PatchSiren cyber security CVE debrief

CVE-2025-27127 Siemens CVE debrief

CVE-2025-27127 is a medium-severity Siemens issue affecting TIA Project-Server and multiple TIA Portal versions. A user with contributor privileges can upload a malicious project into the document root and trigger a denial of service. Siemens and CISA published the advisory on 2025-07-08, with CISA noting a later update on 2025-08-12 that added a fix note for TIA Portal V19 Update 4.

Vendor: Siemens
Product: TIA Project-Server
CVSS: MEDIUM 4.3
CISA KEV: Not listed in stored evidence
Original CVE published: 2025-07-08
Original CVE updated: 2025-08-12
Advisory published: 2025-07-08
Advisory updated: 2025-08-12

Who should care

Administrators and operators of Siemens TIA Project-Server or TIA Portal deployments, especially environments that allow contributor-level project uploads or expose project management interfaces to trusted-but-broad internal users.

Technical summary

The vulnerability is improper handling of uploaded projects in the document root. Exploitation requires contributor privileges and no user interaction. According to the supplied CVSS vector (AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:L), the only impact is on availability, consistent with a service disruption rather than code execution or data compromise. The source corpus identifies affected products across TIA Project-Server and TIA Portal V17/V18/V19/V20, with vendor remediation varying by product line.

Defensive priority

Medium. The issue is network-reachable and low-privilege, but the impact is limited to availability and the vendor guidance indicates product-specific remediation paths, including some versions with no fix planned.

Recommended defensive actions

  • Review whether contributor roles can upload projects into the document root and restrict that capability to the minimum necessary users.
  • Apply Siemens remediation for affected versions that have fixes: TIA Project-Server V2.1.1 or later, TIA Portal V19 Update 4 or later, and TIA Portal V20 Update 3 or later.
  • For versions listed as having no fix planned in the advisory, plan compensating controls such as tighter role separation, upload restrictions, and service hardening.
  • Monitor the affected service for abnormal crashes or repeated upload-related failures that could indicate attempted disruption.
  • Validate exposure using the Siemens advisory and CISA bulletin to confirm which deployed product versions are in scope.

Evidence notes

The description and affected-product mapping come from the supplied CISA CSAF source item and its linked Siemens advisory. The advisory states: 'The affected application improperly handles uploaded projects in the document root. This could allow an attacker with contributor privileges to cause denial of service by uploading a malicious project.' The source corpus lists affected products as TIA Project-Server, TIA Project-Server V17, and TIA Portal V17/V18/V19/V20. Remediation in the corpus is product-specific: no fix planned for TIA Project-Server V17, TIA Portal V17, and TIA Portal V18; fixes are available for TIA Project-Server V2.1.1+, TIA Portal V19 Update 4+, and TIA Portal V20 Update 3+. The supplied CVSS vector indicates network access, low privileges, no user interaction, and availability impact only.

Official resources

Publicly disclosed on 2025-07-08 in Siemens advisory SSA-460466 and CISA ICS advisory ICSA-25-191-05. The supplied source revision history shows a later update on 2025-08-12 adding a fix note for TIA Portal V19 Update 4.