Siemens releases six critical OT patches amid growing NIS2 vulnerability pressure
Between August and December 2025, Siemens issued six security advisories affecting critical OT infrastructure including RUGGEDCOM network switches, SIMATIC industrial PCs, and SINEMA remote access systems. The advisories highlight the accelerating patch burden facing NIS2-regulated operators as vulnerabilities compound faster than deployment cycles allow.
What happened
Siemens ProductCERT issued six security advisories between August 2025 and December 2025 covering vulnerabilities in operational technology products deployed across European critical infrastructure. The most severe affects SIMATIC IPC RS-828A industrial computers: an authentication bypass in the Baseboard Management Controller (CVE-2024-54085) grants unauthorized access to the BMC and, through it, to the host system [1]. RUGGEDCOM ROS devices carry a buffer overflow that allows remote code execution by an attacker with network access to the device [2].
The RADIUS protocol vulnerability CVE-2024-3596, dubbed "Blast-RADIUS", affects SCALANCE and RUGGEDCOM network products through forged Access-Request packets [3]. SICAM Q100 and Q200 power quality measurement devices leak SMTP credentials to authenticated local attackers [4]. SINAMICS drive controllers carry a privilege escalation vulnerability [5], while SINEMA Remote Connect Server versions before V3.2 SP4 contain multiple vulnerabilities [6].
Siemens released patches for most affected products but acknowledged that "further fix versions are being prepared" for products where patches remain unavailable. The advisory timeline spans four months, indicating sustained vulnerability discovery in core OT infrastructure components.
Technical detail
The BMC authentication bypass in the SIMATIC IPC RS-828A is reachable through the Redfish management interface and compromises "confidentiality, integrity and availability of the BMC and thus the entire system" [1]. Because the BMC sits below the host operating system, a compromised BMC gives an attacker out-of-band control of power state, firmware and console access, through a management interface that operators commonly assume is isolated from the production network.
The RUGGEDCOM buffer overflow resides in a third-party component and requires only network access to the affected device [2]. RUGGEDCOM switches often serve as the primary network infrastructure in substations and water treatment facilities, so remote code execution on them is particularly damaging.
Blast-RADIUS attacks against RADIUS-enabled SCALANCE and RUGGEDCOM devices allow on-path attackers to "forge Access-Request packets in a way that enables them to modify the corresponding server response packet at will" [3]. The attack turns an Access-Reject into an Access-Accept without valid credentials, bypassing network access controls entirely. It depends on an MD5 chosen-prefix collision against the response's MD5 Response Authenticator; deployments that require the HMAC-based Message-Authenticator attribute in Access-Request and response packets, or that carry RADIUS over TLS, are not susceptible.
SICAM information disclosure vulnerabilities enable authenticated attackers to "extract the SMTP account password and use the configured SMTP service for arbitrary purposes" [4]. While local authentication is required, the vulnerability allows lateral movement through compromised email infrastructure.
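To make the mitigation concrete, the following script is an added example, not Siemens code and not taken from the advisory. It builds RADIUS Access-Accept and Access-Reject responses the way an RFC 2865/2869 server does, then shows three things a RADIUS client sees: a naive Code flip (without the collision) fails the MD5 Response Authenticator; a legacy response that carries no Message-Authenticator is accepted under a lenient policy but refused once the client requires the HMAC-MD5 Message-Authenticator attribute; and a response protected by Message-Authenticator verifies correctly. The shared secret, user name and identifier are constructed values, and the chosen-prefix collision step itself is not reproduced.

```python
"""Constructed RADIUS response-validation example (added illustration, not Siemens code)."""
import hashlib
import hmac
import os
import struct

ACCESS_REQUEST, ACCESS_ACCEPT, ACCESS_REJECT = 1, 2, 3
ATTR_USER_NAME = 1
ATTR_MSG_AUTH = 80          # Message-Authenticator, RFC 2869 section 5.14
HEADER_LEN = 20             # Code(1) Identifier(1) Length(2) Authenticator(16)
SECRET = b"constructed-shared-secret"   # constructed value, not a real deployment secret


def attr(atype, value):
    """Encode one RADIUS attribute as Type, Length, Value."""
    return bytes([atype, 2 + len(value)]) + value


def parse_attrs(pkt):
    """Walk the attribute list after the header; reject malformed lengths."""
    out, pos = [], HEADER_LEN
    while pos < len(pkt):
        atype, alen = pkt[pos], pkt[pos + 1]
        if alen < 2 or pos + alen > len(pkt):
            raise ValueError("malformed attribute length")
        out.append((atype, pkt[pos + 2:pos + alen]))
        pos += alen
    return out


def _zero_msg_auth(body):
    """Return the attribute bytes with every Message-Authenticator value zeroed."""
    out, pos = bytearray(body), 0
    while pos < len(body):
        atype, alen = body[pos], body[pos + 1]
        if atype == ATTR_MSG_AUTH:
            out[pos + 2:pos + alen] = bytes(alen - 2)
        pos += alen
    return bytes(out)


def _hmac_md5(code, ident, length, request_auth, body, secret):
    # RFC 2869: responses are keyed over the *Request* Authenticator, not the Response Authenticator.
    data = struct.pack("!BBH", code, ident, length) + request_auth + body
    return hmac.new(secret, data, hashlib.md5).digest()


def build_response(code, ident, request_auth, attrs, secret, with_msg_auth):
    """Build an Access-Accept/Reject the way an RFC-compliant server does."""
    attrs = list(attrs)
    if with_msg_auth:
        attrs.append(attr(ATTR_MSG_AUTH, bytes(16)))   # placeholder; HMAC is computed over zeros
    body = b"".join(attrs)
    length = HEADER_LEN + len(body)
    if with_msg_auth:
        body = body[:-16] + _hmac_md5(code, ident, length, request_auth, body, secret)
    # Response Authenticator (RFC 2865 section 3): MD5(Code+ID+Length+RequestAuth+Attributes+Secret).
    header = struct.pack("!BBH", code, ident, length)
    resp_auth = hashlib.md5(header + request_auth + body + secret).digest()
    return header + resp_auth + body


def verify_response(pkt, request_auth, secret, require_msg_auth):
    """True only if the response is authentic under the chosen policy.

    require_msg_auth=True is the Blast-RADIUS mitigation: a response carrying only the
    MD5 Response Authenticator is refused, because that MD5 value is what the
    chosen-prefix collision lets an on-path attacker keep valid while rewriting the Code.
    """
    if len(pkt) < HEADER_LEN:
        return False
    code, ident, length = struct.unpack("!BBH", pkt[:4])
    if length != len(pkt) or code not in (ACCESS_ACCEPT, ACCESS_REJECT):
        return False
    resp_auth, body = pkt[4:20], pkt[20:]
    expected = hashlib.md5(pkt[:4] + request_auth + body + secret).digest()
    if not hmac.compare_digest(resp_auth, expected):
        return False
    mas = [v for t, v in parse_attrs(pkt) if t == ATTR_MSG_AUTH]
    if not mas:
        return not require_msg_auth
    if len(mas) != 1 or len(mas[0]) != 16:
        return False
    calc = _hmac_md5(code, ident, length, request_auth, _zero_msg_auth(body), secret)
    return hmac.compare_digest(mas[0], calc)


def demo():
    """Exercise the three cases; returns a dict of verdicts a client would reach."""
    request_auth = os.urandom(16)          # Request Authenticator of the Access-Request we sent
    ident, user = 0x2A, [attr(ATTR_USER_NAME, b"operator")]
    legacy_reject = build_response(ACCESS_REJECT, ident, request_auth, user, SECRET, False)
    naive_flip = bytes([ACCESS_ACCEPT]) + legacy_reject[1:]   # Code flipped, no collision work
    hardened_accept = build_response(ACCESS_ACCEPT, ident, request_auth, user, SECRET, True)
    return {
        "legacy_reject_lenient": verify_response(legacy_reject, request_auth, SECRET, False),
        "legacy_reject_strict": verify_response(legacy_reject, request_auth, SECRET, True),
        "naive_flip": verify_response(naive_flip, request_auth, SECRET, False),
        "hardened_accept_strict": verify_response(hardened_accept, request_auth, SECRET, True),
        "hardened_flipped": verify_response(bytes([ACCESS_REJECT]) + hardened_accept[1:],
                                            request_auth, SECRET, True),
    }


if __name__ == "__main__":
    for case, verdict in demo().items():
        print(f"{case:24s} accepted={verdict}")
```

The strict policy is the one to enable on SCALANCE and RUGGEDCOM clients and on the RADIUS servers behind them; the Response Authenticator check alone is exactly the control Blast-RADIUS defeats.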
EU context
NIS2 Article 21 requires essential and important entities to take appropriate and proportionate technical, operational and organisational measures to manage risks to the network and information systems they use for their services and to prevent or minimise the impact of incidents; Article 21(2)(e) lists vulnerability handling and disclosure among the minimum measures. Member States had to apply their transposing rules from 17 October 2024.
The sustained patch release schedule from a single vendor illustrates the practical challenge facing operators under NIS2 implementation in Lithuania (where the directive is referred to as TIS2). NKSC implementing rules require documented vulnerability response procedures but do not specify maximum patching timeframes, leaving operators to balance availability requirements against security obligations.
Siemens acknowledges that patches remain unavailable for some affected products and recommends "specific countermeasures" instead. This creates compliance uncertainty for NIS2-regulated entities that must demonstrate reasonable security measures without vendor-provided fixes.
The timeline pressure intensifies for operators managing mixed-vendor environments. Six advisories from Siemens alone over four months, multiplied across industrial automation suppliers, suggest that patch deployment will consume increasing operational resources as vulnerability discovery accelerates.
Sectoral implication
Water and energy sectoral SOCs should establish vendor advisory monitoring processes that automatically flag critical severity advisories requiring emergency patching procedures. The BMC vulnerability in SIMATIC IPCs particularly affects supervisory systems that operators often consider isolated from network threats.
Operators should prioritize RUGGEDCOM network infrastructure patches given the remote code execution risk and the central role these switches play in OT network segmentation. Buffer overflow vulnerabilities in network devices can bypass other security controls entirely.
RADIUS-based network access control requires immediate review wherever SCALANCE or RUGGEDCOM devices authenticate users. The Blast-RADIUS attack allows complete authentication bypass, and an attacker's session is recorded as an ordinary successful login, so existing access logs cannot be trusted for incident investigation.
SICAM Q100/Q200 deployments in remote substations and pumping stations should undergo credential rotation after patching so that already-extracted SMTP passwords cannot enable persistent access. The local authentication requirement suggests the vulnerability targets maintenance or configuration interfaces.
Sectoral SOCs should prepare for sustained high patch volumes from industrial automation vendors. Six advisories in four months from one supplier indicate that vulnerability management will require dedicated staffing rather than ad-hoc responses.
Sources
- [1] SSA-446307 V1.1 (Last Update: 2025-08-12): Authentication Bypass Vulnerability in BMC (CVE-2024-54085) affects SIMATIC IPC RS-828A. Siemens ProductCERT.
- [2] SSA-373591 V1.2 (Last Update: 2025-10-14): Buffer Overflow Vulnerability in RUGGEDCOM ROS Devices. Siemens ProductCERT.
- [3] SSA-723487 V1.8 (Last Update: 2025-12-09): RADIUS Protocol Susceptible to Forgery Attacks (CVE-2024-3596): Impact to SCALANCE, RUGGEDCOM and Related Products. Siemens ProductCERT.
- [4] SSA-529291 V1.0: Information Disclosure Vulnerabilities in SICAM Q100/Q200. Siemens ProductCERT.
- [5] SSA-027652 V1.0: Privilege Escalation Vulnerability in SINAMICS Drives. Siemens ProductCERT.
- [6] SSA-626856 V1.0: Multiple Vulnerabilities in SINEMA Remote Connect Server Before V3.2 SP4. Siemens ProductCERT.