CISA 2026-04-21

Siemens TPM 2.0

CVE-2025-2884

Machine-generated analysis · WAYSCloud LLM

The vulnerability affects multiple Siemens industrial computing products with TPM 2.0 modules. Fixed versions are available for some products while others remain under investigation.

Context

The advisory addresses a vulnerability in Siemens TPM 2.0 modules used across multiple industrial computing products. The advisory states that an out-of-bound read vulnerability could lead to information disclosure or denial of service of the TPM. Worth noting that some products have specific fixed firmware versions while others are listed as 'all/*' affected with no immediate fix.

Operator considerations

Check: Inventory all Siemens industrial computing products listed in the advisory
Patch: Update affected devices to the firmware versions specified by Siemens
Isolate: Restrict network access to TPM management interfaces if possible

From Cybersecurity and Infrastructure Security Agency ↗

The products listed below contain a vulnerability that could allow an attacker to perform an out-of-bound read, potentially leading to information disclosure or denial of service of the TPM. Siemens has released new versions for several affected products and recommends to update to the latest versions. Siemens is preparing further fix versions and recommends countermeasures for products where fixes are not, or not yet available.

The following versions of Siemens TPM 2.0 are affected:

SIMATIC CN 4100 vers:all/* (CVE-2025-2884)

SIMATIC Field PG M5 vers:all/* (CVE-2025-2884)

SIMATIC Field PG M6 vers:all/* (CVE-2025-2884)

SIMATIC IPC BX-32A vers:intdot/

Read the full advisory on CISA →