PatchSiren cyber security CVE debrief
CVE-2025-58751 Siemens CVE debrief
According to the supplied advisory text, CVE-2025-58751 describes a Vite dev-server access-control bypass involving the public directory: when the dev server is explicitly exposed to the network, the project uses the public directory feature, and a symlink exists in that directory, files could be served in a way that bypasses server.fs settings. The source corpus says the issue is fixed in Vite 7.1.5, 7.0.7, 6.3.6, and 5.4.20. The same source item also labels the advisory as Siemens SIDIS Prime vers:intdot/<4.0.800 and lists a Siemens remediation to update to V4.0.800 or later, so the product metadata and the vulnerability description do not align cleanly and should be verified before remediation planning.
- Vendor: Siemens
- Product: SIDIS Prime
- CVSS: MEDIUM 4.3
- CISA KEV: Not listed in stored evidence
- Original CVE published: 2026-03-10
- Original CVE updated: 2026-03-12
- Advisory published: 2026-03-10
- Advisory updated: 2026-03-12
Who should care
Security and development teams that run a Vite dev server exposed on the network, especially where the project uses the default public directory feature and includes symlinks in that directory. Because the supplied source metadata also names Siemens SIDIS Prime, asset owners should confirm which advisory and product line applies in their environment.
Technical summary
The advisory text ties the weakness to a network-reachable Vite dev server exposed with --host or server.host, the public directory feature, and a symlink in that directory. Under those conditions, files could be served while bypassing server.fs restrictions. The supplied CVSS vector is CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:L/I:N/A:N, which is consistent with a remotely reachable issue that requires user interaction and has limited confidentiality impact. The source also references CWE-22.
Defensive priority
Medium. Patch promptly for any exposed development environment, but the narrow prerequisites mean this is not described as a broad enterprise-wide emergency in the supplied data.
Recommended defensive actions
- Update to the fixed Vite versions listed in the advisory text: 7.1.5, 7.0.7, 6.3.6, or 5.4.20, as applicable to your branch.
- If you rely on the Siemens advisory metadata instead, confirm the correct vendor/product remediation path before making changes, because the source corpus contains a product-description mismatch.
- Avoid exposing development servers to untrusted networks unless required, and restrict access to the smallest necessary audience.
- Review projects that use the public directory feature for symlinks and remove or isolate them where possible.
- Validate that server.fs restrictions are still enforced after upgrading and that no unintended public-directory content is reachable.
- Use the referenced Siemens and CISA advisories as the authoritative source for environment-specific remediation guidance.
Evidence notes
The source corpus includes an apparent inconsistency: the description text is about Vite and names Vite fixed versions, while the CSAF product metadata identifies Siemens SIDIS Prime vers:intdot/<4.0.800 and a Siemens remediation of V4.0.800 or later. This debrief follows the supplied description and timing fields and flags the mismatch rather than inferring additional impacted products.
Official resources
- CVE-2025-58751 CVE record (CVE.org)
- CVE-2025-58751 NVD detail (NVD)
- Source item URL (cisa_csaf)
CISA published the advisory item on 2026-03-10 and republished it on 2026-03-12. The supplied data does not indicate KEV listing or known ransomware-campaign use.