
Defensive priority
Medium; prioritize if the affected system is used for remote access or if session/SAML records may be exposed or retained longer than intended.
Recommended defensive actions
- Confirm whether your deployed Siemens RUGGEDCOM APE1808 assets are actually covered by the advisory before taking action.
- Review and shorten session lifetime and invalidation behavior for any SAML-backed remote-access workflows.
- Invalidate active sessions and rotate or revoke associated authentication artifacts when accounts are removed or access is terminated.
- Apply the vendor-provided fix or update path only after verifying it matches the Siemens advisory and your device model.
- Monitor for unexpected session reuse or authentication events tied to recently terminated accounts.
- Use CISA and Siemens advisory pages to confirm the latest revision history and any updated mitigation guidance.
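The session-lifetime, revoke-on-removal and session-reuse monitoring items above can be shown in one place. The following is an added illustration written for this debrief, not code from Siemens, RUGGEDCOM, FortiOS or CISA: a hypothetical server-side session store for a SAML-backed remote-access service that enforces idle and absolute expiry, rejects a re-presented SAML assertion, terminates every session of a removed account, and a small detector that flags authentication events tied to recently removed accounts in constructed log lines. Timeout values, event names and log format are assumptions.

```python
"""Session lifecycle controls for CWE-613 (Insufficient Session Expiration).

Hypothetical relying-party session store plus a log detector. Not vendor code;
policy values and log format are assumed for illustration.
"""
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone
from typing import Dict, List, Optional, Set

IDLE_TIMEOUT = timedelta(minutes=15)   # assumed policy values
ABSOLUTE_TIMEOUT = timedelta(hours=8)


@dataclass
class Session:
    session_id: str
    user: str
    assertion_id: str   # SAML assertion that opened the session
    created: datetime
    last_seen: datetime
    terminated: bool = False


class SessionStore:
    def __init__(self) -> None:
        self.sessions: Dict[str, Session] = {}
        self.seen_assertions: Set[str] = set()   # replay cache for assertion IDs
        self.removed_accounts: Set[str] = set()

    def create(self, user: str, assertion_id: str, now: datetime) -> Optional[str]:
        # One SAML assertion opens exactly one session; presenting it again is
        # refused, as is any login for an account that has been removed.
        if assertion_id in self.seen_assertions or user in self.removed_accounts:
            return None
        self.seen_assertions.add(assertion_id)
        sid = f"sess-{len(self.sessions) + 1}"
        self.sessions[sid] = Session(sid, user, assertion_id, now, now)
        return sid

    def validate(self, sid: str, now: datetime) -> bool:
        # Expiry is decided server-side from stored timestamps, never from the client.
        s = self.sessions.get(sid)
        if s is None or s.terminated:
            return False
        if now - s.created > ABSOLUTE_TIMEOUT or now - s.last_seen > IDLE_TIMEOUT:
            s.terminated = True
            return False
        s.last_seen = now
        return True

    def remove_account(self, user: str) -> None:
        # Removing an account revokes every session it holds immediately.
        self.removed_accounts.add(user)
        for s in self.sessions.values():
            if s.user == user:
                s.terminated = True


def flag_post_termination_auth(log_lines: List[str],
                               window: timedelta = timedelta(hours=24)) -> List[str]:
    """Return auth/resume lines for users removed within `window` before the event."""
    removed_at: Dict[str, datetime] = {}
    findings: List[str] = []
    for line in log_lines:
        ts_str, event, *kv = line.split()
        ts = datetime.fromisoformat(ts_str.replace("Z", "+00:00"))
        fields = dict(p.split("=", 1) for p in kv)
        if event == "account_removed":
            removed_at[fields["user"]] = ts
        elif event in ("auth_success", "session_resume"):
            t = removed_at.get(fields["user"])
            if t is not None and t <= ts <= t + window:
                findings.append(line)
    return findings


# Constructed sample log lines (not real device output).
SAMPLE_LOG = [
    "2025-02-11T10:00:00Z auth_success user=carol session=sess-7",
    "2025-02-11T10:30:00Z account_removed user=carol",
    "2025-02-11T11:05:00Z session_resume user=carol session=sess-7",
    "2025-02-11T11:10:00Z auth_success user=dave session=sess-8",
]


def demo() -> Dict[str, bool]:
    now = datetime(2025, 2, 11, 9, 0, tzinfo=timezone.utc)
    store = SessionStore()
    sid = store.create("alice", "_assertion-1", now)
    replay = store.create("alice", "_assertion-1", now)          # same assertion again
    ok_before = store.validate(sid, now + timedelta(minutes=5))
    store.remove_account("alice")
    ok_after = store.validate(sid, now + timedelta(minutes=6))    # reopened after removal?
    sid2 = store.create("bob", "_assertion-2", now)
    idle = store.validate(sid2, now + timedelta(minutes=20))      # past idle timeout
    return {
        "replay_rejected": replay is None,
        "valid_before_removal": ok_before,
        "valid_after_removal": ok_after,
        "idle_expired_session_valid": idle,
    }


if __name__ == "__main__":
    print(demo())
    print(flag_post_termination_auth(SAMPLE_LOG))
```

The store keeps all state server-side, so a client that retains a SAML assertion or session identifier gains nothing once the account is removed or the timers lapse; the detector is the monitoring counterpart, surfacing any successful authentication or resume that follows an `account_removed` event for the same user.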
Evidence notes
Evidence is drawn from the supplied CISA CSAF source item for ICSA-25-044-06 and the linked Siemens ProductCERT advisory references. The record shows initial publication on 2025-02-11 and a republication update on 2026-03-12. The corpus also includes a notable mismatch: the affected product tree is Siemens RUGGEDCOM APE1808, but the vulnerability description mentions FortiOS SSL VPN, and the remediation text references Fortigate NGFW 7.4.7; these inconsistencies are flagged for verification rather than treated as settled product facts.
Official resources
- CVE-2025-25252 CVE record (CVE.org)
- CVE-2025-25252 NVD detail (NVD)
- Source item URL (cisa_csaf)
- Source reference (Reference)
Publicly disclosed by CISA in ICSA-25-044-06 on 2025-02-11; source record republished on 2026-03-12. No KEV listing was provided in the source corpus.