PatchSiren cyber security CVE debrief
CVE-2025-4138 Siemens CVE debrief
CVE-2025-4138 is a High-severity issue republished by CISA for Siemens products in ICSA-26-043-06. The vulnerability description in the source record says tarfile extraction filters can be ignored, allowing symlink targets to point outside the intended destination directory and permitting some file metadata changes. Siemens’ advisory materials direct affected users to update to V3.3 or later, and CISA’s later updates clarified the affected scope.
- Vendor: Siemens
- Product: RUGGEDCOM RST2428P (6GK6242-6PA00)
- CVSS: HIGH 7.5
- CISA KEV: Not listed in stored evidence
- Original CVE published: 2026-01-28
- Original CVE updated: 2026-02-25
- Advisory published: 2026-01-28
- Advisory updated: 2026-02-25
Who should care
Siemens industrial asset owners, OT administrators, and firmware maintainers running the listed RUGGEDCOM/SCALANCE devices, especially where SINEC OS firmware is used or where archive extraction from untrusted sources is part of the workflow.
Technical summary
The underlying flaw described in the record affects Python’s tarfile extraction behavior. When TarFile.extractall() or TarFile.extract() is used with filter="data" or filter="tar"—and, for Python 3.14 or later, when the default "data" behavior is relied on—an attacker-controlled tar archive can bypass the extraction filter, cause symlink targets to resolve outside the destination directory, and alter some file metadata. In the Siemens/CISA advisory context, the source timeline shows the advisory was republished and later clarified, including a note that only SINEC OS firmware is impacted.
Defensive priority
High priority for any confirmed affected Siemens deployment. Validate exact model/firmware exposure, then apply the vendor fix promptly; the February 2026 republish history shows the scope was refined after initial publication, so use the latest advisory details before scheduling remediation.
Recommended defensive actions
- Confirm whether each Siemens device in your inventory matches the latest advisory scope, especially the SINEC OS firmware clarification added in late February 2026.
- Upgrade affected products to V3.3 or later using Siemens’ remediation guidance.
- Review any process that extracts tar archives from untrusted or externally supplied sources; do not assume filter defaults are sufficient without explicit validation.
- Check archives and extracted content for suspicious symlinks and unexpected metadata before deployment or installation.
- Follow CISA ICS hardening and defense-in-depth guidance for segmentation, access control, and monitoring.
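The pre-extraction check suggested above, as an added example that is not part of the original debrief or of Siemens' or Python's own code: it reads archive metadata only (nothing is written to disk) and flags members whose names or symlink/hardlink targets resolve outside the intended destination, special files, and setuid/setgid bits, so a process can refuse the archive instead of relying on the tarfile filter. The destination path and the in-memory sample archive are constructed for the demonstration.

```python
import io
import os
import stat
import tarfile

def _escapes(dest_real: str, rel_path: str) -> bool:
    """Lexically resolve rel_path under dest_real; True if it leaves dest."""
    target = os.path.normpath(os.path.join(dest_real, rel_path))
    return os.path.commonpath([dest_real, target]) != dest_real

def audit_tar(data: bytes, dest: str = "/opt/extract") -> list[str]:
    """Inspect metadata only and return findings that should block extraction."""
    dest_real = os.path.realpath(dest)  # assumed destination, nothing is written there
    findings = []
    with tarfile.open(fileobj=io.BytesIO(data), mode="r:*") as tf:
        for m in tf.getmembers():
            if os.path.isabs(m.name) or _escapes(dest_real, m.name):
                findings.append(f"{m.name}: path escapes destination")
            if m.issym() or m.islnk():
                # A symlink target is relative to the link's own directory;
                # a hardlink target is relative to the archive root.
                base = os.path.dirname(m.name) if m.issym() else ""
                if os.path.isabs(m.linkname) or _escapes(dest_real, os.path.join(base, m.linkname)):
                    findings.append(f"{m.name}: link target {m.linkname!r} escapes destination")
            if m.isdev() or m.isfifo():
                findings.append(f"{m.name}: special file (device/fifo)")
            if m.mode & (stat.S_ISUID | stat.S_ISGID):
                findings.append(f"{m.name}: setuid/setgid bit set")
    return findings

def build_sample(hostile: bool = True) -> bytes:
    """Constructed in-memory sample: one benign file, plus three members that must be rejected."""
    buf = io.BytesIO()
    with tarfile.open(fileobj=buf, mode="w") as tf:
        good = tarfile.TarInfo("app/config.ini")
        good.size = 4
        tf.addfile(good, io.BytesIO(b"a=1\n"))
        if hostile:
            link = tarfile.TarInfo("app/link")          # symlink escaping the destination
            link.type = tarfile.SYMTYPE
            link.linkname = "../../../outside_dir"
            tf.addfile(link)
            tf.addfile(tarfile.TarInfo("../../outside.txt"))  # traversal in the member name
            suid = tarfile.TarInfo("app/bin/helper")    # setuid bit in member metadata
            suid.mode = 0o4755
            tf.addfile(suid)
    return buf.getvalue()
```

For a real archive, pass `open(path, "rb").read()` and the actual extraction directory as `dest`; an empty result means no member was flagged by these checks.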
Evidence notes
The supplied CISA CSAF source item (ICSA-26-043-06) republishes Siemens SSA-089022 and includes the vulnerability description, affected product names, and remediation to update to V3.3 or later. The revision history in the source shows publication on 2026-01-28, an initial republication on 2026-02-12, a scope clarification on 2026-02-24, and a latest update on 2026-02-25. Official references in the corpus include the Siemens CSAF and HTML advisory pages, the CISA ICS advisory page, the CVE record, and NVD.
Official resources
- CVE-2025-4138 CVE record (CVE.org)
- CVE-2025-4138 NVD detail (NVD)
- Source item: cisa_csaf (ICSA-26-043-06)
CISA republished Siemens SSA-089022 as ICSA-26-043-06 for CVE-2025-4138, first published on 2026-01-28 and updated on 2026-02-12, 2026-02-24, and 2026-02-25. Treat the latest advisory version as authoritative for affected products and remdi