Nullsoft Scriptable Install System (NSIS) runtime code bundled in several SIMOTION setup components contains a local privilege‑escalation flaw. Siemens has published a coordinated advisory, since republished by U.S. cyber authorities, warning that installing affected SIMOTION Tools on Windows can allow an unprivileged local user to escalate to SYSTEM while setup is running. (cisa.gov) (cert-portal.siemens.com)

Background / Overview

Siemens ProductCERT published Security Advisory SSA‑563922 describing a local privilege‑escalation vulnerability (tracked as CVE‑2025‑43715) affecting a set of SIMOTION tools and packages. Siemens reports the issue is rooted in a weakness in Nullsoft Scriptable Install System (NSIS) behavior on Windows prior to NSIS 3.11: the installer's temporary plugins directory is created under %WINDIR%\temp without a restrictive ACL, so a low‑privileged user who wins a race condition can plant a file that the elevated installer later runs. Siemens’ advisory lists specific affected SKUs and product names and notes that, for some of those products, no fix is currently available or planned, recommending mitigations and operational guidance in the meantime. (cert-portal.siemens.com)
The U.S. Cybersecurity and Infrastructure Security Agency (CISA) republished Siemens’ advisory as ICSA‑25‑254‑01, reiterating the high‑impact nature of the flaw (CVSS v3 = 8.1) and that exploitation is local only — but can yield SYSTEM privileges when a legitimate installation using the affected setup component is executed. CISA also reminds operators that Siemens ProductCERT is the authoritative channel for follow‑up on Siemens issues. (cisa.gov)
Independent vulnerability databases (NVD, Tenable, cvefeed and others) catalog CVE‑2025‑43715, show matching descriptions and severity, and point to the same root cause (EW_CREATEDIR not consistently setting CreateRestrictedDirectory) and remediation state for NSIS itself (fixed in NSIS 3.11 upstream). (nvd.nist.gov)

What exactly is wrong: technical anatomy

How the NSIS flaw works (plain terms)

  • The installer runtime (NSIS) creates a temporary plugins directory while it runs; in versions before 3.11 that directory was created under %WINDIR%\temp on Windows, a location that low‑privileged users can write to.
  • NSIS has a restricted‑directory creation path (CreateRestrictedDirectory) that applies a tight ACL at creation time, but the directory‑creation instruction handler (EW_CREATEDIR) did not consistently use it for the plugins directory. The directory therefore inherits the permissive permissions of %WINDIR%\temp, and an unprivileged user who wins a race against the installer can place a malicious executable or DLL there before the installer uses it.
  • When the installer subsequently loads or executes items from that directory during setup, the attacker’s file runs inside the installer process with the installer’s privileges, typically SYSTEM or an elevated administrative context, which is the local privilege escalation to SYSTEM described in the advisory. (nvd.nist.gov)

Why local but still high risk for ICS/OT

On a purely technical level the attack vector is local (the attacker must already have local access to the Windows host or be able to place files on it). However, engineering and commissioning workstations in industrial environments often run installers as privileged users, host project files, handle removable media and are used to perform high‑privilege operations against controllers and field equipment. A successful local escalation on those hosts can therefore jump from a seemingly isolated desktop compromise to full control over control‑system design or commissioning flows — a real safety and availability risk in critical manufacturing environments. Siemens and CISA explicitly classify affected product families as deployed worldwide in Critical Manufacturing contexts. (cert-portal.siemens.com)

Affected products (what Siemens lists)

Siemens’ SSA‑563922 enumerates several SIMOTION tools and product SKUs reported as affected; the advisory marks each product as “All versions” and maps them to CVE‑2025‑43715. Representative affected items called out by Siemens include:
  • SIMATIC Technology Package TPCamGen (6ES7823‑0FE30‑1AA0) — All versions.
  • SIMOTION OA MIIF (6AU1820‑3DA20‑0AB0) — All versions.
  • SIMOTION OACAMGEN (6AU1820‑3EA20‑0AB0) — All versions.
  • SIMOTION OALECO (6AU1820‑3HA20‑0AB0) — All versions.
  • SIMOTION OAVIBX (6AU1820‑3CA20‑0AB0) — All versions. (cert-portal.siemens.com)
Siemens’ advisory explicitly states the vulnerability is relevant only during the setup/installation phase of the affected tools. That operational detail matters when designing mitigations (reduce exposure during install windows, restrict local user presence, etc.). (cert-portal.siemens.com)

Verification and cross‑checks

Key technical facts have been cross‑checked against multiple independent sources:
  • The CVE description and the NSIS root cause (EW_CREATEDIR / CreateRestrictedDirectory race) appear in NVD and in numerous vulnerability trackers, which agree on the CVSS v3.1 base score 8.1 and the local, high‑impact vector. (nvd.nist.gov)
  • Upstream NSIS documentation and issue trackers referenced in the CVE metadata indicate the code change/fix is associated with NSIS 3.11, corroborating vendor and tracking data that the upstream runtime has been fixed. Operators should therefore treat NSIS 3.11 as the corrected runtime baseline where feasible. (securityvulnerability.io)
  • Siemens’ ProductCERT advisory SSA‑563922 and the CISA republication ICSA‑25‑254‑01 reiterate the affected product list, the CVE mapping, and the practical mitigation posture Siemens currently recommends for customers. (cert-portal.siemens.com)
If any internal asset or third‑party scanner flags a different CVE or score for these SIMOTION SKUs, treat that as requiring immediate verification against Siemens ProductCERT and MITRE/NVD records. Where Siemens indicates no fix planned or no fix currently available, that must be treated as the vendor’s current stance until a ProductCERT update changes it. (cert-portal.siemens.com)

Risk evaluation — real world impact and threat model

  • Consequence on a compromised engineering host: SYSTEM privileges on a Windows engineering workstation can allow attackers to access credentials, modify project files, install drivers or signed modules used for commissioning, and operate vendor tools that communicate to PLCs or drives. That capability enables both data theft and direct manipulation of control logic or commissioning sequences.
  • Exploitability: The vulnerability requires local placement of a crafted file and “winning” a race condition during installer execution. While that increases attack complexity relative to a simple remote exploit, it remains practically exploitable in many OT/IT scenarios: shared workstations, removable media use, or social engineering that convinces privileged staff to run an installer are common in ICS environments. CISA and Siemens characterize the issue as local but with high impact and significant operational risk. (cisa.gov)
  • Likelihood of exploitation: As of the advisory, neither the vendor nor CISA reports known public exploitation specifically targeting this vulnerability. That absence should not be read as evidence of safety: the preconditions (local access on a host where an elevated install runs) are routine on engineering workstations, installer flows and removable‑media vectors are a well‑worn path onto such hosts, and the NSIS root cause is publicly documented. (cisa.gov)

Vendor status and timeline

  • Siemens published SSA‑563922 (published 2025‑09‑09) and CISA republished it as ICSA‑25‑254‑01 (initial republication shown as September 11, 2025). Siemens states some affected SIMOTION products currently have no fix planned or no fix currently available and that it is preparing fix versions where feasible. (cert-portal.siemens.com)
  • Upstream NSIS appears to have a code correction in NSIS 3.11 addressing the CreateRestrictedDirectory handling, per NSIS release documentation and public trackers; however, vendors embedding a specific NSIS runtime version into their installers need to rebuild and re‑release the affected setup packages to benefit from that upstream fix. Siemens indicates that, until fixed installer builds are published, customers should apply compensating mitigations. (securityvulnerability.io)

Recommended mitigations — short term and medium term

The vendor and CISA list a number of mitigations; the following expands those into an actionable playbook for Windows administrators, OT/engineering leads, and security teams responsible for Siemens environments.

Immediate (within hours)

  • Delay noncritical installations. Postpone installation of any SIMOTION or related Siemens software on production engineering hosts until a fix or mitigated installer is available. Siemens explicitly notes the vulnerability applies only during installation. (cert-portal.siemens.com)
  • Restrict installer execution windows. If installation is required, run it in a controlled maintenance window on a quarantined host with:
    • no other users logged on;
    • no unknown background programs running;
    • no network shares or removable media connected except what the install needs. (cert-portal.siemens.com)
  • Run installs from a dedicated, isolated admin workstation. Use a known‑clean, hardened admin VM or jump host for performing installations, not a general‑purpose engineering station.

Short to medium (1–7 days)

  • Harden write access to %WINDIR%\temp. Restrict NTFS permissions so that only SYSTEM and Administrators can write to %WINDIR%\temp. Test thoroughly: changing system temp permissions can impact legitimate software. Implement via Group Policy only after validation in a lab. (This raises the bar for the race‑condition exploit because unprivileged users cannot place executables there.) (vulert.com)
  • Use application allowlisting. Configure Windows Defender Application Control (WDAC), AppLocker, or a reputable EDR to block execution of binaries and loading of DLLs from %WINDIR%\temp and other temporary locations. WDAC records its blocks in the Microsoft-Windows-CodeIntegrity/Operational log; forward that log, and add EDR or SIEM alerts for creation or execution of EXE/DLL files from those paths, so a blocked attempt is seen rather than silently stopped.
  • EDR/Sysmon rules for installer activity. Deploy detections to monitor:
    • creation of executable files under %WINDIR%\temp by non‑admin accounts (Sysmon Event ID 11, FileCreate);
    • unexpected child processes of installer executables (msiexec, setup.exe, etc.) (Sysmon Event ID 1, ProcessCreate);
    • DLL loads from unexpected paths during installer runtime (Sysmon Event ID 7, ImageLoad).
    A short detection rule list and Sysmon config tailored for installer race conditions can catch abuse attempts early.

Medium to long term (weeks to months)

  • Inventory and update strategy. Compile a complete inventory of Siemens/third‑party installers used across engineering and provisioning flows. Cross‑reference installed product versions against Siemens ProductCERT advisories (SSA pages) and MITRE/NVD. Prioritize updating any installers rebuilt with NSIS 3.11 (when Siemens publishes fix builds) and deploy them through controlled channels. (cert-portal.siemens.com)
  • Remove unneeded local admin rights. Apply least privilege to engineering accounts. Use dedicated privileged‑access workstations (PAWs) for high‑risk actions like software installation or firmware updates.
  • Harden workstation hygiene and media policies. Ban or tightly control removable media and staging directories on engineering desktops, particularly during maintenance windows.

Practical Windows hardening commands and sample checks

  • To check current NTFS permissions on %WINDIR%\temp, open an elevated PowerShell prompt and run:
    (Get-Acl "$env:windir\Temp").Access
    Look for Allow entries that grant CreateFiles/WriteData, CreateDirectories/AppendData, Write, Modify or FullControl to BUILTIN\Users, Authenticated Users or Everyone; on a default installation BUILTIN\Users holds CreateFiles and CreateDirectories on this folder and its subfolders.
  • To tighten write permissions (EXAMPLE, test first in a lab), from an elevated command prompt:
    • Back up existing ACLs: icacls %WINDIR%\Temp /save TempAclBackup /T
    • Drop inherited entries and grant full control to SYSTEM and Administrators only: icacls %WINDIR%\Temp /inheritance:r /grant:r "NT AUTHORITY\SYSTEM:(OI)(CI)F" "BUILTIN\Administrators:(OI)(CI)F"
    • Roll back if something breaks: icacls %WINDIR% /restore TempAclBackup (the restore target is the parent directory, because the saved file records paths relative to it).
  • To add a Sysmon rule (example) for executables appearing in Windows Temp: in the EventFiltering section of the Sysmon configuration, add a FileCreate (Event ID 11) include rule matching TargetFilename that begins with C:\Windows\Temp\ and ends with .exe or .dll, and an ImageLoad (Event ID 7) include rule matching ImageLoaded that begins with C:\Windows\Temp\. Sysmon cannot filter on group membership, so exclude SYSTEM and administrative accounts in the SIEM or EDR using the event's User field. Test rule volume before broad roll‑out: NSIS installers legitimately unpack plugin DLLs into their own temp subdirectory, so the interesting case is a file written by one account and then loaded by a process running as another.
Caveat: ACL changes and allowlisting can break legitimate software; implement in test first and have rollback procedures and vendor support contact information available.
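The following added example, written for this article and not taken from Siemens, CISA or the NSIS project, turns the permission checks above into a script and also illustrates the point from the technical anatomy section: what a restricted directory looks like next to one that merely inherits the permissive entries on %WINDIR%\Temp. It assumes an elevated Windows PowerShell 5.1 or PowerShell 7 session on Windows; the trusted-principal list, the demo directory names (demo_plain_*, demo_restricted_*) and the function names are assumptions of the example, not anything the advisories prescribe.

```powershell
# Added example for this article; not code from Siemens, CISA or the NSIS project.
# Audits which principals can write into a directory, then contrasts a subdirectory
# that inherits %WINDIR%\Temp's permissive ACEs with one created with a restrictive
# DACL supplied in the create call (the property the page attributes to
# CreateRestrictedDirectory). Run elevated on Windows (PowerShell 5.1 or 7).
# Trusted-principal list and demo directory names are assumptions.

$TrustedPrincipals = @('NT AUTHORITY\SYSTEM', 'BUILTIN\Administrators',
                       'NT SERVICE\TrustedInstaller')

# Access-mask bits that let a principal put a file into a directory:
# FILE_WRITE_DATA (0x2, "CreateFiles"), FILE_APPEND_DATA (0x4, "CreateDirectories"),
# plus the GENERIC_WRITE (0x40000000) and GENERIC_ALL (0x10000000) bits some ACEs carry.
$WriteMask = 0x2 -bor 0x4 -bor 0x40000000 -bor 0x10000000

function Get-UntrustedWriteAccess {
    # Emits one object per Allow ACE that grants write access on $Path itself to a
    # principal outside $TrustedPrincipals. No output means only trusted accounts write.
    param([Parameter(Mandatory)][string]$Path)
    $acl = Get-Acl -LiteralPath $Path
    foreach ($ace in $acl.Access) {
        if ($ace.AccessControlType -ne 'Allow') { continue }
        # Inherit-only entries (e.g. CREATOR OWNER) apply to children, not this folder.
        if (([int]$ace.PropagationFlags -band 2) -ne 0) { continue }
        $who = $ace.IdentityReference.Value
        if ($TrustedPrincipals -contains $who) { continue }
        if (([int]$ace.FileSystemRights -band $WriteMask) -ne 0) {
            [pscustomobject]@{
                Path      = $Path
                Principal = $who
                Rights    = $ace.FileSystemRights
                Inherited = $ace.IsInherited
                AppliesTo = $ace.InheritanceFlags
            }
        }
    }
}

function New-RestrictedDirectory {
    # Creates $Path with a DACL granting full control to SYSTEM and Administrators
    # only, with inheritance from the parent blocked. The descriptor is passed to the
    # create call, so the directory never exists with the parent's permissive ACEs.
    param([Parameter(Mandatory)][string]$Path)
    if (Test-Path -LiteralPath $Path) {
        # A pre-existing directory (possibly planted by another user) keeps its own
        # ACL; refuse it rather than silently trusting it.
        throw "Refusing to reuse existing directory: $Path"
    }
    $sec = New-Object System.Security.AccessControl.DirectorySecurity
    $sec.SetAccessRuleProtection($true, $false)   # protect DACL, drop inherited ACEs
    $inherit = [System.Security.AccessControl.InheritanceFlags]'ContainerInherit, ObjectInherit'
    foreach ($principal in 'NT AUTHORITY\SYSTEM', 'BUILTIN\Administrators') {
        $rule = New-Object System.Security.AccessControl.FileSystemAccessRule(
            $principal, 'FullControl', $inherit, 'None', 'Allow')
        $sec.AddAccessRule($rule)
    }
    if ($PSVersionTable.PSEdition -eq 'Core') {
        # PowerShell 7: the secured-create overload is an extension method.
        [System.IO.FileSystemAclExtensions]::Create([System.IO.DirectoryInfo]$Path, $sec)
    } else {
        # Windows PowerShell 5.1 (.NET Framework).
        [System.IO.Directory]::CreateDirectory($Path, $sec) | Out-Null
    }
    return $Path
}

# 1. Audit the system temp directory that pre-3.11 NSIS used for its plugins.
'Untrusted write access on Windows\Temp:'
Get-UntrustedWriteAccess -Path "$env:windir\Temp" | Format-Table -AutoSize

# 2. Compare a plain subdirectory with a restricted one (demo names are assumptions).
$plain      = Join-Path $env:windir "Temp\demo_plain_$PID"
$restricted = Join-Path $env:windir "Temp\demo_restricted_$PID"
try {
    New-Item -ItemType Directory -Path $plain | Out-Null
    New-RestrictedDirectory -Path $restricted | Out-Null
    'Plain subdirectory (inherits the parent ACEs):'
    Get-UntrustedWriteAccess -Path $plain | Format-Table -AutoSize
    'Restricted subdirectory (should list nothing):'
    Get-UntrustedWriteAccess -Path $restricted | Format-Table -AutoSize
} finally {
    Remove-Item -LiteralPath $plain, $restricted -Recurse -Force -ErrorAction SilentlyContinue
}
```

On a default Windows installation the first audit and the plain subdirectory both list BUILTIN\Users with CreateFiles and CreateDirectories rights inherited from Windows\Temp, while the restricted subdirectory lists nothing. The detail that matters for the race is where the DACL is applied: handing it to the create call, as New-RestrictedDirectory does, leaves no interval in which the directory exists with the inherited permissions, whereas a New-Item followed by Set-Acl would.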

Detection and post‑compromise indicators

Look for the following signs which may indicate attempted or successful exploitation during an installation window:
  • Unexpected executable (.exe) or DLL files created in %WINDIR%\temp or setup‑specific temp paths.
  • Installer process spawning child processes that drop files into system folders.
  • New scheduled tasks, services, or registry Run keys created shortly after an installation.
  • Anomalous creation of privileged tokens or elevation requests during or immediately after installers run.
Ensure EDR/antivirus telemetry is centralized and retained for at least 90 days to enable forensic review of any suspicious installer activity.
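As an added example for this article (not detection content from Siemens, CISA or the Sysmon project), the script below implements the correlation that the Sysmon guidance under the short‑term mitigations and the indicator list above both point at: an executable written into a system temp path by one account and then loaded by a process running as another. It runs offline over a handful of constructed Sysmon records in the XML shape that (Get-WinEvent -LogName 'Microsoft-Windows-Sysmon/Operational').ToXml() returns; the function and rule names, the file paths, the account name PLANT\eng01 and the timestamps are invented for the demonstration.

```powershell
# Added example for this article; not from Siemens, CISA or the Sysmon project.
# Correlates Sysmon FileCreate (Event ID 11) and ImageLoad (Event ID 7) records to
# flag the write-then-load pattern behind the temp-directory race. Input is Sysmon
# event XML; the records at the bottom are constructed, with invented names.

$WatchedRoots = @('C:\Windows\Temp\')
$TrustedUsers = @('NT AUTHORITY\SYSTEM', 'NT AUTHORITY\LOCAL SERVICE', 'NT AUTHORITY\NETWORK SERVICE')
$ExecutableExtensions = @('.exe', '.dll')

function ConvertFrom-SysmonXml {
    # Flattens one Sysmon event (Windows event XML) into an object carrying EventID
    # plus every EventData field as a property.
    param([Parameter(Mandatory)][string]$Xml)
    $doc = [xml]$Xml
    $rec = [ordered]@{ EventID = [int]$doc.Event.System.EventID }
    foreach ($d in $doc.Event.EventData.Data) { $rec[$d.GetAttribute('Name')] = $d.InnerText }
    [pscustomobject]$rec
}

function Test-WatchedPath {
    param([string]$Path)
    foreach ($root in $WatchedRoots) {
        if ($Path -and $Path.StartsWith($root, [System.StringComparison]::OrdinalIgnoreCase)) { return $true }
    }
    return $false
}

function Find-TempDirHijack {
    # Returns alert objects; the 'high' rule is the cross-account write-then-load.
    param([Parameter(Mandatory)][object[]]$Events)
    $alerts   = New-Object System.Collections.Generic.List[object]
    $creators = @{}   # lower-cased path -> FileCreate event of the first writer
    foreach ($ev in ($Events | Sort-Object UtcTime)) {
        if ($ev.EventID -eq 11) {
            $target = $ev.TargetFilename
            if (-not (Test-WatchedPath $target)) { continue }
            if ($ExecutableExtensions -notcontains [System.IO.Path]::GetExtension($target)) { continue }
            $key = $target.ToLowerInvariant()
            if (-not $creators.ContainsKey($key)) { $creators[$key] = $ev }
            if ($TrustedUsers -notcontains $ev.User) {
                $alerts.Add([pscustomobject]@{
                    Severity = 'medium'; Rule = 'ExecutableWrittenToSystemTempByUser'
                    Time = $ev.UtcTime; User = $ev.User; Process = $ev.Image; File = $target })
            }
        }
        elseif ($ev.EventID -eq 7) {
            $loaded = $ev.ImageLoaded
            if (-not (Test-WatchedPath $loaded)) { continue }
            $creator = $creators[$loaded.ToLowerInvariant()]
            if ($creator -and $creator.User -ne $ev.User) {
                $alerts.Add([pscustomobject]@{
                    Severity = 'high'; Rule = 'ImageLoadedFromFileWrittenByOtherAccount'
                    Time = $ev.UtcTime; User = "$($creator.User) -> $($ev.User)"; Process = $ev.Image; File = $loaded })
            }
            elseif ($ev.Signed -ne 'true') {
                # Expected noise for NSIS: its own plugin DLLs are usually unsigned.
                $alerts.Add([pscustomobject]@{
                    Severity = 'low'; Rule = 'UnsignedImageLoadedFromSystemTemp'
                    Time = $ev.UtcTime; User = $ev.User; Process = $ev.Image; File = $loaded })
            }
        }
    }
    return $alerts
}

function New-SampleSysmonXml {
    # Builds a Windows-event-XML string from constructed fields (demo helper only).
    param([int]$EventID, [hashtable]$Data)
    $fields = ($Data.GetEnumerator() | ForEach-Object { '<Data Name="{0}">{1}</Data>' -f $_.Key, $_.Value }) -join ''
    "<Event xmlns='http://schemas.microsoft.com/win/2004/08/events/event'><System><EventID>$EventID</EventID></System><EventData>$fields</EventData></Event>"
}

$SampleEvents = @(
    # a low-privileged user drops a DLL into an installer's plugin directory
    (New-SampleSysmonXml 11 @{ UtcTime = '2025-09-12 09:14:02.100'; Image = 'C:\Users\eng01\race.exe'
                               TargetFilename = 'C:\Windows\Temp\nsa1B2C.tmp\System.dll'; User = 'PLANT\eng01' }),
    # the elevated installer unpacks its own plugin as SYSTEM
    (New-SampleSysmonXml 11 @{ UtcTime = '2025-09-12 09:14:02.200'; Image = 'C:\Install\setup.exe'
                               TargetFilename = 'C:\Windows\Temp\nsa1B2C.tmp\nsDialogs.dll'; User = 'NT AUTHORITY\SYSTEM' }),
    # ...and loads both: its own (benign, unsigned -> low) and the planted one (-> high)
    (New-SampleSysmonXml 7 @{ UtcTime = '2025-09-12 09:14:02.350'; Image = 'C:\Install\setup.exe'
                              ImageLoaded = 'C:\Windows\Temp\nsa1B2C.tmp\nsDialogs.dll'; Signed = 'false'; User = 'NT AUTHORITY\SYSTEM' }),
    (New-SampleSysmonXml 7 @{ UtcTime = '2025-09-12 09:14:02.400'; Image = 'C:\Install\setup.exe'
                              ImageLoaded = 'C:\Windows\Temp\nsa1B2C.tmp\System.dll'; Signed = 'false'; User = 'NT AUTHORITY\SYSTEM' }),
    # a non-executable file in temp is ignored
    (New-SampleSysmonXml 11 @{ UtcTime = '2025-09-12 09:14:03.000'; Image = 'C:\Users\eng01\notepad.exe'
                               TargetFilename = 'C:\Windows\Temp\notes.txt'; User = 'PLANT\eng01' })
)

$parsed = $SampleEvents | ForEach-Object { ConvertFrom-SysmonXml -Xml $_ }
Find-TempDirHijack -Events $parsed | Sort-Object Time | Format-Table Severity, Rule, Time, User, File -AutoSize
```

Run as written, the sample yields three alerts: a medium one for eng01 writing System.dll into the nsa1B2C.tmp plugin directory, a low one for the installer loading its own unsigned nsDialogs.dll (the normal NSIS behaviour that a path-only rule would flood you with), and a high one for the SYSTEM installer loading the file eng01 wrote. The cross-account correlation, not the path match, is what separates the race from routine installer activity; the parser is unchanged when fed live records from Get-WinEvent, which carry the User field in recent Sysmon releases.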

Operational tradeoffs and recommended governance

  • Siemens has a mixed remediation posture across product families: for some SIMOTION SKUs they intend to prepare fix builds, while for others they list no fix planned. That mixed stance forces operational risk‑management decisions: patch when vendor fixes arrive, but otherwise apply compensating controls and consider short‑term replacement or removal of the risky component from production workflows. (cert-portal.siemens.com)
  • CISA’s republication and guidance reiterate that Siemens ProductCERT is the authoritative source for updates. Organizations should subscribe to Siemens ProductCERT advisories and implement a process to triage each SSA entry into an internal change and patch backlog. (cisa.gov)

Broader context: trend in engineering tool vulnerabilities

This SIMOTION/NSIS issue is one of a string of advisories affecting Siemens engineering and management toolchains across 2024–2025. Many of these have involved unsafe deserialization, XML external entity (XXE) weaknesses, DLL‑hijacking or installer‑time issues that allow local or adjacent network exploitation of engineering workstations. The common thread is that engineering tools — often run with elevated rights on Windows workstations — provide a high‑value target whose compromise has outsized downstream operational consequences. Security teams must therefore treat engineering workstations with the same rigor applied to servers and critical endpoints.

What to tell operations and engineering teams (plain guidance)

  • Do not run Siemens SIMOTION installers on production engineering workstations unless absolutely necessary and only during controlled maintenance windows.
  • If you must install: ensure the host is isolated, single‑user logged on, with no external removable media attached, and run the installer from a known cleaned admin VM.
  • Apply host hardening (application allowlisting, restrict write access to system temp directories, EDR detections) and centralize logs for immediate review after any install.
  • Track Siemens ProductCERT (SSA‑563922 and follow‑ups) for updated installers rebuilt against NSIS 3.11 or explicit vendor fixes. (cert-portal.siemens.com)

Remaining uncertainties and flagged claims

  • Siemens indicates some affected SIMOTION products have no fix planned; that is the vendor’s declared position at publication. This is a factual statement reported by the vendor, but it is also subject to change if Siemens later decides to ship fixed builds. Organizations should treat "no fix planned" as a current state, re‑verify product pages for updates, and plan mitigations accordingly. (cert-portal.siemens.com)
  • Upstream NSIS appears to include a correction in 3.11; whether each Siemens installer will be rebuilt immediately against that upstream runtime is currently a timing and engineering question for Siemens. Until Siemens publishes rebuilt installers or replacement packages, the practical mitigation is to follow vendor and CISA guidance for controlled installations. (securityvulnerability.io)

Quick checklist (for immediate distribution to IT/OT teams)

  • Pause non‑urgent SIMOTION installs; schedule critical installs under change control. (cert-portal.siemens.com)
  • For required installs: isolate the install host, ensure single user, remove unnecessary drives/shares. (cert-portal.siemens.com)
  • Restrict write access to %WINDIR%\temp (test in lab). (vulert.com)
  • Block execution from temp directories via allowlisting/EDR; add detections for installer process anomalies.
  • Subscribe to Siemens ProductCERT SSA updates and CISA ICS advisories; triage and track remediation tickets. (cert-portal.siemens.com)

Conclusion

CVE‑2025‑43715 is a textbook example of how an installer/runtime assumption — in this case, temporary directory creation semantics inside NSIS — can translate into high‑impact outcomes when that runtime is used to deliver engineering software in critical manufacturing environments. The technical fix exists upstream (NSIS 3.11), but the operational reality is that vendors embedding a specific runtime must rebuild and re‑release installers for their products — a process that can lag behind the upstream correction.
Until Siemens publishes fixed installer builds for the affected SIMOTION components, organizations that operate SIMOTION tools must assume elevated risk during installation windows and apply the compensating mitigations above: restrict installer execution, harden hosts, restrict write access to Windows temp paths, monitor installer activity with EDR/Sysmon, and maintain an aggressive inventory and patch‑triage process that treats engineering workstations as high‑value assets. Siemens ProductCERT and CISA will remain the primary channels for vendor guidance and advisory republication; track both and treat the SSA entries as the canonical remediation roadmap for affected Siemens products. (cert-portal.siemens.com)

Additional reading and verification resources (for operational teams): NVD / MITRE CVE entry for CVE‑2025‑43715, Tenable / cvefeed tracker pages, and the Siemens ProductCERT SSA‑563922 advisory. (nvd.nist.gov)

Source: CISA Siemens SIMOTION Tools | CISA