PatchSiren cyber security CVE debrief
CVE-2025-59375 Siemens CVE debrief
CVE-2025-59375 is a denial-of-service issue in libexpat, affecting Hitachi Energy RTU500 series CMU Firmware only when IEC61850 functionality is configured. A small XML document submitted for parsing can cause large dynamic memory allocations, creating an availability risk. The advisory points to firmware updates as the primary fix.
- Vendor
- Siemens
- Product
- RUGGEDCOM RST2428P (6GK6242-6PA00)
- CVSS
- HIGH 7.5
- CISA KEV
- Not listed in stored evidence
- Original CVE published
- 2026-01-28
- Original CVE updated
- 2026-02-25
- Advisory published
- 2026-01-28
- Advisory updated
- 2026-02-25
Who should care
OT/ICS teams running Hitachi Energy RTU500 series CMU Firmware with IEC61850 configured, along with asset owners, plant operators, SOC analysts, and patch coordinators responsible for those systems.
Technical summary
The advisory states that Expat versions before 2.7.2 can be driven to perform large dynamic memory allocations from a small document submitted for parsing. Hitachi Energy’s advisory scope narrows the impact to systems where IEC61850 functionality is configured. The CVSS vector reflects a network-reachable availability-only condition, with no confidentiality or integrity impact stated.
Defensive priority
High for any deployed RTU500 CMU systems using IEC61850. Prioritize systems that are operationally critical, widely reachable within plant networks, or difficult to restart safely.
Recommended defensive actions
- Update RTU500 series CMU Firmware to version 12.7.8 if you are on the 12.7.x branch.
- Update RTU500 series CMU Firmware to version 13.7.8 or the latest available release for the 13.5.x, 13.6.x, and 13.7.x branches.
- Update RTU500 series CMU Firmware to version 13.8.2 for the 13.8.1 release line.
- Inventory which assets have IEC61850 functionality configured so patching and risk decisions target only affected systems.
- Apply general ICS hardening and segmentation practices from CISA to reduce exposure while remediation is underway.
- Validate updates in a maintenance window and confirm service restoration, since this issue can affect availability.
Evidence notes
Primary evidence comes from CISA CSAF advisory ICSA-26-062-03 (published 2026-02-24, republished 2026-03-03) and its linked Hitachi Energy PSIRT advisory. The advisory text explicitly says libexpat in Expat before 2.7.2 can trigger large dynamic memory allocations via a small document submitted for parsing, and that the product is only affected if IEC61850 functionality is configured. Source metadata in the corpus includes a low-confidence vendor mapping, so the product naming should be treated as advisory-driven rather than inferred from enrichment fields.
Official resources
-
CVE-2025-59375 CVE record
CVE.org
-
CVE-2025-59375 NVD detail
NVD
-
Source item URL
cisa_csaf
-
Source reference
Reference
-
Source reference
Reference
-
Source reference
Reference
-
Source reference
Reference
-
Source reference
Reference
-
Source reference
Reference
-
Source reference
Reference
Publicly disclosed by CISA in CSAF advisory ICSA-26-062-03 on 2026-02-24, with a CISA republication of the Hitachi Energy PSIRT advisory on 2026-03-03.