PatchSiren cyber security CVE debrief
CVE-2025-41222 Siemens CVE debrief
CVE-2025-41222 affects Siemens RUGGEDCOM products and involves improper handling of malformed TLS handshake messages. According to the advisory, an attacker with network access to the webserver could trigger a denial of service that crashes the web server and the device. The CVSS v3.1 score is 5.3 (Medium), with availability impact only.
- Vendor: Siemens
- Product: RUGGEDCOM i800
- CVSS: MEDIUM 5.3
- CISA KEV: Not listed in stored evidence
- Original CVE published: 2025-07-08
- Original CVE updated: 2025-10-14
- Advisory published: 2025-07-08
- Advisory updated: 2025-10-14
Who should care
Operators and administrators responsible for Siemens RUGGEDCOM i800 and the related RUGGEDCOM ROS / switch families listed in the advisory, especially if the device webserver or SSH service is reachable from untrusted networks. OT teams should also care where these devices support remote management over ports 80/tcp, 443/tcp, or 22/tcp.
Technical summary
CISA’s CSAF advisory for ICSA-25-294-04 states that affected Siemens devices do not properly handle malformed TLS handshake messages. The issue is network-reachable and can lead to a denial of service, crashing the web server and the device. The advisory lists CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L, which aligns with an availability-only crash condition rather than code execution or data exposure.
Defensive priority
Medium priority, but treat as higher priority if the device web interface is exposed beyond trusted management networks. Because the advisory includes products with no fix available and recommends access restrictions and service deactivation, exposure reduction is the most important immediate control.
Recommended defensive actions
- Restrict access to ports 80/tcp, 443/tcp, and 22/tcp to trusted IP addresses only.
- Deactivate the webserver if it is not required and if the product supports deactivation.
- Deactivate the SSH server if it is not required and if the product supports deactivation.
- Apply the Siemens vendor fix by updating to V5.10.0 or later where that remediation is listed for the affected product.
- Confirm whether the specific device is one of the products for which CISA lists no fix currently available, and rely on compensating controls if so.
- Validate the device’s management exposure from both IT and OT networks and limit reachability to the minimum necessary management hosts.
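An added example, not part of the advisory or of any Siemens or CISA tooling: one way to check the access-restriction and exposure-validation actions above, assuming a Linux firewall sits in front of the devices and its rules are available in iptables-save form. The device subnet, the trusted management range and the rules are constructed, and the script flags individual ACCEPT rules without modelling rule order or negated matches.

```python
import ipaddress
import shlex

MGMT_PORTS = {22, 80, 443}  # ports named in the advisory's mitigations

# Constructed sample in iptables-save syntax; every address is illustrative.
SAMPLE_RULES = """\
-A FORWARD -s 10.20.0.5/32 -d 192.168.50.10/32 -p tcp -m tcp --dport 443 -j ACCEPT
-A FORWARD -s 10.0.0.0/8 -d 192.168.50.10/32 -p tcp -m multiport --dports 22,80 -j ACCEPT
-A FORWARD -d 192.168.50.0/24 -p tcp -m tcp --dport 80 -j ACCEPT
-A FORWARD -s 10.20.0.5/32 -d 192.168.50.10/32 -p udp -m udp --dport 161 -j ACCEPT
-A FORWARD -d 192.168.50.0/24 -j DROP
"""

def expand_ports(spec):
    """Turn '22,80' or '1:1024' into a set of port numbers."""
    ports = set()
    for part in spec.split(","):
        lo, _, hi = part.partition(":")
        ports.update(range(int(lo), int(hi or lo) + 1))
    return ports

def exposed_rules(rules_text, device_net, trusted):
    """List (source, ports) for ACCEPT rules that let a source outside
    `trusted` reach a management port inside `device_net`."""
    device_net = ipaddress.ip_network(device_net)
    trusted = [ipaddress.ip_network(t) for t in trusted]
    findings = []
    for line in rules_text.splitlines():
        tok = shlex.split(line)
        if not tok or tok[0] != "-A":
            continue
        # Map each option to the token after it (negated matches not handled).
        opt = {tok[i]: tok[i + 1] for i in range(len(tok) - 1) if tok[i].startswith("-")}
        if opt.get("-j") != "ACCEPT" or opt.get("-p", "all") not in ("tcp", "all"):
            continue
        # A rule without -s or -d matches any address.
        src = ipaddress.ip_network(opt.get("-s", "0.0.0.0/0"), strict=False)
        dst = ipaddress.ip_network(opt.get("-d", "0.0.0.0/0"), strict=False)
        spec = opt.get("--dport") or opt.get("--dports")
        ports = expand_ports(spec) if spec else set(range(1, 65536))
        hit = sorted(ports & MGMT_PORTS)
        if hit and dst.overlaps(device_net) and not any(src.subnet_of(t) for t in trusted):
            findings.append((str(src), hit))
    return findings

if __name__ == "__main__":
    for src, ports in exposed_rules(SAMPLE_RULES, "192.168.50.0/24", ["10.20.0.0/28"]):
        print(f"untrusted source {src} can reach management ports {ports}")
```

An empty result means no single ACCEPT rule opens 22/tcp, 80/tcp or 443/tcp on the device subnet to a source outside the trusted list; any finding is a rule to narrow or remove.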
Evidence notes
All factual statements in this debrief are drawn from the supplied CISA CSAF source item for ICSA-25-294-04 and the provided Siemens/CISA references. The advisory publication date is 2025-07-08 and the modified date is 2025-10-14, when acknowledgements were added. The source lists both mitigations and a vendor fix for selected products, while also noting that no fix is currently available for some affected products.
Official resources
- CVE-2025-41222 CVE record (CVE.org)
- CVE-2025-41222 NVD detail (NVD)
- Source item URL (cisa_csaf)
CISA published ICSA-25-294-04 on 2025-07-08 and updated it on 2025-10-14 to add acknowledgements. The advisory corresponds to CVE-2025-41222.