PatchSiren cyber security CVE debrief
CVE-2025-27398 Siemens CVE debrief
CVE-2025-27398 affects Siemens SCALANCE LPE9403. Siemens and CISA describe a path handling issue where special characters are not properly neutralized when interpreting user-controlled log paths. In the reported scenario, an authenticated, highly privileged remote attacker could leverage the flaw to execute a limited set of binaries already present on the device. CISA rates the issue LOW with CVSS 2.7, and the advisory was first published on 2025-03-11; the 2025-05-06 update is a revision that fixes typos, not a new vulnerability disclosure.
- Vendor: Siemens
- Product: SCALANCE LPE9403 (6GK5998-3GS00-2AC2)
- CVSS: LOW 2.7
- CISA KEV: Not listed in stored evidence
- Original CVE published: 2025-03-11
- Original CVE updated: 2025-05-06
- Advisory published: 2025-03-11
- Advisory updated: 2025-05-06
Who should care
OT and ICS operators using Siemens SCALANCE LPE9403 (6GK5998-3GS00-2AC2), especially teams that administer the device remotely or allow highly privileged authenticated access. Asset owners, OT security engineers, and patch management teams should review exposure and upgrade plans.
Technical summary
The advisory states that affected devices do not properly neutralize special characters when interpreting user-controlled log paths. That weakness can let a remote attacker with authentication and high privileges influence path interpretation enough to run a limited set of binaries already on the filesystem. The CVSS vector provided is AV:N/AC:L/PR:H/UI:N/S:U/C:N/I:L/A:N, which aligns with the advisory’s limited integrity impact and lack of confidentiality or availability impact.
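To make the weakness class concrete, here is an added illustration of how a user-controlled log path can be neutralized before it reaches anything that executes a program. This is example code written for this debrief, not the SCALANCE LPE9403 firmware's code; the base directory, the character allowlist and the `tail` command are assumptions.

```python
import os
import re

# Assumed base directory for log files (placeholder, not from the advisory).
LOG_BASE = "/var/log/app"

# Conservative allowlist for a log path: letters, digits, dot, underscore,
# hyphen and slash. Shell metacharacters, whitespace, quotes and NUL are
# rejected outright rather than escaped, which is the simplest way to
# "neutralize" them.
_SAFE_PATH = re.compile(r"^[A-Za-z0-9._/-]+$")


def neutralize_log_path(user_path: str, base_dir: str = LOG_BASE) -> str:
    """Return a canonical path inside base_dir, or raise ValueError."""
    if not user_path or not _SAFE_PATH.match(user_path):
        raise ValueError("log path contains disallowed characters")
    # Resolve '..' and symlinks so containment is checked on the real path.
    base = os.path.realpath(base_dir)
    candidate = os.path.realpath(os.path.join(base, user_path.lstrip("/")))
    if os.path.commonpath([base, candidate]) != base:
        raise ValueError("log path escapes the log directory")
    return candidate


def is_safe_log_path(user_path: str, base_dir: str = LOG_BASE) -> bool:
    """Boolean wrapper around neutralize_log_path for callers and tests."""
    try:
        neutralize_log_path(user_path, base_dir)
        return True
    except ValueError:
        return False


def build_tail_command(user_path: str) -> list:
    """Build an argv list (no shell) that reads a validated log file.

    The path is passed as a single argument and never parsed by a shell,
    so characters that a shell would treat specially cannot turn the
    request into the execution of some other binary on the device.
    """
    safe = neutralize_log_path(user_path)
    return ["/usr/bin/tail", "-n", "50", "--", safe]
```

The two controls are independent: the allowlist and containment check reject hostile input, and the argv-style invocation means that even a path that slipped through would still be treated as data rather than as shell syntax.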
Defensive priority
Low. This is a real product flaw with remote authenticated impact, but it requires high privileges, has limited execution scope, and is not listed as a CISA KEV item in the supplied data. Prioritize based on whether the device is reachable by privileged remote accounts and whether remediation can be scheduled with normal OT change controls.
Recommended defensive actions
- Upgrade Siemens SCALANCE LPE9403 to V4.0 or later, per the vendor remediation guidance.
- Review whether any highly privileged remote accounts are truly required for these devices, and remove or restrict them where possible.
- Restrict administrative access to trusted management networks and enforce strong authentication for privileged accounts.
- Monitor for unexpected log-path-related activity or unusual execution of built-in binaries on the device.
- Validate the vendor advisory and maintenance window requirements before applying updates in an OT environment.
Evidence notes
All substantive claims here come from the supplied CISA CSAF advisory for ICSA-25-072-06 and its cited Siemens references. The advisory names the product as Siemens SCALANCE LPE9403 (6GK5998-3GS00-2AC2), describes improper neutralization of special characters in user-controlled log paths, and gives the remediation of updating to V4.0 or later. The provided timeline shows initial publication on 2025-03-11 and a later revision on 2025-05-06 for typo fixes. No KEV listing, ransomware linkage, or exploit campaign was provided in the corpus.
Official resources
- CVE-2025-27398 CVE record (CVE.org)
- CVE-2025-27398 NVD detail (NVD)
- Source item: CISA CSAF advisory (cisa_csaf)
Publicly disclosed in the CISA CSAF advisory ICSA-25-072-06 on 2025-03-11. The advisory was revised on 2025-05-06 with typos fixed; the underlying vulnerability disclosure date remains 2025-03-11.