PatchSiren

PatchSiren cyber security CVE debrief

CVE-2026-25789 Siemens CVE debrief

CVE-2026-25789 is a Siemens SIMATIC PLC web-server issue in the Firmware Update page. Because filenames are not properly validated and sanitized, a remote attacker may socially engineer an authenticated user into selecting a modified firmware file name, leading to malicious JavaScript execution in that user’s session without the file actually being uploaded. The stated impact includes session hijacking or credential theft, and the source CVSS vector reflects network attack conditions with required user interaction and authenticated access.

Vendor: Siemens
Product: SIMATIC Drive Controller CPU 1504D TF (6ES7615-4DF10-0AB0)
CVSS: HIGH 7.1
CISA KEV: Not listed in stored evidence
Original CVE published: 2026-05-12
Original CVE updated: 2026-05-14
Advisory published: 2026-05-12
Advisory updated: 2026-05-14

Who should care

OT and ICS operators, plant engineers, and administrators responsible for Siemens SIMATIC S7 / ET 200SP / Drive Controller devices and any web-based firmware update workflow. This is especially relevant for teams that allow remote or broadly delegated access to device management interfaces.

Technical summary

The advisory describes improper filename validation and sanitization on the Firmware Update page. An attacker can craft a modified firmware filename and rely on user interaction to get an authenticated user to select it, which can execute JavaScript in the context of that user's session. The supplied CVSS vector is CVSS:3.1/AV:N/AC:H/PR:L/UI:R/S:U/C:H/I:H/A:H, indicating network reachability, high attack complexity, low privileges, required user interaction, unchanged scope, and high confidentiality, integrity and availability impact.
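As an added illustration (not Siemens code and not the actual web-server logic), the pattern behind this class of defect in plain JavaScript: a selected filename rendered into the page as raw markup, beside a hardened version that allow-lists the expected firmware name shape and HTML-escapes whatever is displayed. The firmware naming convention, the `.upd` extension and the function names are assumptions made for the example.

```javascript
// Added example, not vendor code. Models a Firmware Update page that shows the
// name of the file the user picked. The unsafe renderer reflects the name as
// HTML; the hardened one validates it first and escapes it when rendering.

// Hypothetical firmware package naming convention (assumption for this example):
// letters, digits, dot, underscore, hyphen, at most 64 chars, ".upd" extension.
const FIRMWARE_NAME = /^[A-Za-z0-9._-]{1,64}\.upd$/;

function isValidFirmwareFilename(name) {
  return typeof name === "string" && FIRMWARE_NAME.test(name);
}

// Minimal HTML escaping for text placed inside an element body or attribute.
const HTML_ESCAPES = { "&": "&amp;", "<": "&lt;", ">": "&gt;", '"': "&quot;", "'": "&#39;" };

function escapeHtml(text) {
  return String(text).replace(/[&<>"']/g, (ch) => HTML_ESCAPES[ch]);
}

// Unsafe pattern: the filename lands in the page as markup, so any tag or
// attribute it carries is interpreted by the browser in the user's session.
function renderStatusUnsafe(filename) {
  return `<p>Selected file: <b>${filename}</b></p>`;
}

// Hardened pattern: reject names outside the allow-list, and escape the value
// that is displayed so it can only ever be rendered as text.
function renderStatusSafe(filename) {
  if (!isValidFirmwareFilename(filename)) {
    return "<p>Selected file name is not a valid firmware package name.</p>";
  }
  return `<p>Selected file: <b>${escapeHtml(filename)}</b></p>`;
}

// Constructed sample inputs: a conforming name and a name carrying inert markup,
// as a local file picker could hand it to the page without any upload occurring.
const SAMPLE_GOOD = "cpu1504d_v3.1.6.upd";
const SAMPLE_BAD = "cpu1504d_<script>x</script>.upd";

// Stand-alone demonstration: the unsafe renderer reflects the tag, the safe one never does.
console.log(renderStatusUnsafe(SAMPLE_BAD));
console.log(renderStatusSafe(SAMPLE_BAD));
console.log(renderStatusSafe(SAMPLE_GOOD));
```

Detection-wise, the same allow-list can be applied server-side to reject non-conforming names before they reach any page template, and rejected names are worth logging as a signal of tampering with the update workflow.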

Defensive priority

High. The attack requires user interaction and is high complexity, but the impact is severe and the affected device set is broad across Siemens OT products.

Recommended defensive actions

  • Apply Siemens vendor fixes where available, including the version-specific updates listed in the advisory such as V3.1.6 or later and V2.9.9 or later for the affected product families.
  • Restrict access to the firmware update function to instructed personnel only, as explicitly recommended by the advisory.
  • Limit access to device web management interfaces to trusted administrative networks and use OT segmentation/least-privilege controls from CISA ICS recommended practices.
  • Treat firmware update sessions as sensitive administrative actions and verify firmware package provenance before initiating any update workflow.
  • Track the Siemens and CISA advisories for product-specific remediation guidance, especially for variants where no fix is currently available or no fix is planned.

Evidence notes

This debrief is based on the supplied CISA CSAF source item ICSA-26-134-15, which republishes Siemens ProductCERT advisory SSA-688146 for CVE-2026-25789. The source dates are 2026-05-12 for publication and 2026-05-14 for republication/modification. The advisory references official Siemens and CISA pages, and the supplied remediation entries include both vendor fixes and a mitigation to restrict firmware update access to instructed personnel.

Official resources

Publicly disclosed in the supplied CISA CSAF on 2026-05-12 and republished from Siemens ProductCERT on 2026-05-14. The supplied enrichment does not list this CVE in KEV.