Google Chrome Type Confusion Vulnerability in Siemens Products

Act Now8.1SSA-365200Oct 14, 2025

Attack VectorNetwork

Auth RequiredNone

ComplexityLow

User InteractionRequired

Summary

Multiple Siemens products (HyperLynx and Industrial Edge App Publisher) contain a type confusion vulnerability in the embedded Google Chrome browser component (prior to version 138.0.7204.96). This vulnerability allows a remote attacker to perform arbitrary code execution via a crafted HTML page when a user opens the page in the vulnerable application. Exploitation requires user interaction but does not require authentication or special privileges.

What this means

What could happen

An attacker could execute arbitrary code on Siemens engineering and deployment workstations by sending a crafted HTML page or luring a user to visit a malicious website. This could compromise design data, allow unauthorized changes to industrial configurations, or disrupt manufacturing operations.

Who's at risk

Manufacturing organizations using Siemens HyperLynx (PCB design and analysis tool) and Industrial Edge App Publisher (edge computing deployment platform) on engineering and edge computing workstations. This affects design teams, commissioning engineers, and OT operators who use these tools to develop, deploy, and manage manufacturing automation systems.

How it could be exploited

An attacker crafts a malicious HTML page that exploits a type confusion flaw in the embedded Chrome browser component. When an engineer or operator opens the page (via email, web link, or local access), the browser executes arbitrary code in the context of the Siemens application. The attacker gains the same privileges as the user running HyperLynx or Industrial Edge App Publisher.

Prerequisites

User must interact with a malicious HTML page or website (requires social engineering or local access)
Vulnerable version of HyperLynx or Industrial Edge App Publisher must be installed on the system

Remotely exploitable via crafted HTMLLow complexity attackActively exploited (KEV)No authentication required for attackAffects engineering workstations that may have access to production systems

Exploitability

Actively exploited — confirmed by CISA KEV

Affected products (2)

2 with fix

ProductAffected VersionsFix Status

HyperLynx< 2510.00012510.0001

Industrial Edge App Publisher< 1.23.51.23.5

Remediation & Mitigation

0/4

Do now

0/3

HyperLynx

HOTFIXUpdate HyperLynx to version 2510.0001 or later

Industrial Edge App Publisher

HOTFIXUpdate Industrial Edge App Publisher to version 1.23.5 or later

All products

WORKAROUNDDo not open untrusted or unexpected HTML files or links in affected applications

Long-term hardening

0/1

HARDENINGRestrict user access to affected workstations and disable internet browsing on engineering systems where feasible

CVEs (1)

CVE-2025-6554

View full Siemens ProductCERT advisory

↑↓ Navigate · Esc Close

API: /api/v1/advisories/4e774ae9-3137-4460-8afe-079ed38cf44a