PatchSiren cyber security CVE debrief
CVE-2025-9495 Viessmann CVE debrief
CVE-2025-9495 affects Viessmann Vitogate 300. CISA describes a weakness where the server relies on client-side protection mechanisms; an attacker can modify client behavior to bypass those protections and trigger unintended client-server interactions. Viessmann’s remediation guidance says the issue is resolved in software version 3.1.0.1 or newer.
- Vendor: Viessmann
- Product: Vitogate 300
- CVSS: 8.8 (High)
- CISA KEV: not listed in stored evidence
- Original CVE published: 2025-09-23
- Original CVE updated: 2025-09-23
- Advisory published: 2025-09-23
- Advisory updated: 2025-09-23
Who should care
Operators and administrators responsible for Viessmann Vitogate 300 deployments, especially OT/ICS asset owners, integrators, and maintenance teams that manage gateway software and patching.
Technical summary
The supplied advisory does not describe a memory-safety flaw or an authentication bypass. It describes an architectural weakness in which the server relies on protection mechanisms that live in the client (UI restrictions, client-side validation or similar) to enforce security decisions. Because the client runs entirely under the attacker's control, those mechanisms can be removed or altered, and requests the normal client would never send can be issued directly to the server, which accepts them as legitimate. The published CVSS 3.1 vector is AV:A/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H (8.8): the attacker needs adjacent-network access, meaning a position on the same logical network segment as the gateway, but no privileges and no user interaction, and the rated impact on confidentiality, integrity and availability is high. The advisory does not say which protections are client-side or which server functions become reachable once they are bypassed. The vendor states the fix is in Vitogate 300 software 3.1.0.1 and later.
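The weakness class in plain code, as an added illustration written for this debrief: it is not Vitogate 300 code and does not reproduce the undisclosed CVE-2025-9495 flaw. The endpoint, the is_admin form field, the session store and the setpoint range are invented. The vulnerable handler believes a hidden form field that the web UI only emits for administrators; the hardened handler derives authorization from server-side session state and validates the submitted value itself, so editing the form or replaying the request changes nothing.

```python
"""Client-side enforcement of server-side security, before and after.

Added example for this debrief. Not Vitogate 300 code; the endpoint, the
is_admin form field, the session store and the setpoint range are invented
to illustrate the weakness class named by the advisory.
"""
from dataclasses import dataclass
from typing import Dict, Optional, Tuple

Response = Tuple[int, str]


@dataclass
class Request:
    """A parsed HTTP request. Every field here is attacker-controlled."""
    path: str
    form: Dict[str, str]
    session_id: Optional[str] = None


# Server-side session store (constructed sample data): the only trustworthy
# source of identity and role, because the client never sees or sets it.
SESSIONS: Dict[str, Dict[str, str]] = {
    "s-viewer-01": {"user": "tech", "role": "viewer"},
    "s-admin-01": {"user": "installer", "role": "admin"},
}


def set_setpoint_trusting_client(req: Request, settings: Dict[str, int]) -> Response:
    """VULNERABLE: the web UI hides the Save button for viewers and includes a
    hidden input is_admin=1 only for admins. The server believes the field, so
    anyone who edits the form or replays the request with is_admin=1 succeeds."""
    if req.form.get("is_admin") != "1":
        return 403, "forbidden"
    settings["setpoint"] = int(req.form["setpoint"])
    return 200, "saved"


def set_setpoint_server_enforced(req: Request, settings: Dict[str, int]) -> Response:
    """HARDENED: authorization comes from the server-side session only, and the
    value is range-checked on the server. Client-supplied flags are ignored."""
    sess = SESSIONS.get(req.session_id or "")
    if sess is None:
        return 401, "unauthenticated"
    if sess["role"] != "admin":
        return 403, "forbidden"
    try:
        value = int(req.form["setpoint"])
    except (KeyError, ValueError):
        return 400, "bad request"
    if not 5 <= value <= 30:  # invented range; the UI's slider limits are not a control
        return 400, "out of range"
    settings["setpoint"] = value
    return 200, "saved"


def demo() -> Dict[str, Response]:
    """Replay a request the real UI would never send: a viewer's session with
    the admin-only hidden field added by hand (what a proxy or curl does)."""
    forged = Request("/api/setpoint", {"setpoint": "30", "is_admin": "1"}, session_id="s-viewer-01")
    legit = Request("/api/setpoint", {"setpoint": "22"}, session_id="s-admin-01")
    bogus = Request("/api/setpoint", {"setpoint": "999"}, session_id="s-admin-01")
    return {
        "forged_vulnerable": set_setpoint_trusting_client(forged, {"setpoint": 20}),
        "forged_hardened": set_setpoint_server_enforced(forged, {"setpoint": 20}),
        "admin_hardened": set_setpoint_server_enforced(legit, {"setpoint": 20}),
        "out_of_range_hardened": set_setpoint_server_enforced(bogus, {"setpoint": 20}),
    }


if __name__ == "__main__":
    for name, (status, body) in demo().items():
        print(f"{name:24s} -> {status} {body}")
```

The forged request is accepted by the first handler and rejected by the second; the legitimate admin request still works, and a value outside the server-side range is refused regardless of what the UI would have allowed. That is the whole point of the weakness class: the client may help the user, but it cannot be the thing that says no.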
Defensive priority
High. This is a publicly disclosed ICS advisory with a CVSS 8.8 rating and no privileges or user interaction required in the published vector. Prioritize patching Vitogate 300 systems, then verify compensating controls if immediate upgrading is not possible.
Recommended defensive actions
- Upgrade Viessmann Vitogate 300 to software version 3.1.0.1 or newer using the vendor’s published update path.
- Inventory all Vitogate 300 instances and confirm which versions are deployed before scheduling remediation.
- If immediate upgrading is not possible, limit who can reach the device at all: the published vector requires adjacent-network access, so placing the gateway in a dedicated segment and allowing inbound traffic only from known management and integration hosts directly shrinks the population able to attempt the bypass.
- Review integrations and operator workflows that talk to the gateway for assumptions that depend on client-side protections; anything the client sends (form fields, headers, UI state) is attacker-controllable data and should not be treated as authoritative.
- Monitor CISA and vendor advisories for any follow-up guidance affecting this product.
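A small triage helper for the inventory step, added here as an example and not a Viessmann or CISA tool. It compares reported Vitogate 300 versions to the fixed release numerically rather than as strings, pads shorter version strings so 3.1 compares as 3.1.0.0, and routes anything it cannot parse to manual review instead of silently counting it as patched or unpatched. The inventory rows are constructed sample data; the hostnames and addresses are invented.

```python
"""Version triage against the Vitogate 300 fixed release (3.1.0.1).

Added example for this debrief, not vendor tooling. The inventory below is
constructed sample data with invented hostnames and addresses.
"""
import csv
import io
from typing import Dict, List, Tuple

FIXED_VERSION = "3.1.0.1"  # from the vendor remediation notice

# Constructed inventory export: hostname, address, firmware version as reported.
SAMPLE_INVENTORY = """hostname,ip,version
vg300-boiler-a,10.20.30.11,3.0.9.2
vg300-boiler-b,10.20.30.12,3.1.0.1
vg300-plant-c,10.20.30.13,3.1.0.10
vg300-spare,10.20.30.14,unknown
"""


def parse_version(text: str) -> Tuple[int, ...]:
    """'3.1.0.1' -> (3, 1, 0, 1). Rejects anything non-numeric so a stray
    'unknown' or 'v3.1' cannot silently compare as patched or unpatched."""
    parts = text.strip().split(".")
    if not parts or not all(p.isdigit() for p in parts):
        raise ValueError(f"unparseable version: {text!r}")
    return tuple(int(p) for p in parts)


def is_fixed(installed: str, fixed: str = FIXED_VERSION) -> bool:
    """Numeric comparison with zero-padding: 3.1 == 3.1.0.0 < 3.1.0.1, and
    multi-digit components order correctly (a plain string compare puts
    '3.1.0.9' after '3.1.0.10')."""
    a, b = parse_version(installed), parse_version(fixed)
    width = max(len(a), len(b))
    a += (0,) * (width - len(a))
    b += (0,) * (width - len(b))
    return a >= b


def triage(inventory_csv: str, fixed: str = FIXED_VERSION) -> List[Dict[str, str]]:
    """Classify each row as 'patched', 'vulnerable' or 'review' (unparseable)."""
    rows = []
    for row in csv.DictReader(io.StringIO(inventory_csv)):
        try:
            status = "patched" if is_fixed(row["version"], fixed) else "vulnerable"
        except ValueError:
            status = "review"
        rows.append({**row, "status": status})
    return rows


def summary(inventory_csv: str = SAMPLE_INVENTORY) -> Dict[str, int]:
    """Counts per status; the 'vulnerable' and 'review' buckets drive scheduling."""
    counts: Dict[str, int] = {"patched": 0, "vulnerable": 0, "review": 0}
    for row in triage(inventory_csv):
        counts[row["status"]] += 1
    return counts


if __name__ == "__main__":
    for row in triage(SAMPLE_INVENTORY):
        print(f"{row['hostname']:16s} {row['version']:10s} {row['status']}")
    print(summary())
```

Feed it the CSV your asset system exports and work the 'vulnerable' list first, then clear the 'review' rows by checking those devices by hand; a version string that does not parse is usually a device nobody has looked at recently.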
Evidence notes
The source corpus includes CISA CSAF advisory ICSA-25-266-04, the CVE record, and the vendor remediation notice. Those sources consistently identify Viessmann Vitogate 300, publish date 2025-09-23, and remediation in software version 3.1.0.1 or newer. The supplied enrichment shows no KEV listing and no ransomware campaign association. The advisory text is general and does not provide exploit details.
Official resources
- CVE-2025-9495 CVE record (CVE.org)
- CVE-2025-9495 NVD detail (NVD)
- CISA CSAF advisory ICSA-25-266-04 (source item)
Publicly disclosed on 2025-09-23 via CISA advisory ICSA-25-266-04 and the CVE record. No KEV listing was supplied.