PatchSiren cyber security CVE debrief
CVE-2025-27587 Siemens CVE debrief
Siemens’ advisory, republished by CISA as ICSA-26-043-06, ties CVE-2025-27587 to OpenSSL 3.0.0 through 3.3.2 running on PowerPC hardware in Siemens OT products, including the RUGGEDCOM RST2428P and members of the SCALANCE family. The source describes a Minerva-style timing side channel in EVP_DigestSign: signing time depends on the size of the nonce, so an attacker who can time many signatures over random messages and compare them statistically can infer nonce-related information and, given enough signatures, potentially recover a private key. Siemens’ remediation guidance is to update to version 3.3 or later where supported. The advisory also notes that the CVE is disputed: the timing signal is extremely small and is described as measurable only by an attacker process on the same physical system, which OpenSSL considers outside its threat model.
- Vendor: Siemens
- Product: RUGGEDCOM RST2428P (6GK6242-6PA00)
- CVSS: MEDIUM 5.3
- CISA KEV: Not listed in stored evidence
- Original CVE published: 2026-01-28
- Original CVE updated: 2026-02-25
- Advisory published: 2026-01-28
- Advisory updated: 2026-02-25
Who should care
OT operators, security teams, and maintenance owners responsible for Siemens RUGGEDCOM RST2428P, SCALANCE devices, or any PowerPC-based embedded systems running OpenSSL 3.0.0 through 3.3.2. This is most relevant where local execution or same-host co-residency is plausible.
Technical summary
The supplied description says the issue is a timing side channel in OpenSSL's signing path on the PowerPC architecture. The attacker measures how long EVP_DigestSign takes to sign many random messages, then statistically compares the signatures associated with different nonce sizes (bit lengths) to infer information about the nonces and, from those, the private key. The source also states that the signal is very small and, per the dispute note, cannot be detected without an attacker process on the same physical system.
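The statistical comparison described above, simulated as an added example (this is not OpenSSL's or Siemens' code). A Montgomery-ladder modular exponentiation stands in for the signer's scalar multiplication: the leaky variant loops over exactly the nonce's bit length, which is the Minerva defect class, while the hardened variant always loops over a fixed 256 bits. The attacker side then checks whether measured time correlates with nonce bit length and whether the fastest signatures really have short nonces, under a small local jitter and a large remote one. The group constants (secp256k1 order and field prime reused as toy parameters), base, sample count and noise levels are all constructed for the simulation and do not model the magnitude of the real PowerPC signal.

```python
"""Minerva-style nonce bit-length leak, simulated (added example, not OpenSSL code).

A "signing" operation is stood in for by a Montgomery-ladder modular
exponentiation with a fresh random nonce.  The leaky variant loops over
exactly k.bit_length() bits, so its cost reveals how many leading zero bits
the nonce has; the hardened variant always loops over a fixed number of bits.
The attacker-side statistics show when that leak is measurable.
"""
import math
import random

# Constructed toy parameters: the secp256k1 group order as the nonce range and
# its field prime as the modulus for the stand-in exponentiation.
ORDER = 0xFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFEBAAEDCE6AF48A03BBFD25E8CD0364141
MODULUS = 0xFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFEFFFFFC2F
BASE = 7
FIXED_BITS = ORDER.bit_length()  # 256


def ladder_pow(g, k, p, fixed_bits=None):
    """Montgomery ladder g**k mod p. Returns (result, number of modular multiplies).

    With fixed_bits=None the loop runs k.bit_length() times (leaky); with
    fixed_bits set it runs that many times regardless of k (constant work).
    """
    top = (fixed_bits if fixed_bits is not None else k.bit_length()) - 1
    r0, r1, ops = 1, g, 0
    for i in range(top, -1, -1):
        if (k >> i) & 1:
            r0, r1 = r0 * r1 % p, r1 * r1 % p
        else:
            r1, r0 = r0 * r1 % p, r0 * r0 % p
        ops += 2  # one multiply and one square in either branch
    return r0, ops


def collect_samples(n, constant_time, seed=1):
    """Sign n random nonces; return parallel lists (nonce bit lengths, op counts)."""
    rng = random.Random(seed)
    bitlens, costs = [], []
    for _ in range(n):
        k = rng.randrange(1, ORDER)
        result, ops = ladder_pow(BASE, k, MODULUS, FIXED_BITS if constant_time else None)
        assert result == pow(BASE, k, MODULUS)  # the ladder is a correct exponentiation
        bitlens.append(k.bit_length())
        costs.append(ops)
    return bitlens, costs


def pearson(xs, ys):
    """Pearson correlation coefficient of two equal-length sequences."""
    n = len(xs)
    mx, my = math.fsum(xs) / n, math.fsum(ys) / n
    sxy = math.fsum((x - mx) * (y - my) for x, y in zip(xs, ys))
    sxx = math.fsum((x - mx) ** 2 for x in xs)
    syy = math.fsum((y - my) ** 2 for y in ys)
    return sxy / math.sqrt(sxx * syy)


def analyse(constant_time, jitter_sigma, n=1000, seed=1):
    """Attacker-side statistics for one implementation under one noise level.

    jitter_sigma is measurement noise in units of one modular multiply: small
    for a co-resident process with a cycle counter, large for remote timing.
    Returns (correlation between timing and nonce bit length,
             mean nonce bit length among the fastest 5% of signatures).
    The true bit lengths are used only to validate the attacker's grouping.
    """
    bitlens, costs = collect_samples(n, constant_time, seed)
    rng = random.Random(seed + 1)
    timings = [c + rng.gauss(0, jitter_sigma) for c in costs]
    fastest = sorted(range(n), key=timings.__getitem__)[: max(1, n // 20)]
    mean_fast = sum(bitlens[i] for i in fastest) / len(fastest)
    return pearson(timings, bitlens), mean_fast


if __name__ == "__main__":
    for label, ct, sigma in [("leaky, local timer", False, 1.0),
                             ("leaky, remote jitter", False, 200.0),
                             ("constant work, local timer", True, 1.0)]:
        r, mean_fast = analyse(ct, sigma)
        print(f"{label:28s} corr(time, bitlen)={r:+.3f}  "
              f"mean bitlen of fastest 5% = {mean_fast:.1f}")
```

With a local, low-jitter timer the leaky variant shows a strong positive correlation and the fastest 5% of signatures average well under the population mean of about 255 bits, which is exactly the grouping a Minerva attack feeds into its key-recovery step. Adding remote-scale jitter to the same measurements, or replacing the loop with fixed-length work, drives the correlation to noise and the fastest group back to an ordinary bit-length mix, which is the practical content of the dispute note above.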
Defensive priority
Medium; remediate on affected Siemens firmware during the next planned maintenance window, with higher urgency if the deployment uses PowerPC and locally reachable execution contexts.
Recommended defensive actions
- Inventory Siemens RUGGEDCOM and SCALANCE assets to confirm whether any affected firmware embeds OpenSSL 3.0.0 through 3.3.2 on PowerPC.
- Apply Siemens’ recommended update to V3.3 or later on affected products where it is supported.
- Validate the exact firmware and embedded OpenSSL build before scheduling downtime: the advisory scope is product- and architecture-specific, and because OpenSSL 3.3.0 through 3.3.2 sit inside the affected range, an OpenSSL 3.3.x version string on its own does not confirm the fix. The V3.3 in the advisory is the version it gives for the product update, so check the product release notes rather than the library version alone.
- Reduce opportunities for same-system co-residency and local code execution on affected hosts where possible.
- Track Siemens ProductCERT SSA-089022 and CISA ICSA-26-043-06 for revisions or product-scope clarifications.
- Document residual risk if a device cannot be upgraded immediately and the timing side-channel is judged infeasible in your environment.
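One way to script the inventory and validation steps above, as an added example that is not Siemens' or CISA's tooling: classify each inventory row against the advisory's stated scope (OpenSSL 3.0.0 through 3.3.2 on a PowerPC CPU). The inventory format (asset, component, version string, CPU architecture, as an SBOM export might provide) and every sample row are constructed for the example; the verdict labels are this example's own.

```python
"""Classify inventory rows against the advisory's scope (added example).

Flags a component when it is OpenSSL in [3.0.0, 3.3.2] on a PowerPC CPU.
Inventory rows are constructed sample data, not Siemens' or CISA's output.
"""
import re

AFFECTED_LOW = (3, 0, 0)
AFFECTED_HIGH = (3, 3, 2)
# uname -m / SBOM architecture strings that denote PowerPC variants.
POWERPC_ARCHES = {"ppc", "ppc64", "ppc64le", "powerpc", "powerpc64", "powerpc64le"}

# Accepts '3.0.13', 'OpenSSL 3.3.2 3 Sep 2024' and letter-suffixed 1.x forms like '1.1.1w'.
_VERSION_RE = re.compile(r"^(?:OpenSSL\s+)?(\d+)\.(\d+)\.(\d+)([a-z]*)")


def parse_openssl_version(text):
    """Return (major, minor, patch) from an `openssl version` style string.

    Raises ValueError if the string does not start with a dotted version.
    """
    m = _VERSION_RE.match(text.strip())
    if not m:
        raise ValueError(f"unrecognised OpenSSL version string: {text!r}")
    return tuple(int(x) for x in m.group(1, 2, 3))


def is_powerpc(arch):
    return arch.strip().lower() in POWERPC_ARCHES


def classify(component, version_text, arch):
    """Verdict for one inventory row.

    'affected'             OpenSSL 3.0.0-3.3.2 on PowerPC (advisory scope)
    'out_of_scope_arch'    same version range but not a PowerPC CPU
    'not_affected_version' OpenSSL outside the stated range
    'n/a'                  component is not OpenSSL
    """
    if component.lower() != "openssl":
        return "n/a"
    version = parse_openssl_version(version_text)
    if not AFFECTED_LOW <= version <= AFFECTED_HIGH:
        return "not_affected_version"
    return "affected" if is_powerpc(arch) else "out_of_scope_arch"


# Constructed sample inventory rows: (asset, component, version string, cpu arch).
SAMPLE_INVENTORY = [
    ("switch-a", "openssl", "OpenSSL 3.0.13 30 Jan 2024", "ppc"),
    ("switch-b", "openssl", "3.3.2", "ppc64le"),        # 3.3.x is still inside the range
    ("switch-c", "openssl", "3.3.3", "ppc"),            # first version outside the stated range
    ("switch-d", "openssl", "1.1.1w", "powerpc"),       # older branch, outside the range
    ("gateway-e", "openssl", "3.1.4", "x86_64"),        # version hit, but not PowerPC
    ("gateway-f", "zlib", "1.3.1", "ppc"),
]


def review(rows=SAMPLE_INVENTORY):
    """Map each asset name to its verdict."""
    return {asset: classify(comp, ver, arch) for asset, comp, ver, arch in rows}


if __name__ == "__main__":
    for asset, verdict in review().items():
        print(f"{asset:10s} {verdict}")
```

The switch-b row is the case worth noticing: a 3.3.x build is still inside the affected range, so matching on the major.minor alone would wrongly clear it.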
Evidence notes
This debrief is based on the supplied CISA CSAF source item for ICSA-26-043-06, which republishes Siemens ProductCERT SSA-089022. The source metadata lists Siemens RUGGEDCOM RST2428P and multiple SCALANCE products, and the remediation section says to update to V3.3 or later for affected products. The description explicitly says the CVE is disputed and that detection would require an attacker process on the same physical system. Timing context uses the supplied advisory publish date of 2026-01-28 and update date of 2026-02-25.
Official resources
- CVE-2025-27587 CVE record (CVE.org)
- CVE-2025-27587 NVD detail (NVD)
- Source item: CISA CSAF entry for ICSA-26-043-06
Published by the advisory source on 2026-01-28 and updated on 2026-02-25, this issue is presented as a disputed OpenSSL PowerPC timing side-channel affecting Siemens OT products. The vendor remediation points to version 3.3 or later where a