Siemens SCALANCE, RUGGEDCOM, and SIPLUS Out-of-bounds Write (CVE-2025-15467)

critical Tenable OT Security Plugin ID 505542

Synopsis

The remote OT asset is affected by a vulnerability.

Description

Issue summary: Parsing CMS AuthEnvelopedData message with maliciously crafted AEAD parameters can trigger a stack buffer overflow. Impact summary: A stack buffer overflow may lead to a crash, causing Denial of Service, or potentially remote code execution. When parsing CMS AuthEnvelopedData structures that use AEAD ciphers such as AES-GCM, the IV (Initialization Vector) encoded in the ASN.1 parameters is copied into a fixed-size stack buffer without verifying that its length fits the destination. An attacker can supply a crafted CMS message with an oversized IV, causing a stack-based out-of-bounds write before any authentication or tag verification occurs.
Applications and services that parse untrusted CMS or PKCS#7 content using AEAD ciphers (e.g., S/MIME AuthEnvelopedData with AES-GCM) are vulnerable. Because the overflow occurs prior to authentication, no valid key material is required to trigger it. While exploitability to remote code execution depends on platform and toolchain mitigations, the stack-based write primitive represents a severe risk. The FIPS modules in 3.6, 3.5, 3.4, 3.3 and 3.0 are not affected by this issue, as the CMS implementation is outside the OpenSSL FIPS module boundary. OpenSSL 3.6, 3.5, 3.4, 3.3 and 3.0 are vulnerable to this issue. OpenSSL 1.1.1 and 1.0.2 are not affected by this issue.

This plugin only works with Tenable.ot.
Please visit https://www.tenable.com/products/tenable-ot for more information.

Solution

Refer to the vendor advisory.

See Also

https://cert-portal.siemens.com/productcert/html/ssa-434797.html

https://support.industry.siemens.com/cs/ww/en/view/109800912/

https://support.industry.siemens.com/cs/ww/en/view/109825750/

https://support.industry.siemens.com/cs/ww/en/view/109991080/

https://support.industry.siemens.com/cs/ww/en/view/109996963/

https://support.industry.siemens.com/cs/ww/en/view/109999722/

https://support.industry.siemens.com/cs/ww/en/view/110000400/

https://support.industry.siemens.com/cs/ww/en/view/110000657/

https://support.industry.siemens.com/cs/ww/en/view/110000730/

https://support.industry.siemens.com/cs/ww/en/view/110000985/

http://www.nessus.org/u?024e11ca

Plugin Details

Severity: Critical

ID: 505542

File Name: tenable_ot_siemens_CVE-2025-15467.nasl

Version: 1.1

Type: Remote

Family: Tenable.ot

Published: 7/10/2026

Updated: 7/10/2026

Supported Sensors: Tenable OT Security

Risk Information

VPR

Risk Factor: High

Score: 7.9

Percentile: 99.36

CVSS v3

Risk Factor: Critical

Base Score: 9.8

Vector: CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

Vulnerability Information

CPE: cpe:/o:siemens:scalance_x306-1ld_fe_firmware, cpe:/o:siemens:scalance_x202-2p_irt_pro_firmware, cpe:/o:siemens:scalance_sc622-2c_firmware, cpe:/o:siemens:scalance_lpe9433_firmware, cpe:/o:siemens:scalance_wam763-1_firmware, cpe:/o:siemens:scalance_xr324-4m_eec_%282x_100-240vac%2f60-250vdc%2c_ports_on_rear%29_firmware, cpe:/o:siemens:scalance_lpe9403_firmware, cpe:/o:siemens:scalance_xr324-12m_%28230v%2c_ports_on_front%29_firmware, cpe:/o:siemens:scalance_wum766-1_%28me%29_firmware, cpe:/o:siemens:scalance_x308-2_firmware, cpe:/o:siemens:scalance_xf208_firmware, cpe:/o:siemens:scalance_xf206-1_firmware, cpe:/o:siemens:scalance_mum853-1_%28eu%29_firmware, cpe:/o:siemens:scalance_x320-1-2ld_fe_firmware, cpe:/o:siemens:scalance_wam766-1_eec_%28us%29_firmware, cpe:/o:siemens:scalance_wam766-1_%28me%29_firmware, cpe:/o:siemens:scalance_wam766-1_eec_firmware, cpe:/o:siemens:scalance_x304-2fe_firmware, cpe:/o:siemens:scalance_wub762-1_firmware, cpe:/o:siemens:ruggedcom_rm1224_lte%284g%29_nam_firmware, cpe:/o:siemens:scalance_x307-2_eec_%28230v%29_firmware, cpe:/o:siemens:scalance_x308-2m_firmware, cpe:/o:siemens:scalance_m876-3_%28rok%29_firmware, cpe:/o:siemens:scalance_x224_firmware, cpe:/o:siemens:scalance_wum766-1_%28usa%29_firmware, cpe:/o:siemens:scalance_lpe9413_firmware, cpe:/o:siemens:scalance_xr322-12_firmware, cpe:/o:siemens:scalance_xr324-4m_poe_%2824v%2c_ports_on_front%29_firmware, cpe:/o:siemens:scalance_xr324-12m_ts_%2824v%29_firmware, cpe:/o:siemens:scalance_x320-1_fe_firmware, cpe:/o:siemens:scalance_x310fe_firmware, cpe:/o:siemens:scalance_xr324-4m_poe_%2824v%2c_ports_on_rear%29_firmware, cpe:/o:siemens:siplus_net_scalance_x308-2_firmware, cpe:/o:siemens:scalance_m816-1_adsl-router_series_firmware, cpe:/o:siemens:scalance_x200-4p_irt_firmware, cpe:/o:siemens:scalance_xr326-8_firmware, cpe:/o:siemens:scalance_xf204irt_firmware, cpe:/o:siemens:scalance_wum766-1_firmware, cpe:/o:siemens:scalance_x307-3_firmware, cpe:/o:siemens:scalance_xf201-3p_irt_firmware, cpe:/o:siemens:scalance_xr524-8wg_firmware, cpe:/o:siemens:scalance_mum856-1_%28row%29_firmware, cpe:/o:siemens:scalance_x202-2p_irt_firmware, cpe:/o:siemens:scalance_xc416-8_firmware, cpe:/o:siemens:scalance_xr324-12m_%2824v%2c_ports_on_rear%29_firmware, cpe:/o:siemens:scalance_m826-2_shdsl-router_firmware, cpe:/o:siemens:scalance_x212-2ld_firmware, cpe:/o:siemens:scalance_xf204_firmware, cpe:/o:siemens:scalance_xc324-4_firmware, cpe:/o:siemens:scalance_x204irt_pro_firmware, cpe:/o:siemens:scalance_x206-1ld_firmware, cpe:/o:siemens:scalance_x302-7_eec_%282x_24v%29_firmware, cpe:/o:siemens:scalance_xr302-32_firmware, cpe:/o:siemens:scalance_x307-2_eec_%282x_230v%2c_coated%29_firmware, cpe:/o:siemens:scalance_x201-3p_irt_firmware, cpe:/o:siemens:scalance_mub852-1_%28a1%29_firmware, cpe:/o:siemens:scalance_wam766-1_%28us%29_firmware, cpe:/o:siemens:scalance_mum853-1_%28b1%29_firmware, cpe:/o:siemens:scalance_x204-2ld_firmware, cpe:/o:siemens:scalance_sc626-2c_firmware, cpe:/o:siemens:scalance_x212-2_firmware, cpe:/o:siemens:scalance_x204-2ld_ts_firmware, cpe:/o:siemens:scalance_xr324-4m_poe_%28230v%2c_ports_on_rear%29_firmware, cpe:/o:siemens:scalance_x204irt_firmware, cpe:/o:siemens:scalance_x307-2_eec_%282x_24v%2c_coated%29_firmware, cpe:/o:siemens:scalance_x302-7_eec_%28230v%29_firmware, cpe:/o:siemens:scalance_m812-1_adsl-router_series_firmware, cpe:/o:siemens:scalance_x307-3ld_firmware, cpe:/o:siemens:scalance_x302-7_eec_%282x_230v%2c_coated%29_firmware, cpe:/o:siemens:scalance_m876-4_%28nam%29_firmware, cpe:/o:siemens:scalance_mum856-1_%28cn%29_firmware, cpe:/o:siemens:scalance_x307-2_eec_%2824v%2c_coated%29_firmware, cpe:/o:siemens:scalance_x307-2_eec_%282x_230v%29_firmware, cpe:/o:siemens:scalance_xr324-4m_eec_%28100-240vac%2f60-250vdc%2c_ports_on_rear%29_firmware, cpe:/o:siemens:scalance_x308-2lh%2b_firmware, cpe:/o:siemens:scalance_wam763-1_%28me%29_firmware, cpe:/o:siemens:scalance_mub852-1_%28b1%29_firmware, cpe:/o:siemens:scalance_xr324-12m_%2824v%2c_ports_on_front%29_firmware, cpe:/o:siemens:scalance_x408-2_firmware, cpe:/o:siemens:scalance_x204rna_eec_%28prp%2fhsr%29_firmware, cpe:/o:siemens:scalance_xc316-8_firmware, cpe:/o:siemens:scalance_x204-2fm_firmware, cpe:/o:siemens:scalance_xc424-4_firmware, cpe:/o:siemens:scalance_m874-2_firmware, cpe:/o:siemens:scalance_x308-2m_ts_firmware, cpe:/o:siemens:scalance_x302-7_eec_%282x_230v%29_firmware, cpe:/o:siemens:scalance_wum763-1_firmware, cpe:/o:siemens:scalance_x310_firmware, cpe:/o:siemens:ruggedcom_rm1224_lte%284g%29_eu_firmware, cpe:/o:siemens:scalance_x208_firmware, cpe:/o:siemens:scalance_mum853-1_%28a1%29_firmware, cpe:/o:siemens:scalance_x307-2_eec_%282x_24v%29_firmware, cpe:/o:siemens:scalance_x204rna_%28prp%29_firmware, cpe:/o:siemens:scalance_x302-7_eec_%2824v%2c_coated%29_firmware, cpe:/o:siemens:scalance_mum856-1_%28eu%29_firmware, cpe:/o:siemens:scalance_xr324-4m_eec_%28100-240vac%2f60-250vdc%2c_ports_on_front%29_firmware, cpe:/o:siemens:scalance_x208pro_firmware, cpe:/o:siemens:scalance_x204rna_eec_%28hsr%29_firmware, cpe:/o:siemens:scalance_xr324-4m_eec_%282x_24v%2c_ports_on_rear%29_firmware, cpe:/o:siemens:scalance_sc642-2c_firmware, cpe:/o:siemens:scalance_x204-2ts_firmware, cpe:/o:siemens:scalance_s615_lan-router_firmware, cpe:/o:siemens:scalance_xr324-4m_eec_%2824v%2c_ports_on_front%29_firmware, cpe:/o:siemens:scalance_m876-4_%28eu%29_firmware, cpe:/o:siemens:scalance_xr324-4m_poe_ts_%2824v%2c_ports_on_front%29_firmware, cpe:/o:siemens:scalance_mum856-1_%28a1%29_firmware, cpe:/o:siemens:scalance_x302-7_eec_%2824v%29_firmware, cpe:/o:siemens:scalance_x308-2m_poe_firmware, cpe:/o:siemens:scalance_xf204-2ba_irt_firmware, cpe:/o:siemens:scalance_x201-3p_irt_pro_firmware, cpe:/o:siemens:scalance_xr324-12m_%28230v%2c_ports_on_rear%29_firmware, cpe:/o:siemens:scalance_wum763-1_%28us%29_firmware, cpe:/o:siemens:scalance_x308-2ld_firmware, cpe:/o:siemens:scalance_x302-7_eec_%282x_24v%2c_coated%29_firmware, cpe:/o:siemens:scalance_x216_firmware, cpe:/o:siemens:scalance_wab762-1_firmware, cpe:/o:siemens:scalance_xf202-2p_irt_firmware, cpe:/o:siemens:scalance_sc646-2c_firmware, cpe:/o:siemens:scalance_m874-3_3g-router_%28cn%29_firmware, cpe:/o:siemens:scalance_sc632-2c_firmware, cpe:/o:siemens:scalance_wam766-1_eec_%28me%29_firmware, cpe:/o:siemens:scalance_xr526-8_firmware, cpe:/o:siemens:scalance_m804pb_firmware, cpe:/o:siemens:scalance_xr324-4m_eec_%282x_100-240vac%2f60-250vdc%2c_ports_on_front%29_firmware, cpe:/o:siemens:scalance_xr522-12_firmware, cpe:/o:siemens:siplus_net_scalance_x202-2p_irt_firmware, cpe:/o:siemens:scalance_xr324-4m_poe_%28230v%2c_ports_on_front%29_firmware, cpe:/o:siemens:scalance_s615_eec_lan-router_firmware, cpe:/o:siemens:scalance_xr324-4m_eec_%282x_24v%2c_ports_on_front%29_firmware, cpe:/o:siemens:scalance_xc332_firmware, cpe:/o:siemens:scalance_mum856-1_%28b1%29_firmware, cpe:/o:siemens:scalance_xr502-32_firmware, cpe:/o:siemens:scalance_wub762-1_ifeatures_firmware, cpe:/o:siemens:scalance_wam763-1_%28us%29_firmware, cpe:/o:siemens:scalance_x204-2_firmware, cpe:/o:siemens:scalance_xf204-2_firmware, cpe:/o:siemens:scalance_sc636-2c_firmware, cpe:/o:siemens:scalance_x202-2irt_firmware, cpe:/o:siemens:scalance_x307-2_eec_%28230v%2c_coated%29_firmware, cpe:/o:siemens:scalance_x206-1_firmware, cpe:/o:siemens:scalance_m876-4_firmware, cpe:/o:siemens:scalance_wam766-1_firmware, cpe:/o:siemens:scalance_x204rna_%28hsr%29_firmware, cpe:/o:siemens:scalance_x307-2_eec_%2824v%29_firmware, cpe:/o:siemens:scalance_x302-7_eec_%28230v%2c_coated%29_firmware, cpe:/o:siemens:scalance_m876-3_firmware, cpe:/o:siemens:scalance_xr324-4m_eec_%2824v%2c_ports_on_rear%29_firmware, cpe:/o:siemens:scalance_xc432_firmware, cpe:/o:siemens:scalance_m874-3_firmware, cpe:/o:siemens:scalance_xc324-4_eec_firmware, cpe:/o:siemens:scalance_xr326-8_eec_firmware, cpe:/o:siemens:scalance_x308-2lh_firmware, cpe:/o:siemens:scalance_x204rna_eec_%28prp%29_firmware

Required KB Items: Tenable.ot/Siemens

Exploit Ease: No known exploits are available

Patch Publication Date: 6/9/2026

Vulnerability Publication Date: 6/9/2026

Reference Information

CVE: CVE-2025-15467

CWE: 787