PatchSiren cyber security CVE debrief
CVE-2025-25267 Siemens CVE debrief
CVE-2025-25267 affects Siemens Tecnomatix Plant Simulation V2302 and V2404. According to the vendor and CISA advisory, the application does not properly restrict the scope of files accessible to the simulation model, which can expose confidential system data to an unauthorized attacker. CISA published the advisory on 2025-03-11 and later revised it on 2025-05-06 for typo fixes.
- Vendor: Siemens
- Product: Tecnomatix Plant Simulation V2302
- CVSS: MEDIUM 6.2
- CISA KEV: Not listed in stored evidence
- Original CVE published: 2025-03-11
- Original CVE updated: 2025-05-06
- Advisory published: 2025-03-11
- Advisory updated: 2025-05-06
Who should care
Organizations using Siemens Tecnomatix Plant Simulation V2302 or V2404, especially in environments where simulation models may access sensitive local files or shared data, should prioritize this issue.
Technical summary
The advisory describes an access-control weakness in which the simulation model can reach files beyond its intended scope. The supplied CVSS vector (CVSS:3.1/AV:L/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N) indicates a local attack with no privileges or user interaction required and a primary confidentiality impact. The affected products are Tecnomatix Plant Simulation V2302 and V2404, with vendor remediation to V2302.0021 or later and V2404.0010 or later.
Defensive priority
Medium
Recommended defensive actions
- Update Tecnomatix Plant Simulation V2302 to version 2302.0021 or later, and V2404 to version 2404.0010 or later.
- Review simulation model file access paths and permissions to ensure models can only access the minimum required files.
- Apply Siemens and CISA industrial control system defense-in-depth guidance where the product is deployed.
Evidence notes
All substantive claims in this debrief are drawn from the supplied CISA CSAF advisory ICSA-25-072-08 and the Siemens ProductCERT references listed in the source item. The affected products, description, remediation versions, CVSS vector, publication date, and revision history are taken from the provided corpus. No KEV listing was provided for this CVE.
Official resources
- CVE-2025-25267 CVE record (CVE.org)
- CVE-2025-25267 NVD detail (NVD)
- Source item URL (cisa_csaf)
- Source reference
CISA published the advisory for CVE-2025-25267 on 2025-03-11 and revised it on 2025-05-06 for typo fixes. The supplied enrichment indicates this CVE is not on CISA KEV.