PatchSiren cyber security CVE debrief

CVE-2025-2884 Siemens CVE debrief

CVE-2025-2884 is an out-of-bounds read in the TCG TPM 2.0 reference implementation’s CryptHmacSign helper function. In the Siemens advisory republished by CISA, the issue affects multiple SIMATIC industrial PCs and related devices, with fixes available for some product lines and no fix planned or available for others.

Vendor: Siemens
Product: SIMATIC CN 4100
CVSS: MEDIUM 6.6
CISA KEV: Not listed in stored evidence
Original CVE published: 2026-04-14
Original CVE updated: 2026-04-21
Advisory published: 2026-04-14
Advisory updated: 2026-04-21

Who should care

OT/ICS teams, Siemens SIMATIC administrators, and plant or maintenance personnel responsible for affected devices should pay attention, especially where local interactive access is possible.

Technical summary

The supplied advisory says CryptHmacSign does not validate the signature scheme against the signature key’s algorithm, which can lead to an out-of-bounds read (CWE-125). The CVSS vector provided by the source is AV:L/AC:L/PR:L/UI:R/S:U/C:H/I:N/A:H, so the issue requires local access, low privileges and user interaction, and it carries high impact on confidentiality and availability with no impact on integrity. The source corpus ties the issue to Siemens ProductCERT advisory SSA-628843 and CISA advisory ICSA-26-111-01.

Defensive priority

Medium. The flaw is not network-reachable per the supplied CVSS vector, but it affects a broad set of Siemens SIMATIC products and some affected models have no fix available or no fix planned, so remediation and compensating controls should be prioritized on any exposed or routinely accessed devices.

Recommended defensive actions

  • Inventory Siemens SIMATIC systems to determine whether any listed products and versions are present in your environment.
  • Apply the Siemens-referenced updates where available: V21.01.20, V29.01.09, V30.01.10, V32.01.09, or V34.01.02, depending on the affected product line.
  • For products with no fix available or no fix planned, implement compensating controls from CISA and Siemens defense-in-depth guidance.
  • Restrict local and interactive access to affected systems to trusted, authorized maintenance personnel only.
  • Review Siemens ProductCERT advisory SSA-628843 and CISA advisory ICSA-26-111-01 for product-specific remediation guidance.
  • Track remediation exceptions and verify firmware/software versions after maintenance windows.

Evidence notes

This debrief is based only on the supplied CISA CSAF source item for ICSA-26-111-01, the Siemens ProductCERT references listed in that advisory, and the official CVE record link. The source corpus does not include exploit details, incident reporting, or a KEV listing for this CVE.

Official resources

CVE-2025-2884 was published on 2026-04-14. CISA republished the advisory on 2026-04-21 with Siemens ProductCERT SSA-628843 content. No KEV entry is listed in the supplied timeline.