Authentication Bypass Vulnerability in Siemens SIMATIC CP and SIPLUS ET 200SP Devices
A critical authentication bypass vulnerability, tracked as CVE-2025-40771 with a CVSS score of 9.8, has been discovered in Siemens SIMATIC CP and SIPLUS ET 200SP industrial communication modules. The flaw affects multiple device models, including SIMATIC CP 1542SP-1, CP 1542SP-1 IRC, CP 1543SP-1, as well as SIPLUS ET 200SP CP 1542SP-1 IRC TX RAIL, CP 1543SP-1 ISEC, and CP 1543SP-1 ISEC TX RAIL, specifically all versions prior to V2.4.24. The vulnerability arises from improper authentication of configuration connections, which allows unauthenticated remote attackers to gain access to sensitive configuration data on affected devices. This issue is particularly severe because it does not require any prior authentication, enabling attackers to exploit the flaw remotely without credentials. The vulnerability could be leveraged to compromise the integrity and confidentiality of industrial control systems that rely on these modules for network communication. Siemens has acknowledged the vulnerability and has released advisories to inform customers of the affected product versions. The flaw was reported by Siemens ProductCERT, and the company has urged users to update to the latest firmware version (V2.4.24 or later) to mitigate the risk. Exploitation of this vulnerability could allow attackers to alter device configurations, potentially disrupting industrial processes or enabling further attacks within operational technology environments. The vulnerability is considered critical due to the widespread use of these modules in industrial automation and the potential impact on critical infrastructure. Security researchers have highlighted the risk of remote exploitation, emphasizing the need for immediate patching and network segmentation to protect vulnerable devices. Organizations are advised to review their asset inventories to identify affected devices and prioritize remediation efforts. In addition to patching, Siemens recommends implementing network security best practices, such as restricting access to configuration interfaces and monitoring for unauthorized connection attempts. The disclosure of CVE-2025-40771 underscores the ongoing challenges in securing industrial control systems against remote attacks. The vulnerability was publicly disclosed in mid-October 2025, and security advisories have been disseminated to raise awareness among industrial operators. The incident highlights the importance of timely vulnerability management and the need for robust authentication mechanisms in critical infrastructure devices. Failure to address this vulnerability could result in significant operational disruptions and potential safety risks in industrial environments. The security community continues to monitor for signs of exploitation in the wild, and organizations are encouraged to stay informed about further updates from Siemens and relevant CERTs.
Sources
Related Stories
Multiple Critical Vulnerabilities Disclosed in Industrial Control Systems by CISA
CISA released thirteen advisories detailing critical vulnerabilities affecting a range of industrial control system (ICS) products from major vendors including Rockwell Automation, Siemens, Hitachi Energy, Schneider Electric, and Delta Electronics. The advisories highlight severe security flaws such as missing authentication for critical functions, improper authorization, buffer overflows, SQL injection, and improper certificate validation. For Siemens TeleControl Server Basic, a vulnerability (CVE-2025-40765) allows unauthenticated remote attackers to obtain password hashes and perform authenticated operations on the database service, with a CVSS v3.1 score of 9.8, indicating critical risk. Rockwell Automation's FactoryTalk View Machine Edition and PanelView Plus 7 are susceptible to path traversal and improper authorization, potentially granting attackers unauthorized access to device file systems and sensitive diagnostic information. FactoryTalk ViewPoint is vulnerable to XML external entity injection, which could result in denial-of-service conditions. Siemens SiPass Integrated faces multiple issues, including buffer overflows and cross-site scripting, which could enable arbitrary code execution and unauthorized access. The Siemens SIMATIC ET 200SP Communication Processors have a missing authentication flaw that could allow attackers to access configuration data remotely. Siemens SINEC NMS is affected by a SQL injection vulnerability that could let low-privileged users escalate privileges. Siemens Solid Edge products are exposed to out-of-bounds read and write vulnerabilities, risking application crashes or code execution. Siemens HyperLynx and Industrial Edge App Publisher are vulnerable to type confusion, potentially leading to arbitrary code execution via crafted HTML pages. Hitachi Energy MACH GWS products have incorrect default permissions and improper validation issues, which could allow attackers to tamper with system files, cause denial of service, or perform man-in-the-middle attacks. The advisories provide technical details, affected product versions, and recommended mitigations, urging administrators to review and apply patches or workarounds. The vulnerabilities impact critical infrastructure sectors such as manufacturing, energy, water, and transportation, with products deployed worldwide. Many of the flaws are remotely exploitable with low attack complexity, increasing the urgency for remediation. CISA emphasizes the importance of timely action to prevent exploitation, as several vulnerabilities could lead to unauthorized access, data manipulation, or disruption of essential services. The advisories also reference the need to consult vendor-specific security updates for the most current information. Organizations are advised to assess their exposure, prioritize patching, and implement recommended security controls to mitigate these risks. The coordinated disclosure underscores the ongoing threat to ICS environments and the necessity for robust security practices across operational technology networks.
5 months ago
Siemens Issues Security Updates for Multiple Industrial and Engineering Products
**Siemens published security advisories for multiple products**, prompting both CISA ICS advisories and a Canadian Centre for Cyber Security alert covering a broad set of affected industrial/engineering software and OT-adjacent components. Reported issues include a **stored XSS** in *Siemens Polarion* (CVE-2025-40587; CVSS 7.6) where authenticated users can inject JavaScript via crafted document titles, and **local privilege escalation** paths in *Siemens SINEC NMS* and its *User Management Component (UMC)* (CVE-2026-25655, CVE-2026-25656; CVSS 7.8) that allow low-privileged users to modify configuration/search paths to load malicious DLLs and potentially gain elevated execution (including SYSTEM-level impact). Siemens also addressed a **missing authorization** condition affecting *Siveillance Video Management Servers* Webhooks/MIP Webhooks API (CVSS 6.3), enabling a read-only user to obtain full API access. Additional advisories cover file-parsing and third-party component risks that can lead to crashes or potential code execution. *Siemens NX* is affected by multiple **CGM file parsing** flaws (CVE-2026-22923/22924/22925; CVSS 7.8) that can be triggered when a user opens a malicious file, and *Siemens Solid Edge* includes an **out-of-bounds read** in the PS/IGES Parasolid translator when processing crafted IGS files (CVSS 7.8). *Desigo CC* and *SENTRON Powermanager* are impacted via the third-party *WIBU Systems CodeMeter Runtime* chain tied to **CVE-2023-38545** (curl SOCKS5 heap overflow; CVSS 8.8), with Siemens providing component update instructions. *Siemens SINEC OS* before V3.3 aggregates a large set of third-party CVEs across supported platforms, and *Siemens COMOS* advisories include multiple issues (up to CVSS 10) spanning potential code execution, DoS, data exposure, and access control violations; Siemens recommends updating where fixes are available and applying countermeasures where they are not yet released.
1 months ago
Siemens SIMATIC and SICAM Products Vulnerable to Trace-File Code Injection and Other Flaws
CISA published an ICS advisory warning that multiple **Siemens SIMATIC** controllers do not properly sanitize the contents of imported trace files, enabling **code injection** if an attacker can socially engineer a legitimate user into importing a specially crafted trace file. The affected product set includes a broad range of *SIMATIC* devices, including **SIMATIC Drive Controller CPU 1504D/1507D TF**, multiple **SIMATIC ET 200SP** CPU variants (including fail-safe models), and **SIMATIC S7-1500** CPUs, among others. CERT-FR also issued an advisory covering **multiple vulnerabilities in Siemens products**, listing impacts that include **remote code execution**, **denial of service**, and **indirect code injection (XSS)**, and enumerating overlapping affected systems such as the same *SIMATIC Drive Controller* and *SIMATIC ET 200SP* families. CERT-FR explicitly references **CVE-2025-40943** for several of these SIMATIC devices and additionally notes other Siemens components (e.g., **SICAM SIAPP SDK** versions prior to `2.1.7`), indicating the Siemens security updates/mitigations span more than one product line and vulnerability class beyond the trace-file injection issue highlighted by CISA.
5 days ago