Siemens SINEC OS
View CSAF Summary SINEC OS before V4.0 contains multiple vulnerabilities. Siemens has released a new version for RUGGEDCOM RST2428P and recommends to update to the latest version. The following versions of Siemens SINEC OS are affected: RUGGEDCOM RST2428P (6GK6242-6PA00) vers:intdot/<4.0 CVSS Vendor Equipment Vulnerabilities v3 9.8 Siemens Siemens SINEC OS Improper Restriction of Operations within the Bounds of a Memory Buffer, Improper Resource Shutdown or Release, Integer Overflow or Wraparound, Stack-based Buffer Overflow, Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal'), Uncontrolled Recursion, Out-of-bounds Read, Covert Timing Channel, Improper Input Validation, Improperly Controlled Modification of Object Prototype Attributes ('Prototype Pollution'), Improper Update of Reference Count, Concurrent Execution using Shared Resource with Improper Synchronization ('Race Condition'), Multiple Releases of Same Resource or Handle, Permissive Regular Expression, Expired Pointer Dereference, Incorrect Bitwise Shift of Integer, Out-of-bounds Write, User Interface (UI) Misrepresentation of Critical Information, Improper Access Control, Insertion of Sensitive Information Into Sent Data, Inefficient Algorithmic Complexity, Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting'), Authentication Bypass by Primary Weakness, NULL Pointer Dereference, Active Debug Code, Loop with Unreachable Exit Condition ('Infinite Loop'), Missing Synchronization, External Control of File Name or Path, Privilege Dropping / Lowering Errors, Use of Web Browser Cache Containing Sensitive Information Background Critical Infrastructure Sectors: Critical Manufacturing, Transportation Systems, Energy, Healthcare and Public Health, Financial Services, Government Services and Facilities Countries/Areas Deployed: Worldwide Company Headquarters Location: Germany Vulnerabilities Expand All + CVE-2025-1352 A vulnerability has been found in GNU elfut
CSIRTS triage
- What
- Multiple vulnerabilities could allow various attacks including privilege escalation and denial of service.
- Who is affected
- Deployments of SINEC OS versions before 4.0.
- Urgency
- Remediation is urgent due to the critical CVSS score and multiple attack vectors.
- Action
- Update to the latest version of SINEC OS.
AI-assisted analysis generated from the source advisory — verify against the original.
⚡ Watch SINEC OS
Get an email when a new SINEC OS advisory drops — max one per day, one-click unsubscribe.
Details
Original advisory: https://www.cisa.gov/news-events/ics-advisories/icsa-26-188-05
Exploitation outlook
EPSS (FIRST.org) estimates each CVE’s probability of exploitation in the next 30 days — here is the CSIRTS.com read on those numbers.
- Low exploitation riskCVE-2025-13520.61% 30-day exploitation probability — currently an unlikely target, but scores change as exploit code circulates. Riskier than 45% of all scored CVEs.
- Low exploitation riskCVE-2025-13760.29% 30-day exploitation probability — currently an unlikely target, but scores change as exploit code circulates. Riskier than 21% of all scored CVEs.
- Low exploitation riskCVE-2025-60520.42% 30-day exploitation probability — currently an unlikely target, but scores change as exploit code circulates. Riskier than 34% of all scored CVEs.
- Low exploitation riskCVE-2025-61410.17% 30-day exploitation probability — currently an unlikely target, but scores change as exploit code circulates. Riskier than 6% of all scored CVEs.
- Low exploitation riskCVE-2025-61700.19% 30-day exploitation probability — currently an unlikely target, but scores change as exploit code circulates. Riskier than 9% of all scored CVEs.
- Low exploitation riskCVE-2025-70390.37% 30-day exploitation probability — currently an unlikely target, but scores change as exploit code circulates. Riskier than 29% of all scored CVEs.
- Low exploitation riskCVE-2025-87320.15% 30-day exploitation probability — currently an unlikely target, but scores change as exploit code circulates. Riskier than 5% of all scored CVEs.
- Moderate exploitation riskCVE-2025-90861.3% 30-day exploitation probability. Patch within normal cadence, watch for KEV listing. Riskier than 67% of all scored CVEs.
- Moderate exploitation riskCVE-2025-92301.7% 30-day exploitation probability. Patch within normal cadence, watch for KEV listing. Riskier than 75% of all scored CVEs.
- Moderate exploitation riskCVE-2025-92312.2% 30-day exploitation probability. Patch within normal cadence, watch for KEV listing. Riskier than 81% of all scored CVEs.
Referenced CVEs
+29 more CVEs referenced in this advisory.
Same CVEs, other sources
How other CERTs, PSIRTs and databases cover the vulnerabilities in this advisory.
- high[UPDATE] [high] Linux Kernel: Multiple vulnerabilitiescert-bund
- high[UPDATE] [high] Linux Kernel: Multiple vulnerabilitiescert-bund
- high[UPDATE] [high] Linux Kernel: Multiple vulnerabilitiescert-bund
- unknownUSN-8492-5: Linux kernel (FIPS) vulnerabilitiesubuntu
- high[UPDATE] [high] Red Hat Enterprise Linux (Lodash): Vulnerability allows denial of servicecert-bund
- unknownMultiple vulnerabilities in Red Hat Linux kernel (July 10, 2026)cert-fr-avis
- high[NEW] [high] IBM Operational Decision Manager: Multiple vulnerabilitiescert-bund
- high[UPDATE] [high] Linux Kernel: Multiple vulnerabilities allow denial of servicecert-bund
- medium[UPDATE] [medium] OpenSSL and LibreSSL: Multiple vulnerabilitiescert-bund
- low[UPDATE] [low] libxml2: Vulnerability allows Denial of Servicecert-bund
- medium[UPDATE] [medium] sudo: Vulnerability allows privilege escalationcert-bund
- high[NEW] [high] Dell PowerProtect Data Domain: Multiple vulnerabilitiescert-bund
More from CISA Cybersecurity Advisories
- highCISA Adds Two Known Exploited Vulnerabilities to Catalog2026-07-10
- criticalSchneider Electric PowerChute Serial Shutdown2026-07-09
- criticalOpenPLC v32026-07-09
- criticalSchneider Electric Easergy MiCOM Px40 Series2026-07-09
- highCISA Adds One Known Exploited Vulnerability to Catalog2026-07-07