Siemens and the U.S. Cybersecurity and Infrastructure Security Agency (CISA) have issued a coordinated advisory warning that several SIMOTION engineering tools contain a local privilege-escalation vulnerability that can give an attacker full SYSTEM control during software installation. Tracked as CVE-2025-43715 and carrying a CVSS v3.1 score of 8.1, the flaw resides in the Nullsoft Scriptable Install System (NSIS) runtime used by the affected Siemens packages. With no vendor fix yet available for some products, organizations that deploy SIMOTION tools on Windows engineering workstations in critical manufacturing environments must immediately apply compensating controls to block exploitation.
How the CVE-2025-43715 Flaw Works
The root cause lies in NSIS behavior on Windows before version 3.11. During an installation, NSIS creates a temporary plugins directory under %WINDIR%\temp, a location in which every local user can create files. Because the installer's internal EW_CREATEDIR routine does not always set the CreateRestrictedDirectory flag, that directory can be created with the permissive permissions inherited from its parent instead of a DACL limited to the installing account, and an unprivileged local user can stage a race-condition attack. By pre-creating or populating the directory with a malicious DLL (NSIS plugins are DLLs) or executable before the installer loads it, the attacker gets their code executed at the same integrity level as the installer process, typically SYSTEM or an elevated administrative context. This turns a low-privilege foothold into complete host compromise.
This attack vector requires local code execution or file write capability on the target machine, hence the “Local” attack vector designation. However, engineering workstations in industrial control system (ICS) environments routinely run installers with elevated rights, are accessed by multiple users, and often interface with removable media and network shares. A successful local escalation therefore ripples outward, potentially allowing an adversary to modify control logic, steal commissioning credentials, or sabotage field device configurations.
Affected SIMOTION Products
Siemens’ ProductCERT advisory SSA-563922 lists the following SIMOTION tools and packages, all versions, as affected by CVE-2025-43715:
- SIMATIC Technology Package TPCamGen (6ES7823-0FE30-1AA0)
- SIMOTION OA MIIF (6AU1820-3DA20-0AB0)
- SIMOTION OACAMGEN (6AU1820-3EA20-0AB0)
- SIMOTION OALECO (6AU1820-3HA20-0AB0)
- SIMOTION OAVIBX (6AU1820-3CA20-0AB0)
Siemens explicitly notes that the vulnerability manifests only during the setup phase of these applications. This narrow but critical exposure window means defenders must focus on hardening the installation process rather than the runtime operation of the software.
Upstream NSIS Fix and the Patching Gap
Upstream NSIS maintainers corrected the improper directory creation handling in NSIS 3.11 by enforcing the CreateRestrictedDirectory flag consistently. However, the fix does not automatically reach end users. Siemens must rebuild and redistribute each affected installer bundle against the patched runtime. As of the advisory publication date (September 9, 2025), Siemens states that for certain products no fix is currently planned or available. Consequently, organizations cannot rely solely on traditional patch management; they must implement workarounds immediately.
CISA’s republication of the advisory as ICSA-25-254-01 reiterates that exploitation is local, highly complex, and requires the attacker to win a race condition. No known public exploitation specifically targeting this vulnerability has been reported to CISA, yet the agency warns that the combination of high impact and widespread ICS deployment warrants urgent defensive measures.
Why Local Escalation Matters in OT Environments
While a local privilege escalation attack may seem less dangerous than a remote code execution, the OT context amplifies its severity. Engineering workstations function as the command bridge to programmable logic controllers (PLCs), drives, and safety systems. SYSTEM-level access lets an attacker:
- Intercept or alter project files destined for field devices.
- Steal authentication tokens used by commissioning software.
- Install backdoors or rootkits that survive reboots and routine cleanup, so that only a full re-image removes them.
- Pivot laterally to other Windows hosts within the industrial zone.
Shared user accounts, infrequent patching, and the use of removable media make engineering hosts prime targets. A determined adversary who first compromises a standard user account can then wait for the next software install window to trigger the privilege escalation.
Immediate Mitigations: Stop, Harden, Monitor
Because the vulnerability is triggered only during installation, the primary short-term defense is to delay all non-essential deployments of affected SIMOTION tools. When installations are unavoidable, execute them inside a tightly controlled maintenance window.
1. Isolate the Installation Host
- Dedicate a clean administrative VM or a physical machine reserved solely for software setup.
- Ensure no other interactive users are logged on.
- Disconnect all network shares and removable drives that are not explicitly required.
- Remove unnecessary software and background processes that could interfere.
2. Restrict Write Access to the System Temp Directory
The attack relies on the attacker being able to create files under %WINDIR%\temp. Hardening its permissions raises the exploitation bar significantly. As an elevated administrator, back up the current ACL, then remove the entries that let ordinary users create files and leave only SYSTEM and Administrators. Note that /grant:r on its own only rewrites the named entries; without the /remove steps the default BUILTIN\Users entry, which allows file and folder creation, stays in place:
icacls "%WINDIR%\Temp" /save TempAclBackup.txt /T
icacls "%WINDIR%\Temp" /inheritance:r /remove "BUILTIN\Users" /remove "CREATOR OWNER" /grant:r "NT AUTHORITY\SYSTEM:(OI)(CI)F" "BUILTIN\Administrators:(OI)(CI)F"
icacls "%WINDIR%\Temp"
icacls "%WINDIR%" /restore TempAclBackup.txt
The last line is the rollback; it is run against the parent directory because the saved file stores paths relative to it.
Warning: Test this change in a non-production lab first. Some legitimate applications and services that run as a standard user may fail if they expect write access to this directory. The installer itself is unaffected only if it is run elevated, since it still has to create its plugins directory there.
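The following PowerShell is an added example, not code from Siemens, CISA or the NSIS project. It gives the check a practitioner wants around the icacls change above: an audit of which broad principals can create files in %WINDIR%\Temp, and a function that builds a staging directory the way a restricted directory should be built, with inheritance cut and explicit ACEs for SYSTEM and Administrators only, which is the property the NSIS 3.11 fix restores. Principal names assume an English Windows build; the staging path is an arbitrary example.

```powershell
# Added example (not Siemens, CISA or NSIS code): audit the DACL on %WINDIR%\Temp
# for ACEs that let broad principals create files there, and build a staging
# directory the way a "restricted directory" should be built: inheritance off,
# explicit ACEs for SYSTEM and Administrators only, so nothing permissive flows
# down from the writable parent. Principal names assume an English Windows build.

$BroadPrincipals = @(
    'BUILTIN\Users', 'Everyone', 'NT AUTHORITY\Authenticated Users', 'NT AUTHORITY\INTERACTIVE'
)
# Either bit lets a principal drop a new file or folder into the directory.
$CreateMask = [int][System.Security.AccessControl.FileSystemRights]::CreateFiles -bor
              [int][System.Security.AccessControl.FileSystemRights]::CreateDirectories

function Get-TempWriteExposure {
    # Emits one row per Allow ACE that grants a broad principal create rights on $Path.
    param([string]$Path = (Join-Path $env:WINDIR 'Temp'))
    $acl = Get-Acl -LiteralPath $Path
    foreach ($ace in $acl.Access) {
        if ($ace.AccessControlType -ne 'Allow') { continue }
        if ($BroadPrincipals -notcontains $ace.IdentityReference.Value) { continue }
        if (([int]$ace.FileSystemRights -band $CreateMask) -eq 0) { continue }
        [pscustomobject]@{
            Path      = $Path
            Identity  = $ace.IdentityReference.Value
            Rights    = $ace.FileSystemRights
            Inherited = $ace.IsInherited
        }
    }
}

function New-RestrictedDirectory {
    # Creates $Path with a protected DACL: SYSTEM and Administrators, nothing inherited.
    param([Parameter(Mandatory)][string]$Path)
    $dir = New-Item -ItemType Directory -Path $Path -Force
    $acl = Get-Acl -LiteralPath $dir.FullName
    $acl.SetAccessRuleProtection($true, $false)   # stop inheriting and drop inherited ACEs
    foreach ($old in @($acl.Access | Where-Object { -not $_.IsInherited })) {
        $null = $acl.RemoveAccessRule($old)
    }
    foreach ($sid in 'S-1-5-18', 'S-1-5-32-544') {   # well-known SIDs: SYSTEM, Administrators
        $rule = [System.Security.AccessControl.FileSystemAccessRule]::new(
            [System.Security.Principal.SecurityIdentifier]::new($sid),
            [System.Security.AccessControl.FileSystemRights]::FullControl,
            [System.Security.AccessControl.InheritanceFlags]'ContainerInherit, ObjectInherit',
            [System.Security.AccessControl.PropagationFlags]::None,
            [System.Security.AccessControl.AccessControlType]::Allow)
        $acl.AddAccessRule($rule)
    }
    Set-Acl -LiteralPath $dir.FullName -AclObject $acl
    $dir
}

# Run elevated. On a default build the first call lists BUILTIN\Users; after the
# icacls hardening, or on the restricted staging directory, it should list nothing.
Get-TempWriteExposure | Format-Table -AutoSize
$staging = New-RestrictedDirectory -Path (Join-Path $env:WINDIR 'Temp\restricted-staging')
Get-TempWriteExposure -Path $staging.FullName | Format-Table -AutoSize
```

The same audit function can be pointed at an installer's ns*.tmp plugins directory while setup is running: if it reports a BUILTIN\Users row, the installer is still creating an unrestricted plugins directory and the hardening on the parent is the only thing standing in the way.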
3. Deploy Application Allowlisting
Configure Windows Defender Application Control (WDAC), AppLocker, or a third-party enforcement tool so that executables and DLLs under %WINDIR%\temp and other temporary folders cannot run: under WDAC that means never granting the path in the allow policy, under AppLocker an explicit deny path rule for both executable and DLL rule collections. This stops the attacker's planted payload from running even if the directory write succeeds. One caveat: an NSIS installer extracts its own legitimate plugins into the same temporary directory, so a blanket path block also breaks the install. Either allow the vendor's plugins by publisher or hash, or switch the rule to audit mode for the maintenance window and treat any block or audit event it generates as a high-value alert.
4. Enable EDR and Sysmon Rules
Create custom detection rules to alert on:
- Creation of executable files (.exe, .dll, .sys) inside %WINDIR%\temp (Sysmon event 11) by processes that are not running elevated; the pre-staged payload is written by the attacker's low-privilege process, not by the installer.
- Installer processes (e.g., setup.exe, msiexec.exe) spawning child processes (Sysmon event 1, Windows event 4688) that access unusual paths.
- DLL loads from temporary directories during an install sequence (Sysmon event 7), especially unsigned DLLs loaded by an elevated installer.
A sample Sysmon configuration snippet for the first rule. The event filter is FileCreate (event 11); Sysmon does not expand %windir%, so the path is written literally; and the contains all condition requires both the path and the extension to appear in the file name (on Sysmon builds without contains all, use a begin with and an end with condition inside a Rule element with groupRelation="and"):
<RuleGroup name="Detect PE creation in Windows Temp" groupRelation="or">
  <FileCreate onmatch="include">
    <TargetFilename condition="contains all">C:\Windows\Temp\;.exe</TargetFilename>
    <TargetFilename condition="contains all">C:\Windows\Temp\;.dll</TargetFilename>
    <TargetFilename condition="contains all">C:\Windows\Temp\;.sys</TargetFilename>
  </FileCreate>
</RuleGroup>
This rule also fires on the installer's own legitimate plugin drops, so downstream logic should correlate each event with the integrity level of the writing process rather than alert on every match.
Centralize telemetry from EDR and Sysmon to enable forensic analysis and post-incident review.
Medium- to Long-Term Strategy
Once immediate defensive measures are in place, engineering and security teams should build a sustainable remediation plan:
- Maintain a software bill of materials (SBOM) for engineering tools. Identify every installer that bundles NSIS or any third-party runtime. Cross-reference with Siemens ProductCERT advisories when updates appear.
- Adopt Privileged Access Workstations (PAWs) for all administrative tasks, especially software installation and firmware updates. PAWs are dedicated, hardened machines that minimize exposure to internet browsing, email, and removable media.
- Reduce user privileges on engineering hosts. Remove local administrator rights from day-to-day accounts and enforce Just-In-Time (JIT) elevation where possible.
- Subscribe to Siemens ProductCERT alerts and CISA ICS advisories. Create an internal ticketing workflow that triages each new advisory and tracks mitigation status until closure.
- Validate any future fixed installers. When Siemens releases rebuilds that incorporate NSIS 3.11, test them in an isolated environment before broad deployment. Verify that the installer creates directories with restricted access and that your EDR tools do not detect anomalous behavior.
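An added example, not Siemens or NSIS tooling, for the inventory step and for validating rebuilt installers: scan a repository of installers, identify those built with NSIS, and flag any whose embedded runtime version is older than the fixed 3.11. It assumes the NSIS stub carries the "NullsoftInst" header marker and the literal string "Nullsoft Install System vX.YY" near the front of the file; a file with the marker but no version string is reported as needing review, never as fixed. The repository path in the usage line is a placeholder.

```powershell
# Added example (not Siemens or NSIS tooling): inventory installers in a software
# repository, identify those built with NSIS and flag any whose embedded runtime
# version is older than the fixed 3.11. Assumptions: the NSIS stub carries the
# "NullsoftInst" header marker and the literal string "Nullsoft Install System
# vX.YY"; a stub with the marker but no version string is reported as needing
# review, never as fixed. Both markers sit near the front of the file.

$FixedNsisVersion = [version]'3.11'
$ScanPrefixBytes  = 4MB        # enough to cover the stub without reading a whole package

function Get-NsisBuildInfo {
    param([Parameter(Mandatory)][byte[]]$Bytes, [string]$Label = '<bytes>')
    # Code page 28591 (Latin-1) maps each byte to one char, so ASCII markers survive decoding.
    $text    = [System.Text.Encoding]::GetEncoding(28591).GetString($Bytes)
    $isNsis  = $text.Contains('NullsoftInst')
    $version = $null
    if ($isNsis -and $text -match 'Nullsoft Install System v(\d+\.\d+)') {
        $version = [version]$Matches[1]
    }
    # NSIS with an unreadable version is treated as unpatched; non-NSIS files never need this fix.
    $needsFix = $isNsis -and (($null -eq $version) -or ($version -lt $FixedNsisVersion))
    [pscustomobject]@{
        Source   = $Label
        IsNsis   = $isNsis
        Version  = $version          # [version]'3.08' displays as 3.8 and sorts below 3.11
        NeedsFix = $needsFix
    }
}

function Find-NsisInstallers {
    # Scans every .exe under $Root and reports NSIS build information for each.
    param([Parameter(Mandatory)][string]$Root)
    Get-ChildItem -LiteralPath $Root -Recurse -File -Filter '*.exe' | ForEach-Object {
        $stream = [System.IO.File]::OpenRead($_.FullName)
        try {
            $buf  = [byte[]]::new([int][Math]::Min($stream.Length, $ScanPrefixBytes))
            $null = $stream.Read($buf, 0, $buf.Length)
        } finally {
            $stream.Dispose()
        }
        Get-NsisBuildInfo -Bytes $buf -Label $_.FullName
    }
}

# Constructed sample, not a real installer: a fake stub prefix carrying both markers
# and a pre-fix version string, to exercise the parser offline.
$sample = [System.Text.Encoding]::ASCII.GetBytes('MZ....NullsoftInst....Nullsoft Install System v3.08....')
Get-NsisBuildInfo -Bytes $sample -Label 'constructed-sample' | Format-List

# Live use against a repository share (placeholder path); NeedsFix rows are the ones to hold back.
# Find-NsisInstallers -Root '\\fileserver\engineering\installers' | Where-Object NeedsFix
```

A version at or above 3.11 only says the NSIS runtime inside that file is patched; the Siemens advisory remains the authority on which SKUs are affected, and an installer that wraps an NSIS stub inside another packager may not show the marker in its first few megabytes, so an IsNsis of False is not proof of absence.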
Detection and Post-Compromise Indicators
Even with mitigations, assume that some installations may occur outside of controlled windows. Hunt for these signs of exploitation:
- New executable files timestamped during an install window and located in %WINDIR%\temp or a subfolder, such as an ns*.tmp plugins directory.
- Token elevation correlated with installer execution: Event ID 4624 with Elevated Token = Yes, or Event ID 4688 for the installer image with Token Elevation Type %%1937 (full token).
- Persistence mechanisms appearing immediately after a setup completes—new scheduled tasks, services, or Run registry keys.
- Network connections from the installer process to Internet endpoints (command-and-control callbacks).
Retain EDR and event logs for at least 90 days to support historical investigations. If a compromise is suspected, isolate the affected workstation and perform a full forensic re-image rather than attempting to clean the system.
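An added hunting example, not from the Siemens or CISA advisories, that turns the first detection rule and the first post-compromise indicator into a query: it finds PE files dropped under %WINDIR%\Temp by a process that was not running elevated, which is the shape of the pre-staging half of this race. Sysmon's FileCreate (event 11) carries no integrity level, so each drop is joined to its ProcessCreate (event 1) on ProcessGuid. The constructed records make the logic runnable offline; Get-TempDropFindings reads the live Sysmon log and assumes Sysmon is installed with a configuration that logs events 1 and 11 for this path (and a build recent enough to include the User field on event 11).

```powershell
# Added example (not from the Siemens or CISA advisories): hunt Sysmon telemetry
# for PE files dropped under %WINDIR%\Temp by a process that was NOT running
# elevated. FileCreate (event 11) carries no integrity level, so each drop is
# joined to its ProcessCreate (event 1) on ProcessGuid. The constructed records
# below make it runnable offline; Get-TempDropFindings reads the live Sysmon log
# and assumes the Sysmon config logs events 1 and 11 for this path.

$TempRoot       = Join-Path $env:WINDIR 'Temp'
$PeExtensions   = '.exe', '.dll', '.sys'
$ElevatedLevels = 'High', 'System'     # Sysmon IntegrityLevel values of an elevated installer

function Find-TempPeDrops {
    param(
        [AllowEmptyCollection()][object[]]$ProcessCreates = @(),   # event 1 records
        [AllowEmptyCollection()][object[]]$FileCreates    = @()    # event 11 records
    )
    $byGuid = @{}
    foreach ($p in $ProcessCreates) { $byGuid[$p.ProcessGuid] = $p }

    foreach ($f in $FileCreates) {
        $underTemp = $f.TargetFilename.StartsWith("$TempRoot\", [StringComparison]::OrdinalIgnoreCase)
        $isPe = $PeExtensions -contains [System.IO.Path]::GetExtension($f.TargetFilename).ToLowerInvariant()
        if (-not ($underTemp -and $isPe)) { continue }

        $creator = $byGuid[$f.ProcessGuid]
        $level   = if ($creator) { $creator.IntegrityLevel } else { 'Unknown' }
        # An elevated installer legitimately drops its own plugins here; a medium- or
        # low-integrity writer, or one that cannot be attributed, is the anomaly.
        if ($ElevatedLevels -contains $level) { continue }
        [pscustomobject]@{
            UtcTime        = $f.UtcTime
            TargetFilename = $f.TargetFilename
            User           = $f.User
            Image          = $f.Image
            IntegrityLevel = $level
            ParentImage    = $(if ($creator) { $creator.ParentImage })
        }
    }
}

function ConvertFrom-SysmonRecord {
    # Flattens an event record's EventData into one object keyed by field name.
    param([Parameter(Mandatory)]$Record)
    $xml   = [xml]$Record.ToXml()
    $props = [ordered]@{ Id = $Record.Id; TimeCreated = $Record.TimeCreated }
    foreach ($d in $xml.Event.EventData.Data) { $props[$d.Name] = $d.'#text' }
    [pscustomobject]$props
}

function Get-TempDropFindings {
    # Live query; an empty window yields no findings rather than an error.
    param([datetime]$Since = (Get-Date).AddHours(-24))
    $events = Get-WinEvent -FilterHashtable @{
        LogName = 'Microsoft-Windows-Sysmon/Operational'; Id = 1, 11; StartTime = $Since
    } -ErrorAction SilentlyContinue | ForEach-Object { ConvertFrom-SysmonRecord $_ }
    Find-TempPeDrops -ProcessCreates @($events | Where-Object Id -eq 1) `
                     -FileCreates   @($events | Where-Object Id -eq 11)
}

# Constructed sample records (not real telemetry; GUIDs and paths are placeholders):
# a medium-integrity process writing a DLL into a plugins-style directory under
# Windows\Temp, an elevated installer dropping its own plugin there, and a non-PE
# write outside Windows\Temp.
$sampleProcs = @(
    [pscustomobject]@{ Id = 1; ProcessGuid = '{A}'; Image = 'C:\Users\eng\Downloads\stage.exe'
                       ParentImage = 'C:\Windows\explorer.exe'; IntegrityLevel = 'Medium'; User = 'LAB\eng' }
    [pscustomobject]@{ Id = 1; ProcessGuid = '{B}'; Image = 'D:\SIMOTION\Setup.exe'
                       ParentImage = 'C:\Windows\explorer.exe'; IntegrityLevel = 'High'; User = 'LAB\eng' }
)
$sampleFiles = @(
    [pscustomobject]@{ Id = 11; ProcessGuid = '{A}'; UtcTime = '2025-09-10 07:58:01.000'; User = 'LAB\eng'
                       Image = 'C:\Users\eng\Downloads\stage.exe'; TargetFilename = "$TempRoot\nsa1234.tmp\System.dll" }
    [pscustomobject]@{ Id = 11; ProcessGuid = '{B}'; UtcTime = '2025-09-10 08:01:44.000'; User = 'LAB\eng'
                       Image = 'D:\SIMOTION\Setup.exe'; TargetFilename = "$TempRoot\nsb5678.tmp\System.dll" }
    [pscustomobject]@{ Id = 11; ProcessGuid = '{A}'; UtcTime = '2025-09-10 07:58:05.000'; User = 'LAB\eng'
                       Image = 'C:\Users\eng\Downloads\stage.exe'; TargetFilename = 'C:\Users\eng\AppData\Local\Temp\notes.txt' }
)
Find-TempPeDrops -ProcessCreates $sampleProcs -FileCreates $sampleFiles | Format-Table -AutoSize
```

Two design points: the join keeps the rule quiet during a legitimate elevated install, which drops its own plugins into exactly the same kind of directory, and a drop that cannot be attributed to any process-create record is reported rather than discarded, because a missing event 1 in the window is itself worth a look.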
Broader Implications for ICS Security
The SIMOTION advisory is part of a worrying trend affecting engineering toolchains throughout 2024–2025. Similar installer-based or unsafe deserialization flaws have impacted multiple vendors, often with the same consequence: local access on a workstation can quickly escalate to control over physical processes. Security programs must elevate the protection of engineering workstations to the same level as domain controllers or SCADA servers.
Engineering desktops are not just office computers; they are the pivot point between the IT and OT worlds. Hardening them—through application control, privileged access management, and aggressive monitoring—is not optional for organizations that operate critical infrastructure.
Next Steps for Teams
Distribute this concise checklist to IT, OT, and engineering leads:
- Halt all non-critical SIMOTION installations until a vendor fix is verified for your product.
- Run mandatory installs only on isolated, single-user hosts with no external media attached.
- Tighten %WINDIR%\temp permissions and enforce application allowlisting.
- Activate EDR detections tailored to installer race conditions.
- Bookmark Siemens ProductCERT SSA-563922 and monitor for updates; move to patched installers as soon as they are released.
Siemens ProductCERT remains the authoritative channel for remediation timelines. CISA will disseminate any follow-on alerts, but the ultimate path to resolution runs through the vendor’s release of rebuilt installers. Until that happens, the workarounds described here represent the best defense against a threat that, while not yet seen in the wild, is too dangerous to ignore in production environments.