PatchSiren cyber security CVE debrief

CVE-2025-9086 Siemens CVE debrief

CVE-2025-9086 is a high-severity curl cookie handling flaw described in Siemens and CISA advisories. Under a specific secure-cookie-to-cleartext transition, curl can read past a heap buffer boundary while comparing cookie paths. The supplied advisory text says the result can be a crash or an incorrect comparison outcome, and the issue is rated with a CVSS 3.1 score of 7.5 because it can disrupt availability.

Vendor: Siemens
Product: RUGGEDCOM RST2428P (6GK6242-6PA00)
CVSS: HIGH 7.5
CISA KEV: Not listed in stored evidence
Original CVE published: 2026-01-28
Original CVE updated: 2026-02-25
Advisory published: 2026-01-28
Advisory updated: 2026-02-25

Who should care

Siemens OT asset owners, plant operators, and security teams responsible for the affected Siemens product families listed in the advisory, especially environments running firmware versions older than V3.3 and any deployment that may exercise curl-based HTTP(S) cookie handling.

Technical summary

The flaw is an out-of-bounds heap read in curl's cookie path comparison logic. The supplied description says it can occur when a cookie is first set with the Secure attribute over HTTPS for a host, then the same host is later reached over cleartext HTTP and a cookie with the same name is set again with path '/'. Instead of simply ignoring the insecure update, the comparison can read beyond the allocated path buffer, which may crash the process or produce an incorrect comparison result and therefore incorrect cookie handling. The advisory scores the impact against availability only, with no confidentiality or integrity impact.
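To make the two properties the advisory describes concrete (a path comparison that never reads past either buffer, and a cleartext Set-Cookie that cannot replace a Secure cookie), here is an added example that is not curl's code and not from the Siemens or CISA advisories; the cookie struct, function names and the "session" cookie are constructed for illustration.

```c
#include <stdbool.h>
#include <stddef.h>
#include <string.h>

/* Minimal cookie record, constructed for this example (not curl's data structure). */
struct cookie {
    const char *name;
    const char *path;
    size_t path_len;   /* explicit length: comparisons never depend on reading past the buffer */
    bool secure;       /* Secure attribute, accepted only when the cookie arrived over HTTPS */
};

/* RFC 6265 section 5.1.4 path-match, bounded by both stated lengths. */
bool cookie_path_match(const char *req, size_t req_len,
                       const char *cpath, size_t cpath_len)
{
    if (cpath_len == 0 || cpath_len > req_len)
        return false;                    /* empty, or longer than the request path: no match */
    if (memcmp(req, cpath, cpath_len) != 0)
        return false;                    /* cookie path is not a prefix */
    if (cpath_len == req_len)
        return true;                     /* identical */
    if (cpath[cpath_len - 1] == '/')
        return true;                     /* cookie path ends in '/' */
    return req[cpath_len] == '/';        /* in bounds: cpath_len < req_len here */
}

/* May a cookie received over the current scheme replace a stored cookie with the same
 * name and path? The rule the advisory scenario depends on: a cookie stored with the
 * Secure flag is never overwritten by a Set-Cookie received over cleartext HTTP. */
bool cookie_update_allowed(const struct cookie *stored,
                           const struct cookie *incoming, bool over_https)
{
    if (strcmp(stored->name, incoming->name) != 0 || stored->path_len != incoming->path_len ||
        memcmp(stored->path, incoming->path, stored->path_len) != 0)
        return true;                     /* different name or path: a distinct cookie */
    if (stored->secure && !over_https)
        return false;                    /* cleartext must not touch a Secure cookie */
    return true;
}

/* The sequence from the technical summary: "session" is set Secure over HTTPS with
 * path "/", then the same name is set again with path "/" over cleartext HTTP. */
bool cleartext_override_rejected(void)
{
    struct cookie stored   = { "session", "/", 1, true  };
    struct cookie incoming = { "session", "/", 1, false };
    return !cookie_update_allowed(&stored, &incoming, false);
}
```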

Defensive priority

High. This is a remotely reachable, unauthenticated issue with potential for denial of service in affected Siemens environments, and the vendor guidance is to move to the fixed release line as soon as feasible.

Recommended defensive actions

  • Update affected Siemens products to V3.3 or later, per the vendor remediation guidance.
  • Use the Siemens and CISA advisory product lists to confirm which devices and firmware versions are actually in scope before scheduling remediation.
  • Prioritize exposed or internet-reachable management interfaces and any systems that rely on web-based cookie handling.
  • Monitor affected devices for unexpected crashes, service restarts, or instability during HTTP/HTTPS interactions.
  • Track the Siemens ProductCERT and CISA advisory pages for any scope clarifications or follow-on updates.

Evidence notes

CISA's CSAF republication for ICSA-26-043-06 was published on 2026-01-28 and updated on 2026-02-25. The supplied source metadata says the issue is a cookie path comparison bug in curl that can read outside a heap buffer boundary, and the remediation is to update affected products to V3.3 or later. The supplied CVSS vector is CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H.

Official resources

Publicly disclosed through Siemens advisory SSA-089022 and CISA republication ICSA-26-043-06, first published on 2026-01-28 and updated on 2026-02-25. No KEV listing is indicated in the supplied data.