PatchSiren

CVE-2025-40889 Siemens CVE debrief

A path traversal vulnerability in the Time Machine functionality of Siemens RUGGEDCOM APE1808 allows authenticated users with limited privileges to manipulate files in the /data folder through crafted requests. The vulnerability stems from missing validation of two input parameters. Published on 2025-08-12 and last modified on 2026-01-14, this issue carries a HIGH severity CVSS 3.1 score of 8.1. The vulnerability was disclosed through coordinated disclosure between Siemens ProductCERT and CISA, with the advisory undergoing multiple revisions to add related CVEs and remediation guidance.

Vendor: Siemens
Product: RUGGEDCOM APE1808
CVSS: HIGH 8.1
CISA KEV: Not listed in stored evidence
Original CVE published: 2025-08-12
Original CVE updated: 2026-01-14
Advisory published: 2025-08-12
Advisory updated: 2026-01-14

Who should care

Operators of Siemens RUGGEDCOM APE1808 industrial networking equipment, OT security teams, critical infrastructure defenders, and organizations with deployed Nozomi Guardian/CMC monitoring solutions.

Technical summary

The vulnerability exists in the Time Machine functionality, where two input parameters lack proper validation. An authenticated attacker can use them to traverse paths and modify files in the /data directory or affect their availability. The attack requires network access and valid low-privilege credentials.

Defensive priority

HIGH

Recommended defensive actions

  • Apply the vendor fix by upgrading Nozomi Guardian / CMC to V25.4.0, using the CLI rather than the Web GUI due to potential errors; contact customer support for patch and update information
  • Implement network segmentation and use internal firewall features to restrict access to the web management interface
  • Review and audit all accounts with web management interface access, removing unnecessary accounts
  • Monitor /data folder integrity and access patterns for unauthorized modifications
  • Apply defense-in-depth strategies for industrial control systems per CISA recommended practices

Evidence notes

CVE published 2025-08-12; advisory modified 2026-01-14 with republication of Siemens ProductCERT SSA-978177. CVSS vector: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:H/A:H.

Official resources

Coordinated disclosure via Siemens ProductCERT and CISA ICS advisory