CVE-2025-2884: Siemens TPM 2.0 Out-of-Bounds Read — Detection and Remediation Guide

On January 20, 2026, CISA released advisory ICSA-26-111-01 regarding a critical security flaw affecting multiple Siemens products utilizing Trusted Platform Module (TPM) 2.0 technology. Identified as CVE-2025-2884, this vulnerability stems from an out-of-bounds read condition that could allow an authenticated attacker with local access to trigger an information disclosure event or a denial-of-service (DoS) condition.

For defenders in Operational Technology (OT) and industrial environments, this is a high-priority issue. The TPM is a foundational component for hardware-rooted trust, responsible for securing credentials, encryption keys, and system integrity measurements. A successful exploit could undermine the confidentiality of sensitive cryptographic material or disrupt critical industrial computing processes.

Technical Analysis

Vulnerability Details

• CVE ID: CVE-2025-2884
• Vulnerability Type: Out-of-Bounds Read (CWE-125)
• Affected Component: TPM 2.0 firmware implementation on specific Siemens platforms.
• Impact: Information Disclosure (reading sensitive memory contents) and Denial of Service (TPM crash).

Affected Products and Versions The vulnerability impacts specific SIMATIC Industrial PCs (IPCs) and Field PGs:

• SIMATIC CN 4100: All versions (vers: all/*)
• SIMATIC Field PG M5: All versions (vers: all/*)
• SIMATIC Field PG M6: All versions (vers: all/*)
• SIMATIC IPC BX-32A: Versions earlier than 29.01.09 (vers: intdot/< 29.01.09)
• SIMATIC IPC BX-39A: Versions earlier than 29.01.09 (vers: intdot/< 29.01.09)
• SIMATIC IPC BX-56A: Versions earlier than 32.01.09 (vers: intdot/< 32.01.09)

Exploitation Mechanics The vulnerability exists in how the TPM handles memory addressing operations. An attacker with local access—perhaps via a compromised lower-privilege process or malicious service—could send a specifically crafted command to the TPM device. This command triggers an out-of-bounds read, allowing the attacker to read data from adjacent memory addresses.

In a defense context, the primary risks are:

1. Key Extraction: While difficult, memory disclosure could expose portions of encryption keys or platform configuration registers (PCRs).
2. Operational Disruption (DoS): Triggering a crash in the TPM often results in a system halt or boot failure ( BitLocker recovery scenarios), causing downtime in HMI or engineering stations.

Exploitation Status As of the advisory release, CISA has not confirmed active exploitation in the wild. However, the nature of the flaw (local access required) makes it a prime candidate for privilege escalation in scenarios where an attacker has already gained a foothold via other means.

Detection & Response

Detecting an out-of-bounds read attempt on a hardware TPM module via traditional log sources is challenging. However, defenders can hunt for symptoms of exploitation (system crashes) and attempts to interact with the TPM interface using non-standard tools.

Sigma Rules

The following rules identify suspicious interactions with the TPM interface and system instability indicative of a potential DoS exploit.

---
title: Potential Siemens TPM Exploitation - Direct Device Access
id: 9c8f7d1e-2b3a-4c5d-9e0f-1a2b3c4d5e6f
status: experimental
description: Detects processes attempting to interact directly with the TPM device handle (\\.\\TPM), which is uncommon for standard software and may indicate exploitation attempts on vulnerable Siemens IPCs.
author: Security Arsenal
date: 2026/04/06
references:
  - https://www.cisa.gov/news-events/ics-advisories/icsa-26-111-01
tags:
  - attack.privilege_escalation
  - attack.t1068
logsource:
  category: process_creation
  product: windows
detection:
  selection:
    CommandLine|contains:
      - '\\\\.\\\\TPM'
      - '\\\\.\\\\Tpm0'
  condition: selection
falsepositives:
  - Legitimate administrative TPM management tools (rare)
level: high
---
title: Siemens IPC - Unexpected Reboot (Potential TPM DoS)
id: a1b2c3d4-5e6f-7a8b-9c0d-1e2f3a4b5c6d
status: experimental
description: Detects unexpected system reboots or kernel-power failures on Siemens SIMATIC devices which could indicate a successful Denial-of-Service attack against the TPM (CVE-2025-2884).
author: Security Arsenal
date: 2026/04/06
references:
  - https://www.cisa.gov/news-events/ics-advisories/icsa-26-111-01
tags:
  - attack.impact
  - attack.t1529
logsource:
  product: windows
  service: system
detection:
  selection:
    EventID: 41
    Provider_Name: 'Microsoft-Windows-Kernel-Power'
  filter_siemens:
    Computer|contains:
      - 'SIMATIC'
      - 'IPC'
  condition: selection and filter_siemens
falsepositives:
  - Legitimate power outages or manual restarts by operators
level: medium

KQL (Microsoft Sentinel / Defender)

This query hunts for unexpected kernel-power failures specifically on endpoints that match the naming convention of the affected Siemens IPC models.

DeviceEvents
| where ActionType == "KernelPnpDeviceConfigurationChanged" or ActionType contains "Power"
| extend DeviceName = tostring(DeviceInfo)
| where DeviceName has "SIMATIC" 
| project Timestamp, DeviceName, ActionType, AdditionalFields
| join kind=inner (
    DeviceProcessEvents 
    | where InitiatingProcessFileName in ("powershell.exe", "cmd.exe", "unknown")
) on DeviceName
| where Timestamp > ago(1d)
| summarize count() by bin(Timestamp, 1h), DeviceName

Velociraptor VQL

Use this VQL artifact to audit the BIOS version of the local machine against the vulnerable versions listed in the advisory.

-- Hunt for vulnerable Siemens TPM 2.0 Implementations
SELECT 
  OSInfo.ProductName AS Product,
  OSInfo.Version AS OSVersion,
  HardwareInfo.SystemManufacturer AS Manufacturer,
  HardwareInfo.SystemProductName AS Model,
  HardwareInfo.BiosSMBIOSBIOSVersion AS BiosVersion
FROM info()
WHERE Model =~ 'SIMATIC'
  AND (
      (Model =~ 'BX-32A' AND BiosVersion < '29.01.09') OR
      (Model =~ 'BX-39A' AND BiosVersion < '29.01.09') OR
      (Model =~ 'BX-56A' AND BiosVersion < '32.01.09') OR
      (Model =~ 'CN 4100') OR
      (Model =~ 'Field PG M5') OR
      (Model =~ 'Field PG M6')
  )

Remediation Script (PowerShell)

This script performs an automated vulnerability assessment against the CVE-2025-2884 affected products. It queries the system model and BIOS version, compares them against the advisory thresholds, and outputs a remediation status.

# CVE-2025-2884 Siemens TPM 2.0 Vulnerability Assessment
# Requires Administrator Privileges

Write-Host "[+] Starting Siemens TPM 2.0 Vulnerability Check (CVE-2025-2884)..." -ForegroundColor Cyan

$ComputerSystem = Get-CimInstance -ClassName Win32_ComputerSystem
$BIOS = Get-CimInstance -ClassName Win32_BIOS
$Model = $ComputerSystem.Model
$BiosVersion = $BIOS.SMBIOSBIOSVersion
$IsVulnerable = $false
$RecommendedVersion = $null

# Normalize Model strings for matching
$ModelClean = $Model.Trim().ToUpper()

Write-Host "[+] Detected Model: $Model" -ForegroundColor White
Write-Host "[+] Detected BIOS Version: $BiosVersion" -ForegroundColor White

# Check Logic based on CISA Advisory ICSA-26-111-01
if ($ModelClean -like "*SIMATIC IPC BX-32A*") {
    # Vulnerable if < 29.01.09
    if ([version]$BiosVersion -lt [version]"29.01.09") {
        $IsVulnerable = $true
        $RecommendedVersion = "29.01.09"
    }
}
elseif ($ModelClean -like "*SIMATIC IPC BX-39A*") {
    # Vulnerable if < 29.01.09
    if ([version]$BiosVersion -lt [version]"29.01.09") {
        $IsVulnerable = $true
        $RecommendedVersion = "29.01.09"
    }
}
elseif ($ModelClean -like "*SIMATIC IPC BX-56A*") {
    # Vulnerable if < 32.01.09
    if ([version]$BiosVersion -lt [version]"32.01.09") {
        $IsVulnerable = $true
        $RecommendedVersion = "32.01.09"
    }
}
elseif ($ModelClean -like "*SIMATIC CN 4100*" -or 
       $ModelClean -like "*SIMATIC FIELD PG M5*" -or 
       $ModelClean -like "*SIMATIC FIELD PG M6*") {
    # Advisory states "all/*" versions are affected
    $IsVulnerable = $true
    $RecommendedVersion = "Latest Vendor Firmware"
}

if ($IsVulnerable) {
    Write-Host "[!] ALERT: System is VULNERABLE to CVE-2025-2884." -ForegroundColor Red
    Write-Host "    Action Required: Update BIOS/Firmware to version $RecommendedVersion or later." -ForegroundColor Red
    Write-Host "    Reference: https://support.industry.siemens.com/cs/ww/en/view/109812035/" -ForegroundColor Yellow
    Exit 1
}
else {
    Write-Host "[+] System appears to be PATCHED or NOT AFFECTED based on current BIOS version." -ForegroundColor Green
    Exit 0
}

Remediation

Siemens has released updated firmware versions to mitigate CVE-2025-2884. Immediate patching is strongly recommended.

1. Patching Instructions

• SIMATIC IPC BX-32A: Update to version 29.01.09 or later.
• SIMATIC IPC BX-39A: Update to version 29.01.09 or later.
• SIMATIC IPC BX-56A: Update to version 32.01.09 or later.
• SIMATIC CN 4100 / Field PG M5 / M6: Update to the latest firmware versions released by Siemens (check the Siemens Security Advisory).

2. Workarounds (If patching is delayed) If immediate patching is not possible, Siemens recommends applying strict access controls to ensure only authorized personnel have local access to the affected devices. Limiting local access reduces the attack surface, as the vulnerability requires local execution.

3. CISA Recommendations CISA recommends users take defensive measures to minimize the risk of exploitation of this vulnerability. Specifically, organizations should:

• Ensure all industrial control systems (ICS) assets are behind firewalls and isolated from the business network.
• Remotely monitor these systems for suspicious activity.

For detailed firmware downloads and installation guides, refer to the official Siemens Security Advisory (SSA-456432).

Related Resources

Security Arsenal Managed SOC Services AlertMonitor Platform Book a SOC Assessment soc-mdr Intel Hub