PatchSiren cyber security CVE debrief

CVE-2025-4517 Siemens CVE debrief

CVE-2025-4517 is a critical arbitrary filesystem write issue described in the supplied CISA/Siemens advisory corpus. The vulnerability is triggered when untrusted tar archives are extracted with Python tarfile APIs using filter="data" or filter="tar". For Python 3.14 and later, the advisory notes that the default filter changed to "data", so code relying on that default can also be exposed. In the Siemens advisory materials republished by CISA, the affected scope maps to multiple Siemens industrial networking products, and the stated remediation is to update affected firmware to V3.3 or later.

Vendor
Siemens
Product
RUGGEDCOM RST2428P (6GK6242-6PA00)
CVSS
CRITICAL 9.4
CISA KEV
Not listed in stored evidence
Original CVE published
2026-01-28
Original CVE updated
2026-02-25
Advisory published
2026-01-28
Advisory updated
2026-02-25

Who should care

Siemens RUGGEDCOM and SCALANCE operators, OT/ICS platform owners, and integrators who use the affected firmware or any archive-extraction workflow that relies on Python tarfile filtering. Security teams should also review update pipelines and any tooling that processes untrusted tar archives.

Technical summary

The advisory states that TarFile.extractall() and TarFile.extract() can permit arbitrary writes outside the extraction directory when used with filter="data" or filter="tar". That makes path handling during extraction the key security boundary. The supplied source also calls out Python 3.14’s default filter="data" behavior change, which expands exposure for code that assumed the newer default was safe. Siemens’ published remediation in the corpus is to update affected products to V3.3 or later, with one product entry pointing to additional information.

Defensive priority

Urgent. The supplied CVSS score is 9.4 (Critical), and the remediation is a vendor update rather than a workaround. Prioritize exposure validation and firmware upgrade planning for any affected Siemens deployment, then review archive-handling code paths that may extract untrusted tar content.

Recommended defensive actions

  • Inventory Siemens products named in the advisory and confirm whether any affected models or firmware are deployed.
  • Apply Siemens’ remediation and update to V3.3 or later for affected products, using the vendor advisory referenced in the corpus.
  • Review any Python code or embedded tooling that calls TarFile.extractall() or TarFile.extract() on untrusted archives, especially where filter="data" or filter="tar" is used.
  • If Python 3.14 or later is in use, do not assume the default filter="data" is safe for untrusted content; explicitly validate archive-extraction behavior.
  • Restrict untrusted archive handling in operational workflows until updates are confirmed, and treat archive download links from unverified sources cautiously when evaluating source distributions.
  • Track the Siemens and CISA advisory pages for product-specific clarification, including any entries that reference additional information rather than a direct firmware version note.
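The code review called for above needs a concrete check that does not depend on which tarfile filter a given interpreter ships. The following is an added example, not code from the advisory or from Siemens: it vets each member's resolved path and type before extraction, keeps the built-in data filter as a second layer where available, and exercises the check against a constructed in-memory archive; the member names, the temporary destination and the helper names are all assumptions of this example.

```python
import io
import os
import tarfile
import tempfile

def member_is_safe(member: tarfile.TarInfo, dest: str) -> bool:
    """Independent path check that does not rely on tarfile's built-in filters."""
    dest_real = os.path.realpath(dest)
    target = os.path.realpath(os.path.join(dest_real, member.name))
    if os.path.isabs(member.name) or os.path.commonpath([dest_real, target]) != dest_real:
        return False  # absolute name, or resolves outside the destination directory
    if member.issym() or member.islnk():
        return False  # links could redirect later writes outside the destination
    return member.isfile() or member.isdir()  # no devices, FIFOs or unknown types

def safe_extract(data: bytes, dest: str) -> tuple[list[str], list[str]]:
    """Extract only vetted members; return (accepted, rejected) member names."""
    # Keep the built-in data filter as a second layer where the interpreter has one.
    kwargs = {"filter": "data"} if hasattr(tarfile, "data_filter") else {}
    accepted, rejected = [], []
    with tarfile.open(fileobj=io.BytesIO(data), mode="r:*") as tf:
        for m in tf.getmembers():
            if member_is_safe(m, dest):
                tf.extract(m, path=dest, **kwargs)
                accepted.append(m.name)
            else:
                rejected.append(m.name)
    return accepted, rejected

def build_sample_archive() -> bytes:
    """Constructed fixture: one benign file plus three members that must be refused."""
    buf = io.BytesIO()
    with tarfile.open(fileobj=buf, mode="w") as tf:
        def add(name, payload=b"", kind=tarfile.REGTYPE, linkname=""):
            ti = tarfile.TarInfo(name)
            ti.type, ti.linkname, ti.size = kind, linkname, len(payload)
            tf.addfile(ti, io.BytesIO(payload) if kind == tarfile.REGTYPE else None)
        add("config/app.conf", b"ok=1")
        add("../escape.txt", b"x")        # parent-directory traversal
        add("/tmp/absolute.txt", b"x")    # absolute path
        add("link", kind=tarfile.SYMTYPE, linkname="../../outside")
    return buf.getvalue()

def demo() -> dict:
    """Run the check in a fresh temp directory and report what happened."""
    dest = tempfile.mkdtemp()
    accepted, rejected = safe_extract(build_sample_archive(), dest)
    with open(os.path.join(dest, "config", "app.conf"), "rb") as f:
        content = f.read()
    return {"accepted": accepted, "rejected": rejected, "content": content}
```

The check assumes the destination directory contains no pre-existing symlinks; because link members are refused outright, nothing extracted here can create one either.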

Evidence notes

All statements are drawn from the supplied CSAF source item, its revision history, the Siemens references, and the official CVE/NVD links. The corpus says the issue allows arbitrary filesystem writes outside the extraction directory during tar extraction with filter="data" and applies when filter="tar" is used as well. The source metadata shows initial publication on 2026-01-28 and latest modification on 2026-02-25, with CISA republication updates on 2026-02-12 and 2026-02-24. Remediation in the corpus is firmware update to V3.3 or later.

Official resources

First published in the supplied corpus on 2026-01-28 and last modified on 2026-02-25. The CISA revision history shows follow-up republication on 2026-02-12 and a further clarification on 2026-02-24 before the latest update.