CISA Warns of Critical OpenSSL Buffer Overflow Affecting Dozens of Siemens Industrial Products
CISA and Siemens disclosed CVE-2025-15467, a critical stack-based buffer overflow in OpenSSL that impacts a vast range of Siemens industrial products, from SCALANCE routers to AI servers, with potential for remote code execution.
CISA and Siemens have jointly disclosed a critical vulnerability in OpenSSL, tracked as CVE-2025-15467, that exposes dozens of Siemens industrial products to remote attacks. The flaw is a stack-based buffer overflow that could allow an unauthenticated attacker to trigger a denial-of-service condition or, in worst-case scenarios, achieve remote code execution on affected devices. Siemens has released patches for some products and is preparing fixes for others, urging customers to apply countermeasures where updates are not yet available.
The vulnerability originates from OpenSSL's handling of certain cryptographic operations, where improper bounds checking leads to a stack-based buffer overflow. While OpenSSL itself published the advisory, Siemens' implementation across its product line makes the flaw particularly dangerous in operational technology environments. The affected product list is extensive, spanning AI Lightweight Inference Server, Databus, HiMed Cockpit, and dozens of SCALANCE and RUGGEDCOM networking devices, including routers, switches, and wireless access points. Many of these products are deployed in critical infrastructure sectors such as energy, manufacturing, and healthcare.
Siemens has released updated firmware versions for several product families, including the SCALANCE X-300 and XR-300 series switches, as well as the RUGGEDCOM RM1224 LTE routers. For products where patches are not yet available, the company recommends specific countermeasures such as restricting network access to affected devices, disabling unnecessary services, and implementing firewall rules to limit exposure. The advisory notes that all versions of many products are affected, meaning legacy devices still in service are particularly at risk.
The scale of the disclosure is notable: the advisory lists over 70 individual product model numbers, each with the same CVE identifier. This reflects the widespread reuse of OpenSSL across Siemens' portfolio, a common pattern in industrial control systems where a single library vulnerability can cascade across an entire vendor ecosystem. Security researchers have long warned that such supply-chain dependencies create broad attack surfaces, and CVE-2025-15467 is a textbook example.
CISA has not yet added this vulnerability to its Known Exploited Vulnerabilities (KEV) catalog, but the agency's involvement in the coordinated disclosure signals elevated concern. Given the severity of stack-based buffer overflows in network-accessible devices, proof-of-concept exploitation code is likely to emerge quickly. Industrial security teams should prioritize patching internet-facing SCALANCE and RUGGEDCOM devices, as these are the most exposed to remote attackers.
This disclosure follows a pattern of increasing scrutiny on OpenSSL vulnerabilities in OT environments. Earlier this year, similar flaws in the library affected products from multiple ICS vendors, prompting coordinated advisories from CISA. The Siemens advisory is part of a broader trend where the convergence of IT and OT networks exposes industrial systems to vulnerabilities originally discovered in enterprise software.
Organizations using affected Siemens products should consult the CISA advisory for the full list of impacted models and available patches. Siemens has also published a security advisory with detailed mitigation steps. Until patches are applied, network segmentation and strict access controls remain the primary defenses against potential exploitation of CVE-2025-15467.