PatchSiren

PatchSiren cyber security CVE debrief

CVE-2025-30033 Siemens CVE debrief

A DLL hijacking vulnerability in Siemens' setup components allows arbitrary code execution during application installation. The vulnerability affects 80+ Siemens industrial software products that use the affected setup component. It has a CVSS 3.1 score of 7.8 (HIGH): the attack vector is local and user interaction is required, but a successful attack has high impact on confidentiality, integrity, and availability. The vulnerability was disclosed in August 2025 and has received multiple advisory updates through February 2026; vendor fixes are available for many products, while some remain without planned remediation.

Vendor: Siemens
Product: Automation License Manager V6.0
CVSS: HIGH 7.8
CISA KEV: Not listed in stored evidence
Original CVE published: 2025-08-12
Original CVE updated: 2026-03-12
Advisory published: 2025-08-12
Advisory updated: 2026-03-12

Who should care

Organizations operating Siemens industrial automation software including SIMATIC, PCS 7, TIA Portal, WinCC, and related engineering tools. Critical infrastructure operators, manufacturing facilities, and OT security teams should prioritize assessment due to the broad product impact and potential for supply chain compromise during software installation.

Technical summary

The affected setup component in Siemens industrial software products is vulnerable to DLL hijacking (CWE-427). When a legitimate user installs an application using the affected setup component, an attacker with local access can cause execution of arbitrary code by placing a malicious DLL in a location that the installer searches before legitimate system directories. The vulnerability requires local access and user interaction but results in complete compromise of the host system (CVSS 3.1: AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H).

Defensive priority

HIGH

Recommended defensive actions

  • Apply vendor-provided updates for affected Siemens products where available; consult Siemens ProductCERT advisory for specific product patch versions
  • Harden application hosts to prevent local access by untrusted personnel
  • Install applications only from empty directories, so that no attacker-placed DLL sits beside the installer where the search order finds it first
  • Prioritize patching for internet-accessible or critical OT/ICS systems
  • Implement application whitelisting and execution controls on engineering workstations
  • Monitor for anomalous DLL loading behavior during software installation processes
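The technical summary describes the mechanism (a DLL planted in a directory the installer searches before System32) and the last two recommendations ask for a clean install directory and monitoring of DLL loads during setup. The following Python is an added example of both checks from the defender's side; it is not code from PatchSiren, Siemens, or the advisory. It assumes the Windows default search order with SafeDllSearchMode enabled (executable's directory, then System32, System, and the Windows directory), a constructed in-memory filesystem in place of a real host, and Sysmon Event ID 7 records flattened to `key=value` fields (real Sysmon emits XML). All paths, process names and log lines are constructed for illustration.

```python
"""Added example (not from the PatchSiren debrief or Siemens): defender-side checks for
installer DLL hijacking (CWE-427). All paths, names and log lines are constructed."""
import ntpath
import re

WINDOWS_DIR = r"C:\Windows"


def default_search_order(app_dir, windows_dir=WINDOWS_DIR):
    """Directories an implicit LoadLibrary("name.dll") walks with SafeDllSearchMode on
    (the Windows default). The executable's own directory is searched before System32,
    so a DLL planted beside an installer wins over the system copy."""
    return [app_dir, ntpath.join(windows_dir, "System32"),
            ntpath.join(windows_dir, "System"), windows_dir]


def resolve_dll(name, app_dir, exists, windows_dir=WINDOWS_DIR):
    """First candidate path for `name` that `exists` reports present, or None.
    `exists` is injected: pass os.path.exists on a real host, fake_exists here."""
    for directory in default_search_order(app_dir, windows_dir):
        candidate = ntpath.join(directory, name)
        if exists(candidate):
            return candidate
    return None


def preinstall_check(app_dir, listdir, exists, windows_dir=WINDOWS_DIR):
    """List DLLs sitting beside an installer and the system copy each would shadow.
    Run it on the directory setup is about to be launched from; an empty result is
    what 'install from an empty directory' looks like in practice."""
    findings = []
    for entry in listdir(app_dir):
        if not entry.lower().endswith(".dll"):
            continue
        shadows = next((ntpath.join(d, entry)
                        for d in default_search_order(app_dir, windows_dir)[1:]
                        if exists(ntpath.join(d, entry))), None)
        findings.append({"name": entry, "planted": ntpath.join(app_dir, entry),
                         "shadows": shadows})
    return findings


# Constructed filesystem: a download folder with setup.exe and two stray DLLs, one of
# which collides with a system library name, plus a System32 holding two real libraries.
FAKE_FS = {
    r"C:\Users\eng\Downloads\setup.exe",
    r"C:\Users\eng\Downloads\version.dll",
    r"C:\Users\eng\Downloads\helper.dll",
    r"C:\Windows\System32\version.dll",
    r"C:\Windows\System32\kernel32.dll",
}


def fake_exists(path):
    return path in FAKE_FS


def fake_listdir(directory):
    prefix = directory.rstrip("\\") + "\\"
    return sorted(ntpath.basename(p) for p in FAKE_FS
                  if p.startswith(prefix) and "\\" not in p[len(prefix):])


# Constructed Sysmon Event ID 7 (Image loaded) records flattened to '|'-separated
# key=value fields; the field names match Sysmon's own data items.
SAMPLE_EVENTS = [
    r"EventID=7|Image=C:\Users\eng\Downloads\setup.exe|ImageLoaded=C:\Windows\System32\kernel32.dll|Signed=true|SignatureStatus=Valid",
    r"EventID=7|Image=C:\Users\eng\Downloads\setup.exe|ImageLoaded=C:\Users\eng\Downloads\version.dll|Signed=false|SignatureStatus=Unavailable",
    r"EventID=7|Image=C:\Program Files\Vendor\app.exe|ImageLoaded=C:\Program Files\Vendor\plugin.dll|Signed=true|SignatureStatus=Valid",
    r"EventID=1|Image=C:\Users\eng\Downloads\setup.exe|CommandLine=setup.exe /quiet",
]

# Process names treated as installers (assumption; tune to the vendor's setup binaries).
SETUP_PROCESS = re.compile(r"setup|install|^msiexec\.exe$", re.IGNORECASE)


def parse_event(line):
    return dict(field.split("=", 1) for field in line.split("|"))


def flag_installer_loads(lines, windows_dir=WINDOWS_DIR):
    """(process, dll, reason) for each image-load event in which a setup-like process
    loaded a DLL from outside the Windows directory. Unsigned loads are the strongest
    signal; signed-but-foreign loads are still reported, since a planted DLL may carry
    a valid signature from an unrelated publisher."""
    hits = []
    for line in lines:
        ev = parse_event(line)
        if ev.get("EventID") != "7":
            continue
        proc = ntpath.basename(ev["Image"])
        if not SETUP_PROCESS.search(proc):
            continue
        dll = ev["ImageLoaded"]
        if dll.lower().startswith(windows_dir.lower() + "\\"):
            continue
        reason = ("unsigned" if ev.get("Signed", "").lower() != "true"
                  else "signed, outside Windows directory")
        hits.append((proc, dll, reason))
    return hits


if __name__ == "__main__":
    for f in preinstall_check(r"C:\Users\eng\Downloads", fake_listdir, fake_exists):
        print("DLL beside installer:", f["planted"], "shadows:", f["shadows"])
    for hit in flag_installer_loads(SAMPLE_EVENTS):
        print("Suspicious load:", *hit)
```

On a real host, `preinstall_check` takes `os.listdir` and `os.path.exists`, and `flag_installer_loads` takes Sysmon records exported to the same flat form. Both functions report on the planted `version.dll`: the first because it shadows `C:\Windows\System32\version.dll` in the search order, the second because `setup.exe` loaded it unsigned from the download folder. `helper.dll` has no system counterpart, so it is listed by the pre-install check as a file that should not be beside the installer at all.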

Evidence notes

The CISA CSAF advisory ICSA-25-226-22, republished from Siemens ProductCERT SSA-282044, documents this vulnerability affecting Siemens industrial software products. The advisory has undergone 10 revision updates through February 2026, indicating ongoing vendor response and patch availability changes. The CVSS vector confirms local attack vector with user interaction required.

Official resources

2025-08-12