PatchSiren cyber security CVE debrief
CVE-2025-66382 Siemens CVE debrief
CVE-2025-66382 is a low-severity availability issue in libexpat that Siemens mapped to several SIMATIC S7-1500 CPU 1518-4/1518F-4 PN/DP MFP and SIPLUS variants. A crafted file of roughly 2 MiB can make processing take dozens of seconds, producing a denial-of-service-style slowdown rather than any confidentiality or integrity impact. CISA’s advisory lists no fix at the time of the source publication and recommends restricting access to the additional GNU/Linux subsystem shell and running only trusted applications.
- Vendor: Siemens
- Product: SIMATIC S7-1500 CPU 1518-4 PN/DP MFP (6ES7518-4AX00-1AB0)
- CVSS: LOW 2.9
- CISA KEV: Not listed in stored evidence
- Original CVE published: 2025-06-10
- Original CVE updated: 2026-05-14
- Advisory published: 2025-06-10
- Advisory updated: 2026-05-14
Who should care
Operators and maintainers of Siemens SIMATIC S7-1500 CPU 1518-4/1518F-4 PN/DP MFP and SIPLUS variants, especially where the additional GNU/Linux subsystem is enabled or third-party software is deployed.
Technical summary
The supplied advisory text attributes the issue to libexpat through 2.7.3. On affected Siemens products, a specially crafted file of approximately 2 MiB can cause parsing/processing to consume dozens of seconds of CPU time. The CVSS vector (AV:L/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:L) matches a local, high-complexity, availability-only issue. Siemens/CISA list five affected product IDs and note that no fix is currently available.
Defensive priority
Medium for deployments that expose the additional GNU/Linux subsystem or accept untrusted files; low otherwise.
Recommended defensive actions
- Limit access to the additional GNU/Linux subsystem shell to trusted personnel only.
- Avoid processing untrusted or unexpected files on affected devices.
- Only build and run applications from trusted sources.
- Monitor affected systems for unusual CPU or task latency during file processing.
- Track Siemens ProductCERT and CISA updates for any future fix or mitigation guidance.
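The two file-handling actions above (do not process untrusted files; watch CPU time during file processing) can be enforced in code where an application on the GNU/Linux subsystem must parse XML at all. The following is an added illustration, not Siemens, CISA or libexpat project code; it uses Python's bundled expat bindings and assumes a size cap and CPU budget (both policy values chosen here, not taken from the advisory) that reject input before it can cost the dozens of seconds the advisory describes.

```python
"""Guarded expat parse: size cap plus CPU-time budget for untrusted XML."""
import time
import xml.parsers.expat as expat

# Assumed policy values: stay well under the ~2 MiB size the advisory names,
# and abort long before "dozens of seconds" of CPU time are spent.
MAX_BYTES = 1 * 1024 * 1024
CPU_BUDGET_SECONDS = 2.0
CHUNK = 64 * 1024   # feed in chunks so the budget is checked between Parse() calls


class ParseRejected(Exception):
    """Raised when the input violates the size or CPU-budget policy."""


def guarded_parse(data: bytes, max_bytes=MAX_BYTES, cpu_budget=CPU_BUDGET_SECONDS):
    """Parse untrusted XML under a size cap and a CPU-time budget.

    Returns {"elements": n, "cpu_seconds": t} on success. Raises ParseRejected
    when the policy is violated and expat.ExpatError on malformed XML, so the
    caller can log each outcome separately (policy hit vs. bad input).
    """
    if len(data) > max_bytes:
        raise ParseRejected(f"input is {len(data)} bytes, cap is {max_bytes}")

    counts = {"elements": 0}
    parser = expat.ParserCreate()

    def on_start(name, attrs):
        counts["elements"] += 1

    parser.StartElementHandler = on_start

    t0 = time.process_time()            # CPU time of this process, not wall clock
    for offset in range(0, len(data), CHUNK):
        chunk = data[offset:offset + CHUNK]
        parser.Parse(chunk, False)      # incremental parse; expat keeps state
        spent = time.process_time() - t0
        if spent > cpu_budget:
            raise ParseRejected(
                f"CPU budget exceeded after {offset + len(chunk)} bytes ({spent:.2f}s)")
    parser.Parse(b"", True)             # signal end of document
    return {"elements": counts["elements"], "cpu_seconds": time.process_time() - t0}
```

Logging the `cpu_seconds` value of every accepted parse gives a baseline against which the "unusual CPU" monitoring action above can be measured.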
Evidence notes
Source publication date is 2025-06-10, with the latest supplied update on 2026-05-14. The advisory text explicitly states: “In libexpat through 2.7.3, a crafted file with an approximate size of 2 MiB can lead to dozens of seconds of processing time.” The CSAF data maps the issue to Siemens SIMATIC S7-1500 CPU 1518-4/1518F-4 PN/DP MFP and SIPLUS variants and includes a remediation entry stating that no fix is available. The CVSS vector indicates local access, high attack complexity, and availability-only impact.
Official resources
- CVE-2025-66382 CVE record (CVE.org)
- CVE-2025-66382 NVD detail (NVD)
- Source item URL (cisa_csaf)
CISA published ICSA-25-162-05 on 2025-06-10 and updated the republication through 2026-05-14. The underlying vendor source referenced by CISA is Siemens ProductCERT advisory SSA-082556.