PatchSiren cyber security CVE debrief

CVE-2025-64756 Siemens CVE debrief

CVE-2025-64756 is a high-severity command-injection issue in a shell-based filename processing path. When the affected -c/--cmd flow is used, matched filenames are passed to a shell with shell: true; if an attacker can influence filenames, shell metacharacters can trigger arbitrary command execution with the privileges of the invoking user or CI account. The supplied CSAF record ties the CVE to Siemens SIDIS Prime and lists V4.0.800 or later as the remediation target.

Vendor: Siemens
Product: SIDIS Prime
CVSS: HIGH 7.5
CISA KEV: Not listed in stored evidence
Original CVE published: 2026-03-10
Original CVE updated: 2026-03-12
Advisory published: 2026-03-10
Advisory updated: 2026-03-12

Who should care

Siemens SIDIS Prime operators, integrators, and CI/CD administrators who process untrusted or externally supplied filenames with the affected command path.

Technical summary

The source advisory describes a command-injection flaw in glob-style command execution: filenames matched by patterns are forwarded to a shell with shell: true, so malicious filenames can alter command behavior and execute arbitrary commands. In the supplied CSAF record, the CVE is associated with Siemens SIDIS Prime and the remediation is V4.0.800 or later; follow the vendor advisory path for upgrade guidance and validate any affected automation that invokes the command flow.

Defensive priority

High — arbitrary command execution is possible when untrusted filenames reach the affected command path, including in CI or automation contexts.

Recommended defensive actions

  • Update Siemens SIDIS Prime to V4.0.800 or later as directed by the advisory.
  • Do not process attacker-controlled or untrusted filenames through the affected -c/--cmd workflow until patched.
  • Review CI jobs, service accounts, and automation that invoke the affected command path and reduce privileges where possible.
  • Add detection for unexpected child processes or shell activity around filename-processing jobs and investigate anomalies promptly.

Evidence notes

This debrief is based on the supplied CISA CSAF advisory ICSA-26-071-03, published 2026-03-10 and republished 2026-03-12, which references Siemens ProductCERT SSA-485750. The source description states that matched filenames are passed to a shell with shell: true and that malicious names can trigger command injection. The supplied record also maps remediation to Siemens SIDIS Prime V4.0.800 or later. Because the advisory text and product-tree context are not perfectly aligned, the vendor advisory and CISA CSAF were treated as the primary evidence sources.

Official resources

CISA published ICSA-26-071-03 on 2026-03-10 and republished it on 2026-03-12, citing Siemens ProductCERT SSA-485750 material.