PatchSiren cyber security CVE debrief
CVE-2025-31929 Siemens CVE debrief
CVE-2025-31929 affects multiple Siemens VersiCharge AC Series EV charger models. According to the CISA CSAF advisory and Siemens product advisory, the affected devices do not contain an immutable root of trust in M0 hardware. A physical attacker could use that weakness to execute arbitrary code. Siemens lists no fix planned for the affected products.
- Vendor: Siemens
- Product: IEC 1Ph 7.4kW Child socket (8EM1310-2EH04-0GA0)
- CVSS: MEDIUM 4.2
- CISA KEV: Not listed in stored evidence
- Original CVE published: 2025-05-13
- Original CVE updated: 2025-05-13
- Advisory published: 2025-05-13
- Advisory updated: 2025-05-13
Who should care
Operators, owners, and maintainers of the affected Siemens VersiCharge AC Series EV chargers should care, especially sites where devices are physically accessible to unauthorized persons or where tampering risk is elevated.
Technical summary
The issue is a hardware trust-anchor weakness: the affected devices lack an immutable root of trust in M0 hardware. The advisory states that an attacker with physical access could leverage this condition to execute arbitrary code. The published CVSS vector is AV:P/AC:H/PR:N/UI:N/S:U/C:N/I:H/A:N, which aligns with a physical, high-complexity attack that primarily impacts integrity.
Defensive priority
Medium. The attack requires physical access, but the consequence can include arbitrary code execution and Siemens indicates no fix is planned. Prioritize for environments where chargers are exposed, unattended, or difficult to physically secure.
Recommended defensive actions
- Confirm whether any Siemens charger models in your fleet match the 38 affected product variants listed in the advisory.
- Restrict and monitor physical access to charging equipment and related service ports or enclosures.
- Apply defense-in-depth controls recommended for ICS/OT assets, including asset inventory, access control, logging, and tamper detection where available.
- Review Siemens and CISA advisories for any updated guidance or replacement options, since the advisory states no fix is planned.
- Use the CISA ICS recommended practices and defense-in-depth guidance to compensate for the lack of a vendor patch.
- Treat the affected chargers as higher risk in sites with public, shared, or otherwise unsupervised installation locations.
Evidence notes
The source corpus ties this CVE to Siemens advisory SSA-556937 and CISA advisory ICSA-25-135-08, published on 2025-05-13. The advisory description states: “Affected devices do not contain an Immutable Root of Trust in M0 Hardware. An attacker with physical access to the device could use this to execute arbitrary code.” Siemens’ remediation field says “Currently no fix is planned.” The affected set spans 38 Siemens product entries under the VersiCharge AC Series advisory.
Official resources
- CVE-2025-31929 CVE record (CVE.org)
- CVE-2025-31929 NVD detail (NVD)
- Source item URL (cisa_csaf)
Publicly disclosed in CISA advisory ICSA-25-135-08 and Siemens advisory SSA-556937 on 2025-05-13. This debrief is limited to defensive, source-supported facts and does not include exploit instructions.