Authentication Bypass Vulnerability in Siemens SIMATIC CP and SIPLUS ET 200SP Devices
A critical authentication bypass vulnerability, tracked as CVE-2025-40771 with a CVSS score of 9.8, has been discovered in Siemens SIMATIC CP and SIPLUS ET 200SP industrial communication modules. The flaw affects multiple device models, including SIMATIC CP 1542SP-1, CP 1542SP-1 IRC, CP 1543SP-1, as well as SIPLUS ET 200SP CP 1542SP-1 IRC TX RAIL, CP 1543SP-1 ISEC, and CP 1543SP-1 ISEC TX RAIL, specifically all versions prior to V2.4.24. The vulnerability arises from improper authentication of configuration connections, which allows unauthenticated remote attackers to gain access to sensitive configuration data on affected devices. This issue is particularly severe because it does not require any prior authentication, enabling attackers to exploit the flaw remotely without credentials. The vulnerability could be leveraged to compromise the integrity and confidentiality of industrial control systems that rely on these modules for network communication. Siemens has acknowledged the vulnerability and has released advisories to inform customers of the affected product versions. The flaw was reported by Siemens ProductCERT, and the company has urged users to update to the latest firmware version (V2.4.24 or later) to mitigate the risk. Exploitation of this vulnerability could allow attackers to alter device configurations, potentially disrupting industrial processes or enabling further attacks within operational technology environments. The vulnerability is considered critical due to the widespread use of these modules in industrial automation and the potential impact on critical infrastructure. Security researchers have highlighted the risk of remote exploitation, emphasizing the need for immediate patching and network segmentation to protect vulnerable devices. Organizations are advised to review their asset inventories to identify affected devices and prioritize remediation efforts. In addition to patching, Siemens recommends implementing network security best practices, such as restricting access to configuration interfaces and monitoring for unauthorized connection attempts. The disclosure of CVE-2025-40771 underscores the ongoing challenges in securing industrial control systems against remote attacks. The vulnerability was publicly disclosed in mid-October 2025, and security advisories have been disseminated to raise awareness among industrial operators. The incident highlights the importance of timely vulnerability management and the need for robust authentication mechanisms in critical infrastructure devices. Failure to address this vulnerability could result in significant operational disruptions and potential safety risks in industrial environments. The security community continues to monitor for signs of exploitation in the wild, and organizations are encouraged to stay informed about further updates from Siemens and relevant CERTs.
Get ahead of threats like this
Mallory correlates global threat intelligence with your attack surface — know if you’re exposed before adversaries strike.
How this story unfolded
2 events from the most recent confirmed update back to the earliest known activity.
Siemens recommends firmware updates to remediate CVE-2025-40771
Siemens advised customers to update impacted devices to firmware version V2.4.24 or later to address the authentication bypass vulnerability. Siemens rated the issue Critical, with a CVSS v3.1 score of 9.8 and CVSS v4.0 score of 9.3.
Siemens publishes advisory for CVE-2025-40771
Siemens ProductCERT published advisory SSA-486936 for CVE-2025-40771, a critical authentication bypass affecting multiple SIMATIC CP and SIPLUS ET 200SP communication processor models. The flaw allows remote unauthenticated access to configuration data because affected devices do not properly authenticate configuration connections.
Related entities
Vulnerabilities, threat actors, malware, products, organizations, and breaches Mallory has linked to this story.
Sources
2 references tracked. Mallory keeps watching after this page renders.
Critical Siemens Flaw CVE-2025-40771 (CVSS 9.8) Allows Unauthenticated Remote Access to SIMATIC CP Config
securityonline.info
Open sourceCVE-2025-40771 - Siemens SIMATIC CP and SIPLUS ET 200SP Configuration Authentication Bypass Vulnerability
cvefeed.io
Open sourceSee the full picture, correlated to your attack surface.
Map indicators from this story to your assets and identify affected systems in minutes.
Every observed campaign, victim, and pivot linked to actors named in this story.
Malware, exploits, and IOCs connected to the activity described here.
YARA, Sigma, and Snort rules deployed to your SIEM as soon as they’re published.
Get matching new stories delivered to your team as they break — not the next morning.
Ask questions about this story and take action on the answers.
Related stories
Other stories Mallory is tracking that overlap on entities, sources, or topic labels.
Multiple Critical Vulnerabilities Disclosed in Industrial Control Systems by CISA
CISA released thirteen advisories detailing critical vulnerabilities affecting a range of industrial control system (ICS) products from major vendors including Rockwell Automation, Siemens, Hitachi Energy, Schneider Electric, and Delta Electronics. The advisories highlight severe security flaws such as missing authentication for critical functions, improper authorization, buffer overflows, SQL injection, and improper certificate validation. For Siemens TeleControl Server Basic, a vulnerability (CVE-2025-40765) allows unauthenticated remote attackers to obtain password hashes and perform authenticated operations on the database service, with a CVSS v3.1 score of 9.8, indicating critical risk. Rockwell Automation's FactoryTalk View Machine Edition and PanelView Plus 7 are susceptible to path traversal and improper authorization, potentially granting attackers unauthorized access to device file systems and sensitive diagnostic information. FactoryTalk ViewPoint is vulnerable to XML external entity injection, which could result in denial-of-service conditions. Siemens SiPass Integrated faces multiple issues, including buffer overflows and cross-site scripting, which could enable arbitrary code execution and unauthorized access. The Siemens SIMATIC ET 200SP Communication Processors have a missing authentication flaw that could allow attackers to access configuration data remotely. Siemens SINEC NMS is affected by a SQL injection vulnerability that could let low-privileged users escalate privileges. Siemens Solid Edge products are exposed to out-of-bounds read and write vulnerabilities, risking application crashes or code execution. Siemens HyperLynx and Industrial Edge App Publisher are vulnerable to type confusion, potentially leading to arbitrary code execution via crafted HTML pages. Hitachi Energy MACH GWS products have incorrect default permissions and improper validation issues, which could allow attackers to tamper with system files, cause denial of service, or perform man-in-the-middle attacks. The advisories provide technical details, affected product versions, and recommended mitigations, urging administrators to review and apply patches or workarounds. The vulnerabilities impact critical infrastructure sectors such as manufacturing, energy, water, and transportation, with products deployed worldwide. Many of the flaws are remotely exploitable with low attack complexity, increasing the urgency for remediation. CISA emphasizes the importance of timely action to prevent exploitation, as several vulnerabilities could lead to unauthorized access, data manipulation, or disruption of essential services. The advisories also reference the need to consult vendor-specific security updates for the most current information. Organizations are advised to assess their exposure, prioritize patching, and implement recommended security controls to mitigate these risks. The coordinated disclosure underscores the ongoing threat to ICS environments and the necessity for robust security practices across operational technology networks.
Mar 21, 2026
Siemens SICAM 8 Flaws Expose OT Devices to Denial-of-Service
Siemens disclosed multiple vulnerabilities in **SICAM 8** industrial control system products affecting **CPCI85 Central Processing/Communication**, **RTUM85 RTU Base**, and the **SICORE Base system**, with vulnerable versions identified as releases prior to **V26.10** or **V26.10.0** depending on the product. The issues are tracked as **`CVE-2026-27663`** and **`CVE-2026-27664`**, and can allow denial-of-service conditions in operational technology environments. Siemens published advisory **`SSA-246443`**, while the Canadian Centre for Cyber Security and CISA both urged asset owners to review the vendor guidance and apply the recommended updates. According to CISA, **`CVE-2026-27663`** is a resource exhaustion flaw in remote operation mode that can block parameterization and may require a reset or reboot, while **`CVE-2026-27664`** is an out-of-bounds write triggered by specially crafted XML input that can crash the affected service. Siemens has released fixed versions and advised organizations to validate patches before deployment and harden network access with segmentation, firewalls, and VPNs; CISA further recommended minimizing internet exposure of control systems and isolating OT networks from business networks to reduce the risk of disruption.
Apr 2, 2026
Siemens Issues Security Updates for Multiple Industrial and Engineering Products
**Siemens published security advisories for multiple products**, prompting both CISA ICS advisories and a Canadian Centre for Cyber Security alert covering a broad set of affected industrial/engineering software and OT-adjacent components. Reported issues include a **stored XSS** in *Siemens Polarion* (CVE-2025-40587; CVSS 7.6) where authenticated users can inject JavaScript via crafted document titles, and **local privilege escalation** paths in *Siemens SINEC NMS* and its *User Management Component (UMC)* (CVE-2026-25655, CVE-2026-25656; CVSS 7.8) that allow low-privileged users to modify configuration/search paths to load malicious DLLs and potentially gain elevated execution (including SYSTEM-level impact). Siemens also addressed a **missing authorization** condition affecting *Siveillance Video Management Servers* Webhooks/MIP Webhooks API (CVSS 6.3), enabling a read-only user to obtain full API access. Additional advisories cover file-parsing and third-party component risks that can lead to crashes or potential code execution. *Siemens NX* is affected by multiple **CGM file parsing** flaws (CVE-2026-22923/22924/22925; CVSS 7.8) that can be triggered when a user opens a malicious file, and *Siemens Solid Edge* includes an **out-of-bounds read** in the PS/IGES Parasolid translator when processing crafted IGS files (CVSS 7.8). *Desigo CC* and *SENTRON Powermanager* are impacted via the third-party *WIBU Systems CodeMeter Runtime* chain tied to **CVE-2023-38545** (curl SOCKS5 heap overflow; CVSS 8.8), with Siemens providing component update instructions. *Siemens SINEC OS* before V3.3 aggregates a large set of third-party CVEs across supported platforms, and *Siemens COMOS* advisories include multiple issues (up to CVSS 10) spanning potential code execution, DoS, data exposure, and access control violations; Siemens recommends updating where fixes are available and applying countermeasures where they are not yet released.
May 14, 2026