PatchSiren cyber security CVE debrief
CVE-2025-4435 Siemens CVE debrief
CVE-2025-4435 is a high-severity Siemens advisory about archive extraction behavior that does not match the documented security expectation when TarFile.errorlevel = 0 is used with a filter. Instead of skipping filtered members, affected versions may still extract them. In practice, that can defeat file-selection controls and undermine security assumptions around handling untrusted archives. CISA republished Siemens’ advisory and later clarified the affected scope in the revision history; the provided remediation is to update to V3.3 or later where applicable.
- Vendor: Siemens
- Product: RUGGEDCOM RST2428P (6GK6242-6PA00)
- CVSS: HIGH 7.5
- CISA KEV: Not listed in stored evidence
- Original CVE published: 2026-01-28
- Original CVE updated: 2026-02-25
- Advisory published: 2026-01-28
- Advisory updated: 2026-02-25
Who should care
Siemens OT/ICS operators, asset owners, and patch teams responsible for the affected industrial networking products, together with anyone who owns workflows that process tar archives on impacted systems. It also matters to defenders who validate archive-handling assumptions in build, update, and maintenance pipelines.
Technical summary
The supplied advisory describes a mismatch between documented and actual behavior in tar extraction when a filter is applied and errorlevel is set to 0. The expected outcome is that filtered members are skipped; the affected behavior is that the members may still be extracted. The advisory data provided by CISA ties the issue to Siemens ProductCERT advisory SSA-089022 / ICSA-26-043-06, lists a CVSS 3.1 vector of AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N, and provides a vendor remediation of updating to version V3.3 or later for affected products.
Defensive priority
High. Prioritize remediation on exposed or operationally critical Siemens environments because the issue is network-reachable in the CVSS vector and can lead to high integrity impact without privileges or user interaction.
Recommended defensive actions
- Update affected Siemens products to V3.3 or later, following the vendor advisory guidance.
- Review any automation, maintenance, or update workflows that extract tar archives and verify they do not rely on filtered members being skipped when errorlevel = 0.
- Validate that file-extraction controls and allowlists are enforced outside of tar filter behavior as a defense-in-depth measure.
- Track Siemens advisory SSA-089022 and CISA ICSA-26-043-06 for any scope clarifications or product-specific remediation notes.
- If you manage affected OT assets, schedule patching according to operational change control and confirm versions after remediation.
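As an added defensive example (not part of the advisory or of any Siemens or CISA material), the following Python script shows one way to apply the second and third actions above: the file-selection policy described in the technical summary is enforced by an explicit check that does not depend on tar filter or errorlevel behavior. It assumes that the TarFile API named in the advisory is Python's standard tarfile module; the sample archive, its member names, and the helper names build_sample_archive, is_member_allowed, extract_checked and run_demo are constructed for this illustration.

```python
"""Added defensive example (not from the advisory): apply an explicit member
policy before extracting a tar archive, independent of TarFile filter and
errorlevel semantics. Assumes the TarFile API referenced in the advisory is
Python's standard tarfile module."""
import io
import os
import tarfile
import tempfile
from pathlib import Path


def build_sample_archive() -> bytes:
    """Constructed test data (not from the page): an in-memory tar with one
    ordinary file and one member whose name would escape the destination."""
    buf = io.BytesIO()
    with tarfile.open(fileobj=buf, mode="w") as tar:
        for name, payload in (("config/app.conf", b"key=value\n"),
                              ("../outside.txt", b"should never be written\n")):
            info = tarfile.TarInfo(name)
            info.size = len(payload)
            tar.addfile(info, io.BytesIO(payload))
    return buf.getvalue()


def is_member_allowed(member: tarfile.TarInfo, dest: Path) -> tuple[bool, str]:
    """Policy check enforced outside of tar filter behavior: only regular files
    and directories whose resolved path stays inside dest are accepted. Links,
    device nodes and absolute names are rejected with a reason for logging."""
    if not (member.isfile() or member.isdir()):
        return False, f"disallowed type {member.type!r}"
    if os.path.isabs(member.name):
        return False, "absolute path"
    root = dest.resolve()
    target = (dest / member.name).resolve()
    if target != root and root not in target.parents:
        return False, "path escapes destination"
    return True, "ok"


def extract_checked(data: bytes, dest: Path) -> dict[str, str]:
    """Extract only members that pass is_member_allowed and return a map of
    member name -> decision so rejections can be logged and alerted on.
    Each approved member is written via extractfile(), so the outcome does not
    depend on what extractall() does with filtered members at errorlevel 0."""
    decisions: dict[str, str] = {}
    dest.mkdir(parents=True, exist_ok=True)
    with tarfile.open(fileobj=io.BytesIO(data), mode="r") as tar:
        for member in tar.getmembers():
            ok, reason = is_member_allowed(member, dest)
            decisions[member.name] = "extracted" if ok else f"rejected: {reason}"
            if not ok:
                continue
            target = dest / member.name
            if member.isdir():
                target.mkdir(parents=True, exist_ok=True)
                continue
            target.parent.mkdir(parents=True, exist_ok=True)
            src = tar.extractfile(member)
            assert src is not None  # regular file guaranteed by the check above
            with open(target, "wb") as out:
                out.write(src.read())
    return decisions


def run_demo() -> dict[str, object]:
    """Run the checked extraction against the constructed archive in a
    throwaway directory and report what was and was not written."""
    with tempfile.TemporaryDirectory() as tmp:
        dest = Path(tmp) / "extracted"
        decisions = extract_checked(build_sample_archive(), dest)
        return {
            "decisions": decisions,
            "inside_written": (dest / "config" / "app.conf").read_bytes(),
            "outside_written": (Path(tmp) / "outside.txt").exists(),
        }


if __name__ == "__main__":
    for name, decision in run_demo()["decisions"].items():
        print(f"{name}: {decision}")
```

The decision map is the artifact worth keeping: a pipeline that unpacks update or maintenance archives can write it to its log and raise an alert whenever any member is rejected, which makes a mismatch between expected and actual tar behavior visible instead of silent.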
Evidence notes
This debrief is based only on the provided CISA CSAF source item and the referenced official links. The source states that CVE-2025-4435 was published on 2026-01-28 and modified on 2026-02-25, with a revision history showing additional republications on 2026-02-12 and 2026-02-24 before the latest 2026-02-25 update. The supplied remediation section says to update to V3.3 or later for affected products. The provided enrichment does not mark this CVE as KEV and does not indicate ransomware campaign use. The source material also includes a clarification in the revision history that only SINEC OS firmware is impacted.
Official resources
- CVE-2025-4435 CVE record (CVE.org)
- CVE-2025-4435 NVD detail (NVD)
- Source item URL (cisa_csaf)
- Source reference
Publicly disclosed by CISA on 2026-01-28 and updated through 2026-02-25 via republications of Siemens advisory SSA-089022 / ICSA-26-043-06. No KEV listing is indicated in the supplied data.