PatchSiren cyber security CVE debrief
CVE-2025-38086 Siemens CVE debrief
CVE-2025-38086 is a HIGH-severity Linux kernel issue tied to Siemens industrial OT firmware. In the ch9200 MDIO read path, an error from control_read() is not checked, so an uninitialized local buffer can be read during mii_nway_restart(). Siemens’ advisory, republished by CISA, says affected products should be updated to V3.3 or later.
- Vendor: Siemens
- Product: RUGGEDCOM RST2428P (6GK6242-6PA00)
- CVSS: HIGH 7
- CISA KEV: Not listed in stored evidence
- Original CVE published: 2026-01-28
- Original CVE updated: 2026-02-25
- Advisory published: 2026-01-28
- Advisory updated: 2026-02-25
Who should care
Siemens SINEC OS operators, OT/ICS administrators, and asset owners responsible for the listed SCALANCE and RUGGEDCOM product families should review applicability and patch plans.
Technical summary
The issue occurs when ch9200_mdio_read() calls control_read() and ignores its return value. If control_read() does not fully initialize the local buffer, later code can access buff[0] and buff[1] anyway, resulting in uninitialized data access during mii_nway_restart(). The supplied CVSS vector indicates local access, low privileges, and high attack complexity (CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H).
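A user-space C model of the unchecked-read pattern described above, added here as an illustration; it is not the kernel driver's code or the vendor's fix. fake_control_read(), mdio_read_unchecked(), mdio_read_checked() and the register value are constructed for the example, and the 0xAA fill stands in for stale stack bytes.

```c
#include <errno.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Constructed stand-in for the USB control transfer. Assumption: on failure
 * it returns a negative errno and leaves the caller's buffer untouched. */
static int fake_control_read(int fail, uint8_t *buf, size_t len)
{
    static const uint8_t reg[2] = { 0x00, 0x10 }; /* constructed value 0x1000 */

    if (fail)
        return -EIO;
    memcpy(buf, reg, len < sizeof(reg) ? len : sizeof(reg));
    return (int)len;
}

/* Pattern described in the CVE text: the return value is ignored. */
static int mdio_read_unchecked(int fail)
{
    uint8_t buff[2];

    /* Models stale stack contents so the demo is deterministic; the flawed
     * pattern has no such fill and the bytes are truly indeterminate. */
    memset(buff, 0xAA, sizeof(buff));
    (void)fake_control_read(fail, buff, sizeof(buff));
    return buff[0] | (buff[1] << 8);
}

/* Hardened form: zero the buffer, propagate errors, reject short reads. */
static int mdio_read_checked(int fail)
{
    uint8_t buff[2] = { 0 };
    int ret = fake_control_read(fail, buff, sizeof(buff));

    if (ret < 0)
        return ret;
    if (ret != (int)sizeof(buff))
        return -EIO;
    return buff[0] | (buff[1] << 8);
}

int main(void)
{
    printf("unchecked, failed read: 0x%04x\n", (unsigned)mdio_read_unchecked(1));
    printf("checked, failed read:   %d\n", mdio_read_checked(1));
    printf("checked, good read:     0x%04x\n", (unsigned)mdio_read_checked(0));
    return 0;
}
```

With the unchecked variant a failed transfer is indistinguishable from a valid register value, which is how stale bytes end up being consumed as PHY state by a caller such as mii_nway_restart().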
Defensive priority
High for affected Siemens OT environments. Verify exposure quickly and apply the vendor fix because the advisory lists a corrected version and the flaw can affect core device firmware behavior.
Recommended defensive actions
- Check whether any Siemens devices in your inventory match the affected products listed in SSA-089022 / ICSA-26-043-06.
- Apply the vendor remediation: update to V3.3 or later for affected products, per Siemens guidance.
- If immediate patching is not possible, restrict local administrative access, follow OT segmentation and defense-in-depth practices, and monitor the affected assets closely.
- Confirm the exact firmware branch and model mapping before maintenance, because the source revision history notes a scope clarification for SINEC OS firmware impact.
Evidence notes
Source corpus places publication at 2026-01-28 and last update at 2026-02-25. The CISA CSAF advisory ICSA-26-043-06 republishes Siemens ProductCERT SSA-089022 and includes a remediation of V3.3 or later. The description explicitly states that ch9200_mdio_read() ignores the return value of control_read(), enabling access to an uninitialized buffer. The source revision history also notes a clarification that only SINEC OS firmware is impacted. No KEV entry is present in the supplied enrichment.
Official resources
- CVE-2025-38086 CVE record (CVE.org)
- CVE-2025-38086 NVD detail (NVD)
- Source item URL (cisa_csaf)
Publicly disclosed through CISA’s ICSA-26-043-06 on 2026-01-28 and updated on 2026-02-25 via republication of Siemens SSA-089022.