CISA has published industrial control system advisory ICSA-26-111-01 covering CVE-2025-2884, a vulnerability in the TPM 2.0 reference implementation affecting multiple Siemens SIMATIC industrial PC product lines. The flaw is an out-of-bounds read in the TPM’s CryptHmacSign function that can be leveraged by an attacker with local access to disclose sensitive cryptographic material or induce denial of service on the TPM module.
Affected Products
The advisory covers:
- SIMATIC CN 4100 — communication node for industrial edge computing applications
- SIMATIC Field PG M5 and M6 — ruggedised programming and maintenance workstations used for PLC configuration and OT field engineering
- SIMATIC IPC BX series — industrial PCs deployed in control cabinets and process environments
All affected products use the same TPM 2.0 reference implementation containing the vulnerable CryptHmacSign function. Siemens has published firmware updates for affected product lines; the PSIRT advisory contains specific version guidance per product.
Why TPM Vulnerabilities Matter in OT Environments
The Trusted Platform Module is the hardware component that provides the root of trust for a computing platform. In SIMATIC industrial PCs, the TPM performs several security-critical functions:
- Secure Boot validation: The TPM's Platform Configuration Registers (PCRs) record measurements of the boot chain from firmware through the OS loader; attestation and PCR-bound sealing rely on those measurements to confirm the platform booted as expected. If the TPM can be manipulated or disabled, that attestation fails, potentially allowing unsigned or modified firmware to execute undetected.
- Key storage: Cryptographic keys used for VPN authentication, TLS client certificates, and disk encryption are sealed to or held by the TPM. An out-of-bounds read that leaks TPM-internal memory could expose this key material.
- Platform attestation: In environments using remote attestation to verify the integrity of OT hosts before granting network access, TPM compromise undermines the attestation chain.
CVE-2025-2884 is an out-of-bounds read, not a write — this limits the immediate impact to information disclosure and DoS rather than code execution or key injection. However, disclosing sealed key material or disrupting TPM availability in a running industrial system carries meaningful operational risk: an industrial PC that loses TPM availability may refuse to decrypt volumes, fail Secure Boot validation on next restart, or be unable to authenticate VPN connections used for remote OT management.
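As an added illustration of the bug class (constructed for this article, not the TCG reference code, and the length mismatch it shows is an assumed mechanism rather than a description of CVE-2025-2884's internals): an HMAC signing helper that sizes its read of key material from the caller-supplied signature scheme instead of the key's own hash algorithm, beside the check that rejects the mismatch. A flat byte array stands in for TPM-internal memory, with a sealed secret placed directly after the key digest.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>
/* Constructed stand-in for TPM 2.0 hash algorithm IDs. */
typedef enum { ALG_SHA256 = 0x000B, ALG_SHA512 = 0x000D } hash_alg_t;
static size_t digest_size(hash_alg_t alg) { return alg == ALG_SHA512 ? 64 : 32; }

/* Flat arena standing in for TPM-internal memory (constructed): a 32-byte
 * SHA-256 key digest followed directly by 32 bytes of unrelated sealed secret. */
static uint8_t tpm_ram[64];
typedef struct { hash_alg_t key_alg; const uint8_t *digest; } hmac_key_t;

/* Vulnerable pattern: the read length comes from the caller-supplied scheme,
 * so a SHA-512 scheme on a SHA-256 key copies 32 bytes past the digest. */
size_t hmac_sign_vulnerable(const hmac_key_t *key, hash_alg_t scheme,
                            uint8_t *out, size_t cap) {
    size_t n = digest_size(scheme);
    if (n > cap) return 0;
    memcpy(out, key->digest, n); /* reads into the neighbouring secret when scheme != key_alg */
    return n;
}

/* Hardened pattern: refuse a scheme whose hash does not match the key's, then
 * size the read from the key's own algorithm. */
size_t hmac_sign_checked(const hmac_key_t *key, hash_alg_t scheme,
                         uint8_t *out, size_t cap) {
    if (scheme != key->key_alg) return 0; /* reject, as a TPM_RC_SCHEME would */
    size_t n = digest_size(key->key_alg);
    if (n > cap) return 0;
    memcpy(out, key->digest, n);
    return n;
}

/* Runs one signer and reports how many bytes of the sealed secret reached the
 * caller's output buffer; -1 means the request was rejected. */
int secret_bytes_leaked(int use_checked, hash_alg_t scheme) {
    memset(tpm_ram, 0xAA, 32);      /* key digest */
    memset(tpm_ram + 32, 0x5E, 32); /* sealed secret that must never leave the TPM */
    hmac_key_t key = { ALG_SHA256, tpm_ram };
    uint8_t out[64] = {0};
    size_t n = use_checked ? hmac_sign_checked(&key, scheme, out, sizeof out)
                           : hmac_sign_vulnerable(&key, scheme, out, sizeof out);
    if (n == 0) return -1;
    int leaked = 0;
    for (size_t i = 0; i < n; i++) leaked += (out[i] == 0x5E);
    return leaked;
}

int main(void) {
    printf("vulnerable: %d secret bytes leaked\n", secret_bytes_leaked(0, ALG_SHA512));
    printf("checked: %d (request rejected)\n", secret_bytes_leaked(1, ALG_SHA512));
    return 0;
}
```

The vulnerable path returns 32 bytes of the neighbouring secret to the caller, which is the information-disclosure outcome the advisory describes; the checked path returns nothing for the mismatched scheme and exactly the key-sized digest otherwise.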
Attack Requirements and Threat Context
Exploitation requires local access to the affected SIMATIC system. This is a meaningful constraint in traditional OT environments where physical access controls are strong. The threat model shifts in environments that:
- Allow remote administration via RDP or vendor support tools with OT network segment access
- Have OT systems connected to IT networks via insufficiently segmented interfaces
- Use shared maintenance workstations where multiple technicians or vendors have local access
The field engineering context is particularly relevant for SIMATIC Field PG systems: these are portable workstations that engineers connect to PLC networks in various industrial facilities, where custody and physical security controls may be less rigorous than fixed control room infrastructure.
Recommended Actions
- Apply Siemens firmware updates: Obtain the fixed firmware version for each affected SIMATIC product from Siemens PSIRT advisory SSA-CVE-2025-2884. Field PG M5/M6 updates require the device to be in a state where firmware update is operationally feasible — coordinate with OT operations for maintenance windows.
- Implement physical access controls: Restrict access to SIMATIC industrial PCs to authorised personnel only. Log and control physical access to control cabinets housing IPC BX systems.
- Audit remote access paths: Review which remote access mechanisms (RDP, vendor support, remote OT management) provide access to affected SIMATIC systems. Ensure these paths require MFA and are logged.
- Inventory affected products: Use your OT asset inventory to identify all SIMATIC CN 4100, Field PG M5/M6, and IPC BX deployments and their current firmware versions. Prioritise systems with broader network connectivity.
- Monitor Siemens PSIRT: Additional SIMATIC product lines affected by CVE-2025-2884 may be disclosed as Siemens continues its impact analysis. Subscribe to Siemens PSIRT alerts for ongoing coverage.