PatchSiren

CVE-2025-59392 Siemens CVE debrief

A physical-access vulnerability in Elspec G5 devices allows an attacker with physical proximity to reset the administrative password using a USB drive containing a publicly documented reset string. The vulnerability affects devices running firmware through version 1.2.2.19. The CVSS v3.1 vector (AV:P/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H) reflects that while physical presence is required, successful exploitation yields complete compromise of confidentiality, integrity, and availability. The attack complexity is low and no user interaction is required beyond the physical insertion of the prepared USB device.

Vendor: Siemens
Product: Energy Services
CVSS: MEDIUM 6.8
CISA KEV: Not listed in stored evidence
Original CVE published: 2025-12-09
Original CVE updated: 2025-12-09
Advisory published: 2025-12-09
Advisory updated: 2025-12-09

Who should care

Operational technology security teams, industrial control system administrators, critical infrastructure operators using Elspec G5 devices for power quality monitoring, and organizations with physical security responsibilities for substation or plant-floor equipment.

Technical summary

The Elspec G5 firmware through 1.2.2.19 implements a password recovery mechanism that can be triggered by inserting a USB drive containing a specific reset string. This string is publicly documented, enabling any individual with physical device access to reset administrative credentials without authentication. The vulnerability is classified as MEDIUM severity (CVSS 6.8) due to the physical access prerequisite, though impact is rated HIGH for confidentiality, integrity, and availability if exploited. The attack requires no privileges or user interaction beyond physical presence.

Defensive priority

medium

Recommended defensive actions

  • Update affected Elspec G5 devices to G5DFR V1.2.3.13 or later
  • Restrict physical access to Elspec G5 devices to authorized personnel only
  • Monitor for unauthorized USB device connections in operational technology environments
  • Review and implement CISA ICS recommended practices for defense-in-depth strategies
  • Verify firmware version on all deployed Elspec G5 units and document asset inventory
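
For the firmware verification and asset inventory step, the following is an added example (not vendor or CISA tooling) that sorts an inventory export against the two versions stated above. The CSV columns, asset names and sample rows are constructed; versions that fall between 1.2.2.19 and 1.2.3.13, or that cannot be parsed, are flagged for manual review because this page does not state their status.

```python
import csv
import io
import re

AFFECTED_THROUGH = (1, 2, 2, 19)  # from this page: firmware through 1.2.2.19
FIXED_FROM = (1, 2, 3, 13)        # from this page: G5DFR V1.2.3.13 or later

# Constructed sample inventory; asset names and columns are hypothetical.
SAMPLE_INVENTORY = """asset,site,firmware
g5-sub-01,Substation A,1.2.2.19
g5-sub-02,Substation A,G5DFR V1.2.3.13
g5-plant-07,Plant 2,v1.2.1.4
g5-plant-09,Plant 2,1.2.3.2
g5-lab-01,Lab,unknown
g5-sub-03,Substation B,1.3.0.1
"""

def parse_version(text):
    """Return a 4-part version tuple, or None if no dotted version is present."""
    m = re.search(r"(\d+)\.(\d+)\.(\d+)\.(\d+)", text or "")
    return tuple(int(p) for p in m.groups()) if m else None

def classify(firmware):
    """Map a firmware string to AFFECTED, FIXED, or REVIEW."""
    v = parse_version(firmware)
    if v is None:
        return "REVIEW"      # version not recorded: read it from the device
    if v <= AFFECTED_THROUGH:
        return "AFFECTED"
    if v >= FIXED_FROM:
        return "FIXED"
    return "REVIEW"          # between the two stated versions: status not stated

def triage(csv_text):
    """Return {status: [asset, ...]} for every row in the inventory."""
    result = {"AFFECTED": [], "FIXED": [], "REVIEW": []}
    for row in csv.DictReader(io.StringIO(csv_text)):
        result[classify(row.get("firmware"))].append(row["asset"])
    return result

if __name__ == "__main__":
    for status, assets in triage(SAMPLE_INVENTORY).items():
        print(f"{status:9} {len(assets)}  {', '.join(assets)}")
```

Units in the AFFECTED and REVIEW groups are the ones to prioritize for the physical access restrictions listed above until their firmware is confirmed or updated.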

Evidence notes

CISA published advisory ICSA-25-345-08 on 2025-12-09, confirming the vulnerability and vendor fix availability. Siemens has issued security advisory SSA-734261 with remediation guidance.
