PatchSiren cyber security CVE debrief
CVE-2025-4330 Siemens CVE debrief
CVE-2025-4330 is an integrity-focused archive-extraction flaw described in Siemens' advisory for SINEC OS-based products, including the RUGGEDCOM RST2428P and multiple SCALANCE families. When untrusted tar archives are extracted with TarFile.extractall() or TarFile.extract() using filter="data" or filter="tar" (and, for Python 3.14+, when relying on the new default filter="data"), the extraction filter can be bypassed. That can allow symlink targets to point outside the intended destination directory and can alter some file metadata. Siemens' remediation is to update to V3.3 or later.
- Vendor: Siemens
- Product: RUGGEDCOM RST2428P (6GK6242-6PA00)
- CVSS: HIGH 7.5
- CISA KEV: Not listed in stored evidence
- Original CVE published: 2026-01-28
- Original CVE updated: 2026-02-25
- Advisory published: 2026-01-28
- Advisory updated: 2026-02-25
Who should care
Operators, maintenance teams, and security administrators responsible for Siemens RUGGEDCOM RST2428P and the listed SCALANCE devices running the affected SINEC OS firmware, especially where tar archives are handled during updates, imports, or service workflows.
Technical summary
The advisory describes a tarfile extraction-filter bypass. In affected uses of Python's tarfile module, extraction with filter="data" or filter="tar" may not enforce the expected containment rules. The result can be symlink targets resolving outside the destination directory and modification of selected file metadata. The issue is relevant to untrusted archive extraction; the advisory notes that source-distribution installation already carries build-time code-execution risk, but suspicious links should still be avoided.
Defensive priority
High. The CVSS vector indicates network reachability with no privileges or user interaction required, and a high integrity impact (CVSS 7.5 / High). For industrial devices and update pipelines, treat this as a prompt patching item, especially if archive extraction is part of operational workflows.
Recommended defensive actions
- Update affected Siemens products to V3.3 or later, following Siemens ProductCERT guidance.
- Avoid extracting untrusted tar archives on affected systems until patched.
- Review any automation that uses tarfile extraction with filter="data" or "tar"; validate that containment checks are enforced.
- For Python 3.14+ environments, do not assume the default filter="data" alone provides sufficient protection on impacted versions.
- Prefer signed, trusted update artifacts and inspect archives for suspicious symlinks before installation.
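As an added defensive example (not code from Siemens' advisory or from the CPython tarfile module), the following pre-extraction audit implements the containment check the two items above call for: it walks an archive's member list and flags member names, symlink targets and hard-link targets that would resolve outside the destination, following earlier in-archive symlinks so that a file placed under a symlinked directory is judged by where it would actually land. The function names and the sample archive are constructed for this illustration, and the check is a textual pre-filter that complements, rather than replaces, the V3.3 update.

```python
import io
import posixpath
import tarfile

def _join(base_dir, target):
    # Resolve target against base_dir POSIX-style, purely textually (no filesystem access).
    return posixpath.normpath(target if target.startswith("/") else posixpath.join(base_dir, target))

def _resolve(path, links):
    """Rewrite path through earlier in-archive symlinks (links: name -> target)."""
    for _ in range(40):  # bound on symlink hops; None signals a loop or excessive depth
        parts = posixpath.normpath(path).split("/")
        hit = next((i for i in range(1, len(parts) + 1) if "/".join(parts[:i]) in links), None)
        if hit is None:
            return posixpath.normpath(path)
        prefix, rest = "/".join(parts[:hit]), "/".join(parts[hit:])
        path = posixpath.join(_join(posixpath.dirname(prefix), links[prefix]), rest)
    return None

def _escapes(path):
    # Absolute or '..'-leading paths leave the destination; None (unresolvable chain) is unsafe too.
    return path is None or path.startswith("/") or path == ".." or path.startswith("../")

def find_unsafe_members(archive_bytes):
    """(name, reason) pairs for members that would land or link outside the destination."""
    unsafe, links = [], {}
    with tarfile.open(fileobj=io.BytesIO(archive_bytes), mode="r") as tar:
        for m in tar.getmembers():
            name = posixpath.normpath(m.name)
            if _escapes(name) or _escapes(_resolve(name, links)):
                unsafe.append((m.name, "path escapes destination"))
            elif m.issym():
                if _escapes(_resolve(_join(posixpath.dirname(name), m.linkname), links)):
                    unsafe.append((m.name, f"symlink -> {m.linkname}"))
                links[name] = m.linkname  # later members may pass through this link
            elif m.islnk() and _escapes(_resolve(posixpath.normpath(m.linkname), links)):
                unsafe.append((m.name, f"hardlink -> {m.linkname}"))
    return unsafe

def build_sample_archive():
    """Constructed sample (not from the advisory): a benign file, a symlink escaping
    via '..', and a file that would be written through that symlink."""
    buf = io.BytesIO()
    with tarfile.open(fileobj=buf, mode="w") as tar:
        tar.addfile(tarfile.TarInfo("pkg/README"))  # empty regular file, benign
        link = tarfile.TarInfo("pkg/link")
        link.type, link.linkname = tarfile.SYMTYPE, "../../outside"
        tar.addfile(link)
        tar.addfile(tarfile.TarInfo("pkg/link/payload"))  # would land in ../outside/payload
    return buf.getvalue()
```

Run find_unsafe_members() over an archive before handing it to extractall(); a non-empty result means the archive should be rejected, whichever filter the extraction would use.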
Evidence notes
The supplied CISA CSAF source item ICSA-26-043-06 republishes Siemens SSA-089022. Its revision history shows initial publication on 2026-01-28 and updates on 2026-02-12, 2026-02-24, and 2026-02-25. The advisory explicitly lists RUGGEDCOM RST2428P and other Siemens products, and clarifies that only SINEC OS firmware is impacted. The remediation field in the advisory says to update to V3.3 or later.
Official resources
- CVE-2025-4330 CVE record (CVE.org)
- CVE-2025-4330 NVD detail (NVD)
- Source item URL (cisa_csaf)
Publicly disclosed on 2026-01-28 via CISA CSAF advisory ICSA-26-043-06, with the latest CISA republication update on 2026-02-25 based on Siemens SSA-089022.