PatchSiren cyber security CVE debrief

CVE-2025-66030 Siemens CVE debrief

CVE-2025-66030 is a medium-severity issue in Siemens SIDIS Prime as published by CISA and Siemens. The advisory describes an integer overflow in node-forge ASN.1 OID processing that can let oversized arcs decode to smaller, trusted OIDs, which may undermine OID-based security checks. Siemens lists version 4.0.800 and later as the fix target.

Vendor: Siemens
Product: SIDIS Prime
CVSS: MEDIUM 5.3
CISA KEV: Not listed in stored evidence
Original CVE published: 2026-03-10
Original CVE updated: 2026-03-12
Advisory published: 2026-03-10
Advisory updated: 2026-03-12

Who should care

Operators and administrators of Siemens SIDIS Prime, OT/ICS security teams, and asset owners who use OID-based certificate or trust validation in affected environments. Any deployment below version 4.0.800 should be prioritized for review.

Technical summary

The advisory says remote, unauthenticated attackers may supply crafted ASN.1 structures with oversized OID arcs. Due to 32-bit bitwise truncation, those arcs can be interpreted as smaller OIDs, potentially bypassing downstream logic that relies on OID values for trust or policy decisions. The provided CVSS vector is CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N.
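To make the bug class concrete, here is an added illustration (not node-forge's, Siemens', or CISA's code) of decoding the content octets of a DER OBJECT IDENTIFIER two ways: `decodeArcsTruncating` accumulates each 7-bit group with JavaScript's 32-bit shift-and-OR, the pattern the advisory describes, and `decodeArcsChecked` accumulates with multiplication, refuses an arc that would leave the exactly-representable integer range, and rejects non-minimal or unterminated arcs. The function names and the byte sequences are constructed for this example; the second sample encodes the arc 2^32 + 5, which needs 33 bits.

```javascript
// Added illustration of the OID-arc truncation class described in the advisory.
// This is NOT node-forge's implementation; it is a minimal DER OID decoder
// written two ways so the failure mode and its fix can be seen side by side.
// Input: the content octets of an ASN.1 OBJECT IDENTIFIER (tag and length removed).

const MAX_SAFE = Number.MAX_SAFE_INTEGER; // 2^53 - 1

// Split the first decoded value into the first two arcs (X.690 8.19).
function splitFirstArc(value) {
  const lead = value >= 80 ? 2 : Math.floor(value / 40);
  return [lead, value - lead * 40];
}

// Vulnerable pattern: accumulate 7-bit groups with a 32-bit shift.
// JavaScript's << and | operate on signed 32-bit integers, so an arc longer
// than 32 bits silently loses its high bits and decodes to a smaller arc.
function decodeArcsTruncating(bytes) {
  const arcs = [];
  let value = 0;
  let first = true;
  for (const b of bytes) {
    value = (value << 7) | (b & 0x7f);
    if (b & 0x80) continue; // continuation bit set: more groups follow
    if (first) { arcs.push(...splitFirstArc(value)); first = false; }
    else arcs.push(value);
    value = 0;
  }
  return arcs;
}

// Hardened pattern: multiply instead of shift (no 32-bit wraparound), refuse
// any arc that would exceed the exactly-representable integer range, reject
// a non-minimal leading 0x80 group, and reject a trailing unterminated arc.
function decodeArcsChecked(bytes) {
  const arcs = [];
  let value = 0;
  let groups = 0;
  let first = true;
  for (const b of bytes) {
    if (groups === 0 && b === 0x80) throw new Error('non-minimal OID arc encoding');
    // value * 128 + 127 must stay <= MAX_SAFE, i.e. value <= 2^46 - 1
    if (value > (MAX_SAFE - 127) / 128) throw new Error('OID arc exceeds safe integer range');
    value = value * 128 + (b & 0x7f);
    groups += 1;
    if (b & 0x80) continue;
    if (first) { arcs.push(...splitFirstArc(value)); first = false; }
    else arcs.push(value);
    value = 0;
    groups = 0;
  }
  if (groups !== 0) throw new Error('truncated OID: last arc has no terminating octet');
  return arcs;
}

// Constructed samples (not taken from the advisory):
// 1.2.840 encoded normally, and 1.2.<2^32 + 5>, whose third arc needs 33 bits.
const SAMPLE_NORMAL = [0x2a, 0x86, 0x48];
const SAMPLE_OVERSIZED = [0x2a, 0x90, 0x80, 0x80, 0x80, 0x05];

console.log(decodeArcsTruncating(SAMPLE_OVERSIZED).join('.')); // 1.2.5 (high bits lost)
console.log(decodeArcsChecked(SAMPLE_OVERSIZED).join('.'));    // 1.2.4294967301
```

The truncating decoder turns the 33-bit arc into 5, which is exactly the shape of problem the advisory warns about: downstream code comparing the decoded OID against an allowlist would see a short, plausible value. The checked decoder either returns the real arc or throws, so a comparison can never be made on a silently altered value; a pair of inputs like these makes a cheap regression test for any ASN.1-handling dependency in the deployment path.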

Defensive priority

Medium. The issue is remotely reachable and requires no privileges or user interaction, but the documented impact is integrity-related rather than confidentiality or availability. Patch priority is still important where OIDs drive authentication, certificate, or policy decisions.

Recommended defensive actions

  • Update Siemens SIDIS Prime to version 4.0.800 or later.
  • Inventory all SIDIS Prime instances and confirm which versions are below 4.0.800.
  • Review any workflows that make authorization or trust decisions from OID values.
  • Validate certificate- and ASN.1-handling dependencies in the deployment path.
  • Apply compensating controls and network segmentation until patching is complete.

Evidence notes

CISA's CSAF advisory ICSA-26-071-03 (republished from Siemens ProductCERT SSA-485750) lists CVE-2025-66030 for Siemens SIDIS Prime and ties remediation to version 4.0.800 or later. The source metadata shows publication on 2026-03-10 and modification on 2026-03-12. The advisory description states that oversized OID arcs can be truncated into smaller trusted OIDs, creating a bypass of downstream OID-based security decisions.

Official resources

Publicly disclosed by CISA on 2026-03-10 and republished/updated on 2026-03-12; use the CVE published date for timeline context.