As of January 10, 2023, CISA will no longer be updating ICS security advisories for Siemens product vulnerabilities beyond the initial advisory. For the most up-to-date information on vulnerabilities in this advisory, please see Siemens' ProductCERT Security Advisories (CERT Services | Services | Siemens Global).

View CSAF

1. EXECUTIVE SUMMARY

• CVSS v4 8.2
• ATTENTION: Low Attack Complexity
• Vendor: Siemens
• Equipment: Teamcenter Visualization
• Vulnerability: Out-of-bounds Read

2. RISK EVALUATION

Successful exploitation of this vulnerability could allow an attacker to execute code in the context of the current process.

3. TECHNICAL DETAILS 3.1 AFFECTED PRODUCTS

Siemens reports that the following products are affected:

• Siemens Teamcenter Visualization V14.3: All versions prior to V14.3.0.14
• Siemens Teamcenter Visualization V2312: All versions prior to V2312.0010
• Siemens Teamcenter Visualization V2406: All versions prior to V2406.0008
• Siemens Teamcenter Visualization V2412: All versions prior to V2412.0004

3.2 VULNERABILITY OVERVIEW 3.2.1 OUT-OF-BOUNDS READ CWE-125

The affected applications contain an out of bounds read past the end of an allocated structure while parsing specially crafted WRL files. This could allow an attacker to execute code in the context of the current process.

CVE-2025-32454 has been assigned to this vulnerability. A CVSS v3.1 base score of 7.8 has been calculated; the CVSS vector string is (CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H).

A CVSS v4 score has also been calculated for CVE-2025-32454. A base score of 8.2 has been calculated; the CVSS vector string is (CVSS:4.0/AV:L/AC:H/AT:N/PR:N/UI:P/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N).

3.3 BACKGROUND

• CRITICAL INFRASTRUCTURE SECTORS: Critical Manufacturing
• COUNTRIES/AREAS DEPLOYED: Worldwide
• COMPANY HEADQUARTERS LOCATION: Germany

3.4 RESEARCHER

Siemens reported this vulnerability to CISA.

4. MITIGATIONS

Siemens has identified the following specific workarounds and mitigations users can apply to reduce risk:

• All affected products: Do not open untrusted WRL files in affected applications
• Teamcenter Visualization V14.3: Update to V14.3.0.14 or later version
• Teamcenter Visualization V2312: Update to V2312.0010 or later version
• Teamcenter Visualization V2406: Update to V2406.0008 or later version
• Teamcenter Visualization V2412: Update to V2412.0004 or later version

As a general security measure, Siemens recommends protecting network access to devices with appropriate mechanisms. To operate the devices in a protected IT environment, Siemens recommends configuring the environment according to Siemens' operational guidelines for industrial security and following recommendations in the product manuals.

Additional information on industrial security by Siemens can be found on the Siemens industrial security webpage

For more information see the associated Siemens security advisory SSA-542540 in HTML and CSAF.

CISA recommends users take defensive measures to minimize the risk of exploitation of this vulnerability, such as:

• Minimize network exposure for all control system devices and/or systems, ensuring they are not accessible from the internet.
• Locate control system networks and remote devices behind firewalls and isolating them from business networks.
• When remote access is required, use more secure methods, such as Virtual Private Networks (VPNs). Recognize VPNs may have vulnerabilities, should be updated to the most recent version available, and are only as secure as the connected devices.

CISA reminds organizations to perform proper impact analysis and risk assessment prior to deploying defensive measures.

CISA also provides a section for control systems security recommended practices on the ICS webpage on cisa.gov. Several CISA products detailing cyber defense best practices are available for reading and download, including Improving Industrial Control Systems Cybersecurity with Defense-in-Depth Strategies.

CISA encourages organizations to implement recommended cybersecurity strategies for proactive defense of ICS assets.

Additional mitigation guidance and recommended practices are publicly available on the ICS webpage at cisa.gov in the technical information paper, ICS-TIP-12-146-01B--Targeted Cyber Intrusion Detection and Mitigation Strategies.

Organizations observing suspected malicious activity should follow established internal procedures and report findings to CISA for tracking and correlation against other incidents.

CISA also recommends users take the following measures to protect themselves from social engineering attacks:

• Do not click web links or open attachments in unsolicited email messages.
• Refer to Recognizing and Avoiding Email Scams for more information on avoiding email scams.
• Refer to Avoiding Social Engineering and Phishing Attacks for more information on social engineering attacks.

No known public exploitation specifically targeting this vulnerability has been reported to CISA at this time. This vulnerability is not exploitable remotely.

5. UPDATE HISTORY

May 15, 2025: Initial Republication of Siemens SSA-542540

As of January 10, 2023, CISA will no longer be updating ICS security advisories for Siemens product vulnerabilities beyond the initial advisory. For the most up-to-date information on vulnerabilities in this advisory, please see Siemens' ProductCERT Security Advisories (CERT Services | Services | Siemens Global).

View CSAF

1. EXECUTIVE SUMMARY

• CVSS v4 10.0
• ATTENTION: Exploitable remotely/low attack complexity
• Vendor: Siemens
• Equipment: IPC RS-828A
• Vulnerability: Authentication Bypass by Spoofing

2. RISK EVALUATION

Successful exploitation of this vulnerability could allow an attacker to gain unauthorized access and compromise confidentiality, integrity and availability of the BMC and thus the entire system.

3. TECHNICAL DETAILS 3.1 AFFECTED PRODUCTS

Siemens reports the following rugged industrial PCs are affected:

• SIMATIC IPC RS-828A: All versions

3.2 VULNERABILITY OVERVIEW 3.2.1 AUTHENTICATION BYPASS BY SPOOFING CWE-290

AMI's SPx contains a vulnerability in the BMC where an attacker may bypass authentication remotely through the Redfish Host Interface. A successful exploitation of this vulnerability may lead to a loss of confidentiality, integrity, and/or availability.

CVE-2024-54085 has been assigned to this vulnerability. A CVSS v3.1 base score of 10.0 has been calculated; the CVSS vector string is (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H).

A CVSS v4 score has also been calculated for CVE-2024-54085. A base score of 10.0 has been calculated; the CVSS vector string is (CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:H/SI:H/SA:H).

3.3 BACKGROUND

• CRITICAL INFRASTRUCTURE SECTORS: Commercial Facilities, Critical Manufacturing, Energy, Transportation Systems, Water and Wastewater Systems
• COUNTRIES/AREAS DEPLOYED: Worldwide
• COMPANY HEADQUARTERS LOCATION: Germany

3.4 RESEARCHER

Siemens reported this vulnerability to CISA.

4. MITIGATIONS

Siemens is preparing fix versions and recommends specific countermeasures for products where fixes are not, or not yet available. Ensure access to the BMC network interface (X1P1) is limited to trusted networks only.

As a general security measure, Siemens recommends protecting network access to devices with appropriate mechanisms. To operate the devices in a protected IT environment, Siemens recommends configuring the environment according to Siemens' operational guidelines for industrial security and following recommendations in the product manuals.

Additional information on industrial security by Siemens can be found on the Siemens industrial security webpage

For more information see the associated Siemens security advisory SSA-446307 in HTML and CSAF.

CISA recommends users take defensive measures to minimize the risk of exploitation of this vulnerability. CISA reminds organizations to perform proper impact analysis and risk assessment prior to deploying defensive measures.

CISA also provides a section for control systems security recommended practices on the ICS webpage on cisa.gov. Several CISA products detailing cyber defense best practices are available for reading and download, including Improving Industrial Control Systems Cybersecurity with Defense-in-Depth Strategies.

CISA encourages organizations to implement recommended cybersecurity strategies for proactive defense of ICS assets.

Additional mitigation guidance and recommended practices are publicly available on the ICS webpage at cisa.gov in the technical information paper, ICS-TIP-12-146-01B--Targeted Cyber Intrusion Detection and Mitigation Strategies.

Organizations observing suspected malicious activity should follow established internal procedures and report findings to CISA for tracking and correlation against other incidents.

No known public exploitation specifically targeting this vulnerability has been reported to CISA at this time.

5. UPDATE HISTORY

• May 15, 2025: Initial Republication of Siemens SSA-446307

As of January 10, 2023, CISA will no longer be updating ICS security advisories for Siemens product vulnerabilities beyond the initial advisory. For the most up-to-date information on vulnerabilities in this advisory, please see Siemens' ProductCERT Security Advisories (CERT Services | Services | Siemens Global).

View CSAF

1. EXECUTIVE SUMMARY

• CVSS v4 8.7
• ATTENTION: Exploitable from adjacent network/low attack complexity
• Vendor: Siemens
• Equipment: VersiCharge AC Series EV Chargers
• Vulnerabilities: Missing Immutable Root of Trust in Hardware, Initialization of a Resource with an Insecure Default

2. RISK EVALUATION

Successful exploitation of these vulnerabilities could allow an attacker to gain control of the chargers through default Modbus port or execute arbitrary code by manipulating the M0 firmware.

3. TECHNICAL DETAILS 3.1 AFFECTED PRODUCTS

Siemens reports that the following products are affected:

• Siemens IEC 1Ph 7.4kW Child socket (8EM1310-2EH04-0GA0): All versions (CVE-2025-31929)
• Siemens IEC 1Ph 7.4kW Parent socket (8EM1310-2EH04-3GA1): All versions prior to V2.135 (CVE-2025-31930)
• Siemens IEC 1Ph 7.4kW Parent socket incl. SIM (8EM1310-2EH04-3GA2): All versions (CVE-2025-31929)
• Siemens IEC 1Ph 7.4kW Parent socket incl. SIM (8EM1310-2EH04-3GA2): All versions prior to V2.135 (CVE-2025-31930)
• Siemens IEC 1Ph 7.4kW Parent socket/ shutter (8EM1310-2EN04-3GA1): All versions (CVE-2025-31929)
• Siemens IEC 1Ph 7.4kW Parent socket/ shutter (8EM1310-2EN04-3GA1): All versions prior to V2.135 (CVE-2025-31930)
• Siemens IEC 1Ph 7.4kW Parent socket/ shutter SIM (8EM1310-2EN04-3GA2): All versions (CVE-2025-31929)
• Siemens IEC 1Ph 7.4kW Parent socket/ shutter SIM (8EM1310-2EN04-3GA2): All versions prior to V2.135 (CVE-2025-31930)
• Siemens IEC 3Ph 22kW Child cable 7m (8EM1310-3EJ04-0GA0): All versions (CVE-2025-31929)
• Siemens IEC 3Ph 22kW Child cable 7m (8EM1310-3EJ04-0GA0): All versions prior to V2.135 (CVE-2025-31930)
• Siemens IEC 3Ph 22kW Child socket (8EM1310-3EH04-0GA0): All versions (CVE-2025-31929)
• Siemens IEC 1Ph 7.4kW Child socket (8EM1310-2EH04-0GA0): All versions prior to V2.135 (CVE-2025-31930)
• Siemens IEC 3Ph 22kW Child socket (8EM1310-3EH04-0GA0): All versions prior to V2.135 (CVE-2025-31930)
• Siemens IEC 3Ph 22kW Child socket/ shutter (8EM1310-3EN04-0GA0): All versions (CVE-2025-31929)
• Siemens IEC 3Ph 22kW Child socket/ shutter (8EM1310-3EN04-0GA0): All versions prior to V2.135 (CVE-2025-31930)
• Siemens IEC 3Ph 22kW Parent cable 7m (8EM1310-3EJ04-3GA1): All versions (CVE-2025-31929)
• Siemens IEC 3Ph 22kW Parent cable 7m (8EM1310-3EJ04-3GA1): All versions prior to V2.135 (CVE-2025-31930)
• Siemens IEC 3Ph 22kW Parent cable 7m incl. SIM (8EM1310-3EJ04-3GA2): All versions (CVE-2025-31929)
• Siemens IEC 3Ph 22kW Parent cable 7m incl. SIM (8EM1310-3EJ04-3GA2): All versions prior to V2.135 (CVE-2025-31930)
• Siemens IEC 3Ph 22kW Parent socket (8EM1310-3EH04-3GA1): All versions (CVE-2025-31929)
• Siemens IEC 3Ph 22kW Parent socket (8EM1310-3EH04-3GA1): All versions prior to V2.135 (CVE-2025-31930)
• Siemens IEC 3Ph 22kW Parent socket incl. SIM (8EM1310-3EH04-3GA2): All versions (CVE-2025-31929)
• Siemens IEC 1Ph 7.4kW Child socket/ shutter (8EM1310-2EN04-0GA0): All versions (CVE-2025-31929)
• Siemens IEC 3Ph 22kW Parent socket incl. SIM (8EM1310-3EH04-3GA2): All versions prior to V2.135 (CVE-2025-31930)
• Siemens IEC 3Ph 22kW Parent socket/ shutter (8EM1310-3EN04-3GA1): All versions (CVE-2025-31929)
• Siemens IEC 3Ph 22kW Parent socket/ shutter (8EM1310-3EN04-3GA1): All versions prior to V2.135 (CVE-2025-31930)
• Siemens IEC 3Ph 22kW Parent socket/ shutter SIM (8EM1310-3EN04-3GA2): All versions (CVE-2025-31929)
• Siemens IEC 3Ph 22kW Parent socket/ shutter SIM (8EM1310-3EN04-3GA2): All versions prior to V2.135 (CVE-2025-31930)
• Siemens IEC ERK 3Ph 22 kW Child cable 7m (8EM1310-3FJ04-0GA0): All versions (CVE-2025-31929)
• Siemens IEC ERK 3Ph 22 kW Child cable 7m (8EM1310-3FJ04-0GA0): All versions prior to V2.135 (CVE-2025-31930)
• Siemens IEC ERK 3Ph 22 kW Child cable 7m (8EM1310-3FJ04-0GA1): All versions (CVE-2025-31929)
• Siemens IEC ERK 3Ph 22 kW Child cable 7m (8EM1310-3FJ04-0GA1): All versions prior to V2.135 (CVE-2025-31930)
• Siemens IEC ERK 3Ph 22 kW Child cable 7m (8EM1310-3FJ04-0GA2): All versions (CVE-2025-31929)
• Siemens IEC 1Ph 7.4kW Child socket/ shutter (8EM1310-2EN04-0GA0): All versions prior to V2.135 (CVE-2025-31930)
• Siemens IEC ERK 3Ph 22 kW Child cable 7m (8EM1310-3FJ04-0GA2): All versions prior to V2.135 (CVE-2025-31930)
• Siemens IEC ERK 3Ph 22 kW Child socket (8EM1310-3FH04-0GA0): All versions (CVE-2025-31929)
• Siemens IEC ERK 3Ph 22 kW Child socket (8EM1310-3FH04-0GA0): All versions prior to V2.135 (CVE-2025-31930)
• Siemens IEC ERK 3Ph 22 kW Parent socket (8EM1310-3FH04-3GA1): All versions (CVE-2025-31929)
• Siemens IEC ERK 3Ph 22 kW Parent socket (8EM1310-3FH04-3GA1): All versions prior to V2.135 (CVE-2025-31930)
• Siemens IEC ERK 3Ph 22 kW Parent socket incl. SI (8EM1310-3FH04-3GA2): All versions (CVE-2025-31929)
• Siemens IEC ERK 3Ph 22 kW Parent socket incl. SI (8EM1310-3FH04-3GA2): All versions prior to V2.135 (CVE-2025-31930)
• Siemens UL Commercial Cellular 48A NTEP (8EM1310-5HF14-1GA2): All versions (CVE-2025-31929)
• Siemens UL Commercial Cellular 48A NTEP (8EM1310-5HF14-1GA2): All versions prior to V2.135 (CVE-2025-31930)
• Siemens UL Commercial Child 40A w/ 15118 HW (8EM1310-4CF14-0GA0): All versions (CVE-2025-31929)
• Siemens IEC 1Ph 7.4kW Parent cable 7m (8EM1310-2EJ04-3GA1): All versions (CVE-2025-31929)
• Siemens UL Commercial Child 40A w/ 15118 HW (8EM1310-4CF14-0GA0): All versions prior to V2.135 (CVE-2025-31930)
• Siemens UL Commercial Child 48A BA Compliant (8EM1315-5CG14-0GA0): All versions (CVE-2025-31929)
• Siemens UL Commercial Child 48A BA Compliant (8EM1315-5CG14-0GA0): All versions prior to V2.135 (CVE-2025-31930)
• Siemens UL Commercial Child 48A w/ 15118 HW (8EM1310-5CF14-0GA0): All versions (CVE-2025-31929)
• Siemens UL Commercial Child 48A w/ 15118 HW (8EM1310-5CF14-0GA0): All versions prior to V2.135 (CVE-2025-31930)
• Siemens UL Commercial Parent 40A with Simcard (8EM1310-4CF14-1GA2): All versions (CVE-2025-31929)
• Siemens UL Commercial Parent 40A with Simcard (8EM1310-4CF14-1GA2): All versions prior to V2.135 (CVE-2025-31930)
• Siemens UL Commercial Parent 48A (USPS) (8EM1317-5CG14-1GA2): All versions (CVE-2025-31929)
• Siemens UL Commercial Parent 48A (USPS) (8EM1317-5CG14-1GA2): All versions prior to V2.135 (CVE-2025-31930)
• Siemens UL Commercial Parent 48A BA Compliant (8EM1315-5CG14-1GA2): All versions (CVE-2025-31929)
• Siemens IEC 1Ph 7.4kW Parent cable 7m (8EM1310-2EJ04-3GA1): All versions prior to V2.135 (CVE-2025-31930)
• Siemens UL Commercial Parent 48A BA Compliant (8EM1315-5CG14-1GA2): All versions prior to V2.135 (CVE-2025-31930)
• Siemens UL Commercial Parent 48A with Simcard BA (8EM1310-5CF14-1GA2): All versions (CVE-2025-31929)
• Siemens UL Commercial Parent 48A with Simcard BA (8EM1310-5CF14-1GA2): All versions prior to V2.135 (CVE-2025-31930)
• Siemens UL Commercial Parent 48A,15118 25ft Sim (8EM1310-5CG14-1GA2): All versions (CVE-2025-31929)
• Siemens UL Commercial Parent 48A,15118 25ft Sim (8EM1310-5CG14-1GA2): All versions prior to V2.135 (CVE-2025-31930)
• Siemens UL Commercial Parent 48A, 15118, 25ft (8EM1310-5CG14-1GA1): All versions (CVE-2025-31929)
• Siemens UL Commercial Parent 48A, 15118, 25ft (8EM1310-5CG14-1GA1): All versions prior to V2.135 (CVE-2025-31930)
• Siemens UL Commercial Parent 48A, 15118, 25ft (8EM1314-5CG14-2FA2): All versions (CVE-2025-31929)
• Siemens UL Commercial Parent 48A, 15118, 25ft (8EM1314-5CG14-2FA2): All versions prior to V2.135 (CVE-2025-31930)
• Siemens UL Commercial Parent 48A, 15118, 25ft (8EM1315-5HG14-1GA2): All versions (CVE-2025-31929)
• Siemens IEC 1Ph 7.4kW Parent cable 7m incl. SIM (8EM1310-2EJ04-3GA2): All versions (CVE-2025-31929)
• Siemens UL Commercial Parent 48A, 15118, 25ft (8EM1315-5HG14-1GA2): All versions prior to V2.135 (CVE-2025-31930)
• Siemens UL Resi High End 40A w/15118 Hw (8EM1312-4CF18-0FA3): All versions (CVE-2025-31929)
• Siemens UL Resi High End 48A w/15118 Hw (8EM1312-5CF18-0FA3): All versions (CVE-2025-31929)
• Siemens VersiCharge Blue™ 80A AC Cellular (8EM1315-7BG16-1FH2): All versions (CVE-2025-31929)
• Siemens VersiCharge Blue™ 80A AC Cellular (8EM1315-7BG16-1FH2): All versions prior to V2.135 (CVE-2025-31930)
• Siemens IEC 1Ph 7.4kW Parent cable 7m incl. SIM (8EM1310-2EJ04-3GA2): All versions prior to V2.135 (CVE-2025-31930)
• Siemens IEC 1Ph 7.4kW Parent socket (8EM1310-2EH04-3GA1): All versions (CVE-2025-31929)

3.2 VULNERABILITY OVERVIEW 3.2.1 MISSING IMMUTABLE ROOT OF TRUST IN HARDWARE CWE-1326

The affected devices do not contain an Immutable Root of Trust in the M0 Hardware. An attacker with physical access to the device could use this to execute arbitrary code.

CVE-2025-31929 has been assigned to this vulnerability. A CVSS v3.1 base score of 4.2 has been calculated; the CVSS vector string is (CVSS:3.1/AV:P/AC:H/PR:N/UI:N/S:U/C:N/I:H/A:N).

A CVSS v4 score has also been calculated for CVE-2025-31929. A base score of 4.1 has been calculated; the CVSS vector string is (CVSS:4.0/AV:P/AC:H/AT:N/PR:N/UI:N/VC:N/VI:H/VA:N/SC:N/SI:N/SA:N).

3.2.2 INITIALIZATION OF A RESOURCE WITH AN INSECURE DEFAULT CWE-1188

The affected devices contain the Modbus service enabled by default. This could allow an attacker connected to the same network to remotely control the EV charger.

CVE-2025-31930 has been assigned to this vulnerability. A CVSS v3.1 base score of 8.8 has been calculated; the CVSS vector string is (CVSS:3.1/AV:A/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H).

A CVSS v4 score has also been calculated for CVE-2025-31930. A base score of 8.7 has been calculated; the CVSS vector string is (CVSS:4.0/AV:A/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:L/SI:N/SA:N).

3.3 BACKGROUND

• CRITICAL INFRASTRUCTURE SECTORS: Energy
• COUNTRIES/AREAS DEPLOYED: Worldwide
• COMPANY HEADQUARTERS LOCATION: Germany

3.4 RESEARCHER

Siemens reported these vulnerabilities to CISA.

4. MITIGATIONS

Siemens has identified the following specific workarounds and mitigations users can apply to reduce risk:

• (CVE-2025-31929) IEC 1Ph 7.4kW Child socket (8EM1310-2EH04-0GA0), IEC 1Ph 7.4kW Child socket/ shutter (8EM1310-2EN04-0GA0), IEC 1Ph 7.4kW Parent cable 7m (8EM1310-2EJ04-3GA1), IEC 1Ph 7.4kW Parent cable 7m incl. SIM (8EM1310-2EJ04-3GA2), IEC 1Ph 7.4kW Parent socket (8EM1310-2EH04-3GA1), IEC 1Ph 7.4kW Parent socket incl. SIM (8EM1310-2EH04-3GA2), IEC 1Ph 7.4kW Parent socket/ shutter (8EM1310-2EN04-3GA1), IEC 1Ph 7.4kW Parent socket/ shutter SIM (8EM1310-2EN04-3GA2), IEC 3Ph 22kW Child cable 7m (8EM1310-3EJ04-0GA0), IEC 3Ph 22kW Child socket (8EM1310-3EH04-0GA0), IEC 3Ph 22kW Child socket/ shutter (8EM1310-3EN04-0GA0), IEC 3Ph 22kW Parent cable 7m (8EM1310-3EJ04-3GA1), IEC 3Ph 22kW Parent cable 7m incl. SIM (8EM1310-3EJ04-3GA2), IEC 3Ph 22kW Parent socket (8EM1310-3EH04-3GA1), IEC 3Ph 22kW Parent socket incl. SIM (8EM1310-3EH04-3GA2), IEC 3Ph 22kW Parent socket/ shutter (8EM1310-3EN04-3GA1), IEC 3Ph 22kW Parent socket/ shutter SIM (8EM1310-3EN04-3GA2), IEC ERK 3Ph 22 kW Child cable 7m (8EM1310-3FJ04-0GA0), IEC ERK 3Ph 22 kW Child cable 7m (8EM1310-3FJ04-0GA1), IEC ERK 3Ph 22 kW Child cable 7m (8EM1310-3FJ04-0GA2), IEC ERK 3Ph 22 kW Child socket (8EM1310-3FH04-0GA0), IEC ERK 3Ph 22 kW Parent socket (8EM1310-3FH04-3GA1), IEC ERK 3Ph 22 kW Parent socket incl. SI (8EM1310-3FH04-3GA2), UL Commercial Cellular 48A NTEP (8EM1310-5HF14-1GA2), UL Commercial Child 40A w/ 15118 HW (8EM1310-4CF14-0GA0), UL Commercial Child 48A BA Compliant (8EM1315-5CG14-0GA0), UL Commercial Child 48A w/ 15118 HW (8EM1310-5CF14-0GA0), UL Commercial Parent 40A with Simcard (8EM1310-4CF14-1GA2), UL Commercial Parent 48A (USPS) (8EM1317-5CG14-1GA2), UL Commercial Parent 48A BA Compliant (8EM1315-5CG14-1GA2), UL Commercial Parent 48A with Simcard BA (8EM1310-5CF14-1GA2), UL Commercial Parent 48A, 15118, 25ft (8EM1310-5CG14-1GA1), UL Commercial Parent 48A, 15118, 25ft (8EM1314-5CG14-2FA2), UL Commercial Parent 48A, 15118, 25ft (8EM1315-5HG14-1GA2), UL Commercial Parent 48A,15118 25ft Sim (8EM1310-5CG14-1GA2), UL Resi High End 40A w/15118 Hw (8EM1312-4CF18-0FA3), UL Resi High End 48A w/15118 Hw (8EM1312-5CF18-0FA3), VersiCharge Blue™ 80A AC Cellular (8EM1315-7BG16-1FH2): Currently no fix is planned
• (CVE-2025-31930) IEC 1Ph 7.4kW Child socket (8EM1310-2EH04-0GA0), IEC 1Ph 7.4kW Child socket/ shutter (8EM1310-2EN04-0GA0), IEC 1Ph 7.4kW Parent cable 7m (8EM1310-2EJ04-3GA1), IEC 1Ph 7.4kW Parent cable 7m incl. SIM (8EM1310-2EJ04-3GA2), IEC 1Ph 7.4kW Parent socket (8EM1310-2EH04-3GA1), IEC 1Ph 7.4kW Parent socket incl. SIM (8EM1310-2EH04-3GA2), IEC 1Ph 7.4kW Parent socket/ shutter (8EM1310-2EN04-3GA1), IEC 1Ph 7.4kW Parent socket/ shutter SIM (8EM1310-2EN04-3GA2), IEC 3Ph 22kW Child cable 7m (8EM1310-3EJ04-0GA0), IEC 3Ph 22kW Child socket (8EM1310-3EH04-0GA0), IEC 3Ph 22kW Child socket/ shutter (8EM1310-3EN04-0GA0), IEC 3Ph 22kW Parent cable 7m (8EM1310-3EJ04-3GA1), IEC 3Ph 22kW Parent cable 7m incl. SIM (8EM1310-3EJ04-3GA2), IEC 3Ph 22kW Parent socket (8EM1310-3EH04-3GA1), IEC 3Ph 22kW Parent socket incl. SIM (8EM1310-3EH04-3GA2), IEC 3Ph 22kW Parent socket/ shutter (8EM1310-3EN04-3GA1), IEC 3Ph 22kW Parent socket/ shutter SIM (8EM1310-3EN04-3GA2), IEC ERK 3Ph 22 kW Child cable 7m (8EM1310-3FJ04-0GA0), IEC ERK 3Ph 22 kW Child cable 7m (8EM1310-3FJ04-0GA1), IEC ERK 3Ph 22 kW Child cable 7m (8EM1310-3FJ04-0GA2), IEC ERK 3Ph 22 kW Child socket (8EM1310-3FH04-0GA0), IEC ERK 3Ph 22 kW Parent socket (8EM1310-3FH04-3GA1), IEC ERK 3Ph 22 kW Parent socket incl. SI (8EM1310-3FH04-3GA2), UL Commercial Cellular 48A NTEP (8EM1310-5HF14-1GA2), UL Commercial Child 40A w/ 15118 HW (8EM1310-4CF14-0GA0), UL Commercial Child 48A BA Compliant (8EM1315-5CG14-0GA0), UL Commercial Child 48A w/ 15118 HW (8EM1310-5CF14-0GA0), UL Commercial Parent 40A with Simcard (8EM1310-4CF14-1GA2), UL Commercial Parent 48A (USPS) (8EM1317-5CG14-1GA2), UL Commercial Parent 48A BA Compliant (8EM1315-5CG14-1GA2), UL Commercial Parent 48A with Simcard BA (8EM1310-5CF14-1GA2), UL Commercial Parent 48A, 15118, 25ft (8EM1310-5CG14-1GA1), UL Commercial Parent 48A, 15118, 25ft (8EM1314-5CG14-2FA2), UL Commercial Parent 48A, 15118, 25ft (8EM1315-5HG14-1GA2), UL Commercial Parent 48A,15118 25ft Sim (8EM1310-5CG14-1GA2), VersiCharge Blue™ 80A AC Cellular (8EM1315-7BG16-1FH2): Update to V2.135 or later version. The latest version will be pushed to the device OTA if the charger is completely commissioned and connected to Siemens Device Management. Contact Siemens Customer Service for further assistance or troubleshooting.

As a general security measure, Siemens recommends protecting network access to devices with appropriate mechanisms. To operate the devices in a protected IT environment, Siemens recommends configuring the environment according to Siemens' operational guidelines for industrial security and following recommendations in the product manuals.

Additional information on industrial security by Siemens can be found on the Siemens industrial security webpage

For more information see the associated Siemens security advisory SSA-556937 in HTML and CSAF.

CISA recommends users take defensive measures to minimize the risk of exploitation of these vulnerabilities, such as:

• Minimize network exposure for all control system devices and/or systems, ensuring they are not accessible from the internet.
• Locate control system networks and remote devices behind firewalls and isolating them from business networks.
• When remote access is required, use more secure methods, such as Virtual Private Networks (VPNs). Recognize VPNs may have vulnerabilities, should be updated to the most recent version available, and are only as secure as the connected devices.

CISA reminds organizations to perform proper impact analysis and risk assessment prior to deploying defensive measures.

CISA also provides a section for control systems security recommended practices on the ICS webpage on cisa.gov. Several CISA products detailing cyber defense best practices are available for reading and download, including Improving Industrial Control Systems Cybersecurity with Defense-in-Depth Strategies.

CISA encourages organizations to implement recommended cybersecurity strategies for proactive defense of ICS assets.

Additional mitigation guidance and recommended practices are publicly available on the ICS webpage at cisa.gov in the technical information paper, ICS-TIP-12-146-01B--Targeted Cyber Intrusion Detection and Mitigation Strategies.

Organizations observing suspected malicious activity should follow established internal procedures and report findings to CISA for tracking and correlation against other incidents.

CISA also recommends users take the following measures to protect themselves from social engineering attacks:

• Do not click web links or open attachments in unsolicited email messages.
• Refer to Recognizing and Avoiding Email Scams for more information on avoiding email scams.
• Refer to Avoiding Social Engineering and Phishing Attacks for more information on social engineering attacks.

No known public exploitation specifically targeting these vulnerabilities has been reported to CISA at this time. These vulnerabilities are not exploitable remotely.

5. UPDATE HISTORY

May 15, 2025: Initial Republication of Siemens Advisory SSA-556937

As of January 10, 2023, CISA will no longer be updating ICS security advisories for Siemens product vulnerabilities beyond the initial advisory. For the most up-to-date information on vulnerabilities in this advisory, please see Siemens' ProductCERT Security Advisories (CERT Services | Services | Siemens Global).

View CSAF

1. EXECUTIVE SUMMARY

• CVSS v4 8.7
• ATTENTION: Exploitable remotely/low attack complexity
• Vendor: Siemens
• Equipment: User Management Component (UMC)
• Vulnerabilities: Out-of-bounds Read, Out-of-bounds Write

2. RISK EVALUATION

Successful exploitation of these vulnerabilities could allow an unauthenticated remote attacker to cause a denial-of-service condition.

3. TECHNICAL DETAILS 3.1 AFFECTED PRODUCTS

Siemens reports that the following products are affected:

• Siemens SIMATIC PCS neo V4.1: All versions
• Siemens SIMATIC PCS neo V5.0: All versions
• Siemens SINEC NMS: All versions
• Siemens SINEMA Remote Connect: All versions
• Siemens Totally Integrated Automation Portal (TIA Portal) V17: All versions
• Siemens Totally Integrated Automation Portal (TIA Portal) V18: All versions
• Siemens Totally Integrated Automation Portal (TIA Portal) V19: All versions
• Siemens Totally Integrated Automation Portal (TIA Portal) V20: All versions
• Siemens User Management Component (UMC): All versions prior to V2.15.1.1

3.2 VULNERABILITY OVERVIEW 3.2.1 OUT-OF-BOUNDS READ CWE-125

The affected products contain a out-of-bound read buffer overflow vulnerability in the integrated UMC component. This could allow an unauthenticated remote attacker to cause a denial-of-service condition.

CVE-2025-30174 has been assigned to this vulnerability. A CVSS v3.1 base score of 7.5 has been calculated; the CVSS vector string is (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H).

A CVSS v4 score has also been calculated for CVE-2025-30174. A base score of 8.7 has been calculated; the CVSS vector string is (CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N).

3.2.2 OUT-OF-BOUNDS WRITE CWE-787

The affected products contain a out-of-bound write buffer overflow vulnerability in the integrated UMC component. This could allow an unauthenticated remote attacker to cause a denial-of-service condition.

CVE-2025-30175 has been assigned to this vulnerability. A CVSS v3.1 base score of 7.5 has been calculated; the CVSS vector string is (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H).

A CVSS v4 score has also been calculated for CVE-2025-30175. A base score of 8.7 has been calculated; the CVSS vector string is (CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N).

3.2.3 OUT-OF-BOUNDS READ CWE-125

The affected products contain a out-of-bound read buffer overflow vulnerability in the integrated UMC component. This could allow an unauthenticated remote attacker to cause a denial-of-service condition.

CVE-2025-30176 has been assigned to this vulnerability. A CVSS v3.1 base score of 7.5 has been calculated; the CVSS vector string is (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H).

A CVSS v4 score has also been calculated for CVE-2025-30176. A base score of 8.2 has been calculated; the CVSS vector string is (CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N).

3.3 BACKGROUND

• CRITICAL INFRASTRUCTURE SECTORS: Critical Manufacturing
• COUNTRIES/AREAS DEPLOYED: Worldwide
• COMPANY HEADQUARTERS LOCATION: Germany

3.4 RESEARCHER

Siemens reported these vulnerabilities to CISA.

4. MITIGATIONS

Siemens has identified the following specific workarounds and mitigations users can apply to reduce risk:

• All affected products: In non-networked scenarios/deployments block TCP ports 4002 and 4004 on machines with UMC installed. In addition if no RT server machines are used, port 4004 can be blocked completely
• SIMATIC PCS neo V4.1: Currently no fix is planned
• SIMATIC PCS neo V5.0, SINEMA Remote Connect: Currently no fix is available
• User Management Component (UMC): Update to V2.15.1.1 or later version
• SINEC NMS, Totally Integrated Automation Portal (TIA Portal) V17, Totally Integrated Automation Portal (TIA Portal) V18, Totally Integrated Automation Portal (TIA Portal) V19, Totally Integrated Automation Portal (TIA Portal) V20: Update UMC to V2.15.1.1 or later

As a general security measure, Siemens recommends protecting network access to devices with appropriate mechanisms. To operate the devices in a protected IT environment, Siemens recommends configuring the environment according to Siemens' operational guidelines for industrial security and following recommendations in the product manuals.

Additional information on industrial security by Siemens can be found on the Siemens industrial security webpage

For more information see the associated Siemens security advisory SSA-614723 in HTML and CSAF.

CISA recommends users take defensive measures to minimize the risk of exploitation of these vulnerabilities, such as:

• Minimize network exposure for all control system devices and/or systems, ensuring they are not accessible from the internet.
• Locate control system networks and remote devices behind firewalls and isolating them from business networks.
• When remote access is required, use more secure methods, such as Virtual Private Networks (VPNs). Recognize VPNs may have vulnerabilities, should be updated to the most recent version available, and are only as secure as the connected devices.

CISA reminds organizations to perform proper impact analysis and risk assessment prior to deploying defensive measures.

CISA also provides a section for control systems security recommended practices on the ICS webpage on cisa.gov. Several CISA products detailing cyber defense best practices are available for reading and download, including Improving Industrial Control Systems Cybersecurity with Defense-in-Depth Strategies.

CISA encourages organizations to implement recommended cybersecurity strategies for proactive defense of ICS assets.

Additional mitigation guidance and recommended practices are publicly available on the ICS webpage at cisa.gov in the technical information paper, ICS-TIP-12-146-01B--Targeted Cyber Intrusion Detection and Mitigation Strategies.

Organizations observing suspected malicious activity should follow established internal procedures and report findings to CISA for tracking and correlation against other incidents.

CISA also recommends users take the following measures to protect themselves from social engineering attacks:

• Do not click web links or open attachments in unsolicited email messages.
• Refer to Recognizing and Avoiding Email Scams for more information on avoiding email scams.
• Refer to Avoiding Social Engineering and Phishing Attacks for more information on social engineering attacks.

No known public exploitation specifically targeting these vulnerabilities has been reported to CISA at this time.

5. UPDATE HISTORY

May 15, 2025: Initial Republication of Siemens Advisory SSA-614723

As of January 10, 2023, CISA will no longer be updating ICS security advisories for Siemens product vulnerabilities beyond the initial advisory. For the most up-to-date information on vulnerabilities in this advisory, please see Siemens' ProductCERT Security Advisories (CERT Services | Services | Siemens Global).

View CSAF

1. EXECUTIVE SUMMARY

• CVSS v4 10.0
• ATTENTION: Exploitable remotely/low attack complexity
• Vendor: Siemens
• Equipment: OZW Web Servers
• Vulnerabilities: Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection'), Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection')

2. RISK EVALUATION

Successful exploitation of these vulnerabilities could allow an attacker to execute arbitrary code on the device with root privileges.

3. TECHNICAL DETAILS 3.1 AFFECTED PRODUCTS

Siemens reports that the following products are affected:

• OZW672: Versions prior to V8.0 (CVE-2025-26389)
• OZW672: Versions prior to V6.0 (CVE-2025-26390)
• OZW772: Versions prior to V8.0 (CVE-2025-26389)
• OZW772: Versions prior to V6.0 (CVE-2025-26390)

3.2 VULNERABILITY OVERVIEW 3.2.1 IMPROPER NEUTRALIZATION OF SPECIAL ELEMENTS USED IN AN OS COMMAND ('OS COMMAND INJECTION') CWE-78

The web service in affected devices does not sanitize the input parameters required for the ex-exportDiagramPage endpoint. This could allow an unauthenticated remote attacker to execute arbitrary code with root privileges.

CVE-2025-26389 has been assigned to this vulnerability. A CVSS v3.1 base score of 10.0 has been calculated; the CVSS vector string is (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H).

A CVSS v4 score has also been calculated for CVE-2025-26389. A base score of 10.0 has been calculated; the CVSS vector string is (CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:H/SI:H/SA:H).

3.2.2 IMPROPER NEUTRALIZATION OF SPECIAL ELEMENTS USED IN AN SQL COMMAND ('SQL INJECTION') CWE-89

The web service of affected devices is vulnerable to SQL injection when checking authentication data. This could allow an unauthenticated remote attacker to bypass the check and authenticate as Administrator user.

CVE-2025-26390 has been assigned to this vulnerability. A CVSS v3.1 base score of 9.8 has been calculated; the CVSS vector string is (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H).

A CVSS v4 score has also been calculated for CVE-2025-26390. A base score of 9.3 has been calculated; the CVSS vector string is (CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N).

3.3 BACKGROUND

• CRITICAL INFRASTRUCTURE SECTORS: Critical Manufacturing
• COUNTRIES/AREAS DEPLOYED: Worldwide
• COMPANY HEADQUARTERS LOCATION: Germany

3.4 RESEARCHER

RandoriSec reported these vulnerabilities to Siemens reported these vulnerabilities to CISA.
Siemens reported these vulnerabilities to CISA.

4. MITIGATIONS

Siemens has identified the following specific workarounds and mitigations users can apply to reduce risk:

• (CVE-2025-26389) OZW672, OZW772: Update to V8.0 or later version
• (CVE-2025-26389) OZW672, OZW772: Update to V8.0 or later version
• (CVE-2025-26390) OZW672: Update to V6.0 or later version
• (CVE-2025-26390) OZW772: Update to V6.0 or later version

As a general security measure, Siemens recommends protecting network access to devices with appropriate mechanisms. To operate the devices in a protected IT environment, Siemens recommends configuring the environment according to Siemens' operational guidelines for industrial security and following recommendations in the product manuals.

Additional information on industrial security by Siemens can be found on the Siemens industrial security webpage

For more information see the associated Siemens security advisory SSA-047424 in HTML and CSAF.

CISA recommends users take defensive measures to minimize the risk of exploitation of these vulnerabilities, such as:

• Minimize network exposure for all control system devices and/or systems, ensuring they are not accessible from the internet.
• Locate control system networks and remote devices behind firewalls and isolating them from business networks.
• When remote access is required, use more secure methods, such as Virtual Private Networks (VPNs). Recognize VPNs may have vulnerabilities, should be updated to the most recent version available, and are only as secure as the connected devices.

CISA reminds organizations to perform proper impact analysis and risk assessment prior to deploying defensive measures.

CISA also provides a section for control systems security recommended practices on the ICS webpage on cisa.gov. Several CISA products detailing cyber defense best practices are available for reading and download, including Improving Industrial Control Systems Cybersecurity with Defense-in-Depth Strategies.

CISA encourages organizations to implement recommended cybersecurity strategies for proactive defense of ICS assets.

Additional mitigation guidance and recommended practices are publicly available on the ICS webpage at cisa.gov in the technical information paper, ICS-TIP-12-146-01B--Targeted Cyber Intrusion Detection and Mitigation Strategies.

Organizations observing suspected malicious activity should follow established internal procedures and report findings to CISA for tracking and correlation against other incidents.

CISA also recommends users take the following measures to protect themselves from social engineering attacks:

• Do not click web links or open attachments in unsolicited email messages.
• Refer to Recognizing and Avoiding Email Scams for more information on avoiding email scams.
• Refer to Avoiding Social Engineering and Phishing Attacks for more information on social engineering attacks.

No known public exploitation specifically targeting these vulnerabilities has been reported to CISA at this time.

5. UPDATE HISTORY

• May 15, 2025: Initial Republication of Siemens SSA-047424

As of January 10, 2023, CISA will no longer be updating ICS security advisories for Siemens product vulnerabilities beyond the initial advisory. For the most up-to-date information on vulnerabilities in this advisory, please see Siemens' ProductCERT Security Advisories (CERT Services | Services | Siemens Global).

View CSAF

1. EXECUTIVE SUMMARY

• CVSS v4 7.1
• ATTENTION: Exploitable remotely/low attack complexity
• Vendor: Siemens
• Equipment: Polarion
• Vulnerabilities: Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection'), Improper Restriction of XML External Entity Reference, Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting'), Observable Response Discrepancy

2. RISK EVALUATION

Successful exploitation of these vulnerabilities could allow attackers to extract data, conduct cross-site scripting attacks or find out valid usernames.

3. TECHNICAL DETAILS 3.1 AFFECTED PRODUCTS

Siemens reports that the following products are affected:

• Polarion V2310: All versions
• Polarion V2404: Versions prior to V2404.4 (CVE-2024-51444, CVE-2024-51445, CVE-2024-51446)
• Polarion V2404: Versions prior to V2404.2 (CVE-2024-51447)

3.2 VULNERABILITY OVERVIEW 3.2.1 IMPROPER NEUTRALIZATION OF SPECIAL ELEMENTS USED IN AN SQL COMMAND ('SQL INJECTION') CWE-89

The application insufficiently validates user input for database read queries. This could allow an authenticated remote attacker to conduct an SQL injection attack that bypasses authorization controls and allows to download any data from the application's database.

CVE-2024-51444 has been assigned to this vulnerability. A CVSS v3.1 base score of 6.5 has been calculated; the CVSS vector string is (CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N).

A CVSS v4 score has also been calculated for CVE-2024-51444. A base score of 7.1 has been calculated; the CVSS vector string is (CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N).

3.2.2 IMPROPER RESTRICTION OF XML EXTERNAL ENTITY REFERENCE CWE-611

The affected application contains a XML External Entity Injection (XXE) vulnerability in the docx import feature. This could allow an authenticated remote attacker to read arbitrary data from the application server.

CVE-2024-51445 has been assigned to this vulnerability. A CVSS v3.1 base score of 6.5 has been calculated; the CVSS vector string is (CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N).

A CVSS v4 score has also been calculated for CVE-2024-51445. A base score of 7.1 has been calculated; the CVSS vector string is (CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N).

3.2.3 IMPROPER NEUTRALIZATION OF INPUT DURING WEB PAGE GENERATION ('CROSS-SITE SCRIPTING') CWE-79

The file upload feature of the affected application improperly sanitizes xml files. This could allow an authenticated remote attacker to conduct a stored cross-site scripting attack by uploading specially crafted xml files that are later downloaded and viewed by other users of the application.

CVE-2024-51446 has been assigned to this vulnerability. A CVSS v3.1 base score of 6.5 has been calculated; the CVSS vector string is (CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:L).

A CVSS v4 score has also been calculated for CVE-2024-51446. A base score of 5.1 has been calculated; the CVSS vector string is (CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:P/VC:N/VI:L/VA:N/SC:L/SI:L/SA:L).

3.2.4 OBSERVABLE RESPONSE DISCREPANCY CWE-204

The login implementation of the affected application contains an observable response discrepancy vulnerability when validating usernames. This could allow an unauthenticated remote attacker to distinguish between valid and invalid usernames.

CVE-2024-51447 has been assigned to this vulnerability. A CVSS v3.1 base score of 5.3 has been calculated; the CVSS vector string is (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N).

A CVSS v4 score has also been calculated for CVE-2024-51447. A base score of 6.9 has been calculated; the CVSS vector string is (CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N).

3.3 BACKGROUND

• CRITICAL INFRASTRUCTURE SECTORS: Critical Manufacturing
• COUNTRIES/AREAS DEPLOYED: Worldwide
• COMPANY HEADQUARTERS LOCATION: Germany

3.4 RESEARCHER

Thales Digital Factory reported these vulnerabilities to Siemens.
Luis Manuel Alvarez Tapia from BorgWarner Luxembourg Automotive Systems SARL for reported CVE-2024-51444 to Siemens.
Siemens ProductCERT reported these vulnerabilities to CISA.

4. MITIGATIONS

Siemens has identified the following specific workarounds and mitigations users can apply to reduce risk:

• Polarion V2404 (CVE-2024-51444, CVE-2024-51445, CVE-2024-51446): Update to V2404.4 or later version
• Polarion V2404 (CVE-2024-51447): Update to V2404.2 or later version
• Polarion V2310: Currently no fix is planned

As a general security measure, Siemens recommends protecting network access to devices with appropriate mechanisms. To operate the devices in a protected IT environment, Siemens recommends configuring the environment according to Siemens' operational guidelines for industrial security and following recommendations in the product manuals.

Additional information on industrial security by Siemens can be found on the Siemens industrial security webpage

For more information see the associated Siemens security advisory SSA-162255 in HTML and CSAF.

CISA recommends users take defensive measures to minimize the risk of exploitation of these vulnerabilities, such as:

• Minimize network exposure for all control system devices and/or systems, ensuring they are not accessible from the internet.
• Locate control system networks and remote devices behind firewalls and isolating them from business networks.
• When remote access is required, use more secure methods, such as Virtual Private Networks (VPNs). Recognize VPNs may have vulnerabilities, should be updated to the most recent version available, and are only as secure as the connected devices.

CISA reminds organizations to perform proper impact analysis and risk assessment prior to deploying defensive measures.

CISA also provides a section for control systems security recommended practices on the ICS webpage on cisa.gov. Several CISA products detailing cyber defense best practices are available for reading and download, including Improving Industrial Control Systems Cybersecurity with Defense-in-Depth Strategies.

CISA encourages organizations to implement recommended cybersecurity strategies for proactive defense of ICS assets.

Additional mitigation guidance and recommended practices are publicly available on the ICS webpage at cisa.gov in the technical information paper, ICS-TIP-12-146-01B--Targeted Cyber Intrusion Detection and Mitigation Strategies.

Organizations observing suspected malicious activity should follow established internal procedures and report findings to CISA for tracking and correlation against other incidents.

CISA also recommends users take the following measures to protect themselves from social engineering attacks:

• Do not click web links or open attachments in unsolicited email messages.
• Refer to Recognizing and Avoiding Email Scams for more information on avoiding email scams.
• Refer to Avoiding Social Engineering and Phishing Attacks for more information on social engineering attacks.

No known public exploitation specifically targeting these vulnerabilities has been reported to CISA at this time.

5. UPDATE HISTORY

• May 15, 2025: Initial Republication of Siemens SSA-162255

As of January 10, 2023, CISA will no longer be updating ICS security advisories for Siemens product vulnerabilities beyond the initial advisory. For the most up-to-date information on vulnerabilities in this advisory, please see Siemens' ProductCERT Security Advisories (CERT Services | Services | Siemens Global).

View CSAF

1. EXECUTIVE SUMMARY

• CVSS v4 8.7
• ATTENTION: Exploitable remotely/low attack complexity
• Vendor: Siemens
• Equipment: SIMATIC PCS neo
• Vulnerability: Insufficient Session Expiration

2. RISK EVALUATION

Successful exploitation of this vulnerability could allow a remote unauthenticated attacker, who has obtained the session token by other means, to re-use a legitimate user's session even after logout.

3. TECHNICAL DETAILS 3.1 AFFECTED PRODUCTS

Siemens reports that the following products are affected:

• SIMATIC PCS neo V4.1: All versions prior to V4.1 Update 3
• SIMATIC PCS neo V5.0: All versions prior to V5.0 Update 1

3.2 VULNERABILITY OVERVIEW 3.2.1 INSUFFICIENT SESSION EXPIRATION CWE-613

Affected products do not correctly invalidate user sessions upon user logout. This could allow a remote unauthenticated attacker, who has obtained the session token by other means, to re-use a legitimate user's session even after logout.

CVE-2025-40566 has been assigned to this vulnerability. A CVSS v3.1 base score of 8.8 has been calculated; the CVSS vector string is (CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H).

A CVSS v4 score has also been calculated for CVE-2025-40566. A base score of 8.7 has been calculated; the CVSS vector string is (CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:P/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N).

3.3 BACKGROUND

• CRITICAL INFRASTRUCTURE SECTORS: Critical Manufacturing
• COUNTRIES/AREAS DEPLOYED: Worldwide
• COMPANY HEADQUARTERS LOCATION: Germany

3.4 RESEARCHER

Siemens reported this vulnerability to CISA.

4. MITIGATIONS

Siemens has released new versions for the affected products and recommends updating to the latest versions:

• SIMATIC PCS neo V4.1: Update to V4.1 Update 3 or later version.
• SIMATIC PCS neo V5.0: Update to V5.0 Update 1 or later version.

As a general security measure, Siemens recommends protecting network access to devices with appropriate mechanisms. To operate the devices in a protected IT environment, Siemens recommends configuring the environment according to Siemens' operational guidelines for industrial security and following recommendations in the product manuals.

Additional information on industrial security by Siemens can be found on the Siemens industrial security webpage

For more information see the associated Siemens security advisory SSA-339086 in HTML and CSAF.

CISA recommends users take defensive measures to minimize the risk of exploitation of this vulnerability. CISA reminds organizations to perform proper impact analysis and risk assessment prior to deploying defensive measures.

CISA also provides a section for control systems security recommended practices on the ICS webpage on cisa.gov. Several CISA products detailing cyber defense best practices are available for reading and download, including Improving Industrial Control Systems Cybersecurity with Defense-in-Depth Strategies.

CISA encourages organizations to implement recommended cybersecurity strategies for proactive defense of ICS assets.

Additional mitigation guidance and recommended practices are publicly available on the ICS webpage at cisa.gov in the technical information paper, ICS-TIP-12-146-01B--Targeted Cyber Intrusion Detection and Mitigation Strategies.

Organizations observing suspected malicious activity should follow established internal procedures and report findings to CISA for tracking and correlation against other incidents.

CISA also recommends users take the following measures to protect themselves from social engineering attacks:

• Do not click web links or open attachments in unsolicited email messages.
• Refer to Recognizing and Avoiding Email Scams for more information on avoiding email scams.
• Refer to Avoiding Social Engineering and Phishing Attacks for more information on social engineering attacks.

No known public exploitation specifically targeting this vulnerability has been reported to CISA at this time.

5. UPDATE HISTORY

• May 15, 2025: Initial Republication of Siemens ProductCERT SSA-339086

As of January 10, 2023, CISA will no longer be updating ICS security advisories for Siemens product vulnerabilities beyond the initial advisory. For the most up-to-date information on vulnerabilities in this advisory, please see Siemens' ProductCERT Security Advisories (CERT Services | Services | Siemens Global).

View CSAF

1. EXECUTIVE SUMMARY

• CVSS v4 8.7
• ATTENTION: Exploitable remotely/low attack complexity
• Vendor: Siemens
• Equipment: SIRIUS 3RK3 Modular Safety System (MSS), SIRIUS Safety Relays 3SK2
• Vulnerabilities: Use of a Broken or Risky Cryptographic Algorithm, Missing Encryption of Sensitive Data, Incorrect Permission Assignment for Critical Resource

2. RISK EVALUATION

Successful exploitation of these vulnerabilities could allow an attacker to retrieve and de-obfuscate safety password, eavesdrop connections, or retrieve sensitive information from certain data records.

3. TECHNICAL DETAILS 3.1 AFFECTED PRODUCTS

Siemens reports that the following products are affected:

• SIRIUS 3RK3 Modular Safety System (MSS): All versions
• SIRIUS Safety Relays 3SK2: All versions

3.2 VULNERABILITY OVERVIEW 3.2.1 USE OF A BROKEN OR RISKY CRYPTOGRAPHIC ALGORITHM CWE-327

Affected devices only provide weak password obfuscation. An attacker with network access could retrieve and de-obfuscate the safety password used for protection against inadvertent operating errors.

CVE-2025-24007 has been assigned to this vulnerability. A CVSS v3.1 base score of 7.5 has been calculated; the CVSS vector string is (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N).

A CVSS v4 score has also been calculated for CVE-2025-24007. A base score of 8.7 has been calculated; the CVSS vector string is (CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N).

3.2.2 MISSING ENCRYPTION OF SENSITIVE DATA CWE-311

The affected devices do not encrypt data in transit. An attacker with network access could eavesdrop the connection and retrieve sensitive information, including obfuscated safety passwords.

CVE-2025-24008 has been assigned to this vulnerability. A CVSS v3.1 base score of 6.5 has been calculated; the CVSS vector string is (CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:N/A:N).

A CVSS v4 score has also been calculated for CVE-2025-24008. A base score of 8.7 has been calculated; the CVSS vector string is (CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N).

3.2.3 INCORRECT PERMISSION ASSIGNMENT FOR CRITICAL RESOURCE CWE-732

The affected devices do not require authentication to access critical resources. An attacker with network access could retrieve sensitive information from certain data records, including obfuscated safety passwords.

CVE-2025-24009 has been assigned to this vulnerability. A CVSS v3.1 base score of 5.9 has been calculated; the CVSS vector string is (CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:N/A:N).

A CVSS v4 score has also been calculated for CVE-2025-24009. A base score of 8.2 has been calculated; the CVSS vector string is (CVSS:4.0/AV:N/AC:H/AT:N/PR:N/UI:N/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N).

3.3 BACKGROUND

• CRITICAL INFRASTRUCTURE SECTORS: Critical Manufacturing
• COUNTRIES/AREAS DEPLOYED: Worldwide
• COMPANY HEADQUARTERS LOCATION: Germany

3.4 RESEARCHER

Nikolai Puch, Johanna Latzel, and Ferdinand Jarisch from Fraunhofer AISEC reported these vulnerabilities to Siemens.

4. MITIGATIONS

Siemens is preparing fixed versions and recommends countermeasures for products where fixes are not, or not yet available:

• SIRIUS 3RK3 Modular Safety System (MSS): Currently no fix is planned.
• SIRIUS Safety Relays 3SK2: Currently no fix is available.

Siemens has identified the following specific workarounds and mitigations users can apply to reduce risk:

• Limit physical access to affected devices to trusted personnel.
• Ensure network isolation of the PROFINET interface to prevent access from unauthorized systems.

As a general security measure, Siemens recommends protecting network access to devices with appropriate mechanisms. To operate the devices in a protected IT environment, Siemens recommends configuring the environment according to Siemens' operational guidelines for industrial security and following recommendations in the product manuals.

Additional information on industrial security by Siemens can be found on the Siemens industrial security webpage

For more information see the associated Siemens security advisory SSA-222768 in HTML and CSAF.

CISA recommends users take defensive measures to minimize the risk of exploitation of these vulnerabilities. CISA reminds organizations to perform proper impact analysis and risk assessment prior to deploying defensive measures.

CISA also provides a section for control systems security recommended practices on the ICS webpage on cisa.gov. Several CISA products detailing cyber defense best practices are available for reading and download, including Improving Industrial Control Systems Cybersecurity with Defense-in-Depth Strategies.

CISA encourages organizations to implement recommended cybersecurity strategies for proactive defense of ICS assets.

Additional mitigation guidance and recommended practices are publicly available on the ICS webpage at cisa.gov in the technical information paper, ICS-TIP-12-146-01B--Targeted Cyber Intrusion Detection and Mitigation Strategies.

Organizations observing suspected malicious activity should follow established internal procedures and report findings to CISA for tracking and correlation against other incidents.

No known public exploitation specifically targeting these vulnerabilities has been reported to CISA at this time.

5. UPDATE HISTORY

• May 15, 2025: Initial Republication of Siemens ProductCERT SSA-222768

As of January 10, 2023, CISA will no longer be updating ICS security advisories for Siemens product vulnerabilities beyond the initial advisory. For the most up-to-date information on vulnerabilities in this advisory, please see Siemens' ProductCERT Security Advisories (CERT Services | Services | Siemens Global).

View CSAF

1. EXECUTIVE SUMMARY

• CVSS v4 5.3
• ATTENTION: Exploitable from adjacent network/low attack complexity
• Vendor: Siemens
• Equipment: APOGEE PXC and TALON TC Series
• Vulnerability: Expected Behavior Violation

2. RISK EVALUATION

Successful exploitation of this vulnerability could allow an attacker to cause a partial denial of service and reduce network availability.

3. TECHNICAL DETAILS 3.1 AFFECTED PRODUCTS

Siemens reports the following products are affected:

• Siemens APOGEE PXC+TALON TC Series: All versions

3.2 VULNERABILITY OVERVIEW 3.2.1 EXPECTED BEHAVIOR VIOLATION CWE-440

The affected devices start sending unsolicited BACnet broadcast messages after processing a specific BACnet createObject request. This could allow an attacker residing in the same BACnet network to send a specially crafted message that results in a partial denial of service condition of the targeted device, and potentially reduce the availability of BACnet network. A power cycle is required to restore the device's normal operation.

CVE-2025-40555 has been assigned to this vulnerability. A CVSS v3.1 base score of 4.7 has been calculated; the CVSS vector string is (CVSS:3.1/AV:A/AC:L/PR:N/UI:N/S:C/C:N/I:N/A:L).

A CVSS v4 score has also been calculated for CVE-2025-40555. A base score of 5.3 has been calculated; the CVSS vector string is (CVSS:4.0/AV:A/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:L/SC:N/SI:N/SA:N).

3.3 BACKGROUND

• CRITICAL INFRASTRUCTURE SECTORS: Commercial Facilities, Energy, Government Facilities, Healthcare and Public Health, Information Technology, Transportation Systems
• COUNTRIES/AREAS DEPLOYED: Worldwide
• COMPANY HEADQUARTERS LOCATION: Germany

3.4 RESEARCHER

Siemens ProductCERT reported this vulnerability to CISA.

4. MITIGATIONS

Siemens has identified the following specific workarounds and mitigations users can apply to reduce risk:

• APOGEE PXC+TALON TC Series (BACnet): Currently no fix is planned

As a general security measure, Siemens recommends protecting network access to devices with appropriate mechanisms. To operate the devices in a protected IT environment, Siemens recommends configuring the environment according to Siemens' operational guidelines for industrial security and following recommendations in the product manuals.

Additional information on industrial security by Siemens can be found on the Siemens industrial security webpage

For more information see the associated Siemens security advisory SSA-718393 in HTML and CSAF.

CISA recommends users take defensive measures to minimize the risk of exploitation of this vulnerability, such as:

• Minimize network exposure for all control system devices and/or systems, ensuring they are not accessible from the Internet.
• Locate control system networks and remote devices behind firewalls and isolating them from business networks.
• When remote access is required, use more secure methods, such as Virtual Private Networks (VPNs). Recognize VPNs may have vulnerabilities, should be updated to the most recent version available, and are only as secure as the connected devices.

CISA reminds organizations to perform proper impact analysis and risk assessment prior to deploying defensive measures.

CISA also provides a section for control systems security recommended practices on the ICS webpage on cisa.gov. Several CISA products detailing cyber defense best practices are available for reading and download, including Improving Industrial Control Systems Cybersecurity with Defense-in-Depth Strategies.

CISA encourages organizations to implement recommended cybersecurity strategies for proactive defense of ICS assets.

Additional mitigation guidance and recommended practices are publicly available on the ICS webpage at cisa.gov in the technical information paper, ICS-TIP-12-146-01B--Targeted Cyber Intrusion Detection and Mitigation Strategies.

Organizations observing suspected malicious activity should follow established internal procedures and report findings to CISA for tracking and correlation against other incidents.

No known public exploitation specifically targeting this vulnerability has been reported to CISA at this time.

5. UPDATE HISTORY

May 15, 2025: Initial Republication of Siemens ProductCERT SSA-718393

As of January 10, 2023, CISA will no longer be updating ICS security advisories for Siemens product vulnerabilities beyond the initial advisory. For the most up-to-date information on vulnerabilities in this advisory, please see Siemens' ProductCERT Security Advisories (CERT Services | Services | Siemens Global).

View CSAF

1. EXECUTIVE SUMMARY

• CVSS v4 2.1
• ATTENTION: Exploitable remotely
• Vendor: Siemens
• Equipment: Mendix OIDC SSO
• Vulnerability: Incorrect Privilege Assignment

2. RISK EVALUATION

Successful exploitation of this vulnerability could allow an attacker to modify the system and gain administrator read/write privileges.

3. TECHNICAL DETAILS 3.1 AFFECTED PRODUCTS

Siemens reports the following products are affected:

• Siemens Mendix OIDC SSO (Mendix 9 compatible): All versions
• Siemens Mendix OIDC SSO (Mendix 10 compatible): All versions before V4.0.0

3.2 VULNERABILITY OVERVIEW 3.2.1 INCORRECT PRIVILEGE ASSIGNMENT CWE-266

The Mendix OIDC SSO module grants read and write access to all tokens exclusively to the Administrator role, which could result in privilege misuse by an adversary modifying the module during Mendix development.

CVE-2025-40571 has been assigned to this vulnerability. A CVSS v3.1 base score of 2.2 has been calculated; the CVSS vector string is (CVSS:3.1/AV:N/AC:H/PR:H/UI:N/S:U/C:L/I:N/A:N).

A CVSS v4 score has also been calculated for CVE-2025-40571. A base score of 2.1 has been calculated; the CVSS vector string is (CVSS:4.0/AV:N/AC:H/AT:N/PR:H/UI:N/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N).

3.3 BACKGROUND

• CRITICAL INFRASTRUCTURE SECTORS: Critical Manufacturing, Energy, Financial Services, Healthcare and Public Health, Transportation Systems
• COUNTRIES/AREAS DEPLOYED: Worldwide
• COMPANY HEADQUARTERS LOCATION: Germany

3.4 RESEARCHER

Siemens ProductCERT reported this vulnerability to CISA.

4. MITIGATIONS

Siemens has identified the following specific workarounds and mitigations users can apply to reduce risk:

• All affected products: The default configuration of the OIDC.Token entity is set to restrict read/write access only to the administrator role. If this setting is not restrictive enough, the option arises to change the access rule of the specific entity, or to create a different user role to handle different administrative tasks.
• Mendix OIDC SSO (Mendix 9 compatible): Currently no fix is available.
• Mendix OIDC SSO (Mendix 10 compatible): Update to V4.0.0 or a later version.

As a general security measure, Siemens recommends protecting network access to devices with appropriate mechanisms. To operate the devices in a protected IT environment, Siemens recommends configuring the environment according to Siemens' operational guidelines for industrial security and following recommendations in the product manuals.

Additional information on industrial security by Siemens can be found on the Siemens industrial security webpage

For more information see the associated Siemens security advisory SSA-726617 in HTML and CSAF.

CISA recommends users take defensive measures to minimize the risk of exploitation of this vulnerability, such as:

• Minimize network exposure for all control system devices and/or systems, ensuring they are not accessible from the Internet.
• Locate control system networks and remote devices behind firewalls and isolating them from business networks.
• When remote access is required, use more secure methods, such as Virtual Private Networks (VPNs). Recognize VPNs may have vulnerabilities, should be updated to the most recent version available, and are only as secure as the connected devices.

CISA reminds organizations to perform proper impact analysis and risk assessment prior to deploying defensive measures.

CISA also provides a section for control systems security recommended practices on the ICS webpage on cisa.gov. Several CISA products detailing cyber defense best practices are available for reading and download, including Improving Industrial Control Systems Cybersecurity with Defense-in-Depth Strategies.

CISA encourages organizations to implement recommended cybersecurity strategies for proactive defense of ICS assets.

Additional mitigation guidance and recommended practices are publicly available on the ICS webpage at cisa.gov in the technical information paper, ICS-TIP-12-146-01B--Targeted Cyber Intrusion Detection and Mitigation Strategies.

Organizations observing suspected malicious activity should follow established internal procedures and report findings to CISA for tracking and correlation against other incidents.

No known public exploitation specifically targeting this vulnerability has been reported to CISA at this time. This vulnerability has a high attack complexity.

5. UPDATE HISTORY

May 15, 2025: Initial Republication of Siemens ProductCERT SSA-726617

As of January 10, 2023, CISA will no longer be updating ICS security advisories for Siemens product vulnerabilities beyond the initial advisory. For the most up-to-date information on vulnerabilities in this advisory, please see Siemens' ProductCERT Security Advisories (CERT Services | Services | Siemens Global).

View CSAF

1. EXECUTIVE SUMMARY

• CVSS v4 7.1
• ATTENTION: Exploitable from adjacent network/low attack complexity
• Vendor: Siemens
• Equipment: MS/TP Point Pickup Module
• Vulnerability: Improper Input Validation

2. RISK EVALUATION

Successful exploitation of this vulnerability could allow an attacker to cause a denial of service condition that requires a power cycle to restore normal operation.

3. TECHNICAL DETAILS 3.1 AFFECTED PRODUCTS

Siemens reports the following products are affected:

• Siemens MS/TP Point Pickup Module: All versions

3.2 VULNERABILITY OVERVIEW 3.2.1 IMPROPER INPUT VALIDATION CWE-20

The affected devices improperly handle specific incoming BACnet MSTP messages. This could allow an attacker residing in the same BACnet network to send a specially crafted MSTP message that results in a denial of service condition of the targeted device. A power cycle is required to restore the device's normal operation.

CVE-2025-24510 has been assigned to this vulnerability. A CVSS v3.1 base score of 6.5 has been calculated; the CVSS vector string is (CVSS:3.1/AV:A/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H).

A CVSS v4 score has also been calculated for CVE-2025-24510. A base score of 7.1 has been calculated; the CVSS vector string is (CVSS:4.0/AV:A/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N).

3.3 BACKGROUND

• CRITICAL INFRASTRUCTURE SECTORS: Commercial Facilities, Energy, Government Facilities, Healthcare and Public Health, Information Technology, Transportation Systems
• COUNTRIES/AREAS DEPLOYED: Worldwide
• COMPANY HEADQUARTERS LOCATION: Germany

3.4 RESEARCHER

Siemens ProductCERT reported this vulnerability to CISA.

4. MITIGATIONS

Siemens has identified the following specific workarounds and mitigations users can apply to reduce risk:

• MS/TP Point Pickup Module: Currently no fix is planned

As a general security measure, Siemens recommends protecting network access to devices with appropriate mechanisms. To operate the devices in a protected IT environment, Siemens recommends configuring the environment according to Siemens' operational guidelines for industrial security and following recommendations in the product manuals.

Additional information on industrial security by Siemens can be found on the Siemens industrial security webpage

For more information see the associated Siemens security advisory SSA-668154 in HTML and CSAF.

CISA recommends users take defensive measures to minimize the risk of exploitation of this vulnerability, such as:

• Minimize network exposure for all control system devices and/or systems, ensuring they are not accessible from the Internet.
• Locate control system networks and remote devices behind firewalls and isolating them from business networks.
• When remote access is required, use more secure methods, such as Virtual Private Networks (VPNs). Recognize VPNs may have vulnerabilities, should be updated to the most recent version available, and are only as secure as the connected devices.

CISA reminds organizations to perform proper impact analysis and risk assessment prior to deploying defensive measures.

CISA also provides a section for control systems security recommended practices on the ICS webpage on cisa.gov. Several CISA products detailing cyber defense best practices are available for reading and download, including Improving Industrial Control Systems Cybersecurity with Defense-in-Depth Strategies.

CISA encourages organizations to implement recommended cybersecurity strategies for proactive defense of ICS assets.

Additional mitigation guidance and recommended practices are publicly available on the ICS webpage at cisa.gov in the technical information paper, ICS-TIP-12-146-01B--Targeted Cyber Intrusion Detection and Mitigation Strategies.

Organizations observing suspected malicious activity should follow established internal procedures and report findings to CISA for tracking and correlation against other incidents.

No known public exploitation specifically targeting this vulnerability has been reported to CISA at this time.

5. UPDATE HISTORY

May 15, 2025: Initial Republication of Siemens ProductCERT SSA-668154

As of January 10, 2023, CISA will no longer be updating ICS security advisories for Siemens product vulnerabilities beyond the initial advisory. For the most up-to-date information on vulnerabilities in this advisory, please see Siemens' ProductCERT Security Advisories (CERT Services | Services | Siemens Global).

View CSAF

1. EXECUTIVE SUMMARY

• CVSS v4 9.4
• ATTENTION: Exploitable remotely/low attack complexity
• Vendor: Siemens
• Equipment: RUGGEDCOM ROX II
• Vulnerabilities: Client-Side Enforcement of Server-Side Security

2. RISK EVALUATION

Successful exploitation of these vulnerabilities could allow an attacker with a legitimate, highly privileged account on the web interface to get privileged code execution in the underlying OS of the affected products.

3. TECHNICAL DETAILS 3.1 AFFECTED PRODUCTS

Siemens reports that the following products are affected:

• RUGGEDCOM ROX MX5000: Versions prior to V2.16.5
• RUGGEDCOM ROX RX1536: Versions prior to V2.16.5
• RUGGEDCOM ROX RX5000: Versions prior to V2.16.5
• RUGGEDCOM ROX MX5000RE: Versions prior to V2.16.5
• RUGGEDCOM ROX RX1400: Versions prior to V2.16.5
• RUGGEDCOM ROX RX1500: Versions prior to V2.16.5
• RUGGEDCOM ROX RX1501: Versions prior to V2.16.5
• RUGGEDCOM ROX RX1510: Versions prior to V2.16.5
• RUGGEDCOM ROX RX1511: Versions prior to V2.16.5
• RUGGEDCOM ROX RX1512: Versions prior to V2.16.5
• RUGGEDCOM ROX RX1524: Versions prior to V2.16.5

3.2 VULNERABILITY OVERVIEW 3.2.1 CLIENT-SIDE ENFORCEMENT OF SERVER-SIDE SECURITY CWE-602

The 'ping' tool in the web interface of affected devices is vulnerable to command injection due to missing server side input sanitation. This could allow an authenticated remote attacker to execute arbitrary code with root privileges.

CVE-2025-32469 has been assigned to this vulnerability. A CVSS v3.1 base score of 9.9 has been assigned; the CVSS vector string is (CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H).

A CVSS v4 score has also been calculated for CVE-2025-32469. A base score of 9.4 has been calculated; the CVSS vector string is (CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:H/SC:H/SI:H/SA:H).

3.2.2 CLIENT-SIDE ENFORCEMENT OF SERVER-SIDE SECURITY CWE-602

The 'tcpdump' tool in the web interface of affected devices is vulnerable to command injection due to missing server side input sanitation. This could allow an authenticated remote attacker to execute arbitrary code with root privileges.

CVE-2025-33024 has been assigned to this vulnerability. A CVSS v3.1 base score of 9.9 has been assigned; the CVSS vector string is (CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H).

A CVSS v4 score has also been calculated for CVE-2025-33024. A base score of 9.4 has been calculated; the CVSS vector string is (CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:H/SC:H/SI:H/SA:H).

3.2.3 CLIENT-SIDE ENFORCEMENT OF SERVER-SIDE SECURITY CWE-602

The 'traceroute' tool in the web interface of affected devices is vulnerable to command injection due to missing server side input sanitation. This could allow an authenticated remote attacker to execute arbitrary code with root privileges.

CVE-2025-33025 has been assigned to this vulnerability. A CVSS v3.1 base score of 9.9 has been assigned; the CVSS vector string is (CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H).

A CVSS v4 score has also been calculated for CVE-2025-33025. A base score of 9.4 has been calculated; the CVSS vector string is (CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:H/SC:H/SI:H/SA:H).

3.3 BACKGROUND

• CRITICAL INFRASTRUCTURE SECTORS: Critical Manufacturing
• COUNTRIES/AREAS DEPLOYED: Worldwide
• COMPANY HEADQUARTERS LOCATION: Germany

3.4 RESEARCHER

Siemens reported these vulnerabilities to CISA.

4. MITIGATIONS

Siemens has identified the following specific workarounds and mitigations users can apply to reduce risk:

• All affected products: Update to V2.16.5 or later version

As a general security measure, Siemens recommends protecting network access to devices with appropriate mechanisms. To operate the devices in a protected IT environment, Siemens recommends configuring the environment according to Siemens' operational guidelines for industrial security and following recommendations in the product manuals.

Additional information on industrial security by Siemens can be found on the Siemens industrial security webpage

For more information see the associated Siemens security advisory SSA-301229 in HTML and CSAF.

CISA recommends users take defensive measures to minimize the risk of exploitation of these vulnerabilities, such as:

• Minimize network exposure for all control system devices and/or systems, ensuring they are not accessible from the Internet.
• Locate control system networks and remote devices behind firewalls and isolating them from business networks.
• When remote access is required, use more secure methods, such as Virtual Private Networks (VPNs). Recognize VPNs may have vulnerabilities, should be updated to the most recent version available, and are only as secure as the connected devices.

CISA reminds organizations to perform proper impact analysis and risk assessment prior to deploying defensive measures.

CISA also provides a section for control systems security recommended practices on the ICS webpage on cisa.gov. Several CISA products detailing cyber defense best practices are available for reading and download, including Improving Industrial Control Systems Cybersecurity with Defense-in-Depth Strategies.

CISA encourages organizations to implement recommended cybersecurity strategies for proactive defense of ICS assets.

Additional mitigation guidance and recommended practices are publicly available on the ICS webpage at cisa.gov in the technical information paper, ICS-TIP-12-146-01B--Targeted Cyber Intrusion Detection and Mitigation Strategies.

Organizations observing suspected malicious activity should follow established internal procedures and report findings to CISA for tracking and correlation against other incidents.

CISA also recommends users take the following measures to protect themselves from social engineering attacks:

• Do not click web links or open attachments in unsolicited email messages.
• Refer to Recognizing and Avoiding Email Scams for more information on avoiding email scams.
• Refer to Avoiding Social Engineering and Phishing Attacks for more information on social engineering attacks.

No known public exploitation specifically targeting these vulnerabilities has been reported to CISA at this time.

5. UPDATE HISTORY

• May 15, 2025: Initial Republication of Siemens SSA-301229

As of January 10, 2023, CISA will no longer be updating ICS security advisories for Siemens product vulnerabilities beyond the initial advisory. For the most up-to-date information on vulnerabilities in this advisory, please see Siemens' ProductCERT Security Advisories (CERT Services | Services | Siemens Global).

View CSAF

1. EXECUTIVE SUMMARY

• CVSS v4 8.5
• ATTENTION: Exploitable from adjacent network/low attack complexity
• Vendor: Siemens
• Equipment: SCALANCE LPE9403
• Vulnerabilities: Incorrect Permission Assignment for Critical Resource, Path Traversal: '.../...//', Use of Uninitialized Variable, NULL Pointer Dereference, Out-of-bounds Read, Stack-based Buffer Overflow, Authentication Bypass Using an Alternate Path or Channel, Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection'), Cleartext Transmission of Sensitive Information

2. RISK EVALUATION

Successful exploitation of these vulnerabilities could affect the confidentiality, integrity, and availability of affected devices.

3. TECHNICAL DETAILS 3.1 AFFECTED PRODUCTS

Siemens reports that the following products are affected:

• SCALANCE LPE9403 (6GK5998-3GS00-2AC2): All versions (CVE-2025-40572, CVE-2025-40573, CVE-2025-40574, CVE-2025-40575, CVE-2025-40576, CVE-2025-40577, CVE-2025-40578, CVE-2025-40579, CVE-2025-40580)
• SCALANCE LPE9403 (6GK5998-3GS00-2AC2): All versions (CVE-2025-40581, CVE-2025-40582, CVE-2025-40583)

3.2 VULNERABILITY OVERVIEW 3.2.1 INCORRECT PERMISSION ASSIGNMENT FOR CRITICAL RESOURCE CWE-732

Affected devices do not properly assign permissions to critical resources. This could allow a non-privileged local attacker to access sensitive information stored on the device.

CVE-2025-40572 has been assigned to this vulnerability. A CVSS v3 base score of 5.5 has been assigned; the CVSS vector string is (CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N).

A CVSS v4 score has also been calculated for CVE-2025-40572. A base score of 6.8 has been calculated; the CVSS vector string is (CVSS:4.0/AV:L/AC:L/AT:N/PR:L/UI:N/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N).

3.2.2 PATH TRAVERSAL: '.../...//' CWE-35

Affected devices are vulnerable to path traversal attacks. This could allow a privileged local attacker to restore backups that are outside the backup folder.

CVE-2025-40573 has been assigned to this vulnerability. A CVSS v3 base score of 4.4 has been assigned; the CVSS vector string is
(CVSS:3.1/AV:L/AC:L/PR:H/UI:N/S:U/C:N/I:H/A:N).

A CVSS v4 score has also been calculated for CVE-2025-40573. A base score of 6.7 has been calculated; the CVSS vector string is (CVSS:4.0/AV:L/AC:L/AT:N/PR:H/UI:N/VC:N/VI:H/VA:N/SC:N/SI:N/SA:N).

3.2.3 INCORRECT PERMISSION ASSIGNMENT FOR CRITICAL RESOURCE CWE-732

Affected devices do not properly assign permissions to critical resources. This could allow a non-privileged local attacker to interact with the backup manager service.

CVE-2025-40574 has been assigned to this vulnerability. A CVSS v3 base score of 7.8 has been assigned; the CVSS vector string is (CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H).

A CVSS v4 score has also been calculated for CVE-2025-40574. A base score of 8.5 has been calculated; the CVSS vector string is (CVSS:4.0/AV:L/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N).

3.2.4 USE OF UNINITIALIZED VARIABLE CWE-457

Affected devices do not properly validate incoming Profinet packets. An unauthenticated remote attacker can exploit this flaw by sending a specially crafted malicious packet, which leads to a crash of the dcpd process.

CVE-2025-40575 has been assigned to this vulnerability. A CVSS v3 base score of 4.3 has been assigned; the CVSS vector string is (CVSS:3.1/AV:A/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L).

A CVSS v4 score has also been calculated for CVE-2025-40574. A base score of 5.3 has been calculated; the CVSS vector string is (CVSS:4.0/AV:A/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:L/SC:N/SI:N/SA:N).

3.2.5 NULL POINTER DEREFERENCE CWE-476

Affected devices do not properly validate incoming Profinet packets. An unauthenticated remote attacker can exploit this flaw by sending a specially crafted malicious packet, which leads to a crash of the dcpd process.

CVE-2025-40576 has been assigned to this vulnerability. A CVSS v3 base score of 4.3 has been assigned; the CVSS vector string is (CVSS:3.1/AV:A/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L).

A CVSS v4 score has also been calculated for CVE-2025-40576. A base score of 5.3 has been calculated; the CVSS vector string is (CVSS:4.0/AV:A/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:L/SC:N/SI:N/SA:N).

3.2.6 OUT-OF-BOUNDS READ CWE-125

Affected devices do not properly validate incoming Profinet packets. An unauthenticated remote attacker can exploit this flaw by sending a specially crafted malicious packet, which leads to a crash of the dcpd process.

CVE-2025-40577 has been assigned to this vulnerability. A CVSS v3 base score of 4.3 has been assigned; the CVSS vector string is (CVSS:3.1/AV:A/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L).

A CVSS v4 score has also been calculated for CVE-2025-40577. A base score of 5.3 has been calculated; the CVSS vector string is (CVSS:4.0/AV:A/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:L/SC:N/SI:N/SA:N).

3.2.7 OUT-OF-BOUNDS READ CWE-125

Affected devices do not properly handle multiple incoming Profinet packets received in rapid succession. An unauthenticated remote attacker can exploit this flaw by sending multiple packets in a very short time frame, which leads to a crash of the dcpd process.

CVE-2025-40578 has been assigned to this vulnerability. A CVSS v3 base score of 4.3 has been assigned; the CVSS vector string is (CVSS:3.1/AV:A/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L).

A CVSS v4 score has also been calculated for CVE-2025-40578. A base score of 5.3 has been calculated; the CVSS vector string is (CVSS:4.0/AV:A/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:L/SC:N/SI:N/SA:N).

3.2.8 STACK-BASED BUFFER OVERFLOW CWE-121

Affected devices are vulnerable to a stack-based buffer overflow. This could allow a non-privileged local attacker to execute arbitrary code on the device or to cause a denial of service condition.

CVE-2025-40579 has been assigned to this vulnerability. A CVSS v3 base score of 6.7 has been assigned; the CVSS vector string is (CVSS:3.1/AV:L/AC:H/PR:L/UI:R/S:U/C:H/I:H/A:H).

A CVSS v4 score has also been calculated for CVE-2025-40579. A base score of 5.4 has been calculated; the CVSS vector string is (CVSS:4.0/AV:L/AC:H/AT:N/PR:L/UI:P/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N).

3.2.9 STACK-BASED BUFFER OVERFLOW CWE-121

Affected devices are vulnerable to a stack-based buffer overflow. This could allow a non-privileged local attacker to execute arbitrary code on the device or to cause a denial of service condition.

CVE-2025-40580 has been assigned to this vulnerability. A CVSS v3 base score of 6.7 has been assigned; the CVSS vector string is (CVSS:3.1/AV:L/AC:H/PR:L/UI:R/S:U/C:H/I:H/A:H).

A CVSS v4 score has also been calculated for CVE-2025-40580. A base score of 5.4 has been calculated; the CVSS vector string is (CVSS:4.0/AV:L/AC:H/AT:N/PR:L/UI:P/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N).

3.2.10 AUTHENTICATION BYPASS USING AN ALTERNATE PATH OR CHANNEL CWE-288

Affected devices are vulnerable to an authentication bypass. This could allow a non-privileged local attacker to bypass the authentication of the SINEMA Remote Connect Edge Client, and to read and modify the configuration parameters.

CVE-2025-40581 has been assigned to this vulnerability. A CVSS v3 base score of 7.1 has been assigned; the CVSS vector string is (CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:N).

A CVSS v4 score has also been calculated for CVE-2025-40581. A base score of 8.4 has been calculated; the CVSS vector string is (CVSS:4.0/AV:L/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:N/SC:N/SI:N/SA:N).

3.2.11 IMPROPER NEUTRALIZATION OF SPECIAL ELEMENTS USED IN AN OS COMMAND ('OS COMMAND INJECTION') CWE-78

Affected devices do not properly sanitize configuration parameters. This could allow a non-privileged local attacker to execute root commands on the device.

CVE-2025-40582 has been assigned to this vulnerability. A CVSS v3 base score of 7.8 has been assigned; the CVSS vector string is (CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H).

A CVSS v4 score has also been calculated for CVE-2025-40582. A base score of 8.5 has been calculated; the CVSS vector string is (CVSS:4.0/AV:L/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N).

3.2.12 CLEARTEXT TRANSMISSION OF SENSITIVE INFORMATION CWE-319

Affected devices do transmit sensitive information in cleartext. This could allow a privileged local attacker to retrieve this sensitive information.

CVE-2025-40583 has been assigned to this vulnerability. A CVSS v3 base score of 4.4 has been assigned; the CVSS vector string is (CVSS:3.1/AV:L/AC:L/PR:H/UI:N/S:U/C:H/I:N/A:N).

A CVSS v4 score has also been calculated for CVE-2025-40583. A base score of 6.7 has been calculated; the CVSS vector string is (CVSS:4.0/AV:L/AC:L/AT:N/PR:H/UI:N/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N).

3.3 BACKGROUND

• CRITICAL INFRASTRUCTURE SECTORS: Critical Manufacturing
• COUNTRIES/AREAS DEPLOYED: Worldwide
• COMPANY HEADQUARTERS LOCATION: Germany

3.4 RESEARCHER

Luca Borzacchiello from Nozomi Networks reported these vulnerabilities to Siemens.
Siemens reported these vulnerabilities to CISA.

4. MITIGATIONS

Siemens has identified the following specific workarounds and mitigations users can apply to reduce risk:

• SCALANCE LPE9403 (6GK5998-3GS00-2AC2): Currently no fix is available
• SCALANCE LPE9403 (6GK5998-3GS00-2AC2)(CVE-2025-40572, CVE-2025-40573, CVE-2025-40574, CVE-2025-40579, CVE-2025-40580, CVE-2025-40581, CVE-2025-40582, CVE-2025-40583): Restrict access to authorized and trusted personal only
• SCALANCE LPE9403 (6GK5998-3GS00-2AC2)(CVE-2025-40575, CVE-2025-40576, CVE-2025-40577, CVE-2025-40578): Disable the Profinet Discovery and Configuration Protocol (DCP) service
• SCALANCE LPE9403 (6GK5998-3GS00-2AC2)(CVE-2025-40582): Only use trusted SINEMA Remote Connect Servers

As a general security measure, Siemens recommends protecting network access to devices with appropriate mechanisms. To operate the devices in a protected IT environment, Siemens recommends configuring the environment according to Siemens' operational guidelines for industrial security and following recommendations in the product manuals.

Additional information on industrial security by Siemens can be found on the Siemens industrial security webpage

For more information see the associated Siemens security advisory SSA-327438 in HTML and CSAF.

CISA recommends users take defensive measures to minimize the risk of exploitation of these vulnerabilities, such as:

• Minimize network exposure for all control system devices and/or systems, ensuring they are not accessible from the Internet.
• Locate control system networks and remote devices behind firewalls and isolating them from business networks.
• When remote access is required, use more secure methods, such as Virtual Private Networks (VPNs). Recognize VPNs may have vulnerabilities, should be updated to the most recent version available, and are only as secure as the connected devices.

CISA reminds organizations to perform proper impact analysis and risk assessment prior to deploying defensive measures.

CISA also provides a section for control systems security recommended practices on the ICS webpage on cisa.gov. Several CISA products detailing cyber defense best practices are available for reading and download, including Improving Industrial Control Systems Cybersecurity with Defense-in-Depth Strategies.

CISA encourages organizations to implement recommended cybersecurity strategies for proactive defense of ICS assets.

Additional mitigation guidance and recommended practices are publicly available on the ICS webpage at cisa.gov in the technical information paper, ICS-TIP-12-146-01B--Targeted Cyber Intrusion Detection and Mitigation Strategies.

Organizations observing suspected malicious activity should follow established internal procedures and report findings to CISA for tracking and correlation against other incidents.

CISA also recommends users take the following measures to protect themselves from social engineering attacks:

• Do not click web links or open attachments in unsolicited email messages.
• Refer to Recognizing and Avoiding Email Scams for more information on avoiding email scams.
• Refer to Avoiding Social Engineering and Phishing Attacks for more information on social engineering attacks.

No known public exploitation specifically targeting these vulnerabilities has been reported to CISA at this time. These vulnerabilities are not exploitable remotely.

5. UPDATE HISTORY

• May 15, 2025: Initial Republication of Siemens SSA-327438

View CSAF

1. EXECUTIVE SUMMARY

• CVSS v4 8.6
• ATTENTION: Exploitable remotely/low attack complexity
• Vendor: ECOVACS
• Equipment: DEEBOT Vacuum and Base Station
• Vulnerabilities: Use of Hard-coded Cryptographic Key, Download of Code Without Integrity Check

2. RISK EVALUATION

Successful exploitation of these vulnerabilities could allow an attacker to send malicious updates to the devices or execute code.

3. TECHNICAL DETAILS 3.1 AFFECTED PRODUCTS

ECOVACS reports the following DEEBOT vacuum and base station devices are affected:

• X1S PRO: Versions prior to 2.5.38
• X1 PRO OMNI: Versions prior to 2.5.38
• X1 OMNI: Versions prior to 2.4.45
• X1 TURBO: Versions prior to 2.4.45
• T10 Series: Versions prior to 1.11.0
• T20 Series: Versions prior to 1.25.0
• T30 Series: Versions prior to 1.100.0

3.2 VULNERABILITY OVERVIEW 3.2.1 Use of Hard-coded Cryptographic Key CWE-321

ECOVACS robot vacuums and base stations communicate via an insecure Wi-Fi network with a deterministic WPA2-PSK. The key can be easily derived from the device serial number.

CVE-2025-30198 has been assigned to this vulnerability. A CVSS v3.1 base score of 6.3 has been calculated; the CVSS vector string is (CVSS:3.1/AV:A/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L).

A CVSS v4 score has also been calculated for CVE-2025-30198. A base score of 5.3 has been calculated; the CVSS vector string is (CVSS:4.0/AV:A/AC:L/AT:N/PR:N/UI:N/VC:L/VI:L/VA:L/SC:N/SI:N/SA:N).

3.2.2 Download of Code Without Integrity Check CWE-494

ECOVACS vacuum robot base stations do not validate firmware updates, so malicious over-the-air updates can be sent to base station via insecure connection between robot and base station.

CVE-2025-30199 has been assigned to this vulnerability. A CVSS v3.1 base score of 7.2 has been calculated; the CVSS vector string is (CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H).

A CVSS v4 score has also been calculated for CVE-2025-30199. A base score of 8.6 has been calculated; the CVSS vector string is (CVSS:4.0/AV:N/AC:L/AT:N/PR:H/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N).

3.2.3 Use of Hard-coded Cryptographic Key CWE-321

ECOVACS robot vacuums and base stations communicate via an insecure Wi-Fi network with a deterministic AES encryption key, which can be easily derived from the device serial number.

CVE-2025-30200 has been assigned to this vulnerability. A CVSS v3.1 base score of 6.3 has been calculated; the CVSS vector string is (CVSS:3.1/AV:A/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L).

A CVSS v4 score has also been calculated for CVE-2025-30200. A base score of 5.3 has been calculated; the CVSS vector string is (CVSS:4.0/AV:A/AC:L/AT:N/PR:N/UI:N/VC:L/VI:L/VA:L/SC:N/SI:N/SA:N).

3.3 BACKGROUND

• CRITICAL INFRASTRUCTURE SECTORS: Commercial Facilities
• COUNTRIES/AREAS DEPLOYED: Worldwide
• COMPANY HEADQUARTERS LOCATION: China

3.4 RESEARCHER

Dennis Giese, Braelynn Luedtke, and Chris Anderson reported these vulnerabilities to ECOVACS.

4. MITIGATIONS

ECOVACS has released software updates for the X1S PRO and X1 PRO OMNI. The remaining affected products will have updates available by May 31, 2025. Devices that support automatic updates will receive system update notifications. ECOVACS has proactively pushed the update to users, ensuring all users will be covered by May 31st. Users can complete the fix by performing the system update.

For more information, see ECOVACS security advisory.

Users can contact ECOVACS using information provided on their website.

CISA recommends users take defensive measures to minimize the risk of exploitation of these vulnerabilities, such as:

• Minimize network exposure for all control system devices and/or systems, ensuring they are not accessible from the Internet.
• Locate control system networks and remote devices behind firewalls and isolating them from business networks.
• When remote access is required, use more secure methods, such as virtual private networks (VPNs), recognizing VPNs may have vulnerabilities and should be updated to the most current version available. Also recognize VPN is only as secure as the connected devices.

CISA reminds organizations to perform proper impact analysis and risk assessment prior to deploying defensive measures.

CISA also provides a section for control systems security recommended practices on the ICS webpage on cisa.gov/ics. Several CISA products detailing cyber defense best practices are available for reading and download, including Improving Industrial Control Systems Cybersecurity with Defense-in-Depth Strategies.

CISA encourages organizations to implement recommended cybersecurity strategies for proactive defense of ICS assets.

Additional mitigation guidance and recommended practices are publicly available on the ICS webpage at cisa.gov/ics in the technical information paper, ICS-TIP-12-146-01B--Targeted Cyber Intrusion Detection and Mitigation Strategies.

Organizations observing suspected malicious activity should follow established internal procedures and report findings to CISA for tracking and correlation against other incidents.

CISA also recommends users take the following measures to protect themselves from social engineering attacks:

• Do not click web links or open attachments in unsolicited email messages.
• Refer to Recognizing and Avoiding Email Scams for more information on avoiding email scams.
• Refer to Avoiding Social Engineering and Phishing Attacks for more information on social engineering attacks.

No known public exploitation specifically targeting these vulnerabilities has been reported to CISA at this time.

5. UPDATE HISTORY

• May 15, 2025: Initial Publication

View CSAF

1. EXECUTIVE SUMMARY

• CVSS v4 4.6
• ATTENTION: Low attack complexity
• Vendor: Schneider Electric
• Equipment: EcoStruxure Power Build Rapsody
• Vulnerability: Stack-based Buffer Overflow

2. RISK EVALUATION

Successful exploitation of this vulnerability could allow an attacker to execute arbitrary code.

3. TECHNICAL DETAILS 3.1 AFFECTED PRODUCTS

The following versions of Schneider Electric EcoStruxure Power Build Rapsody is affected:

• EcoStruxure Power Build Rapsody: Version v2.7.12 FR and prior

3.2 VULNERABILITY OVERVIEW 3.2.1 STACK-BASED BUFFER OVERFLOW CWE-121

A CWE-121 Stack-based Buffer Overflow vulnerability exists that could cause local attackers being able to exploit these issues to potentially execute arbitrary code while the end user opens a malicious project file (SSD file) provided by the attacker.

CVE-2025-3916 has been assigned to this vulnerability. A CVSS v3.1 base score of 5.3 has been calculated; the CVSS vector string is (AV:L/AC:L/PR:N/UI:R/S:U/C:L/I:L/A:L).

A CVSS v4 score has also been calculated for CVE-2025-3916. A base score of 4.6 has been calculated; the CVSS vector string is (AV:L/AC:L/AT:N/PR:N/UI:A/VC:L/VI:L/VA:L/SC:N/SI:N/SA:N).

3.3 BACKGROUND

• CRITICAL INFRASTRUCTURE SECTORS: Commercial Facilities, Critical Manufacturing, Energy
• COUNTRIES/AREAS DEPLOYED: Worldwide
• COMPANY HEADQUARTERS LOCATION: France

3.4 RESEARCHER

Michael Heinzl reported this vulnerability to CISA.

4. MITIGATIONS

Schneider Electric has identified the following specific workarounds and mitigations users can apply to reduce risk:

• EcoStruxure Power Build Rapsody: Version v2.8.2 FR of EcoStruxure Power Build Rapsody includes a fix for this vulnerability and is available for download.
• Store the project files in a secure storage and restrict the access to only trusted users.
• When exchanging files over the network, use secure communication protocols.
• Encrypt project files when stored.
• Only open project files received from a trusted source.
• Compute a hash of the project files and regularly check the consistency of this hash to verify the integrity before usage.
• Harden the workstation running EcoStruxure Power Build Rapsody

Schneider Electric strongly recommends the following industry cybersecurity best practices:

• Locate control and safety system networks and remote devices behind firewalls and isolate them from the business network.
• Install physical controls so no unauthorized personnel can access your industrial control and safety systems, components, peripheral equipment, and networks.
• Place all controllers in locked cabinets and never leave them in the "Program" mode.
• Never connect programming software to any network other than the network for the devices that it is intended.
• Scan all methods of mobile data exchange with the isolated network such as CDs, USB drives, etc. before use in the terminals or any node connected to these networks.
• Never allow laptops that have connected to any other network besides the intended network to connect to the safety or control networks without proper sanitation.
• Minimize network exposure for all control system devices and systems, and ensure that they are not accessible from the Internet.
• When remote access is required, use secure methods, such as virtual private networks (VPNs). Recognize that VPNs may have vulnerabilities and should be updated to the most current version available. Also, understand that VPNs are only as secure as the connected devices.

For more information, see Schneider Electric security notification SEVD-2025-133-03.

CISA recommends users take defensive measures to minimize the risk of exploitation of this vulnerability, such as:

• Minimize network exposure for all control system devices and/or systems, ensuring they are not accessible from the internet.
• Locate control system networks and remote devices behind firewalls and isolating them from business networks.
• When remote access is required, use more secure methods, such as Virtual Private Networks (VPNs), recognizing VPNs may have vulnerabilities and should be updated to the most current version available. Also recognize VPN is only as secure as the connected devices.

CISA reminds organizations to perform proper impact analysis and risk assessment prior to deploying defensive measures.

CISA also provides a section for control systems security recommended practices on the ICS webpage on cisa.gov/ics. Several CISA products detailing cyber defense best practices are available for reading and download, including Improving Industrial Control Systems Cybersecurity with Defense-in-Depth Strategies.

CISA encourages organizations to implement recommended cybersecurity strategies for proactive defense of ICS assets.

Additional mitigation guidance and recommended practices are publicly available on the ICS webpage at cisa.gov/ics in the technical information paper, ICS-TIP-12-146-01B--Targeted Cyber Intrusion Detection and Mitigation Strategies.

Organizations observing suspected malicious activity should follow established internal procedures and report findings to CISA for tracking and correlation against other incidents.

CISA also recommends users take the following measures to protect themselves from social engineering attacks:

• Do not click web links or open attachments in unsolicited email messages.
• Refer to Recognizing and Avoiding Email Scams for more information on avoiding email scams.
• Refer to Avoiding Social Engineering and Phishing Attacks for more information on social engineering attacks.

No known public exploitation specifically targeting this vulnerability has been reported to CISA at this time. This vulnerability is not exploitable remotely.

5. UPDATE HISTORY

• May 15, 2025: Initial Publication

View CSAF

1. EXECUTIVE SUMMARY

• CVSS v4 9.3
• ATTENTION: Exploitable remotely/low attack complexity
• Vendor: Hitachi Energy
• Equipment: Service Suite
• Vulnerabilities: Use of Less Trusted Source, Inconsistent Interpretation of HTTP Requests ('HTTP Request/Response Smuggling'), Integer Overflow or Wraparound, Out-of-bounds Write, Allocation of Resources Without Limits or Throttling, Exposure of Sensitive Information to an Unauthorized Actor, Memory Allocation with Excessive Size Value, Out-of-bounds Read, Uncontrolled Resource Consumption, Improper Resource Shutdown or Release, Improper Neutralization of CRLF Sequences in HTTP Headers ('HTTP Request/Response Splitting')

2. RISK EVALUATION

Successful exploitation of these vulnerabilities could allow an attacker to compromise the confidentiality, integrity, or availability of affected devices.

3. TECHNICAL DETAILS 3.1 AFFECTED PRODUCTS

Hitachi Energy reports the following products are affected:

• Service Suite: Versions 9.8.1.3 and prior

3.2 VULNERABILITY OVERVIEW 3.2.1 Use of Less Trusted Source CWE-348

Apache HTTP Server 2.4.53 and earlier, which is part of the Service Suite product, may not send the X-Forwarded-* headers to the origin server due to the client-side Connection header hop-by-hop mechanism. This vulnerability can be exploited to bypass IP-based authentication on the origin server or application.

CVE-2022-31813 has been assigned to this vulnerability. A CVSS v3.1 base score of 9.8 has been calculated; the CVSS vector string is (AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H).

A CVSS v4 score has also been calculated for CVE-2022-31813. A base score of 9.3 has been calculated; the CVSS vector string is (AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N).

3.2.2 Inconsistent Interpretation of HTTP Requests ('HTTP Request/Response Smuggling') CWE-444

Some mod_proxy configurations on Service Suite product's Apache HTTP Server versions 2.4.0 through 2.4.55 allow a HTTP request smuggling attack. Configurations are affected when mod_proxy is enabled along with some form of RewriteRule or ProxyPassMatch in which a non-specific pattern matches some portion of the user-supplied request-target (URL) data and is then re-inserted into the proxied request-target using variable substitution.

CVE-2023-25690 has been assigned to this vulnerability. A CVSS v3.1 base score of 9.8 has been calculated; the CVSS vector string is (AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H).

A CVSS v4 score has also been calculated for CVE-2023-25690. A base score of 9.3 has been calculated; the CVSS vector string is (AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N).

3.2.3 Integer Overflow or Wraparound CWE-190

Apache HTTP Server 2.4.53 and earlier, which is part of the Service Suite product, may crash or disclose information due to a read beyond bounds in ap_strcmp_match() when provided with an extremely large input buffer. While no code distributed with the server can be coerced into making such a call, third-party modules or Lua scripts that use ap_strcmp_match() may hypothetically be affected.

CVE-2022-28615 has been assigned to this vulnerability. A CVSS v3.1 base score of 9.1 has been calculated; the CVSS vector string is (AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:H).

A CVSS v4 score has also been calculated for CVE-2022-28615. A base score of 8.8 has been calculated; the CVSS vector string is (AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:N/VA:H/SC:N/SI:N/SA:N).

3.2.4 Inconsistent Interpretation of HTTP Requests ('HTTP Request/Response Smuggling') CWE-444

An inconsistent interpretation of HTTP requests ('HTTP request smuggling') vulnerability in mod_proxy_ajp of Apache HTTP Server allows an attacker to smuggle requests to the AJP server it forwards requests to. This issue affects Apache HTTP Server versions 2.4.54 and prior, which are part of the Service Suite product.

CVE-2022-36760 has been assigned to this vulnerability. A CVSS v3.1 base score of 9.0 has been calculated; the CVSS vector string is (AV:N/AC:H/PR:N/UI:N/S:C/C:H/I:H/A:H).

A CVSS v4 score has also been calculated for CVE-2022-36760. A base score of 9.2 has been calculated; the CVSS vector string is (AV:N/AC:H/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N).

3.2.5 Inconsistent Interpretation of HTTP Requests ('HTTP Request/Response Smuggling') CWE-444

An HTTP response smuggling vulnerability exists in Apache HTTP Server via mod_proxy_uwsgi. This issue affects Apache HTTP Server versions 2.4.30 through 2.4.55, which are part of the Service Suite product. Special characters in the origin response header can truncate or split the response forwarded to the client.

CVE-2023-27522 has been assigned to this vulnerability. A CVSS v3.1 base score of 7.5 has been calculated; the CVSS vector string is (AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N).

A CVSS v4 score has also been calculated for CVE-2023-27522. A base score of 8.7 has been calculated; the CVSS vector string is (AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:H/VA:N/SC:N/SI:N/SA:N).

3.2.6 Out-of-bounds Write CWE-787

A carefully crafted If: request header can cause a memory read or write of a single zero byte in a pool (heap) memory location beyond the header value sent. This could cause the process to crash. This issue affects Apache HTTP Server versions 2.4.54 and earlier, which are part of the Service Suite product.

CVE-2006-20001 has been assigned to this vulnerability. A CVSS v3.1 base score of 7.5 has been calculated; the CVSS vector string is (AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N).

A CVSS v4 score has also been calculated for CVE-2006-20001. A base score of 8.7 has been calculated; the CVSS vector string is (AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:H/VA:N/SC:N/SI:N/SA:N).

3.2.7 Allocation of Resources Without Limits or Throttling CWE-770

In Apache HTTP Server 2.4.53 and earlier, which are part of the Service Suite product, a malicious request to a Lua script that calls r:parsebody(0) may cause a denial of service due to the lack of a default limit on possible input size.

CVE-2022-29404 has been assigned to this vulnerability. A CVSS v3.1 base score of 7.5 has been calculated; the CVSS vector string is (AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H).

A CVSS v4 score has also been calculated for CVE-2022-29404. A base score of 8.7 has been calculated; the CVSS vector string is (AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N).

3.2.8 Exposure of Sensitive Information to an Unauthorized Actor CWE-200

Apache HTTP Server 2.4.53 and earlier, which is part of the Service Suite product, may return lengths to applications calling r:wsread() that point past the end of the storage allocated for the buffer.

CVE-2022-30556 has been assigned to this vulnerability. A CVSS v3.1 base score of 7.5 has been calculated; the CVSS vector string is (AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N).

A CVSS v4 score has also been calculated for CVE-2022-30556. A base score of 8.7 has been calculated; the CVSS vector string is (AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N).

3.2.9 Memory Allocation with Excessive Size Value CWE-789

If Apache HTTP Server 2.4.53, which is part of the Service Suite product, is configured to perform transformations with mod_sed in contexts where the input to mod_sed may be very large, mod_sed may make excessively large memory allocations and trigger an abort.

CVE-2022-30522 has been assigned to this vulnerability. A CVSS v3.1 base score of 7.5 has been calculated; the CVSS vector string is (AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H).

A CVSS v4 score has also been calculated for CVE-2022-30522. A base score of 8.7 has been calculated; the CVSS vector string is (AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N).

3.2.10 Inconsistent Interpretation of HTTP Requests ('HTTP Request/Response Smuggling') CWE-444

An inconsistent interpretation of HTTP requests ('HTTP request smuggling') vulnerability in mod_proxy_ajp of Apache HTTP Server allows an attacker to smuggle requests to the AJP server it forwards requests to. This issue affects Apache HTTP Server versions 2.4.53 and earlier, which are part of the Service Suite product.

CVE-2022-26377 has been assigned to this vulnerability. A CVSS v3.1 base score of 7.5 has been calculated; the CVSS vector string is (AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N).

A CVSS v4 score has also been calculated for CVE-2022-26377. A base score of 8.7 has been calculated; the CVSS vector string is (AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:H/VA:N/SC:N/SI:N/SA:N).

3.2.11 Out-of-bounds Read CWE-125

An inconsistent interpretation of HTTP requests ('HTTP request smuggling') vulnerability in mod_proxy_ajp of Apache HTTP Server allows an attacker to smuggle requests to the AJP server it forwards requests to. This issue affects Apache HTTP Server versions 2.4.53 and earlier, which are part of the Service Suite product.

CVE-2023-31122 has been assigned to this vulnerability. A CVSS v3.1 base score of 7.5 has been calculated; the CVSS vector string is (AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H).

A CVSS v4 score has also been calculated for CVE-2023-31122. A base score of 8.7 has been calculated; the CVSS vector string is (AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N).

3.2.12 Uncontrolled Resource Consumption CWE-400

An attacker opening an HTTP/2 connection with an initial window size of 0 can block the handling of that connection indefinitely in Apache HTTP Server. This could be used to exhaust worker resources in the server, similar to the well-known "slow loris" attack pattern. This issue affects Apache HTTP Server versions 2.4.55 through 2.4.57, which are part of the Service Suite product.

CVE-2023-43622 has been assigned to this vulnerability. A CVSS v3.1 base score of 7.5 has been calculated; the CVSS vector string is (AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H).

A CVSS v4 score has also been calculated for CVE-2023-43622. A base score of 8.7 has been calculated; the CVSS vector string is (AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N).

3.2.13 Improper Resource Shutdown or Release CWE-404

When an HTTP/2 stream is reset (RST frame) by a client, there is a time window where the request's memory resources are not immediately reclaimed. Instead, deallocation is deferred until the connection closes. A client can send new requests and resets, keeping the connection busy and open, causing the memory footprint to keep growing. Upon connection close, all resources are reclaimed, but the process might run out of memory before that. This issue affects Apache HTTP Server versions 2.4.17 through 2.4.57, which are part of the Service Suite product.

CVE-2023-45802 has been assigned to this vulnerability. A CVSS v3.1 base score of 5.9 has been calculated; the CVSS vector string is (AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:H).

A CVSS v4 score has also been calculated for CVE-2023-45802. A base score of 8.2 has been calculated; the CVSS vector string is (AV:N/AC:H/AT:N/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N).

3.2.14 Improper Neutralization of CRLF Sequences in HTTP Headers ('HTTP Request/Response Splitting') CWE-113

In Apache HTTP Server versions prior to 2.4.55, which are part of the Service Suite product, a malicious backend can cause the response headers to be truncated early, resulting in some headers being incorporated into the response body. If the later headers have any security purpose, they will not be interpreted by the client.

CVE-2022-37436 has been assigned to this vulnerability. A CVSS v3.1 base score of 5.3 has been calculated; the CVSS vector string is (AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N).

A CVSS v4 score has also been calculated for CVE-2022-37436. A base score of 6.9 has been calculated; the CVSS vector string is (AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N).

3.2.15 Exposure of Sensitive Information to an Unauthorized Actor CWE-200

The ap_rwrite() function in Apache HTTP Server versions 2.4.53 and earlier, which are part of the Service Suite product, may read unintended memory if an attacker can cause the server to reflect very large input using ap_rwrite() or ap_rputs(), such as with mod_lua's r:puts() function.

CVE-2022-28614 has been assigned to this vulnerability. A CVSS v3.1 base score of 5.3 has been calculated; the CVSS vector string is (AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N).

A CVSS v4 score has also been calculated for CVE-2022-28614. A base score of 6.9 has been calculated; the CVSS vector string is (AV:N/AC:L/AT:N/PR:N/UI:N/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N).

3.2.16 Out-of-bounds Read CWE-125

Apache HTTP Server versions 2.4.53 and earlier, which are part of the Service Suite product on Windows, may read beyond bounds when configured to process requests with the mod_isapi module.

CVE-2022-28330 has been assigned to this vulnerability. A CVSS v3.1 base score of 5.3 has been calculated; the CVSS vector string is (AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N).

A CVSS v4 score has also been calculated for CVE-2022-28330. A base score of 6.9 has been calculated; the CVSS vector string is (AV:N/AC:L/AT:N/PR:N/UI:N/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N).

3.3 BACKGROUND

• CRITICAL INFRASTRUCTURE SECTORS: Energy
• COUNTRIES/AREAS DEPLOYED: Worldwide
• COMPANY HEADQUARTERS LOCATION: Switzerland

3.4 RESEARCHER

Hitachi Energy reported these vulnerabilities to CISA.

4. MITIGATIONS

Hitachi Energy recommends affected users update to 9.8.1.4

For more information see the associated Hitachi Energy cybersecurity advisory 8DBD000209.

Hitachi Energy recommends security practices and firewall configurations to help protect process control networks from external attacks. These practices include ensuring that process control systems are physically protected from unauthorized personnel, have no direct connections to the Internet, and are separated from other networks by a firewall system with a minimal number of exposed ports. Each case should be evaluated individually. Process control systems should not be used for Internet surfing, instant messaging, or receiving emails. Portable computers and removable storage media should be carefully scanned for viruses before being connected to a control system. Proper password policies and processes should also be followed.

CISA recommends users take defensive measures to minimize the risk of exploitation of these vulnerabilities. CISA reminds organizations to perform proper impact analysis and risk assessment prior to deploying defensive measures.

CISA also provides a section for control systems security recommended practices on the ICS webpage on cisa.gov/ics. Several CISA products detailing cyber defense best practices are available for reading and download, including Improving Industrial Control Systems Cybersecurity with Defense-in-Depth Strategies.

CISA encourages organizations to implement recommended cybersecurity strategies for proactive defense of ICS assets.

Additional mitigation guidance and recommended practices are publicly available on the ICS webpage at cisa.gov/ics in the technical information paper, ICS-TIP-12-146-01B--Targeted Cyber Intrusion Detection and Mitigation Strategies.

Organizations observing suspected malicious activity should follow established internal procedures and report findings to CISA for tracking and correlation against other incidents.

CISA also recommends users take the following measures to protect themselves from social engineering attacks:

• Do not click web links or open attachments in unsolicited email messages.
• Refer to Recognizing and Avoiding Email Scams for more information on avoiding email scams.
• Refer to Avoiding Social Engineering and Phishing Attacks for more information on social engineering attacks.

No known public exploitation specifically targeting these vulnerabilities has been reported to CISA at this time.

5. UPDATE HISTORY

• May 13, 2025: Initial Republication of Hitachi Energy Advisory 8DBD000209

View CSAF

1. EXECUTIVE SUMMARY

• CVSS v4 7.1
• ATTENTION: Low attack complexity
• Vendor: Hitachi Energy
• Equipment: Relion 670/650/SAM600-IO Series
• Vulnerability: Buffer Copy without Checking Size of Input ('Classic Buffer Overflow')

2. RISK EVALUATION

Successful exploitation of this vulnerability can allow an attacker to reboot the device and cause a denial-of-service condition.

3. TECHNICAL DETAILS 3.1 AFFECTED PRODUCTS

Hitachi Energy reports the following products are affected:

• Relion 670/650/SAM600-IO series: Versions 2.2.2.0 up to but not including 2.2.2.6
• Relion 670/650/SAM600-IO series: Versions 2.2.3.0 up to but not including 2.2.3.7
• Relion 670/650/SAM600-IO series: Versions 2.2.4.0 up to but not including 2.2.4.4
• Relion 670/650/SAM600-IO series: Versions 2.2.5.6 up to but not including 2.2.5.6
• Relion 670/650/SAM600-IO series: 2.2.0.x
• Relion 670/650/SAM600-IO series: 2.2.1.x

3.2 VULNERABILITY OVERVIEW 3.2.1 BUFFER COPY WITHOUT CHECKING SIZE OF INPUT ('CLASSIC BUFFER OVERFLOW') CWE-120

A vulnerability exists in the input validation of the GOOSE messages where out of range values received and processed by the IED cause a reboot of the device. In order for an attacker to exploit the vulnerability, GOOSE receiving blocks need to be configured.

CVE-2023-4518 has been assigned to this vulnerability. A CVSS v3 base score of 6.5 has been assigned; the CVSS vector string is (CVSS:3.1/AV:A/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H).

A CVSS v4 score has also been calculated for CVE-2023-4518. A base score of 7.1 has been calculated; the CVSS vector string is (CVSS:4.0/AV:A/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N).

3.3 BACKGROUND

• CRITICAL INFRASTRUCTURE SECTORS: Energy
• COUNTRIES/AREAS DEPLOYED: Worldwide
• COMPANY HEADQUARTERS LOCATION: Switzerland

3.4 RESEARCHER

Hitachi Energy PSIRT reported this vulnerability to CISA.

4. MITIGATIONS

Hitachi Energy identified the following specific workarounds and mitigations users can apply to reduce risk:

• Relion 670 series Version 2.2.2.x up to but not including 2.2.2.6: Update to Version 2.2.2.6
• Relion 670 series Version 2.2.3.x up to but not including 2.2.3.7: Update to Version 2.2.3.7
• Relion 670/650 series Version 2.2.4.x up to but not including 2.2.4.4: Update to Version 2.2.4.4
• Relion 670/650/SAM600-IO series Version 2.2.5.6 up to but not including 2.2.5.6: Update to Version 2.2.5.6
• Relion 670 series Version 2.2.0 all revisions and Relion 670/650/SAM600-IO series Version 2.2.1 all revisions: Apply general mitigations.

For more information see the associated Hitachi Energy PSIRT security advisory 8DBD000170 Cybersecurity Advisory - Improper Input Validation Vulnerability in Hitachi Energy's Relion® 670/650/SAM600-IO series Product.

CISA recommends users take defensive measures to minimize the risk of exploitation of this vulnerability, such as:

• Minimize network exposure for all control system devices and/or systems, ensuring they are not accessible from the Internet.
• Locate control system networks and remote devices behind firewalls and isolating them from business networks.
• When remote access is required, use more secure methods, such as Virtual Private Networks (VPNs). Recognize VPNs may have vulnerabilities, should be updated to the most recent version available, and are only as secure as the connected devices.

CISA reminds organizations to perform proper impact analysis and risk assessment prior to deploying defensive measures.

CISA also provides a section for control systems security recommended practices on the ICS webpage on cisa.gov. Several CISA products detailing cyber defense best practices are available for reading and download, including Improving Industrial Control Systems Cybersecurity with Defense-in-Depth Strategies.

CISA encourages organizations to implement recommended cybersecurity strategies for proactive defense of ICS assets.

Additional mitigation guidance and recommended practices are publicly available on the ICS webpage at cisa.gov in the technical information paper, ICS-TIP-12-146-01B--Targeted Cyber Intrusion Detection and Mitigation Strategies.

Organizations observing suspected malicious activity should follow established internal procedures and report findings to CISA for tracking and correlation against other incidents.

CISA also recommends users take the following measures to protect themselves from social engineering attacks:

• Do not click web links or open attachments in unsolicited email messages.
• Refer to Recognizing and Avoiding Email Scams for more information on avoiding email scams.
• Refer to Avoiding Social Engineering and Phishing Attacks for more information on social engineering attacks.

No known public exploitation specifically targeting this vulnerability has been reported to CISA at this time.

5. UPDATE HISTORY

• May 13, 2025: Initial Republication of Hitachi Energy Advisory 8DBD000170

View CSAF

1. EXECUTIVE SUMMARY

• CVSS v4 9.4
• ATTENTION: Exploitable remotely/low attack complexity
• Vendor: Hitachi Energy
• Equipment: MACH GWS products
• Vulnerabilities: Improper Neutralization of Special Elements in Data Query Logic, Improper Limitation of a Pathname to a Restricted Directory, Authentication Bypass by Capture-replay, Missing Authentication for Critical Function

2. RISK EVALUATION

Successful exploitation of these vulnerabilities could allow an attacker to inject code, read or modify files, hijack user sessions, or access exposed ports without authentication.

3. TECHNICAL DETAILS 3.1 AFFECTED PRODUCTS

The following versions of Hitachi Energy products are affected:

• MACH GWS: Version 2.1.0.0 (CVE-2024-4872, CVE-2024-3980)
• MACH GWS: Versions 2.2.0.0 to 2.4.0.0 (CVE-2024-4872, CVE-2024-3980)
• MACH GWS: Versions 3.0.0.0 to 3.3.0.0 (CVE-2024-4872, CVE-2024-3980, CVE-2024-3982)
• MACH GWS: Versions 3.1.0.0 to 3.3.0.0 (CVE-2024-7940)

3.2 VULNERABILITY OVERVIEW 3.2.1 IMPROPER NEUTRALIZATION OF SPECIAL ELEMENTS IN DATA QUERY LOGIC CWE-943

A vulnerability exists in the query validation of the MACH GWS product. If exploited this could allow an authenticated attacker to inject code towards persistent data. Note that to successfully exploit this vulnerability an attacker must have a valid credential.

CVE-2024-4872 has been assigned to this vulnerability. A CVSS v3.1 base score of 9.9 has been calculated; the CVSS vector string is (AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H).

A CVSS v4 score has also been calculated for CVE-2024-4872. A base score of 9.0 has been calculated; the CVSS vector string is (AV:N/AC:L/AT:P/PR:L/UI:N/VC:H/VI:H/VA:H/SC:H/SI:H/SA:H).

3.2.2 IMPROPER LIMITATION OF A PATHNAME TO A RESTRICTED DIRECTORY ('PATH TRAVERSAL') CWE-22

The MACH GWS product allows an authenticated user input to control or influence paths or file names that are used in filesystem operations. If exploited the vulnerability allows the attacker to access or modify system files or other files that are critical to the application.

CVE-2024-3980 has been assigned to this vulnerability. A CVSS v3.1 base score of 9.9 has been calculated; the CVSS vector string is (AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H).

A CVSS v4 score has also been calculated for CVE-2024-3980. A base score of 9.4 has been calculated; the CVSS vector string is (AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:H/SC:H/SI:H/SA:H).

3.2.3 AUTHENTICATION BYPASS BY CAPTURE-REPLAY CWE-294

An attacker with local access to machine where MACH GWS is installed, could enable the session logging supporting the product and try to exploit a session hijacking of an already established session.

Note: By default, the session logging level is not enabled and only users with administrator rights can enable it.

CVE-2024-3982 has been assigned to this vulnerability. A CVSS v3.1 base score of 8.2 has been calculated; the CVSS vector string is (AV:L/AC:L/PR:H/UI:N/S:C/C:H/I:H/A:H).

A CVSS v4 score has also been calculated for CVE-2024-3982. A base score of 7.3 has been calculated; the CVSS vector string is (AV:L/AC:L/AT:P/PR:H/UI:P/VC:H/VI:H/VA:H/SC:H/SI:H/SA:H).

3.2.4 MISSING AUTHENTICATION FOR CRITICAL FUNCTION CWE-306

The MACH GWS product exposes a service that is intended for local only to all network interfaces without any authentication.

CVE-2024-7940 has been assigned to this vulnerability. A CVSS v3.1 base score of 8.3 has been calculated; the CVSS vector string is (AV:N/AC:H/PR:N/UI:R/S:C/C:H/I:H/A:H).

A CVSS v4 score has also been calculated for CVE-2024-7940. A base score of 8.8 has been calculated; the CVSS vector string is (AV:N/AC:H/AT:N/PR:H/UI:P/VC:H/VI:H/VA:H/SC:H/SI:H/SA:H).

3.3 PRODUCT IMPACT

Additional product-specific impact for MACH GWS 2 affected product vulnerable to the CVE:

• CVE-2024-4872
• (Hitachi Energy MACH GWS 2): A CVSS v3.1 base score of 8.8 has been calculated; the CVSS vector string is (CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H).
• (Hitachi Energy MACH GWS 2) A CVSS v4.0 base score of 9.3 has been calculated; the CVSS vector string is (CVSS:4.0/AV:L/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:H/SC:H/SI:H/SA:H).
• CVE-2024-3980
• (Hitachi Energy MACH GWS 2): A CVSS v3.1 base score of 8.8 has been calculated; the CVSS vector string is (CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H).
• (Hitachi Energy MACH GWS 2) A CVSS v4.0 base score of 9.3 has been calculated; the CVSS vector string is (CVSS:4.0/AV:L/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:H/SC:H/SI:H/SA:H).

3.4 BACKGROUND

• CRITICAL INFRASTRUCTURE SECTORS: Energy
• COUNTRIES/AREAS DEPLOYED: Worldwide
• COMPANY HEADQUARTERS LOCATION: Switzerland

3.5 RESEARCHER

Hitachi Energy reported these vulnerabilities to CISA.

4. MITIGATIONS

Hitachi Energy recommends that users update to the new versions listed below:

• MACH GWS Versions 3.0.0.0 to 3.3.0.0: Upgrade to version 3.4.0.0.
• MACH GWS Version 2.1.0.0: Apply the patch HF1 to HF6 sequentially.
• MACH GWS Versions 2.2.0.0 to 2.4.0.0: Apply the patch HF3 to HF6 sequentially.

For more information, visit the Hitachi Energy security advisory.

Hitachi Energy recommended security practices and firewall configurations can help protect a process control network from attacks originating outside the network. Such practices include ensuring that process control systems are physically protected from direct access by unauthorized personnel, have no direct connections to the Internet, and are separated from other networks by a firewall system with a minimal number of exposed ports, evaluated on a case-by-case basis. Process control systems should not be used for Internet surfing, instant messaging, or receiving emails. Portable computers and removable storage media should be carefully scanned for viruses before being connected to a control system. Proper password policies and processes should be followed.

CISA recommends users take defensive measures to minimize the risk of exploitation of these vulnerabilities. CISA reminds organizations to perform proper impact analysis and risk assessment prior to deploying defensive measures.

CISA also provides a section for control systems security recommended practices on the ICS webpage on cisa.gov/ics. Several CISA products detailing cyber defense best practices are available for reading and download, including Improving Industrial Control Systems Cybersecurity with Defense-in-Depth Strategies.

CISA encourages organizations to implement recommended cybersecurity strategies for proactive defense of ICS assets.

Additional mitigation guidance and recommended practices are publicly available on the ICS webpage at cisa.gov/ics in the technical information paper, ICS-TIP-12-146-01B--Targeted Cyber Intrusion Detection and Mitigation Strategies.

Organizations observing suspected malicious activity should follow established internal procedures and report findings to CISA for tracking and correlation against other incidents.

CISA also recommends users take the following measures to protect themselves from social engineering attacks:

• Do not click web links or open attachments in unsolicited email messages.
• Refer to Recognizing and Avoiding Email Scams for more information on avoiding email scams.
• Refer to Avoiding Social Engineering and Phishing Attacks for more information on social engineering attacks.

No known public exploitation specifically targeting these vulnerabilities has been reported to CISA at this time.

5. UPDATE HISTORY

• May 13, 2025: Initial Republication of Hitachi Energy Advisory 8DBD000211

View CSAF

1. EXECUTIVE SUMMARY

• CVSS v4 8.5
• ATTENTION: Low attack complexity
• Vendor: ABB
• Equipment: Automation Builder
• Vulnerabilities: Incorrect Permission Assignment for Critical Resource

2. RISK EVALUATION

Successful exploitation of these vulnerabilities could allow an attacker to overrule the Automation Builder's user management.

3. TECHNICAL DETAILS 3.1 AFFECTED PRODUCTS

The following versions of Automation Builder are affected:

• Automation Builder: All versions

3.2 VULNERABILITY OVERVIEW 3.2.1 INCORRECT PERMISSION ASSIGNMENT FOR CRITICAL RESOURCE CWE-732

The affected products store all user management information in the project file. Despite the password data being fully encrypted, an attacker could try to modify parts of the Automation Builder project file by specially crafting contents so the user management will be overruled.

CVE-2025-3394 has been assigned to this vulnerability. A CVSS v3 base score of 7.8 has been calculated; the CVSS vector string is (AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H).

A CVSS v4 score has also been calculated for CVE-2025-3394. A base score of 8.5 has been calculated; the CVSS vector string is (AV:L/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N).

3.2.2 INCORRECT PERMISSION ASSIGNMENT FOR CRITICAL RESOURCE CWE-732

Automation Builder projects, including AC500 V2 or SM560-S devices, contain the application files for these devices. An attacker could try to modify parts of these files so the project can be changed by overruling the Automation Builder user management.

CVE-2025-3395 has been assigned to this vulnerability. A CVSS v3 base score of 7.1 has been calculated; the CVSS vector string is (AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:N).

A CVSS v4 score has also been calculated for CVE-2025-3395. A base score of 8.4 has been calculated; the CVSS vector string is (AV:L/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:N/SC:N/SI:N/SA:N).

3.3 BACKGROUND

• CRITICAL INFRASTRUCTURE SECTORS: Energy
• COUNTRIES/AREAS DEPLOYED: Worldwide
• COMPANY HEADQUARTERS LOCATION: Switzerland

3.4 RESEARCHER

Jiho Shin from Sungkyunkwan University reported these vulnerabilities to CISA.

4. MITIGATIONS

ABB recommends users apply the following workarounds:

For CVE-2025-3394:

• In the project settings, set "Security" to "Integrity" check.

For CVE-2025-3395:

• In the project settings, set "Security" to "Encryption."

CISA recommends users take defensive measures to minimize the risk of exploitation of these vulnerabilities, such as:

• Minimize network exposure for all control system devices and/or systems, ensuring they are not accessible from the Internet.
• Locate control system networks and remote devices behind firewalls and isolating them from business networks.
• When remote access is required, use more secure methods, such as Virtual Private Networks (VPNs), recognizing VPNs may have vulnerabilities and should be updated to the most current version available. Also recognize VPN is only as secure as the connected devices.

CISA reminds organizations to perform proper impact analysis and risk assessment prior to deploying defensive measures.

CISA also provides a section for control systems security recommended practices on the ICS webpage on cisa.gov/ics. Several CISA products detailing cyber defense best practices are available for reading and download, including Improving Industrial Control Systems Cybersecurity with Defense-in-Depth Strategies.

CISA encourages organizations to implement recommended cybersecurity strategies for proactive defense of ICS assets.

Additional mitigation guidance and recommended practices are publicly available on the ICS webpage at cisa.gov/ics in the technical information paper, ICS-TIP-12-146-01B--Targeted Cyber Intrusion Detection and Mitigation Strategies.

Organizations observing suspected malicious activity should follow established internal procedures and report findings to CISA for tracking and correlation against other incidents.

No known public exploitation specifically targeting these vulnerabilities has been reported to CISA at this time. These vulnerabilities are not exploitable remotely.

5. UPDATE HISTORY

• May 13, 2025: Initial Publication

View CSAF

1. EXECUTIVE SUMMARY

• CVSS v4 8.4
• ATTENTION: Low attack complexity
• Vendor: Horner Automation
• Equipment: Cscape
• Vulnerability: Out-of-bounds Read

2. RISK EVALUATION

Successful exploitation of this vulnerability could allow an attacker to disclose information and execute arbitrary code.

3. TECHNICAL DETAILS 3.1 AFFECTED PRODUCTS

The following versions of Horner Automation Cscape, a control system application programming software, are affected:

• Cscape: Version 10.0 (10.0.415.2) SP1

3.2 VULNERABILITY OVERVIEW 3.2.1 OUT-OF-BOUNDS READ CWE-125

Horner Automation Cscape version 10.0 (10.0.415.2) SP1 is vulnerable to an out-of-bounds read vulnerability that could allow an attacker to disclose information and execute arbitrary code on affected installations of Cscape.

CVE-2025-4098 has been assigned to this vulnerability. A CVSS v3.1 base score of 7.8 has been calculated; the CVSS vector string is (AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H).

A CVSS v4 score has also been calculated for CVE-2025-4098. A base score of 8.4 has been calculated; the CVSS vector string is (AV:L/AC:L/AT:N/PR:N/UI:A/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N).

3.3 BACKGROUND

• CRITICAL INFRASTRUCTURE SECTORS: Critical Manufacturing
• COUNTRIES/AREAS DEPLOYED: Worldwide
• COMPANY HEADQUARTERS LOCATION: United States

3.4 RESEARCHER

Michael Heinzl reported this vulnerability to CISA.

4. MITIGATIONS

Horner Automation has released Cscape version 10.1 SP1 for download.

For more information, see Horner Automation's release notes.

CISA recommends users take defensive measures to minimize the risk of exploitation of this vulnerability, such as:

• Minimize network exposure for all control system devices and/or systems, ensuring they are not accessible from the internet.
• Locate control system networks and remote devices behind firewalls and isolating them from business networks.
• When remote access is required, use more secure methods, such as Virtual Private Networks (VPNs), recognizing VPNs may have vulnerabilities and should be updated to the most current version available. Also recognize VPN is only as secure as the connected devices.

CISA reminds organizations to perform proper impact analysis and risk assessment prior to deploying defensive measures.

CISA also provides a section for control systems security recommended practices on the ICS webpage on cisa.gov/ics. Several CISA products detailing cyber defense best practices are available for reading and download, including Improving Industrial Control Systems Cybersecurity with Defense-in-Depth Strategies.

CISA encourages organizations to implement recommended cybersecurity strategies for proactive defense of ICS assets.

Additional mitigation guidance and recommended practices are publicly available on the ICS webpage at cisa.gov/ics in the technical information paper, ICS-TIP-12-146-01B--Targeted Cyber Intrusion Detection and Mitigation Strategies.

Organizations observing suspected malicious activity should follow established internal procedures and report findings to CISA for tracking and correlation against other incidents.

CISA also recommends users take the following measures to protect themselves from social engineering attacks:

• Do not click web links or open attachments in unsolicited email messages.
• Refer to Recognizing and Avoiding Email Scams for more information on avoiding email scams.
• Refer to Avoiding Social Engineering and Phishing Attacks for more information on social engineering attacks.

No known public exploitation specifically targeting this vulnerability has been reported to CISA at this time. This vulnerability is not exploitable remotely.

5. UPDATE HISTORY

• May 8, 2025: Initial Publication