PatchSiren cyber security CVE debrief
CVE-2025-27397 Siemens CVE debrief
CVE-2025-27397 affects Siemens SCALANCE LPE9403 (6GK5998-3GS00-2AC2) and is described by CISA as a log path handling weakness. The advisory states that user-controlled paths used to write logs and read them back are not properly limited. As a result, an authenticated, highly privileged remote attacker could read and write arbitrary files on the filesystem if the malicious path ends with "log". The advisory was published on 2025-03-11 and later revised on 2025-05-06 for typo fixes; the underlying risk remains the same. Siemens lists firmware update to V4.0 or later as the remediation.
- Vendor: Siemens
- Product: SCALANCE LPE9403 (6GK5998-3GS00-2AC2)
- CVSS: LOW 3.8
- CISA KEV: Not listed in stored evidence
- Original CVE published: 2025-03-11
- Original CVE updated: 2025-05-06
- Advisory published: 2025-03-11
- Advisory updated: 2025-05-06
Who should care
Operators and administrators of the affected Siemens SCALANCE LPE9403 device, especially OT/ICS teams that manage privileged remote access or depend on device logging behavior. Asset owners should also review which accounts can authenticate to the device with high privileges.
Technical summary
This is a path restriction failure in the device’s log read/write handling. Because the application does not sufficiently constrain user-controlled paths, a privileged authenticated remote actor may be able to direct log operations at unintended filesystem locations. The source description limits the condition to paths ending in "log", but still notes potential arbitrary file read/write impact. The supplied CVSS vector is CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:L/I:L/A:N (3.8, low).
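To make the weakness class concrete from a defender's side, the following is an added example written for this debrief; it is not Siemens firmware code and is not taken from the advisory. It contrasts a suffix-only check (accept anything whose name ends in "log", the pattern the advisory describes) with a confined check that anchors the path to a fixed log directory, normalizes `..` and absolute-path components, resolves symlinks and re-checks containment before opening the file. `LOG_ROOT`, the file names and the sample paths are constructed for the demonstration.

```python
"""Added example (constructed, not the device's code): suffix-only vs confined log path handling."""
import os
import posixpath
import tempfile
from typing import Optional

# Assumed log directory for the demonstration; any fixed, non-user-controlled root works.
LOG_ROOT = "/var/log/app"


def weak_is_log_path(user_path: str) -> bool:
    """Models the weakness class: only the suffix is inspected, so relative
    traversal components and absolute paths are never rejected."""
    return user_path.endswith("log")


def confine_log_path(user_path: str, root: str = LOG_ROOT) -> Optional[str]:
    """String-level confinement.

    Joins the user-supplied name under `root`, normalizes the result and
    requires it to still sit strictly inside `root` and to name a '.log' file.
    Returns the normalized absolute path, or None if the input is rejected.
    """
    if not user_path or "\x00" in user_path:
        return None
    # posixpath.join discards `root` when user_path is absolute; normpath then
    # collapses '..' and duplicate separators, so the prefix test below sees the
    # path the filesystem would actually act on.
    normalized = posixpath.normpath(posixpath.join(root, user_path))
    root_norm = posixpath.normpath(root)
    if not normalized.startswith(root_norm + "/"):
        return None  # escaped the log directory (traversal or absolute path)
    if not normalized.endswith(".log") or posixpath.basename(normalized) == ".log":
        return None  # not a log file name
    return normalized


def read_confined_log(user_path: str, root: str = LOG_ROOT) -> Optional[str]:
    """Filesystem-level confinement on top of the string check.

    A symlink placed inside the log directory whose name ends in '.log' would
    pass the string check, so the real (symlink-free) path is re-checked for
    containment before the file is opened.
    """
    confined = confine_log_path(user_path, root)
    if confined is None:
        return None
    real = os.path.realpath(confined)
    real_root = os.path.realpath(root)
    if os.path.commonpath([real, real_root]) != real_root:
        return None  # symlink points outside the log directory
    if not os.path.isfile(real):
        return None
    with open(real, "r", encoding="utf-8") as fh:
        return fh.read()


def demo_symlink_escape():
    """Builds a constructed log directory with one real log file and one
    symlink (ending in '.log') that points outside it, then reads both.
    Returns (contents_of_real_log, result_for_symlink)."""
    with tempfile.TemporaryDirectory() as tmp:
        root = os.path.join(tmp, "logroot")
        os.mkdir(root)
        outside = os.path.join(tmp, "outside.txt")
        with open(outside, "w", encoding="utf-8") as fh:
            fh.write("outside data")
        with open(os.path.join(root, "device.log"), "w", encoding="utf-8") as fh:
            fh.write("device log")
        os.symlink(outside, os.path.join(root, "escape.log"))
        return read_confined_log("device.log", root), read_confined_log("escape.log", root)


if __name__ == "__main__":
    # Constructed sample inputs: the suffix check accepts a traversal path, the
    # confined check rejects it and only admits names inside LOG_ROOT.
    print(weak_is_log_path("../../config/settings.log"))   # True: weakness class
    print(confine_log_path("../../config/settings.log"))   # None: rejected
    print(confine_log_path("device.log"))                  # /var/log/app/device.log
    print(demo_symlink_escape())                           # ('device log', None)
```

The design point is that the suffix test and the containment test answer different questions: the first asks what the name looks like, the second asks where the operation will land. Only the second bounds what a privileged caller can read or write, which is the property the advisory says was missing.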
Defensive priority
Low to moderate. The CVSS score is low and exploitation requires authenticated, high-privilege remote access, but the impact includes arbitrary file read/write on an OT device. Prioritize remediation if the device is remotely administered, exposed across trust boundaries, or used in environments where privileged accounts are shared.
Recommended defensive actions
- Update Siemens SCALANCE LPE9403 to V4.0 or later, per Siemens remediation guidance.
- Restrict remote access to the device’s management interfaces to only necessary administrators and trusted networks.
- Review privileged accounts and remove unnecessary high-privilege access to the device.
- Audit log configuration and filesystem permissions so user-controlled paths cannot affect unintended files.
- Validate deployed firmware against the fixed version and track any Siemens or CISA advisory updates.
Evidence notes
The supplied CISA CSAF advisory ICSA-25-072-06 states that affected devices do not properly limit user-controlled paths to which logs are written and from where they are read, enabling read/write of arbitrary files when the malicious path ends with "log". The same source identifies Siemens SCALANCE LPE9403 (6GK5998-3GS00-2AC2) as the affected product and lists remediation as updating to V4.0 or later. Timeline fields show publication on 2025-03-11 and a later revision on 2025-05-06 that fixed typos. No CISA KEV date is present in the supplied data.
Official resources
- CVE-2025-27397 CVE record (CVE.org)
- CVE-2025-27397 NVD detail (NVD)
- Source item URL (cisa_csaf)
Publicly disclosed through CISA CSAF on 2025-03-11 (ICSA-25-072-06) with a later 2025-05-06 revision for typo fixes. The supplied data does not list a CISA KEV entry.