PatchSiren cyber security CVE debrief

CVE-2025-32989 Siemens CVE debrief

CVE-2025-32989 is a network-reachable information-disclosure issue in GnuTLS certificate parsing that Siemens mapped to specific SIMATIC S7-1500 CPU models in its ProductCERT advisory. A malformed Certificate Transparency Signed Certificate Timestamp (SCT) extension can trigger a heap-buffer-overread during X.509 parsing, potentially exposing confidential data. Siemens lists no fix at this time, so affected environments should use compensating controls and track advisory updates.

Vendor: Siemens
Product: SIMATIC S7-1500 CPU 1518-4 PN/DP MFP (6ES7518-4AX00-1AB0)
CVSS: MEDIUM 5.3
CISA KEV: Not listed in stored evidence
Original CVE published: 2025-06-10
Original CVE updated: 2026-05-14
Advisory published: 2025-06-10
Advisory updated: 2026-05-14

Who should care

Operators and maintainers of the listed Siemens SIMATIC S7-1500 CPU 1518/1518F MFP models, especially where the embedded GNU/Linux subsystem or certificate-verifying applications are in use. Industrial control system defenders should also care because Siemens currently lists no fix and recommends only mitigation steps.

Technical summary

The underlying flaw is a heap-buffer-overread in GnuTLS while handling the Certificate Transparency Signed Certificate Timestamp (SCT) extension during X.509 certificate parsing. The advisory states that a malformed SCT extension (OID 1.3.6.1.4.1.11129.2.4.2) can expose sensitive data when certificates are verified incorrectly. In the Siemens advisory, the issue is associated with five SIMATIC S7-1500 CPU product variants. The published CVSS vector is AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N (5.3, Medium): network-reachable, low attack complexity, no privileges or user interaction required, with a low-confidentiality impact and no integrity or availability impact.
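As an added example (not code from PatchSiren, Siemens or GnuTLS), the following Python check walks the RFC 6962 SignedCertificateTimestampList that the SCT extension carries and bounds-checks every length field before trusting it; a screening step like this can flag certificates with inconsistent SCT lengths before they reach an unpatched parser. The sample blobs are constructed, not taken from any real log.

```python
import struct
from typing import Optional, Tuple

# OID of the X.509 SCT extension named in the advisory.
SCT_EXTENSION_OID = "1.3.6.1.4.1.11129.2.4.2"
SCT_V1 = 0

def _check_one_sct(sct: bytes) -> Optional[str]:
    """Return None if `sct` is a structurally sound SerializedSCT, else a reason.
    Layout: version(1) || log_id(32) || timestamp(8) || extensions(2+n)
            || hash_alg(1) || sig_alg(1) || sig_len(2) || signature."""
    if len(sct) < 47:                       # minimum with empty extensions/signature
        return f"SCT too short ({len(sct)} bytes)"
    if sct[0] != SCT_V1:
        return f"unknown SCT version {sct[0]}"
    (ext_len,) = struct.unpack(">H", sct[41:43])
    sig_hdr = 43 + ext_len                  # offset of hash_alg || sig_alg || sig_len
    if sig_hdr + 4 > len(sct):
        return f"extensions length {ext_len} overruns SCT"
    (sig_len,) = struct.unpack(">H", sct[sig_hdr + 2:sig_hdr + 4])
    if sig_hdr + 4 + sig_len != len(sct):
        return f"signature length {sig_len} does not match SCT length"
    return None

def check_sct_list(data: bytes) -> Tuple[bool, str]:
    """`data` is the extension's inner OCTET STRING value: a 2-byte big-endian
    total length followed by 2-byte-length-prefixed SerializedSCT entries.
    Each length is compared with the bytes actually present before any slice."""
    if len(data) < 2:
        return False, "list shorter than its 2-byte length prefix"
    (total,) = struct.unpack(">H", data[:2])
    if total != len(data) - 2:
        return False, f"list claims {total} bytes but {len(data) - 2} are present"
    pos, count = 2, 0
    while pos < len(data):
        if len(data) - pos < 2:
            return False, f"truncated SCT length field at offset {pos}"
        (sct_len,) = struct.unpack(">H", data[pos:pos + 2])
        pos += 2
        if sct_len > len(data) - pos:
            return False, f"SCT at offset {pos} claims {sct_len} bytes, {len(data) - pos} remain"
        reason = _check_one_sct(data[pos:pos + sct_len])
        if reason:
            return False, reason
        pos, count = pos + sct_len, count + 1
    if count == 0:
        return False, "SCT list must contain at least one SCT"
    return True, f"{count} structurally sound SCT(s)"

# Constructed sample data: one v1 SCT with a zero log id/timestamp, empty extensions,
# sha256/ecdsa algorithm bytes and a 4-byte placeholder signature ...
GOOD_SCT = bytes([SCT_V1]) + b"\x00" * 40 + b"\x00\x00" + b"\x04\x03" + b"\x00\x04" + b"\xaa" * 4
GOOD_LIST = struct.pack(">H", len(GOOD_SCT) + 2) + struct.pack(">H", len(GOOD_SCT)) + GOOD_SCT
# ... and a malformed list whose inner SCT length claims more bytes than exist.
BAD_LIST = struct.pack(">H", len(GOOD_SCT) + 2) + struct.pack(">H", 0x1000) + GOOD_SCT
```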

Defensive priority

Medium. Prioritize for affected Siemens CPU deployments because the advisory scores the issue as network-reachable (AV:N), confidentiality is impacted, and Siemens lists no fix. Apply compensating controls and monitor for a vendor update.

Recommended defensive actions

  • Confirm whether any of the five listed Siemens CPU models are deployed in your environment.
  • Treat the issue as mitigation-only for now; Siemens states that no fix is available at present.
  • Restrict access to the interactive shell of the additional GNU/Linux subsystem to trusted personnel only.
  • Only build and run applications from trusted sources on affected systems.
  • Track Siemens ProductCERT and CISA advisory updates for a future remediation or revision.
  • Use ICS defense-in-depth and other recommended practices to reduce exposure while the issue remains unresolved.

Evidence notes

This debrief is based on the CISA CSAF advisory ICSA-25-162-05 and Siemens ProductCERT advisory SSA-082556. The source item was first published on 2025-06-10, with later CISA republication updates through 2026-05-14. The advisory’s affected-product list includes five Siemens SIMATIC/SIPLUS CPU variants, and the remediation section explicitly states that no fix is currently available.

Official resources

Publicly disclosed on 2025-06-10 in the CISA/Siemens advisory set; the advisory was updated by CISA through 2026-05-14.