PatchSiren

PatchSiren cyber security CVE debrief

CVE-2025-3360 Siemens CVE debrief

CVE-2025-3360 is a GLib parsing flaw triggered by a long invalid ISO 8601 timestamp passed to g_date_time_new_from_iso8601(). In the Siemens advisory trail republished by CISA, the issue is tied to affected SINEC OS firmware and mitigated by updating to V3.3 or later. The published CVSS rating is low (3.7), with impact limited to availability.

Vendor: Siemens
Product: RUGGEDCOM RST2428P (6GK6242-6PA00)
CVSS: LOW 3.7
CISA KEV: Not listed in stored evidence
Original CVE published: 2026-01-28
Original CVE updated: 2026-02-25
Advisory published: 2026-01-28
Advisory updated: 2026-02-25

Who should care

Operators and maintainers of Siemens industrial networking devices running affected SINEC OS firmware should review their exposure, especially the RUGGEDCOM RST2428P and the listed SCALANCE families in the advisory metadata.

Technical summary

The defect is described as an integer overflow and buffer under-read in GLib during parsing of a long invalid ISO 8601 timestamp. The CVSS vector (AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:L) indicates a network-reachable condition that is difficult to trigger and affects availability rather than confidentiality or integrity. Siemens' remediation is to update affected products to V3.3 or later.
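As an added defensive illustration (not code from the Siemens advisory, from GLib, or from PatchSiren), the following C pre-filter bounds the length and checks the shape of an ISO 8601 string before it is handed to a library parser such as g_date_time_new_from_iso8601(), so over-long or malformed timestamps never reach the parser. The 40-byte cap and the accepted grammar are assumptions chosen for this example; the vendor fix remains the firmware update to V3.3 or later.

```c
#include <ctype.h>
#include <stdbool.h>
#include <stddef.h>

/* Assumed bound for this example: the longest common calendar form
 * "YYYY-MM-DDThh:mm:ss.fffffffff+hh:mm" is 35 bytes, so 40 leaves slack. */
#define ISO8601_MAX_LEN 40

/* Consume exactly n ASCII digits at *p, advancing only on success. */
static bool take_digits(const char **p, size_t n) {
    for (size_t i = 0; i < n; i++)
        if (!isdigit((unsigned char)(*p)[i])) return false;
    *p += n;
    return true;
}

/* Shape-and-length pre-filter for YYYY-MM-DD[Thh:mm[:ss[.frac]]][Z|+hh[:mm]|-hh[:mm]].
 * No range checks (2026-13-45 still passes): semantics stay with the real parser,
 * which now never sees over-long or malformed input. */
bool iso8601_prefilter_ok(const char *s) {
    if (s == NULL) return false;
    size_t len = 0;
    while (len <= ISO8601_MAX_LEN && s[len] != '\0') len++;  /* bounded scan */
    if (len == 0 || len > ISO8601_MAX_LEN) return false;
    const char *p = s;
    if (!take_digits(&p, 4) || *p++ != '-') return false;
    if (!take_digits(&p, 2) || *p++ != '-') return false;
    if (!take_digits(&p, 2)) return false;
    if (*p == 'T' || *p == ' ') {                              /* optional time */
        p++;
        if (!take_digits(&p, 2) || *p++ != ':' || !take_digits(&p, 2)) return false;
        if (*p == ':') { p++; if (!take_digits(&p, 2)) return false; }
        if (*p == '.' || *p == ',') {                          /* fraction, 1..9 digits */
            const char *start = ++p;
            while (isdigit((unsigned char)*p)) p++;
            if (p == start || p - start > 9) return false;
        }
    }
    if (*p == 'Z') {                                           /* optional zone */
        p++;
    } else if (*p == '+' || *p == '-') {
        p++;
        if (!take_digits(&p, 2)) return false;
        if (*p == ':') { p++; if (!take_digits(&p, 2)) return false; }
        else if (isdigit((unsigned char)*p) && !take_digits(&p, 2)) return false;
    }
    return *p == '\0';                                         /* no trailing bytes */
}
```

Call iso8601_prefilter_ok() on untrusted input first and only pass strings it accepts to the library parser; this is defense in depth, not a replacement for patching.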

Defensive priority

Medium-low. The score is low, but the flaw affects industrial equipment and can still cause service disruption, so it should be addressed during normal maintenance cycles or sooner on exposed or operationally sensitive devices.

Recommended defensive actions

  • Identify Siemens devices in scope and verify whether they run affected SINEC OS firmware.
  • Plan and apply the Siemens-recommended update to V3.3 or later using the product-specific guidance in advisory 109997626.
  • Use a maintenance window and test the firmware update path before deployment in OT environments.
  • Follow CISA ICS recommended practices to reduce exposure and limit operational impact while patching is scheduled.

Evidence notes

The source item and CVE record are dated 2026-01-28, with a latest modification on 2026-02-25. CISA's revision history shows republication updates on 2026-02-12 and again on 2026-02-24 and 2026-02-25, including a clarification that only SINEC OS firmware is impacted. The remediation guidance in the Siemens advisory points to V3.3 or later for affected products.

Official resources

Publicly disclosed in the CISA/Siemens advisory record on 2026-01-28, with subsequent republications and clarification updates through 2026-02-25.