Author: itwadmin-security

​In what experts are calling a novel legal outcome, the 22-year-old former administrator of the cybercrime community Breachforums will forfeit nearly $700,000 to settle a civil lawsuit from a health insurance company whose customer data was posted for sale on the forum in 2023. Conor Brian Fitzpatrick, a.k.a. “Pompompurin,” is slated for resentencing next month after pleading guilty to access device fraud and possession of child sexual abuse material (CSAM). 

In what experts are calling a novel legal outcome, the 22-year-old former administrator of the cybercrime community Breachforums will forfeit nearly $700,000 to settle a civil lawsuit from a health insurance company whose customer data was posted for sale on the forum in 2023. Conor Brian Fitzpatrick, a.k.a. “Pompompurin,” is slated for resentencing next month after pleading guilty to access device fraud and possession of child sexual abuse material (CSAM).

On January 18, 2023, denizens of Breachforums posted for sale tens of thousands of records — including Social Security numbers, dates of birth, addresses, and phone numbers  — stolen from Nonstop Health, an insurance provider based in Concord, Calif.

Class-action attorneys sued Nonstop Health, which added Fitzpatrick as a third-party defendant to the civil litigation in November 2023, several months after he was arrested by the FBI and criminally charged with access device fraud and CSAM possession. In January 2025, Nonstop agreed to pay $1.5 million to settle the class action.

Jill Fertel is a former federal prosecutor who runs the cyber litigation practice at Cipriani & Warner, the law firm that represented Nonstop Health. Fertel told KrebsOnSecurity this is the first and only case where a cybercriminal or anyone related to the security incident was actually named in civil litigation.

“Civil plaintiffs are not at all likely to see money seized from threat actors involved in the incident to be made available to people impacted by the breach,” Fertel said. “The best we could do was make this money available to the class, but it’s still incumbent on the members of the class who are impacted to make that claim.”

Mark Rasch is a former federal prosecutor who now represents Unit 221B, a cybersecurity firm based in New York City. Rasch said he doesn’t doubt that the civil settlement involving Fitzpatrick’s criminal activity is a novel legal development.

“It is rare in these civil cases that you know the threat actor involved in the breach, and it’s also rare that you catch them with sufficient resources to be able to pay a claim,” Rasch said.

Despite admitting to possessing more than 600 CSAM images and personally operating Breachforums, Fitzpatrick was sentenced in January 2024 to time served and 20 years of supervised release. Federal prosecutors objected, arguing that his punishment failed to adequately reflect the seriousness of his crimes or serve as a deterrent.

Indeed, the same month he was sentenced Fitzpatrick was rearrested (PDF) for violating the terms of his release, which forbade him from using a computer that didn’t have court-required monitoring software installed.

Federal prosecutors said Fitzpatrick went on Discord following his guilty plea and professed innocence to the very crimes to which he’d pleaded guilty, stating that his plea deal was “so BS” and that he had “wanted to fight it.” The feds said Fitzpatrick also joked with his friends about selling data to foreign governments, exhorting one user to “become a foreign asset to china or russia,” and to “sell government secrets.”

In January 2025, a federal appeals court agreed with the government’s assessment, vacating Fitzpatrick’s sentence and ordering him to be resentenced on June 3, 2025.

Fitzpatrick launched BreachForums in March 2022 to replace RaidForums, a similarly popular crime forum that was infiltrated and shut down by the FBI the previous month. As administrator, his alter ego Pompompurin served as the middleman, personally reviewing all databases for sale on the forum and offering an escrow service to those interested in buying stolen data.

The new site quickly attracted more than 300,000 users, and facilitated the sale of databases stolen from hundreds of hacking victims, including some of the largest consumer data breaches in recent history. In May 2024, a reincarnation of Breachforums was seized by the FBI and international partners. Still more relaunches of the forum occurred after that, with the most recent disruption last month.

As KrebsOnSecurity reported last year in The Dark Nexus Between Harm Groups and The Com, it is increasingly common for federal investigators to find CSAM material when searching devices seized from cybercriminal suspects. While the mere possession of CSAM is a serious federal crime, not all of those caught with CSAM are necessarily creators or distributors of it. Fertel said some cybercriminal communities have been known to require new entrants to share CSAM material as a way of proving that they are not a federal investigator.

“If you’re going to the darkest corners of Internet, that’s how you prove you’re not law enforcement,” Fertel said. “Law enforcement would never share that material. It would be criminal for me as a prosecutor, if I obtained and possessed those types of images.”

Further reading: The settlement between Fitzpatrick and Nonstop (PDF).

 

​Read More

 ​As of January 10, 2023, CISA will no longer be updating ICS security advisories for Siemens product vulnerabilities beyond the initial advisory. For the most up-to-date information on vulnerabilities in this advisory, please see Siemens’ ProductCERT Security Advisories (CERT Services | Services | Siemens Global).
View CSAF
1. EXECUTIVE SUMMARY

CVSS v4 8.7
ATTENTION: Exploitable remotely/low attack complexity
Vendor: Siemens
Equipment: SIRIUS 3RK3 Modular Safety System (MSS), SIRIUS Safety Relays 3SK2
Vulnerabilities: Use of a Broken or Risky Cryptographic Algorithm, Missing Encryption of Sensitive Data, Incorrect Permission Assignment for Critical Resource

2. RISK EVALUATION
Successful exploitation of these vulnerabilities could allow an attacker to retrieve and de-obfuscate safety password, eavesdrop connections, or retrieve sensitive information from certain data records.
3. TECHNICAL DETAILS
3.1 AFFECTED PRODUCTS
Siemens reports that the following products are affected:

SIRIUS 3RK3 Modular Safety System (MSS): All versions
SIRIUS Safety Relays 3SK2: All versions

3.2 VULNERABILITY OVERVIEW
3.2.1 USE OF A BROKEN OR RISKY CRYPTOGRAPHIC ALGORITHM CWE-327
Affected devices only provide weak password obfuscation. An attacker with network access could retrieve and de-obfuscate the safety password used for protection against inadvertent operating errors.
CVE-2025-24007 has been assigned to this vulnerability. A CVSS v3.1 base score of 7.5 has been calculated; the CVSS vector string is (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N).
A CVSS v4 score has also been calculated for CVE-2025-24007. A base score of 8.7 has been calculated; the CVSS vector string is (CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N).
3.2.2 MISSING ENCRYPTION OF SENSITIVE DATA CWE-311
The affected devices do not encrypt data in transit. An attacker with network access could eavesdrop the connection and retrieve sensitive information, including obfuscated safety passwords.
CVE-2025-24008 has been assigned to this vulnerability. A CVSS v3.1 base score of 6.5 has been calculated; the CVSS vector string is (CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:N/A:N).
A CVSS v4 score has also been calculated for CVE-2025-24008. A base score of 8.7 has been calculated; the CVSS vector string is (CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N).
3.2.3 INCORRECT PERMISSION ASSIGNMENT FOR CRITICAL RESOURCE CWE-732
The affected devices do not require authentication to access critical resources. An attacker with network access could retrieve sensitive information from certain data records, including obfuscated safety passwords.
CVE-2025-24009 has been assigned to this vulnerability. A CVSS v3.1 base score of 5.9 has been calculated; the CVSS vector string is (CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:N/A:N).
A CVSS v4 score has also been calculated for CVE-2025-24009. A base score of 8.2 has been calculated; the CVSS vector string is (CVSS:4.0/AV:N/AC:H/AT:N/PR:N/UI:N/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N).
3.3 BACKGROUND

CRITICAL INFRASTRUCTURE SECTORS: Critical Manufacturing
COUNTRIES/AREAS DEPLOYED: Worldwide
COMPANY HEADQUARTERS LOCATION: Germany

3.4 RESEARCHER
Nikolai Puch, Johanna Latzel, and Ferdinand Jarisch from Fraunhofer AISEC reported these vulnerabilities to Siemens.
4. MITIGATIONS
Siemens is preparing fixed versions and recommends countermeasures for products where fixes are not, or not yet available:

SIRIUS 3RK3 Modular Safety System (MSS): Currently no fix is planned.
SIRIUS Safety Relays 3SK2: Currently no fix is available.

Siemens has identified the following specific workarounds and mitigations users can apply to reduce risk:

Limit physical access to affected devices to trusted personnel.
Ensure network isolation of the PROFINET interface to prevent access from unauthorized systems.

As a general security measure, Siemens recommends protecting network access to devices with appropriate mechanisms. To operate the devices in a protected IT environment, Siemens recommends configuring the environment according to Siemens’ operational guidelines for industrial security and following recommendations in the product manuals.
Additional information on industrial security by Siemens can be found on the Siemens industrial security webpage
For more information see the associated Siemens security advisory SSA-222768 in HTML and CSAF.
CISA recommends users take defensive measures to minimize the risk of exploitation of these vulnerabilities. CISA reminds organizations to perform proper impact analysis and risk assessment prior to deploying defensive measures.
CISA also provides a section for control systems security recommended practices on the ICS webpage on cisa.gov. Several CISA products detailing cyber defense best practices are available for reading and download, including Improving Industrial Control Systems Cybersecurity with Defense-in-Depth Strategies.
CISA encourages organizations to implement recommended cybersecurity strategies for proactive defense of ICS assets.
Additional mitigation guidance and recommended practices are publicly available on the ICS webpage at cisa.gov in the technical information paper, ICS-TIP-12-146-01B–Targeted Cyber Intrusion Detection and Mitigation Strategies.
Organizations observing suspected malicious activity should follow established internal procedures and report findings to CISA for tracking and correlation against other incidents.
No known public exploitation specifically targeting these vulnerabilities has been reported to CISA at this time.
5. UPDATE HISTORY

May 15, 2025: Initial Republication of Siemens ProductCERT SSA-222768 

As of January 10, 2023, CISA will no longer be updating ICS security advisories for Siemens product vulnerabilities beyond the initial advisory. For the most up-to-date information on vulnerabilities in this advisory, please see Siemens’ ProductCERT Security Advisories (CERT Services | Services | Siemens Global).

View CSAF

1. EXECUTIVE SUMMARY

• CVSS v4 8.7
• ATTENTION: Exploitable remotely/low attack complexity
• Vendor: Siemens
• Equipment: SIRIUS 3RK3 Modular Safety System (MSS), SIRIUS Safety Relays 3SK2
• Vulnerabilities: Use of a Broken or Risky Cryptographic Algorithm, Missing Encryption of Sensitive Data, Incorrect Permission Assignment for Critical Resource

2. RISK EVALUATION

Successful exploitation of these vulnerabilities could allow an attacker to retrieve and de-obfuscate safety password, eavesdrop connections, or retrieve sensitive information from certain data records.

3. TECHNICAL DETAILS

3.1 AFFECTED PRODUCTS

Siemens reports that the following products are affected:

• SIRIUS 3RK3 Modular Safety System (MSS): All versions
• SIRIUS Safety Relays 3SK2: All versions

3.2 VULNERABILITY OVERVIEW

3.2.1 USE OF A BROKEN OR RISKY CRYPTOGRAPHIC ALGORITHM CWE-327

Affected devices only provide weak password obfuscation. An attacker with network access could retrieve and de-obfuscate the safety password used for protection against inadvertent operating errors.

CVE-2025-24007 has been assigned to this vulnerability. A CVSS v3.1 base score of 7.5 has been calculated; the CVSS vector string is (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N).

A CVSS v4 score has also been calculated for CVE-2025-24007. A base score of 8.7 has been calculated; the CVSS vector string is (CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N).

3.2.2 MISSING ENCRYPTION OF SENSITIVE DATA CWE-311

The affected devices do not encrypt data in transit. An attacker with network access could eavesdrop the connection and retrieve sensitive information, including obfuscated safety passwords.

CVE-2025-24008 has been assigned to this vulnerability. A CVSS v3.1 base score of 6.5 has been calculated; the CVSS vector string is (CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:N/A:N).

A CVSS v4 score has also been calculated for CVE-2025-24008. A base score of 8.7 has been calculated; the CVSS vector string is (CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N).

3.2.3 INCORRECT PERMISSION ASSIGNMENT FOR CRITICAL RESOURCE CWE-732

The affected devices do not require authentication to access critical resources. An attacker with network access could retrieve sensitive information from certain data records, including obfuscated safety passwords.

CVE-2025-24009 has been assigned to this vulnerability. A CVSS v3.1 base score of 5.9 has been calculated; the CVSS vector string is (CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:N/A:N).

A CVSS v4 score has also been calculated for CVE-2025-24009. A base score of 8.2 has been calculated; the CVSS vector string is (CVSS:4.0/AV:N/AC:H/AT:N/PR:N/UI:N/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N).

3.3 BACKGROUND

• CRITICAL INFRASTRUCTURE SECTORS: Critical Manufacturing
• COUNTRIES/AREAS DEPLOYED: Worldwide
• COMPANY HEADQUARTERS LOCATION: Germany

3.4 RESEARCHER

Nikolai Puch, Johanna Latzel, and Ferdinand Jarisch from Fraunhofer AISEC reported these vulnerabilities to Siemens.

4. MITIGATIONS

Siemens is preparing fixed versions and recommends countermeasures for products where fixes are not, or not yet available:

• SIRIUS 3RK3 Modular Safety System (MSS): Currently no fix is planned.
• SIRIUS Safety Relays 3SK2: Currently no fix is available.

Siemens has identified the following specific workarounds and mitigations users can apply to reduce risk:

• Limit physical access to affected devices to trusted personnel.
• Ensure network isolation of the PROFINET interface to prevent access from unauthorized systems.

As a general security measure, Siemens recommends protecting network access to devices with appropriate mechanisms. To operate the devices in a protected IT environment, Siemens recommends configuring the environment according to Siemens’ operational guidelines for industrial security and following recommendations in the product manuals.

Additional information on industrial security by Siemens can be found on the Siemens industrial security webpage

For more information see the associated Siemens security advisory SSA-222768 in HTML and CSAF.

CISA recommends users take defensive measures to minimize the risk of exploitation of these vulnerabilities. CISA reminds organizations to perform proper impact analysis and risk assessment prior to deploying defensive measures.

CISA also provides a section for control systems security recommended practices on the ICS webpage on cisa.gov. Several CISA products detailing cyber defense best practices are available for reading and download, including Improving Industrial Control Systems Cybersecurity with Defense-in-Depth Strategies.

CISA encourages organizations to implement recommended cybersecurity strategies for proactive defense of ICS assets.

Additional mitigation guidance and recommended practices are publicly available on the ICS webpage at cisa.gov in the technical information paper, ICS-TIP-12-146-01B–Targeted Cyber Intrusion Detection and Mitigation Strategies.

Organizations observing suspected malicious activity should follow established internal procedures and report findings to CISA for tracking and correlation against other incidents.

No known public exploitation specifically targeting these vulnerabilities has been reported to CISA at this time.

5. UPDATE HISTORY

• May 15, 2025: Initial Republication of Siemens ProductCERT SSA-222768

 Read More

 ​As of January 10, 2023, CISA will no longer be updating ICS security advisories for Siemens product vulnerabilities beyond the initial advisory. For the most up-to-date information on vulnerabilities in this advisory, please see Siemens’ ProductCERT Security Advisories (CERT Services | Services | Siemens Global).
View CSAF
1. EXECUTIVE SUMMARY

CVSS v4 2.1
ATTENTION: Exploitable remotely
Vendor: Siemens
Equipment: Mendix OIDC SSO
Vulnerability: Incorrect Privilege Assignment

2. RISK EVALUATION
Successful exploitation of this vulnerability could allow an attacker to modify the system and gain administrator read/write privileges.
3. TECHNICAL DETAILS
3.1 AFFECTED PRODUCTS
Siemens reports the following products are affected:

Siemens Mendix OIDC SSO (Mendix 9 compatible): All versions
Siemens Mendix OIDC SSO (Mendix 10 compatible): All versions before V4.0.0

3.2 VULNERABILITY OVERVIEW
3.2.1 INCORRECT PRIVILEGE ASSIGNMENT CWE-266
The Mendix OIDC SSO module grants read and write access to all tokens exclusively to the Administrator role, which could result in privilege misuse by an adversary modifying the module during Mendix development.
CVE-2025-40571 has been assigned to this vulnerability. A CVSS v3.1 base score of 2.2 has been calculated; the CVSS vector string is (CVSS:3.1/AV:N/AC:H/PR:H/UI:N/S:U/C:L/I:N/A:N).
A CVSS v4 score has also been calculated for CVE-2025-40571. A base score of 2.1 has been calculated; the CVSS vector string is (CVSS:4.0/AV:N/AC:H/AT:N/PR:H/UI:N/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N).
3.3 BACKGROUND

CRITICAL INFRASTRUCTURE SECTORS: Critical Manufacturing, Energy, Financial Services, Healthcare and Public Health, Transportation Systems
COUNTRIES/AREAS DEPLOYED: Worldwide
COMPANY HEADQUARTERS LOCATION: Germany

3.4 RESEARCHER
Siemens ProductCERT reported this vulnerability to CISA.
4. MITIGATIONS
Siemens has identified the following specific workarounds and mitigations users can apply to reduce risk:

All affected products: The default configuration of the OIDC.Token entity is set to restrict read/write access only to the administrator role. If this setting is not restrictive enough, the option arises to change the access rule of the specific entity, or to create a different user role to handle different administrative tasks.
Mendix OIDC SSO (Mendix 9 compatible): Currently no fix is available.
Mendix OIDC SSO (Mendix 10 compatible): Update to V4.0.0 or a later version.

As a general security measure, Siemens recommends protecting network access to devices with appropriate mechanisms. To operate the devices in a protected IT environment, Siemens recommends configuring the environment according to Siemens’ operational guidelines for industrial security and following recommendations in the product manuals.
Additional information on industrial security by Siemens can be found on the Siemens industrial security webpage
For more information see the associated Siemens security advisory SSA-726617 in HTML and CSAF.
CISA recommends users take defensive measures to minimize the risk of exploitation of this vulnerability, such as:

Minimize network exposure for all control system devices and/or systems, ensuring they are not accessible from the Internet.
Locate control system networks and remote devices behind firewalls and isolating them from business networks.
When remote access is required, use more secure methods, such as Virtual Private Networks (VPNs). Recognize VPNs may have vulnerabilities, should be updated to the most recent version available, and are only as secure as the connected devices.

CISA reminds organizations to perform proper impact analysis and risk assessment prior to deploying defensive measures.
CISA also provides a section for control systems security recommended practices on the ICS webpage on cisa.gov. Several CISA products detailing cyber defense best practices are available for reading and download, including Improving Industrial Control Systems Cybersecurity with Defense-in-Depth Strategies.
CISA encourages organizations to implement recommended cybersecurity strategies for proactive defense of ICS assets.
Additional mitigation guidance and recommended practices are publicly available on the ICS webpage at cisa.gov in the technical information paper, ICS-TIP-12-146-01B–Targeted Cyber Intrusion Detection and Mitigation Strategies.
Organizations observing suspected malicious activity should follow established internal procedures and report findings to CISA for tracking and correlation against other incidents.
No known public exploitation specifically targeting this vulnerability has been reported to CISA at this time. This vulnerability has a high attack complexity.
5. UPDATE HISTORY
May 15, 2025: Initial Republication of Siemens ProductCERT SSA-726617 

As of January 10, 2023, CISA will no longer be updating ICS security advisories for Siemens product vulnerabilities beyond the initial advisory. For the most up-to-date information on vulnerabilities in this advisory, please see Siemens’ ProductCERT Security Advisories (CERT Services | Services | Siemens Global).

View CSAF

1. EXECUTIVE SUMMARY

• CVSS v4 2.1
• ATTENTION: Exploitable remotely
• Vendor: Siemens
• Equipment: Mendix OIDC SSO
• Vulnerability: Incorrect Privilege Assignment

2. RISK EVALUATION

Successful exploitation of this vulnerability could allow an attacker to modify the system and gain administrator read/write privileges.

3. TECHNICAL DETAILS

3.1 AFFECTED PRODUCTS

Siemens reports the following products are affected:

• Siemens Mendix OIDC SSO (Mendix 9 compatible): All versions
• Siemens Mendix OIDC SSO (Mendix 10 compatible): All versions before V4.0.0

3.2 VULNERABILITY OVERVIEW

3.2.1 INCORRECT PRIVILEGE ASSIGNMENT CWE-266

The Mendix OIDC SSO module grants read and write access to all tokens exclusively to the Administrator role, which could result in privilege misuse by an adversary modifying the module during Mendix development.

CVE-2025-40571 has been assigned to this vulnerability. A CVSS v3.1 base score of 2.2 has been calculated; the CVSS vector string is (CVSS:3.1/AV:N/AC:H/PR:H/UI:N/S:U/C:L/I:N/A:N).

A CVSS v4 score has also been calculated for CVE-2025-40571. A base score of 2.1 has been calculated; the CVSS vector string is (CVSS:4.0/AV:N/AC:H/AT:N/PR:H/UI:N/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N).

3.3 BACKGROUND

• CRITICAL INFRASTRUCTURE SECTORS: Critical Manufacturing, Energy, Financial Services, Healthcare and Public Health, Transportation Systems
• COUNTRIES/AREAS DEPLOYED: Worldwide
• COMPANY HEADQUARTERS LOCATION: Germany

3.4 RESEARCHER

Siemens ProductCERT reported this vulnerability to CISA.

4. MITIGATIONS

Siemens has identified the following specific workarounds and mitigations users can apply to reduce risk:

• All affected products: The default configuration of the OIDC.Token entity is set to restrict read/write access only to the administrator role. If this setting is not restrictive enough, the option arises to change the access rule of the specific entity, or to create a different user role to handle different administrative tasks.
• Mendix OIDC SSO (Mendix 9 compatible): Currently no fix is available.
• Mendix OIDC SSO (Mendix 10 compatible): Update to V4.0.0 or a later version.

As a general security measure, Siemens recommends protecting network access to devices with appropriate mechanisms. To operate the devices in a protected IT environment, Siemens recommends configuring the environment according to Siemens’ operational guidelines for industrial security and following recommendations in the product manuals.

Additional information on industrial security by Siemens can be found on the Siemens industrial security webpage

For more information see the associated Siemens security advisory SSA-726617 in HTML and CSAF.

CISA recommends users take defensive measures to minimize the risk of exploitation of this vulnerability, such as:

• Minimize network exposure for all control system devices and/or systems, ensuring they are not accessible from the Internet.
• Locate control system networks and remote devices behind firewalls and isolating them from business networks.
• When remote access is required, use more secure methods, such as Virtual Private Networks (VPNs). Recognize VPNs may have vulnerabilities, should be updated to the most recent version available, and are only as secure as the connected devices.

CISA reminds organizations to perform proper impact analysis and risk assessment prior to deploying defensive measures.

CISA also provides a section for control systems security recommended practices on the ICS webpage on cisa.gov. Several CISA products detailing cyber defense best practices are available for reading and download, including Improving Industrial Control Systems Cybersecurity with Defense-in-Depth Strategies.

CISA encourages organizations to implement recommended cybersecurity strategies for proactive defense of ICS assets.

Additional mitigation guidance and recommended practices are publicly available on the ICS webpage at cisa.gov in the technical information paper, ICS-TIP-12-146-01B–Targeted Cyber Intrusion Detection and Mitigation Strategies.

Organizations observing suspected malicious activity should follow established internal procedures and report findings to CISA for tracking and correlation against other incidents.

No known public exploitation specifically targeting this vulnerability has been reported to CISA at this time. This vulnerability has a high attack complexity.

5. UPDATE HISTORY

May 15, 2025: Initial Republication of Siemens ProductCERT SSA-726617

 Read More

 ​As of January 10, 2023, CISA will no longer be updating ICS security advisories for Siemens product vulnerabilities beyond the initial advisory. For the most up-to-date information on vulnerabilities in this advisory, please see Siemens’ ProductCERT Security Advisories (CERT Services | Services | Siemens Global).
View CSAF
1. EXECUTIVE SUMMARY

CVSS v4 8.7
ATTENTION: Exploitable from adjacent network/low attack complexity
Vendor: Siemens
Equipment: VersiCharge AC Series EV Chargers
Vulnerabilities: Missing Immutable Root of Trust in Hardware, Initialization of a Resource with an Insecure Default

2. RISK EVALUATION
Successful exploitation of these vulnerabilities could allow an attacker to gain control of the chargers through default Modbus port or execute arbitrary code by manipulating the M0 firmware.
3. TECHNICAL DETAILS
3.1 AFFECTED PRODUCTS
Siemens reports that the following products are affected:

Siemens IEC 1Ph 7.4kW Child socket (8EM1310-2EH04-0GA0): All versions (CVE-2025-31929)
Siemens IEC 1Ph 7.4kW Parent socket (8EM1310-2EH04-3GA1): All versions prior to V2.135 (CVE-2025-31930)
Siemens IEC 1Ph 7.4kW Parent socket incl. SIM (8EM1310-2EH04-3GA2): All versions (CVE-2025-31929)
Siemens IEC 1Ph 7.4kW Parent socket incl. SIM (8EM1310-2EH04-3GA2): All versions prior to V2.135 (CVE-2025-31930)
Siemens IEC 1Ph 7.4kW Parent socket/ shutter (8EM1310-2EN04-3GA1): All versions (CVE-2025-31929)
Siemens IEC 1Ph 7.4kW Parent socket/ shutter (8EM1310-2EN04-3GA1): All versions prior to V2.135 (CVE-2025-31930)
Siemens IEC 1Ph 7.4kW Parent socket/ shutter SIM (8EM1310-2EN04-3GA2): All versions (CVE-2025-31929)
Siemens IEC 1Ph 7.4kW Parent socket/ shutter SIM (8EM1310-2EN04-3GA2): All versions prior to V2.135 (CVE-2025-31930)
Siemens IEC 3Ph 22kW Child cable 7m (8EM1310-3EJ04-0GA0): All versions (CVE-2025-31929)
Siemens IEC 3Ph 22kW Child cable 7m (8EM1310-3EJ04-0GA0): All versions prior to V2.135 (CVE-2025-31930)
Siemens IEC 3Ph 22kW Child socket (8EM1310-3EH04-0GA0): All versions (CVE-2025-31929)
Siemens IEC 1Ph 7.4kW Child socket (8EM1310-2EH04-0GA0): All versions prior to V2.135 (CVE-2025-31930)
Siemens IEC 3Ph 22kW Child socket (8EM1310-3EH04-0GA0): All versions prior to V2.135 (CVE-2025-31930)
Siemens IEC 3Ph 22kW Child socket/ shutter (8EM1310-3EN04-0GA0): All versions (CVE-2025-31929)
Siemens IEC 3Ph 22kW Child socket/ shutter (8EM1310-3EN04-0GA0): All versions prior to V2.135 (CVE-2025-31930)
Siemens IEC 3Ph 22kW Parent cable 7m (8EM1310-3EJ04-3GA1): All versions (CVE-2025-31929)
Siemens IEC 3Ph 22kW Parent cable 7m (8EM1310-3EJ04-3GA1): All versions prior to V2.135 (CVE-2025-31930)
Siemens IEC 3Ph 22kW Parent cable 7m incl. SIM (8EM1310-3EJ04-3GA2): All versions (CVE-2025-31929)
Siemens IEC 3Ph 22kW Parent cable 7m incl. SIM (8EM1310-3EJ04-3GA2): All versions prior to V2.135 (CVE-2025-31930)
Siemens IEC 3Ph 22kW Parent socket (8EM1310-3EH04-3GA1): All versions (CVE-2025-31929)
Siemens IEC 3Ph 22kW Parent socket (8EM1310-3EH04-3GA1): All versions prior to V2.135 (CVE-2025-31930)
Siemens IEC 3Ph 22kW Parent socket incl. SIM (8EM1310-3EH04-3GA2): All versions (CVE-2025-31929)
Siemens IEC 1Ph 7.4kW Child socket/ shutter (8EM1310-2EN04-0GA0): All versions (CVE-2025-31929)
Siemens IEC 3Ph 22kW Parent socket incl. SIM (8EM1310-3EH04-3GA2): All versions prior to V2.135 (CVE-2025-31930)
Siemens IEC 3Ph 22kW Parent socket/ shutter (8EM1310-3EN04-3GA1): All versions (CVE-2025-31929)
Siemens IEC 3Ph 22kW Parent socket/ shutter (8EM1310-3EN04-3GA1): All versions prior to V2.135 (CVE-2025-31930)
Siemens IEC 3Ph 22kW Parent socket/ shutter SIM (8EM1310-3EN04-3GA2): All versions (CVE-2025-31929)
Siemens IEC 3Ph 22kW Parent socket/ shutter SIM (8EM1310-3EN04-3GA2): All versions prior to V2.135 (CVE-2025-31930)
Siemens IEC ERK 3Ph 22 kW Child cable 7m (8EM1310-3FJ04-0GA0): All versions (CVE-2025-31929)
Siemens IEC ERK 3Ph 22 kW Child cable 7m (8EM1310-3FJ04-0GA0): All versions prior to V2.135 (CVE-2025-31930)
Siemens IEC ERK 3Ph 22 kW Child cable 7m (8EM1310-3FJ04-0GA1): All versions (CVE-2025-31929)
Siemens IEC ERK 3Ph 22 kW Child cable 7m (8EM1310-3FJ04-0GA1): All versions prior to V2.135 (CVE-2025-31930)
Siemens IEC ERK 3Ph 22 kW Child cable 7m (8EM1310-3FJ04-0GA2): All versions (CVE-2025-31929)
Siemens IEC 1Ph 7.4kW Child socket/ shutter (8EM1310-2EN04-0GA0): All versions prior to V2.135 (CVE-2025-31930)
Siemens IEC ERK 3Ph 22 kW Child cable 7m (8EM1310-3FJ04-0GA2): All versions prior to V2.135 (CVE-2025-31930)
Siemens IEC ERK 3Ph 22 kW Child socket (8EM1310-3FH04-0GA0): All versions (CVE-2025-31929)
Siemens IEC ERK 3Ph 22 kW Child socket (8EM1310-3FH04-0GA0): All versions prior to V2.135 (CVE-2025-31930)
Siemens IEC ERK 3Ph 22 kW Parent socket (8EM1310-3FH04-3GA1): All versions (CVE-2025-31929)
Siemens IEC ERK 3Ph 22 kW Parent socket (8EM1310-3FH04-3GA1): All versions prior to V2.135 (CVE-2025-31930)
Siemens IEC ERK 3Ph 22 kW Parent socket incl. SI (8EM1310-3FH04-3GA2): All versions (CVE-2025-31929)
Siemens IEC ERK 3Ph 22 kW Parent socket incl. SI (8EM1310-3FH04-3GA2): All versions prior to V2.135 (CVE-2025-31930)
Siemens UL Commercial Cellular 48A NTEP (8EM1310-5HF14-1GA2): All versions (CVE-2025-31929)
Siemens UL Commercial Cellular 48A NTEP (8EM1310-5HF14-1GA2): All versions prior to V2.135 (CVE-2025-31930)
Siemens UL Commercial Child 40A w/ 15118 HW (8EM1310-4CF14-0GA0): All versions (CVE-2025-31929)
Siemens IEC 1Ph 7.4kW Parent cable 7m (8EM1310-2EJ04-3GA1): All versions (CVE-2025-31929)
Siemens UL Commercial Child 40A w/ 15118 HW (8EM1310-4CF14-0GA0): All versions prior to V2.135 (CVE-2025-31930)
Siemens UL Commercial Child 48A BA Compliant (8EM1315-5CG14-0GA0): All versions (CVE-2025-31929)
Siemens UL Commercial Child 48A BA Compliant (8EM1315-5CG14-0GA0): All versions prior to V2.135 (CVE-2025-31930)
Siemens UL Commercial Child 48A w/ 15118 HW (8EM1310-5CF14-0GA0): All versions (CVE-2025-31929)
Siemens UL Commercial Child 48A w/ 15118 HW (8EM1310-5CF14-0GA0): All versions prior to V2.135 (CVE-2025-31930)
Siemens UL Commercial Parent 40A with Simcard (8EM1310-4CF14-1GA2): All versions (CVE-2025-31929)
Siemens UL Commercial Parent 40A with Simcard (8EM1310-4CF14-1GA2): All versions prior to V2.135 (CVE-2025-31930)
Siemens UL Commercial Parent 48A (USPS) (8EM1317-5CG14-1GA2): All versions (CVE-2025-31929)
Siemens UL Commercial Parent 48A (USPS) (8EM1317-5CG14-1GA2): All versions prior to V2.135 (CVE-2025-31930)
Siemens UL Commercial Parent 48A BA Compliant (8EM1315-5CG14-1GA2): All versions (CVE-2025-31929)
Siemens IEC 1Ph 7.4kW Parent cable 7m (8EM1310-2EJ04-3GA1): All versions prior to V2.135 (CVE-2025-31930)
Siemens UL Commercial Parent 48A BA Compliant (8EM1315-5CG14-1GA2): All versions prior to V2.135 (CVE-2025-31930)
Siemens UL Commercial Parent 48A with Simcard BA (8EM1310-5CF14-1GA2): All versions (CVE-2025-31929)
Siemens UL Commercial Parent 48A with Simcard BA (8EM1310-5CF14-1GA2): All versions prior to V2.135 (CVE-2025-31930)
Siemens UL Commercial Parent 48A,15118 25ft Sim (8EM1310-5CG14-1GA2): All versions (CVE-2025-31929)
Siemens UL Commercial Parent 48A,15118 25ft Sim (8EM1310-5CG14-1GA2): All versions prior to V2.135 (CVE-2025-31930)
Siemens UL Commercial Parent 48A, 15118, 25ft (8EM1310-5CG14-1GA1): All versions (CVE-2025-31929)
Siemens UL Commercial Parent 48A, 15118, 25ft (8EM1310-5CG14-1GA1): All versions prior to V2.135 (CVE-2025-31930)
Siemens UL Commercial Parent 48A, 15118, 25ft (8EM1314-5CG14-2FA2): All versions (CVE-2025-31929)
Siemens UL Commercial Parent 48A, 15118, 25ft (8EM1314-5CG14-2FA2): All versions prior to V2.135 (CVE-2025-31930)
Siemens UL Commercial Parent 48A, 15118, 25ft (8EM1315-5HG14-1GA2): All versions (CVE-2025-31929)
Siemens IEC 1Ph 7.4kW Parent cable 7m incl. SIM (8EM1310-2EJ04-3GA2): All versions (CVE-2025-31929)
Siemens UL Commercial Parent 48A, 15118, 25ft (8EM1315-5HG14-1GA2): All versions prior to V2.135 (CVE-2025-31930)
Siemens UL Resi High End 40A w/15118 Hw (8EM1312-4CF18-0FA3): All versions (CVE-2025-31929)
Siemens UL Resi High End 48A w/15118 Hw (8EM1312-5CF18-0FA3): All versions (CVE-2025-31929)
Siemens VersiCharge Blue™ 80A AC Cellular (8EM1315-7BG16-1FH2): All versions (CVE-2025-31929)
Siemens VersiCharge Blue™ 80A AC Cellular (8EM1315-7BG16-1FH2): All versions prior to V2.135 (CVE-2025-31930)
Siemens IEC 1Ph 7.4kW Parent cable 7m incl. SIM (8EM1310-2EJ04-3GA2): All versions prior to V2.135 (CVE-2025-31930)
Siemens IEC 1Ph 7.4kW Parent socket (8EM1310-2EH04-3GA1): All versions (CVE-2025-31929)

3.2 VULNERABILITY OVERVIEW
3.2.1 MISSING IMMUTABLE ROOT OF TRUST IN HARDWARE CWE-1326
The affected devices do not contain an Immutable Root of Trust in the M0 Hardware. An attacker with physical access to the device could use this to execute arbitrary code.
CVE-2025-31929 has been assigned to this vulnerability. A CVSS v3.1 base score of 4.2 has been calculated; the CVSS vector string is (CVSS:3.1/AV:P/AC:H/PR:N/UI:N/S:U/C:N/I:H/A:N).
A CVSS v4 score has also been calculated for CVE-2025-31929. A base score of 4.1 has been calculated; the CVSS vector string is (CVSS:4.0/AV:P/AC:H/AT:N/PR:N/UI:N/VC:N/VI:H/VA:N/SC:N/SI:N/SA:N).
3.2.2 INITIALIZATION OF A RESOURCE WITH AN INSECURE DEFAULT CWE-1188
The affected devices contain the Modbus service enabled by default. This could allow an attacker connected to the same network to remotely control the EV charger.
CVE-2025-31930 has been assigned to this vulnerability. A CVSS v3.1 base score of 8.8 has been calculated; the CVSS vector string is (CVSS:3.1/AV:A/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H).
A CVSS v4 score has also been calculated for CVE-2025-31930. A base score of 8.7 has been calculated; the CVSS vector string is (CVSS:4.0/AV:A/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:L/SI:N/SA:N).
3.3 BACKGROUND

CRITICAL INFRASTRUCTURE SECTORS: Energy
COUNTRIES/AREAS DEPLOYED: Worldwide
COMPANY HEADQUARTERS LOCATION: Germany

3.4 RESEARCHER
Siemens reported these vulnerabilities to CISA.
4. MITIGATIONS
Siemens has identified the following specific workarounds and mitigations users can apply to reduce risk:

(CVE-2025-31929) IEC 1Ph 7.4kW Child socket (8EM1310-2EH04-0GA0), IEC 1Ph 7.4kW Child socket/ shutter (8EM1310-2EN04-0GA0), IEC 1Ph 7.4kW Parent cable 7m (8EM1310-2EJ04-3GA1), IEC 1Ph 7.4kW Parent cable 7m incl. SIM (8EM1310-2EJ04-3GA2), IEC 1Ph 7.4kW Parent socket (8EM1310-2EH04-3GA1), IEC 1Ph 7.4kW Parent socket incl. SIM (8EM1310-2EH04-3GA2), IEC 1Ph 7.4kW Parent socket/ shutter (8EM1310-2EN04-3GA1), IEC 1Ph 7.4kW Parent socket/ shutter SIM (8EM1310-2EN04-3GA2), IEC 3Ph 22kW Child cable 7m (8EM1310-3EJ04-0GA0), IEC 3Ph 22kW Child socket (8EM1310-3EH04-0GA0), IEC 3Ph 22kW Child socket/ shutter (8EM1310-3EN04-0GA0), IEC 3Ph 22kW Parent cable 7m (8EM1310-3EJ04-3GA1), IEC 3Ph 22kW Parent cable 7m incl. SIM (8EM1310-3EJ04-3GA2), IEC 3Ph 22kW Parent socket (8EM1310-3EH04-3GA1), IEC 3Ph 22kW Parent socket incl. SIM (8EM1310-3EH04-3GA2), IEC 3Ph 22kW Parent socket/ shutter (8EM1310-3EN04-3GA1), IEC 3Ph 22kW Parent socket/ shutter SIM (8EM1310-3EN04-3GA2), IEC ERK 3Ph 22 kW Child cable 7m (8EM1310-3FJ04-0GA0), IEC ERK 3Ph 22 kW Child cable 7m (8EM1310-3FJ04-0GA1), IEC ERK 3Ph 22 kW Child cable 7m (8EM1310-3FJ04-0GA2), IEC ERK 3Ph 22 kW Child socket (8EM1310-3FH04-0GA0), IEC ERK 3Ph 22 kW Parent socket (8EM1310-3FH04-3GA1), IEC ERK 3Ph 22 kW Parent socket incl. SI (8EM1310-3FH04-3GA2), UL Commercial Cellular 48A NTEP (8EM1310-5HF14-1GA2), UL Commercial Child 40A w/ 15118 HW (8EM1310-4CF14-0GA0), UL Commercial Child 48A BA Compliant (8EM1315-5CG14-0GA0), UL Commercial Child 48A w/ 15118 HW (8EM1310-5CF14-0GA0), UL Commercial Parent 40A with Simcard (8EM1310-4CF14-1GA2), UL Commercial Parent 48A (USPS) (8EM1317-5CG14-1GA2), UL Commercial Parent 48A BA Compliant (8EM1315-5CG14-1GA2), UL Commercial Parent 48A with Simcard BA (8EM1310-5CF14-1GA2), UL Commercial Parent 48A, 15118, 25ft (8EM1310-5CG14-1GA1), UL Commercial Parent 48A, 15118, 25ft (8EM1314-5CG14-2FA2), UL Commercial Parent 48A, 15118, 25ft (8EM1315-5HG14-1GA2), UL Commercial Parent 48A,15118 25ft Sim (8EM1310-5CG14-1GA2), UL Resi High End 40A w/15118 Hw (8EM1312-4CF18-0FA3), UL Resi High End 48A w/15118 Hw (8EM1312-5CF18-0FA3), VersiCharge Blue™ 80A AC Cellular (8EM1315-7BG16-1FH2): Currently no fix is planned
(CVE-2025-31930) IEC 1Ph 7.4kW Child socket (8EM1310-2EH04-0GA0), IEC 1Ph 7.4kW Child socket/ shutter (8EM1310-2EN04-0GA0), IEC 1Ph 7.4kW Parent cable 7m (8EM1310-2EJ04-3GA1), IEC 1Ph 7.4kW Parent cable 7m incl. SIM (8EM1310-2EJ04-3GA2), IEC 1Ph 7.4kW Parent socket (8EM1310-2EH04-3GA1), IEC 1Ph 7.4kW Parent socket incl. SIM (8EM1310-2EH04-3GA2), IEC 1Ph 7.4kW Parent socket/ shutter (8EM1310-2EN04-3GA1), IEC 1Ph 7.4kW Parent socket/ shutter SIM (8EM1310-2EN04-3GA2), IEC 3Ph 22kW Child cable 7m (8EM1310-3EJ04-0GA0), IEC 3Ph 22kW Child socket (8EM1310-3EH04-0GA0), IEC 3Ph 22kW Child socket/ shutter (8EM1310-3EN04-0GA0), IEC 3Ph 22kW Parent cable 7m (8EM1310-3EJ04-3GA1), IEC 3Ph 22kW Parent cable 7m incl. SIM (8EM1310-3EJ04-3GA2), IEC 3Ph 22kW Parent socket (8EM1310-3EH04-3GA1), IEC 3Ph 22kW Parent socket incl. SIM (8EM1310-3EH04-3GA2), IEC 3Ph 22kW Parent socket/ shutter (8EM1310-3EN04-3GA1), IEC 3Ph 22kW Parent socket/ shutter SIM (8EM1310-3EN04-3GA2), IEC ERK 3Ph 22 kW Child cable 7m (8EM1310-3FJ04-0GA0), IEC ERK 3Ph 22 kW Child cable 7m (8EM1310-3FJ04-0GA1), IEC ERK 3Ph 22 kW Child cable 7m (8EM1310-3FJ04-0GA2), IEC ERK 3Ph 22 kW Child socket (8EM1310-3FH04-0GA0), IEC ERK 3Ph 22 kW Parent socket (8EM1310-3FH04-3GA1), IEC ERK 3Ph 22 kW Parent socket incl. SI (8EM1310-3FH04-3GA2), UL Commercial Cellular 48A NTEP (8EM1310-5HF14-1GA2), UL Commercial Child 40A w/ 15118 HW (8EM1310-4CF14-0GA0), UL Commercial Child 48A BA Compliant (8EM1315-5CG14-0GA0), UL Commercial Child 48A w/ 15118 HW (8EM1310-5CF14-0GA0), UL Commercial Parent 40A with Simcard (8EM1310-4CF14-1GA2), UL Commercial Parent 48A (USPS) (8EM1317-5CG14-1GA2), UL Commercial Parent 48A BA Compliant (8EM1315-5CG14-1GA2), UL Commercial Parent 48A with Simcard BA (8EM1310-5CF14-1GA2), UL Commercial Parent 48A, 15118, 25ft (8EM1310-5CG14-1GA1), UL Commercial Parent 48A, 15118, 25ft (8EM1314-5CG14-2FA2), UL Commercial Parent 48A, 15118, 25ft (8EM1315-5HG14-1GA2), UL Commercial Parent 48A,15118 25ft Sim (8EM1310-5CG14-1GA2), VersiCharge Blue™ 80A AC Cellular (8EM1315-7BG16-1FH2): Update to V2.135 or later version. The latest version will be pushed to the device OTA if the charger is completely commissioned and connected to Siemens Device Management. Contact Siemens Customer Service for further assistance or troubleshooting.

As a general security measure, Siemens recommends protecting network access to devices with appropriate mechanisms. To operate the devices in a protected IT environment, Siemens recommends configuring the environment according to Siemens’ operational guidelines for industrial security and following recommendations in the product manuals.
Additional information on industrial security by Siemens can be found on the Siemens industrial security webpage
For more information see the associated Siemens security advisory SSA-556937 in HTML and CSAF.
CISA recommends users take defensive measures to minimize the risk of exploitation of these vulnerabilities, such as:

Minimize network exposure for all control system devices and/or systems, ensuring they are not accessible from the internet.
Locate control system networks and remote devices behind firewalls and isolating them from business networks.
When remote access is required, use more secure methods, such as Virtual Private Networks (VPNs). Recognize VPNs may have vulnerabilities, should be updated to the most recent version available, and are only as secure as the connected devices.

CISA reminds organizations to perform proper impact analysis and risk assessment prior to deploying defensive measures.
CISA also provides a section for control systems security recommended practices on the ICS webpage on cisa.gov. Several CISA products detailing cyber defense best practices are available for reading and download, including Improving Industrial Control Systems Cybersecurity with Defense-in-Depth Strategies.
CISA encourages organizations to implement recommended cybersecurity strategies for proactive defense of ICS assets.
Additional mitigation guidance and recommended practices are publicly available on the ICS webpage at cisa.gov in the technical information paper, ICS-TIP-12-146-01B–Targeted Cyber Intrusion Detection and Mitigation Strategies.
Organizations observing suspected malicious activity should follow established internal procedures and report findings to CISA for tracking and correlation against other incidents.
CISA also recommends users take the following measures to protect themselves from social engineering attacks:

Do not click web links or open attachments in unsolicited email messages.
Refer to Recognizing and Avoiding Email Scams for more information on avoiding email scams.
Refer to Avoiding Social Engineering and Phishing Attacks for more information on social engineering attacks.

No known public exploitation specifically targeting these vulnerabilities has been reported to CISA at this time. These vulnerabilities are not exploitable remotely.
5. UPDATE HISTORY
May 15, 2025: Initial Republication of Siemens Advisory SSA-556937 

As of January 10, 2023, CISA will no longer be updating ICS security advisories for Siemens product vulnerabilities beyond the initial advisory. For the most up-to-date information on vulnerabilities in this advisory, please see Siemens’ ProductCERT Security Advisories (CERT Services | Services | Siemens Global).

View CSAF

1. EXECUTIVE SUMMARY

• CVSS v4 8.7
• ATTENTION: Exploitable from adjacent network/low attack complexity
• Vendor: Siemens
• Equipment: VersiCharge AC Series EV Chargers
• Vulnerabilities: Missing Immutable Root of Trust in Hardware, Initialization of a Resource with an Insecure Default

2. RISK EVALUATION

Successful exploitation of these vulnerabilities could allow an attacker to gain control of the chargers through default Modbus port or execute arbitrary code by manipulating the M0 firmware.

3. TECHNICAL DETAILS

3.1 AFFECTED PRODUCTS

Siemens reports that the following products are affected:

• Siemens IEC 1Ph 7.4kW Child socket (8EM1310-2EH04-0GA0): All versions (CVE-2025-31929)
• Siemens IEC 1Ph 7.4kW Parent socket (8EM1310-2EH04-3GA1): All versions prior to V2.135 (CVE-2025-31930)
• Siemens IEC 1Ph 7.4kW Parent socket incl. SIM (8EM1310-2EH04-3GA2): All versions (CVE-2025-31929)
• Siemens IEC 1Ph 7.4kW Parent socket incl. SIM (8EM1310-2EH04-3GA2): All versions prior to V2.135 (CVE-2025-31930)
• Siemens IEC 1Ph 7.4kW Parent socket/ shutter (8EM1310-2EN04-3GA1): All versions (CVE-2025-31929)
• Siemens IEC 1Ph 7.4kW Parent socket/ shutter (8EM1310-2EN04-3GA1): All versions prior to V2.135 (CVE-2025-31930)
• Siemens IEC 1Ph 7.4kW Parent socket/ shutter SIM (8EM1310-2EN04-3GA2): All versions (CVE-2025-31929)
• Siemens IEC 1Ph 7.4kW Parent socket/ shutter SIM (8EM1310-2EN04-3GA2): All versions prior to V2.135 (CVE-2025-31930)
• Siemens IEC 3Ph 22kW Child cable 7m (8EM1310-3EJ04-0GA0): All versions (CVE-2025-31929)
• Siemens IEC 3Ph 22kW Child cable 7m (8EM1310-3EJ04-0GA0): All versions prior to V2.135 (CVE-2025-31930)
• Siemens IEC 3Ph 22kW Child socket (8EM1310-3EH04-0GA0): All versions (CVE-2025-31929)
• Siemens IEC 1Ph 7.4kW Child socket (8EM1310-2EH04-0GA0): All versions prior to V2.135 (CVE-2025-31930)
• Siemens IEC 3Ph 22kW Child socket (8EM1310-3EH04-0GA0): All versions prior to V2.135 (CVE-2025-31930)
• Siemens IEC 3Ph 22kW Child socket/ shutter (8EM1310-3EN04-0GA0): All versions (CVE-2025-31929)
• Siemens IEC 3Ph 22kW Child socket/ shutter (8EM1310-3EN04-0GA0): All versions prior to V2.135 (CVE-2025-31930)
• Siemens IEC 3Ph 22kW Parent cable 7m (8EM1310-3EJ04-3GA1): All versions (CVE-2025-31929)
• Siemens IEC 3Ph 22kW Parent cable 7m (8EM1310-3EJ04-3GA1): All versions prior to V2.135 (CVE-2025-31930)
• Siemens IEC 3Ph 22kW Parent cable 7m incl. SIM (8EM1310-3EJ04-3GA2): All versions (CVE-2025-31929)
• Siemens IEC 3Ph 22kW Parent cable 7m incl. SIM (8EM1310-3EJ04-3GA2): All versions prior to V2.135 (CVE-2025-31930)
• Siemens IEC 3Ph 22kW Parent socket (8EM1310-3EH04-3GA1): All versions (CVE-2025-31929)
• Siemens IEC 3Ph 22kW Parent socket (8EM1310-3EH04-3GA1): All versions prior to V2.135 (CVE-2025-31930)
• Siemens IEC 3Ph 22kW Parent socket incl. SIM (8EM1310-3EH04-3GA2): All versions (CVE-2025-31929)
• Siemens IEC 1Ph 7.4kW Child socket/ shutter (8EM1310-2EN04-0GA0): All versions (CVE-2025-31929)
• Siemens IEC 3Ph 22kW Parent socket incl. SIM (8EM1310-3EH04-3GA2): All versions prior to V2.135 (CVE-2025-31930)
• Siemens IEC 3Ph 22kW Parent socket/ shutter (8EM1310-3EN04-3GA1): All versions (CVE-2025-31929)
• Siemens IEC 3Ph 22kW Parent socket/ shutter (8EM1310-3EN04-3GA1): All versions prior to V2.135 (CVE-2025-31930)
• Siemens IEC 3Ph 22kW Parent socket/ shutter SIM (8EM1310-3EN04-3GA2): All versions (CVE-2025-31929)
• Siemens IEC 3Ph 22kW Parent socket/ shutter SIM (8EM1310-3EN04-3GA2): All versions prior to V2.135 (CVE-2025-31930)
• Siemens IEC ERK 3Ph 22 kW Child cable 7m (8EM1310-3FJ04-0GA0): All versions (CVE-2025-31929)
• Siemens IEC ERK 3Ph 22 kW Child cable 7m (8EM1310-3FJ04-0GA0): All versions prior to V2.135 (CVE-2025-31930)
• Siemens IEC ERK 3Ph 22 kW Child cable 7m (8EM1310-3FJ04-0GA1): All versions (CVE-2025-31929)
• Siemens IEC ERK 3Ph 22 kW Child cable 7m (8EM1310-3FJ04-0GA1): All versions prior to V2.135 (CVE-2025-31930)
• Siemens IEC ERK 3Ph 22 kW Child cable 7m (8EM1310-3FJ04-0GA2): All versions (CVE-2025-31929)
• Siemens IEC 1Ph 7.4kW Child socket/ shutter (8EM1310-2EN04-0GA0): All versions prior to V2.135 (CVE-2025-31930)
• Siemens IEC ERK 3Ph 22 kW Child cable 7m (8EM1310-3FJ04-0GA2): All versions prior to V2.135 (CVE-2025-31930)
• Siemens IEC ERK 3Ph 22 kW Child socket (8EM1310-3FH04-0GA0): All versions (CVE-2025-31929)
• Siemens IEC ERK 3Ph 22 kW Child socket (8EM1310-3FH04-0GA0): All versions prior to V2.135 (CVE-2025-31930)
• Siemens IEC ERK 3Ph 22 kW Parent socket (8EM1310-3FH04-3GA1): All versions (CVE-2025-31929)
• Siemens IEC ERK 3Ph 22 kW Parent socket (8EM1310-3FH04-3GA1): All versions prior to V2.135 (CVE-2025-31930)
• Siemens IEC ERK 3Ph 22 kW Parent socket incl. SI (8EM1310-3FH04-3GA2): All versions (CVE-2025-31929)
• Siemens IEC ERK 3Ph 22 kW Parent socket incl. SI (8EM1310-3FH04-3GA2): All versions prior to V2.135 (CVE-2025-31930)
• Siemens UL Commercial Cellular 48A NTEP (8EM1310-5HF14-1GA2): All versions (CVE-2025-31929)
• Siemens UL Commercial Cellular 48A NTEP (8EM1310-5HF14-1GA2): All versions prior to V2.135 (CVE-2025-31930)
• Siemens UL Commercial Child 40A w/ 15118 HW (8EM1310-4CF14-0GA0): All versions (CVE-2025-31929)
• Siemens IEC 1Ph 7.4kW Parent cable 7m (8EM1310-2EJ04-3GA1): All versions (CVE-2025-31929)
• Siemens UL Commercial Child 40A w/ 15118 HW (8EM1310-4CF14-0GA0): All versions prior to V2.135 (CVE-2025-31930)
• Siemens UL Commercial Child 48A BA Compliant (8EM1315-5CG14-0GA0): All versions (CVE-2025-31929)
• Siemens UL Commercial Child 48A BA Compliant (8EM1315-5CG14-0GA0): All versions prior to V2.135 (CVE-2025-31930)
• Siemens UL Commercial Child 48A w/ 15118 HW (8EM1310-5CF14-0GA0): All versions (CVE-2025-31929)
• Siemens UL Commercial Child 48A w/ 15118 HW (8EM1310-5CF14-0GA0): All versions prior to V2.135 (CVE-2025-31930)
• Siemens UL Commercial Parent 40A with Simcard (8EM1310-4CF14-1GA2): All versions (CVE-2025-31929)
• Siemens UL Commercial Parent 40A with Simcard (8EM1310-4CF14-1GA2): All versions prior to V2.135 (CVE-2025-31930)
• Siemens UL Commercial Parent 48A (USPS) (8EM1317-5CG14-1GA2): All versions (CVE-2025-31929)
• Siemens UL Commercial Parent 48A (USPS) (8EM1317-5CG14-1GA2): All versions prior to V2.135 (CVE-2025-31930)
• Siemens UL Commercial Parent 48A BA Compliant (8EM1315-5CG14-1GA2): All versions (CVE-2025-31929)
• Siemens IEC 1Ph 7.4kW Parent cable 7m (8EM1310-2EJ04-3GA1): All versions prior to V2.135 (CVE-2025-31930)
• Siemens UL Commercial Parent 48A BA Compliant (8EM1315-5CG14-1GA2): All versions prior to V2.135 (CVE-2025-31930)
• Siemens UL Commercial Parent 48A with Simcard BA (8EM1310-5CF14-1GA2): All versions (CVE-2025-31929)
• Siemens UL Commercial Parent 48A with Simcard BA (8EM1310-5CF14-1GA2): All versions prior to V2.135 (CVE-2025-31930)
• Siemens UL Commercial Parent 48A,15118 25ft Sim (8EM1310-5CG14-1GA2): All versions (CVE-2025-31929)
• Siemens UL Commercial Parent 48A,15118 25ft Sim (8EM1310-5CG14-1GA2): All versions prior to V2.135 (CVE-2025-31930)
• Siemens UL Commercial Parent 48A, 15118, 25ft (8EM1310-5CG14-1GA1): All versions (CVE-2025-31929)
• Siemens UL Commercial Parent 48A, 15118, 25ft (8EM1310-5CG14-1GA1): All versions prior to V2.135 (CVE-2025-31930)
• Siemens UL Commercial Parent 48A, 15118, 25ft (8EM1314-5CG14-2FA2): All versions (CVE-2025-31929)
• Siemens UL Commercial Parent 48A, 15118, 25ft (8EM1314-5CG14-2FA2): All versions prior to V2.135 (CVE-2025-31930)
• Siemens UL Commercial Parent 48A, 15118, 25ft (8EM1315-5HG14-1GA2): All versions (CVE-2025-31929)
• Siemens IEC 1Ph 7.4kW Parent cable 7m incl. SIM (8EM1310-2EJ04-3GA2): All versions (CVE-2025-31929)
• Siemens UL Commercial Parent 48A, 15118, 25ft (8EM1315-5HG14-1GA2): All versions prior to V2.135 (CVE-2025-31930)
• Siemens UL Resi High End 40A w/15118 Hw (8EM1312-4CF18-0FA3): All versions (CVE-2025-31929)
• Siemens UL Resi High End 48A w/15118 Hw (8EM1312-5CF18-0FA3): All versions (CVE-2025-31929)
• Siemens VersiCharge Blue™ 80A AC Cellular (8EM1315-7BG16-1FH2): All versions (CVE-2025-31929)
• Siemens VersiCharge Blue™ 80A AC Cellular (8EM1315-7BG16-1FH2): All versions prior to V2.135 (CVE-2025-31930)
• Siemens IEC 1Ph 7.4kW Parent cable 7m incl. SIM (8EM1310-2EJ04-3GA2): All versions prior to V2.135 (CVE-2025-31930)
• Siemens IEC 1Ph 7.4kW Parent socket (8EM1310-2EH04-3GA1): All versions (CVE-2025-31929)

3.2 VULNERABILITY OVERVIEW

3.2.1 MISSING IMMUTABLE ROOT OF TRUST IN HARDWARE CWE-1326

The affected devices do not contain an Immutable Root of Trust in the M0 Hardware. An attacker with physical access to the device could use this to execute arbitrary code.

CVE-2025-31929 has been assigned to this vulnerability. A CVSS v3.1 base score of 4.2 has been calculated; the CVSS vector string is (CVSS:3.1/AV:P/AC:H/PR:N/UI:N/S:U/C:N/I:H/A:N).

A CVSS v4 score has also been calculated for CVE-2025-31929. A base score of 4.1 has been calculated; the CVSS vector string is (CVSS:4.0/AV:P/AC:H/AT:N/PR:N/UI:N/VC:N/VI:H/VA:N/SC:N/SI:N/SA:N).

3.2.2 INITIALIZATION OF A RESOURCE WITH AN INSECURE DEFAULT CWE-1188

The affected devices contain the Modbus service enabled by default. This could allow an attacker connected to the same network to remotely control the EV charger.

CVE-2025-31930 has been assigned to this vulnerability. A CVSS v3.1 base score of 8.8 has been calculated; the CVSS vector string is (CVSS:3.1/AV:A/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H).

A CVSS v4 score has also been calculated for CVE-2025-31930. A base score of 8.7 has been calculated; the CVSS vector string is (CVSS:4.0/AV:A/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:L/SI:N/SA:N).

3.3 BACKGROUND

• CRITICAL INFRASTRUCTURE SECTORS: Energy
• COUNTRIES/AREAS DEPLOYED: Worldwide
• COMPANY HEADQUARTERS LOCATION: Germany

3.4 RESEARCHER

Siemens reported these vulnerabilities to CISA.

4. MITIGATIONS

Siemens has identified the following specific workarounds and mitigations users can apply to reduce risk:

• (CVE-2025-31929) IEC 1Ph 7.4kW Child socket (8EM1310-2EH04-0GA0), IEC 1Ph 7.4kW Child socket/ shutter (8EM1310-2EN04-0GA0), IEC 1Ph 7.4kW Parent cable 7m (8EM1310-2EJ04-3GA1), IEC 1Ph 7.4kW Parent cable 7m incl. SIM (8EM1310-2EJ04-3GA2), IEC 1Ph 7.4kW Parent socket (8EM1310-2EH04-3GA1), IEC 1Ph 7.4kW Parent socket incl. SIM (8EM1310-2EH04-3GA2), IEC 1Ph 7.4kW Parent socket/ shutter (8EM1310-2EN04-3GA1), IEC 1Ph 7.4kW Parent socket/ shutter SIM (8EM1310-2EN04-3GA2), IEC 3Ph 22kW Child cable 7m (8EM1310-3EJ04-0GA0), IEC 3Ph 22kW Child socket (8EM1310-3EH04-0GA0), IEC 3Ph 22kW Child socket/ shutter (8EM1310-3EN04-0GA0), IEC 3Ph 22kW Parent cable 7m (8EM1310-3EJ04-3GA1), IEC 3Ph 22kW Parent cable 7m incl. SIM (8EM1310-3EJ04-3GA2), IEC 3Ph 22kW Parent socket (8EM1310-3EH04-3GA1), IEC 3Ph 22kW Parent socket incl. SIM (8EM1310-3EH04-3GA2), IEC 3Ph 22kW Parent socket/ shutter (8EM1310-3EN04-3GA1), IEC 3Ph 22kW Parent socket/ shutter SIM (8EM1310-3EN04-3GA2), IEC ERK 3Ph 22 kW Child cable 7m (8EM1310-3FJ04-0GA0), IEC ERK 3Ph 22 kW Child cable 7m (8EM1310-3FJ04-0GA1), IEC ERK 3Ph 22 kW Child cable 7m (8EM1310-3FJ04-0GA2), IEC ERK 3Ph 22 kW Child socket (8EM1310-3FH04-0GA0), IEC ERK 3Ph 22 kW Parent socket (8EM1310-3FH04-3GA1), IEC ERK 3Ph 22 kW Parent socket incl. SI (8EM1310-3FH04-3GA2), UL Commercial Cellular 48A NTEP (8EM1310-5HF14-1GA2), UL Commercial Child 40A w/ 15118 HW (8EM1310-4CF14-0GA0), UL Commercial Child 48A BA Compliant (8EM1315-5CG14-0GA0), UL Commercial Child 48A w/ 15118 HW (8EM1310-5CF14-0GA0), UL Commercial Parent 40A with Simcard (8EM1310-4CF14-1GA2), UL Commercial Parent 48A (USPS) (8EM1317-5CG14-1GA2), UL Commercial Parent 48A BA Compliant (8EM1315-5CG14-1GA2), UL Commercial Parent 48A with Simcard BA (8EM1310-5CF14-1GA2), UL Commercial Parent 48A, 15118, 25ft (8EM1310-5CG14-1GA1), UL Commercial Parent 48A, 15118, 25ft (8EM1314-5CG14-2FA2), UL Commercial Parent 48A, 15118, 25ft (8EM1315-5HG14-1GA2), UL Commercial Parent 48A,15118 25ft Sim (8EM1310-5CG14-1GA2), UL Resi High End 40A w/15118 Hw (8EM1312-4CF18-0FA3), UL Resi High End 48A w/15118 Hw (8EM1312-5CF18-0FA3), VersiCharge Blue™ 80A AC Cellular (8EM1315-7BG16-1FH2): Currently no fix is planned
• (CVE-2025-31930) IEC 1Ph 7.4kW Child socket (8EM1310-2EH04-0GA0), IEC 1Ph 7.4kW Child socket/ shutter (8EM1310-2EN04-0GA0), IEC 1Ph 7.4kW Parent cable 7m (8EM1310-2EJ04-3GA1), IEC 1Ph 7.4kW Parent cable 7m incl. SIM (8EM1310-2EJ04-3GA2), IEC 1Ph 7.4kW Parent socket (8EM1310-2EH04-3GA1), IEC 1Ph 7.4kW Parent socket incl. SIM (8EM1310-2EH04-3GA2), IEC 1Ph 7.4kW Parent socket/ shutter (8EM1310-2EN04-3GA1), IEC 1Ph 7.4kW Parent socket/ shutter SIM (8EM1310-2EN04-3GA2), IEC 3Ph 22kW Child cable 7m (8EM1310-3EJ04-0GA0), IEC 3Ph 22kW Child socket (8EM1310-3EH04-0GA0), IEC 3Ph 22kW Child socket/ shutter (8EM1310-3EN04-0GA0), IEC 3Ph 22kW Parent cable 7m (8EM1310-3EJ04-3GA1), IEC 3Ph 22kW Parent cable 7m incl. SIM (8EM1310-3EJ04-3GA2), IEC 3Ph 22kW Parent socket (8EM1310-3EH04-3GA1), IEC 3Ph 22kW Parent socket incl. SIM (8EM1310-3EH04-3GA2), IEC 3Ph 22kW Parent socket/ shutter (8EM1310-3EN04-3GA1), IEC 3Ph 22kW Parent socket/ shutter SIM (8EM1310-3EN04-3GA2), IEC ERK 3Ph 22 kW Child cable 7m (8EM1310-3FJ04-0GA0), IEC ERK 3Ph 22 kW Child cable 7m (8EM1310-3FJ04-0GA1), IEC ERK 3Ph 22 kW Child cable 7m (8EM1310-3FJ04-0GA2), IEC ERK 3Ph 22 kW Child socket (8EM1310-3FH04-0GA0), IEC ERK 3Ph 22 kW Parent socket (8EM1310-3FH04-3GA1), IEC ERK 3Ph 22 kW Parent socket incl. SI (8EM1310-3FH04-3GA2), UL Commercial Cellular 48A NTEP (8EM1310-5HF14-1GA2), UL Commercial Child 40A w/ 15118 HW (8EM1310-4CF14-0GA0), UL Commercial Child 48A BA Compliant (8EM1315-5CG14-0GA0), UL Commercial Child 48A w/ 15118 HW (8EM1310-5CF14-0GA0), UL Commercial Parent 40A with Simcard (8EM1310-4CF14-1GA2), UL Commercial Parent 48A (USPS) (8EM1317-5CG14-1GA2), UL Commercial Parent 48A BA Compliant (8EM1315-5CG14-1GA2), UL Commercial Parent 48A with Simcard BA (8EM1310-5CF14-1GA2), UL Commercial Parent 48A, 15118, 25ft (8EM1310-5CG14-1GA1), UL Commercial Parent 48A, 15118, 25ft (8EM1314-5CG14-2FA2), UL Commercial Parent 48A, 15118, 25ft (8EM1315-5HG14-1GA2), UL Commercial Parent 48A,15118 25ft Sim (8EM1310-5CG14-1GA2), VersiCharge Blue™ 80A AC Cellular (8EM1315-7BG16-1FH2): Update to V2.135 or later version. The latest version will be pushed to the device OTA if the charger is completely commissioned and connected to Siemens Device Management. Contact Siemens Customer Service for further assistance or troubleshooting.

As a general security measure, Siemens recommends protecting network access to devices with appropriate mechanisms. To operate the devices in a protected IT environment, Siemens recommends configuring the environment according to Siemens’ operational guidelines for industrial security and following recommendations in the product manuals.

Additional information on industrial security by Siemens can be found on the Siemens industrial security webpage

For more information see the associated Siemens security advisory SSA-556937 in HTML and CSAF.

CISA recommends users take defensive measures to minimize the risk of exploitation of these vulnerabilities, such as:

• Minimize network exposure for all control system devices and/or systems, ensuring they are not accessible from the internet.
• Locate control system networks and remote devices behind firewalls and isolating them from business networks.
• When remote access is required, use more secure methods, such as Virtual Private Networks (VPNs). Recognize VPNs may have vulnerabilities, should be updated to the most recent version available, and are only as secure as the connected devices.

CISA reminds organizations to perform proper impact analysis and risk assessment prior to deploying defensive measures.

CISA also provides a section for control systems security recommended practices on the ICS webpage on cisa.gov. Several CISA products detailing cyber defense best practices are available for reading and download, including Improving Industrial Control Systems Cybersecurity with Defense-in-Depth Strategies.

CISA encourages organizations to implement recommended cybersecurity strategies for proactive defense of ICS assets.

Additional mitigation guidance and recommended practices are publicly available on the ICS webpage at cisa.gov in the technical information paper, ICS-TIP-12-146-01B–Targeted Cyber Intrusion Detection and Mitigation Strategies.

Organizations observing suspected malicious activity should follow established internal procedures and report findings to CISA for tracking and correlation against other incidents.

CISA also recommends users take the following measures to protect themselves from social engineering attacks:

• Do not click web links or open attachments in unsolicited email messages.
• Refer to Recognizing and Avoiding Email Scams for more information on avoiding email scams.
• Refer to Avoiding Social Engineering and Phishing Attacks for more information on social engineering attacks.

No known public exploitation specifically targeting these vulnerabilities has been reported to CISA at this time. These vulnerabilities are not exploitable remotely.

5. UPDATE HISTORY

May 15, 2025: Initial Republication of Siemens Advisory SSA-556937

 Read More

 ​As of January 10, 2023, CISA will no longer be updating ICS security advisories for Siemens product vulnerabilities beyond the initial advisory. For the most up-to-date information on vulnerabilities in this advisory, please see Siemens’ ProductCERT Security Advisories (CERT Services | Services | Siemens Global).
View CSAF
1. EXECUTIVE SUMMARY

CVSS v4 10.0
ATTENTION: Exploitable remotely/low attack complexity
Vendor: Siemens
Equipment: IPC RS-828A
Vulnerability: Authentication Bypass by Spoofing

2. RISK EVALUATION
Successful exploitation of this vulnerability could allow an attacker to gain unauthorized access and compromise confidentiality, integrity and availability of the BMC and thus the entire system.
3. TECHNICAL DETAILS
3.1 AFFECTED PRODUCTS
Siemens reports the following rugged industrial PCs are affected:

SIMATIC IPC RS-828A: All versions

3.2 VULNERABILITY OVERVIEW
3.2.1 AUTHENTICATION BYPASS BY SPOOFING CWE-290
AMI’s SPx contains a vulnerability in the BMC where an attacker may bypass authentication remotely through the Redfish Host Interface. A successful exploitation of this vulnerability may lead to a loss of confidentiality, integrity, and/or availability.
CVE-2024-54085 has been assigned to this vulnerability. A CVSS v3.1 base score of 10.0 has been calculated; the CVSS vector string is (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H).
A CVSS v4 score has also been calculated for CVE-2024-54085. A base score of 10.0 has been calculated; the CVSS vector string is (CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:H/SI:H/SA:H).
3.3 BACKGROUND

CRITICAL INFRASTRUCTURE SECTORS: Commercial Facilities, Critical Manufacturing, Energy, Transportation Systems, Water and Wastewater Systems
COUNTRIES/AREAS DEPLOYED: Worldwide
COMPANY HEADQUARTERS LOCATION: Germany

3.4 RESEARCHER
Siemens reported this vulnerability to CISA.
4. MITIGATIONS
Siemens is preparing fix versions and recommends specific countermeasures for products where fixes are not, or not yet available. Ensure access to the BMC network interface (X1P1) is limited to trusted networks only.
As a general security measure, Siemens recommends protecting network access to devices with appropriate mechanisms. To operate the devices in a protected IT environment, Siemens recommends configuring the environment according to Siemens’ operational guidelines for industrial security and following recommendations in the product manuals.
Additional information on industrial security by Siemens can be found on the Siemens industrial security webpage
For more information see the associated Siemens security advisory SSA-446307 in HTML and CSAF.
CISA recommends users take defensive measures to minimize the risk of exploitation of this vulnerability. CISA reminds organizations to perform proper impact analysis and risk assessment prior to deploying defensive measures.
CISA also provides a section for control systems security recommended practices on the ICS webpage on cisa.gov. Several CISA products detailing cyber defense best practices are available for reading and download, including Improving Industrial Control Systems Cybersecurity with Defense-in-Depth Strategies.
CISA encourages organizations to implement recommended cybersecurity strategies for proactive defense of ICS assets.
Additional mitigation guidance and recommended practices are publicly available on the ICS webpage at cisa.gov in the technical information paper, ICS-TIP-12-146-01B–Targeted Cyber Intrusion Detection and Mitigation Strategies.
Organizations observing suspected malicious activity should follow established internal procedures and report findings to CISA for tracking and correlation against other incidents.
No known public exploitation specifically targeting this vulnerability has been reported to CISA at this time.
5. UPDATE HISTORY

May 15, 2025: Initial Republication of Siemens SSA-446307 

As of January 10, 2023, CISA will no longer be updating ICS security advisories for Siemens product vulnerabilities beyond the initial advisory. For the most up-to-date information on vulnerabilities in this advisory, please see Siemens’ ProductCERT Security Advisories (CERT Services | Services | Siemens Global).

View CSAF

1. EXECUTIVE SUMMARY

• CVSS v4 10.0
• ATTENTION: Exploitable remotely/low attack complexity
• Vendor: Siemens
• Equipment: IPC RS-828A
• Vulnerability: Authentication Bypass by Spoofing

2. RISK EVALUATION

Successful exploitation of this vulnerability could allow an attacker to gain unauthorized access and compromise confidentiality, integrity and availability of the BMC and thus the entire system.

3. TECHNICAL DETAILS

3.1 AFFECTED PRODUCTS

Siemens reports the following rugged industrial PCs are affected:

• SIMATIC IPC RS-828A: All versions

3.2 VULNERABILITY OVERVIEW

3.2.1 AUTHENTICATION BYPASS BY SPOOFING CWE-290

AMI’s SPx contains a vulnerability in the BMC where an attacker may bypass authentication remotely through the Redfish Host Interface. A successful exploitation of this vulnerability may lead to a loss of confidentiality, integrity, and/or availability.

CVE-2024-54085 has been assigned to this vulnerability. A CVSS v3.1 base score of 10.0 has been calculated; the CVSS vector string is (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H).

A CVSS v4 score has also been calculated for CVE-2024-54085. A base score of 10.0 has been calculated; the CVSS vector string is (CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:H/SI:H/SA:H).

3.3 BACKGROUND

• CRITICAL INFRASTRUCTURE SECTORS: Commercial Facilities, Critical Manufacturing, Energy, Transportation Systems, Water and Wastewater Systems
• COUNTRIES/AREAS DEPLOYED: Worldwide
• COMPANY HEADQUARTERS LOCATION: Germany

3.4 RESEARCHER

Siemens reported this vulnerability to CISA.

4. MITIGATIONS

Siemens is preparing fix versions and recommends specific countermeasures for products where fixes are not, or not yet available. Ensure access to the BMC network interface (X1P1) is limited to trusted networks only.

As a general security measure, Siemens recommends protecting network access to devices with appropriate mechanisms. To operate the devices in a protected IT environment, Siemens recommends configuring the environment according to Siemens’ operational guidelines for industrial security and following recommendations in the product manuals.

Additional information on industrial security by Siemens can be found on the Siemens industrial security webpage

For more information see the associated Siemens security advisory SSA-446307 in HTML and CSAF.

CISA recommends users take defensive measures to minimize the risk of exploitation of this vulnerability. CISA reminds organizations to perform proper impact analysis and risk assessment prior to deploying defensive measures.

CISA also provides a section for control systems security recommended practices on the ICS webpage on cisa.gov. Several CISA products detailing cyber defense best practices are available for reading and download, including Improving Industrial Control Systems Cybersecurity with Defense-in-Depth Strategies.

CISA encourages organizations to implement recommended cybersecurity strategies for proactive defense of ICS assets.

Additional mitigation guidance and recommended practices are publicly available on the ICS webpage at cisa.gov in the technical information paper, ICS-TIP-12-146-01B–Targeted Cyber Intrusion Detection and Mitigation Strategies.

Organizations observing suspected malicious activity should follow established internal procedures and report findings to CISA for tracking and correlation against other incidents.

No known public exploitation specifically targeting this vulnerability has been reported to CISA at this time.

5. UPDATE HISTORY

• May 15, 2025: Initial Republication of Siemens SSA-446307

 Read More

 ​View CSAF
1. EXECUTIVE SUMMARY

CVSS v4 8.6
ATTENTION: Exploitable remotely/low attack complexity
Vendor: ECOVACS
Equipment: DEEBOT Vacuum and Base Station
Vulnerabilities: Use of Hard-coded Cryptographic Key, Download of Code Without Integrity Check

2. RISK EVALUATION
Successful exploitation of these vulnerabilities could allow an attacker to send malicious updates to the devices or execute code.
3. TECHNICAL DETAILS
3.1 AFFECTED PRODUCTS
ECOVACS reports the following DEEBOT vacuum and base station devices are affected:

X1S PRO: Versions prior to 2.5.38
X1 PRO OMNI: Versions prior to 2.5.38
X1 OMNI: Versions prior to 2.4.45
X1 TURBO: Versions prior to 2.4.45
T10 Series: Versions prior to 1.11.0
T20 Series: Versions prior to 1.25.0
T30 Series: Versions prior to 1.100.0

3.2 VULNERABILITY OVERVIEW
3.2.1 Use of Hard-coded Cryptographic Key CWE-321
ECOVACS robot vacuums and base stations communicate via an insecure Wi-Fi network with a deterministic WPA2-PSK. The key can be easily derived from the device serial number.
CVE-2025-30198 has been assigned to this vulnerability. A CVSS v3.1 base score of 6.3 has been calculated; the CVSS vector string is (CVSS:3.1/AV:A/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L).
A CVSS v4 score has also been calculated for CVE-2025-30198. A base score of 5.3 has been calculated; the CVSS vector string is (CVSS:4.0/AV:A/AC:L/AT:N/PR:N/UI:N/VC:L/VI:L/VA:L/SC:N/SI:N/SA:N).
3.2.2 Download of Code Without Integrity Check CWE-494
ECOVACS vacuum robot base stations do not validate firmware updates, so malicious over-the-air updates can be sent to base station via insecure connection between robot and base station.
CVE-2025-30199 has been assigned to this vulnerability. A CVSS v3.1 base score of 7.2 has been calculated; the CVSS vector string is (CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H).
A CVSS v4 score has also been calculated for CVE-2025-30199. A base score of 8.6 has been calculated; the CVSS vector string is (CVSS:4.0/AV:N/AC:L/AT:N/PR:H/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N).
3.2.3 Use of Hard-coded Cryptographic Key CWE-321
ECOVACS robot vacuums and base stations communicate via an insecure Wi-Fi network with a deterministic AES encryption key, which can be easily derived from the device serial number.
CVE-2025-30200 has been assigned to this vulnerability. A CVSS v3.1 base score of 6.3 has been calculated; the CVSS vector string is (CVSS:3.1/AV:A/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L).
A CVSS v4 score has also been calculated for CVE-2025-30200. A base score of 5.3 has been calculated; the CVSS vector string is (CVSS:4.0/AV:A/AC:L/AT:N/PR:N/UI:N/VC:L/VI:L/VA:L/SC:N/SI:N/SA:N).
3.3 BACKGROUND

CRITICAL INFRASTRUCTURE SECTORS: Commercial Facilities
COUNTRIES/AREAS DEPLOYED: Worldwide
COMPANY HEADQUARTERS LOCATION: China

3.4 RESEARCHER
Dennis Giese, Braelynn Luedtke, and Chris Anderson reported these vulnerabilities to ECOVACS.
4. MITIGATIONS
ECOVACS has released software updates for the X1S PRO and X1 PRO OMNI. The remaining affected products will have updates available by May 31, 2025. Devices that support automatic updates will receive system update notifications. ECOVACS has proactively pushed the update to users, ensuring all users will be covered by May 31st. Users can complete the fix by performing the system update.
For more information, see ECOVACS security advisory.
Users can contact ECOVACS using information provided on their website.
CISA recommends users take defensive measures to minimize the risk of exploitation of these vulnerabilities, such as:

Minimize network exposure for all control system devices and/or systems, ensuring they are not accessible from the Internet.
Locate control system networks and remote devices behind firewalls and isolating them from business networks.
When remote access is required, use more secure methods, such as virtual private networks (VPNs), recognizing VPNs may have vulnerabilities and should be updated to the most current version available. Also recognize VPN is only as secure as the connected devices.

CISA reminds organizations to perform proper impact analysis and risk assessment prior to deploying defensive measures.
CISA also provides a section for control systems security recommended practices on the ICS webpage on cisa.gov/ics. Several CISA products detailing cyber defense best practices are available for reading and download, including Improving Industrial Control Systems Cybersecurity with Defense-in-Depth Strategies.
CISA encourages organizations to implement recommended cybersecurity strategies for proactive defense of ICS assets.
Additional mitigation guidance and recommended practices are publicly available on the ICS webpage at cisa.gov/ics in the technical information paper, ICS-TIP-12-146-01B–Targeted Cyber Intrusion Detection and Mitigation Strategies.
Organizations observing suspected malicious activity should follow established internal procedures and report findings to CISA for tracking and correlation against other incidents.
CISA also recommends users take the following measures to protect themselves from social engineering attacks:

Do not click web links or open attachments in unsolicited email messages.
Refer to Recognizing and Avoiding Email Scams for more information on avoiding email scams.
Refer to Avoiding Social Engineering and Phishing Attacks for more information on social engineering attacks.

No known public exploitation specifically targeting these vulnerabilities has been reported to CISA at this time.
5. UPDATE HISTORY

May 15, 2025: Initial Publication 

View CSAF

1. EXECUTIVE SUMMARY

• CVSS v4 8.6
• ATTENTION: Exploitable remotely/low attack complexity
• Vendor: ECOVACS
• Equipment: DEEBOT Vacuum and Base Station
• Vulnerabilities: Use of Hard-coded Cryptographic Key, Download of Code Without Integrity Check

2. RISK EVALUATION

Successful exploitation of these vulnerabilities could allow an attacker to send malicious updates to the devices or execute code.

3. TECHNICAL DETAILS

3.1 AFFECTED PRODUCTS

ECOVACS reports the following DEEBOT vacuum and base station devices are affected:

• X1S PRO: Versions prior to 2.5.38
• X1 PRO OMNI: Versions prior to 2.5.38
• X1 OMNI: Versions prior to 2.4.45
• X1 TURBO: Versions prior to 2.4.45
• T10 Series: Versions prior to 1.11.0
• T20 Series: Versions prior to 1.25.0
• T30 Series: Versions prior to 1.100.0

3.2 VULNERABILITY OVERVIEW

3.2.1 Use of Hard-coded Cryptographic Key CWE-321

ECOVACS robot vacuums and base stations communicate via an insecure Wi-Fi network with a deterministic WPA2-PSK. The key can be easily derived from the device serial number.

CVE-2025-30198 has been assigned to this vulnerability. A CVSS v3.1 base score of 6.3 has been calculated; the CVSS vector string is (CVSS:3.1/AV:A/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L).

A CVSS v4 score has also been calculated for CVE-2025-30198. A base score of 5.3 has been calculated; the CVSS vector string is (CVSS:4.0/AV:A/AC:L/AT:N/PR:N/UI:N/VC:L/VI:L/VA:L/SC:N/SI:N/SA:N).

3.2.2 Download of Code Without Integrity Check CWE-494

ECOVACS vacuum robot base stations do not validate firmware updates, so malicious over-the-air updates can be sent to base station via insecure connection between robot and base station.

CVE-2025-30199 has been assigned to this vulnerability. A CVSS v3.1 base score of 7.2 has been calculated; the CVSS vector string is (CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H).

A CVSS v4 score has also been calculated for CVE-2025-30199. A base score of 8.6 has been calculated; the CVSS vector string is (CVSS:4.0/AV:N/AC:L/AT:N/PR:H/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N).

3.2.3 Use of Hard-coded Cryptographic Key CWE-321

ECOVACS robot vacuums and base stations communicate via an insecure Wi-Fi network with a deterministic AES encryption key, which can be easily derived from the device serial number.

CVE-2025-30200 has been assigned to this vulnerability. A CVSS v3.1 base score of 6.3 has been calculated; the CVSS vector string is (CVSS:3.1/AV:A/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L).

A CVSS v4 score has also been calculated for CVE-2025-30200. A base score of 5.3 has been calculated; the CVSS vector string is (CVSS:4.0/AV:A/AC:L/AT:N/PR:N/UI:N/VC:L/VI:L/VA:L/SC:N/SI:N/SA:N).

3.3 BACKGROUND

• CRITICAL INFRASTRUCTURE SECTORS: Commercial Facilities
• COUNTRIES/AREAS DEPLOYED: Worldwide
• COMPANY HEADQUARTERS LOCATION: China

3.4 RESEARCHER

Dennis Giese, Braelynn Luedtke, and Chris Anderson reported these vulnerabilities to ECOVACS.

4. MITIGATIONS

ECOVACS has released software updates for the X1S PRO and X1 PRO OMNI. The remaining affected products will have updates available by May 31, 2025. Devices that support automatic updates will receive system update notifications. ECOVACS has proactively pushed the update to users, ensuring all users will be covered by May 31st. Users can complete the fix by performing the system update.

For more information, see ECOVACS security advisory.

Users can contact ECOVACS using information provided on their website.

CISA recommends users take defensive measures to minimize the risk of exploitation of these vulnerabilities, such as:

• Minimize network exposure for all control system devices and/or systems, ensuring they are not accessible from the Internet.
• Locate control system networks and remote devices behind firewalls and isolating them from business networks.
• When remote access is required, use more secure methods, such as virtual private networks (VPNs), recognizing VPNs may have vulnerabilities and should be updated to the most current version available. Also recognize VPN is only as secure as the connected devices.

CISA reminds organizations to perform proper impact analysis and risk assessment prior to deploying defensive measures.

CISA also provides a section for control systems security recommended practices on the ICS webpage on cisa.gov/ics. Several CISA products detailing cyber defense best practices are available for reading and download, including Improving Industrial Control Systems Cybersecurity with Defense-in-Depth Strategies.

CISA encourages organizations to implement recommended cybersecurity strategies for proactive defense of ICS assets.

Additional mitigation guidance and recommended practices are publicly available on the ICS webpage at cisa.gov/ics in the technical information paper, ICS-TIP-12-146-01B–Targeted Cyber Intrusion Detection and Mitigation Strategies.

Organizations observing suspected malicious activity should follow established internal procedures and report findings to CISA for tracking and correlation against other incidents.

CISA also recommends users take the following measures to protect themselves from social engineering attacks:

• Do not click web links or open attachments in unsolicited email messages.
• Refer to Recognizing and Avoiding Email Scams for more information on avoiding email scams.
• Refer to Avoiding Social Engineering and Phishing Attacks for more information on social engineering attacks.

No known public exploitation specifically targeting these vulnerabilities has been reported to CISA at this time.

5. UPDATE HISTORY

• May 15, 2025: Initial Publication

 Read More

 ​As of January 10, 2023, CISA will no longer be updating ICS security advisories for Siemens product vulnerabilities beyond the initial advisory. For the most up-to-date information on vulnerabilities in this advisory, please see Siemens’ ProductCERT Security Advisories (CERT Services | Services | Siemens Global).
View CSAF
1. EXECUTIVE SUMMARY

CVSS v4 9.4
ATTENTION: Exploitable remotely/low attack complexity
Vendor: Siemens
Equipment: RUGGEDCOM ROX II
Vulnerabilities: Client-Side Enforcement of Server-Side Security

2. RISK EVALUATION
Successful exploitation of these vulnerabilities could allow an attacker with a legitimate, highly privileged account on the web interface to get privileged code execution in the underlying OS of the affected products.
3. TECHNICAL DETAILS
3.1 AFFECTED PRODUCTS
Siemens reports that the following products are affected:

RUGGEDCOM ROX MX5000: Versions prior to V2.16.5
RUGGEDCOM ROX RX1536: Versions prior to V2.16.5
RUGGEDCOM ROX RX5000: Versions prior to V2.16.5
RUGGEDCOM ROX MX5000RE: Versions prior to V2.16.5
RUGGEDCOM ROX RX1400: Versions prior to V2.16.5
RUGGEDCOM ROX RX1500: Versions prior to V2.16.5
RUGGEDCOM ROX RX1501: Versions prior to V2.16.5
RUGGEDCOM ROX RX1510: Versions prior to V2.16.5
RUGGEDCOM ROX RX1511: Versions prior to V2.16.5
RUGGEDCOM ROX RX1512: Versions prior to V2.16.5
RUGGEDCOM ROX RX1524: Versions prior to V2.16.5

3.2 VULNERABILITY OVERVIEW
3.2.1 CLIENT-SIDE ENFORCEMENT OF SERVER-SIDE SECURITY CWE-602
The ‘ping’ tool in the web interface of affected devices is vulnerable to command injection due to missing server side input sanitation. This could allow an authenticated remote attacker to execute arbitrary code with root privileges.
CVE-2025-32469 has been assigned to this vulnerability. A CVSS v3.1 base score of 9.9 has been assigned; the CVSS vector string is (CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H).
A CVSS v4 score has also been calculated for CVE-2025-32469. A base score of 9.4 has been calculated; the CVSS vector string is (CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:H/SC:H/SI:H/SA:H).
3.2.2 CLIENT-SIDE ENFORCEMENT OF SERVER-SIDE SECURITY CWE-602
The ‘tcpdump’ tool in the web interface of affected devices is vulnerable to command injection due to missing server side input sanitation. This could allow an authenticated remote attacker to execute arbitrary code with root privileges.
CVE-2025-33024 has been assigned to this vulnerability. A CVSS v3.1 base score of 9.9 has been assigned; the CVSS vector string is (CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H).
A CVSS v4 score has also been calculated for CVE-2025-33024. A base score of 9.4 has been calculated; the CVSS vector string is (CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:H/SC:H/SI:H/SA:H).
3.2.3 CLIENT-SIDE ENFORCEMENT OF SERVER-SIDE SECURITY CWE-602
The ‘traceroute’ tool in the web interface of affected devices is vulnerable to command injection due to missing server side input sanitation. This could allow an authenticated remote attacker to execute arbitrary code with root privileges.
CVE-2025-33025 has been assigned to this vulnerability. A CVSS v3.1 base score of 9.9 has been assigned; the CVSS vector string is (CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H).
A CVSS v4 score has also been calculated for CVE-2025-33025. A base score of 9.4 has been calculated; the CVSS vector string is (CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:H/SC:H/SI:H/SA:H).
3.3 BACKGROUND

CRITICAL INFRASTRUCTURE SECTORS: Critical Manufacturing
COUNTRIES/AREAS DEPLOYED: Worldwide
COMPANY HEADQUARTERS LOCATION: Germany

3.4 RESEARCHER
Siemens reported these vulnerabilities to CISA.
4. MITIGATIONS
Siemens has identified the following specific workarounds and mitigations users can apply to reduce risk:

All affected products: Update to V2.16.5 or later version

As a general security measure, Siemens recommends protecting network access to devices with appropriate mechanisms. To operate the devices in a protected IT environment, Siemens recommends configuring the environment according to Siemens’ operational guidelines for industrial security and following recommendations in the product manuals.
Additional information on industrial security by Siemens can be found on the Siemens industrial security webpage
For more information see the associated Siemens security advisory SSA-301229 in HTML and CSAF.
CISA recommends users take defensive measures to minimize the risk of exploitation of these vulnerabilities, such as:

Minimize network exposure for all control system devices and/or systems, ensuring they are not accessible from the Internet.
Locate control system networks and remote devices behind firewalls and isolating them from business networks.
When remote access is required, use more secure methods, such as Virtual Private Networks (VPNs). Recognize VPNs may have vulnerabilities, should be updated to the most recent version available, and are only as secure as the connected devices.

CISA reminds organizations to perform proper impact analysis and risk assessment prior to deploying defensive measures.
CISA also provides a section for control systems security recommended practices on the ICS webpage on cisa.gov. Several CISA products detailing cyber defense best practices are available for reading and download, including Improving Industrial Control Systems Cybersecurity with Defense-in-Depth Strategies.
CISA encourages organizations to implement recommended cybersecurity strategies for proactive defense of ICS assets.
Additional mitigation guidance and recommended practices are publicly available on the ICS webpage at cisa.gov in the technical information paper, ICS-TIP-12-146-01B–Targeted Cyber Intrusion Detection and Mitigation Strategies.
Organizations observing suspected malicious activity should follow established internal procedures and report findings to CISA for tracking and correlation against other incidents.
CISA also recommends users take the following measures to protect themselves from social engineering attacks:

Do not click web links or open attachments in unsolicited email messages.
Refer to Recognizing and Avoiding Email Scams for more information on avoiding email scams.
Refer to Avoiding Social Engineering and Phishing Attacks for more information on social engineering attacks.

No known public exploitation specifically targeting these vulnerabilities has been reported to CISA at this time.
5. UPDATE HISTORY

May 15, 2025: Initial Republication of Siemens SSA-301229 

As of January 10, 2023, CISA will no longer be updating ICS security advisories for Siemens product vulnerabilities beyond the initial advisory. For the most up-to-date information on vulnerabilities in this advisory, please see Siemens’ ProductCERT Security Advisories (CERT Services | Services | Siemens Global).

View CSAF

1. EXECUTIVE SUMMARY

• CVSS v4 9.4
• ATTENTION: Exploitable remotely/low attack complexity
• Vendor: Siemens
• Equipment: RUGGEDCOM ROX II
• Vulnerabilities: Client-Side Enforcement of Server-Side Security

2. RISK EVALUATION

Successful exploitation of these vulnerabilities could allow an attacker with a legitimate, highly privileged account on the web interface to get privileged code execution in the underlying OS of the affected products.

3. TECHNICAL DETAILS

3.1 AFFECTED PRODUCTS

Siemens reports that the following products are affected:

• RUGGEDCOM ROX MX5000: Versions prior to V2.16.5
• RUGGEDCOM ROX RX1536: Versions prior to V2.16.5
• RUGGEDCOM ROX RX5000: Versions prior to V2.16.5
• RUGGEDCOM ROX MX5000RE: Versions prior to V2.16.5
• RUGGEDCOM ROX RX1400: Versions prior to V2.16.5
• RUGGEDCOM ROX RX1500: Versions prior to V2.16.5
• RUGGEDCOM ROX RX1501: Versions prior to V2.16.5
• RUGGEDCOM ROX RX1510: Versions prior to V2.16.5
• RUGGEDCOM ROX RX1511: Versions prior to V2.16.5
• RUGGEDCOM ROX RX1512: Versions prior to V2.16.5
• RUGGEDCOM ROX RX1524: Versions prior to V2.16.5

3.2 VULNERABILITY OVERVIEW

3.2.1 CLIENT-SIDE ENFORCEMENT OF SERVER-SIDE SECURITY CWE-602

The ‘ping’ tool in the web interface of affected devices is vulnerable to command injection due to missing server side input sanitation. This could allow an authenticated remote attacker to execute arbitrary code with root privileges.

CVE-2025-32469 has been assigned to this vulnerability. A CVSS v3.1 base score of 9.9 has been assigned; the CVSS vector string is (CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H).

A CVSS v4 score has also been calculated for CVE-2025-32469. A base score of 9.4 has been calculated; the CVSS vector string is (CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:H/SC:H/SI:H/SA:H).

3.2.2 CLIENT-SIDE ENFORCEMENT OF SERVER-SIDE SECURITY CWE-602

The ‘tcpdump’ tool in the web interface of affected devices is vulnerable to command injection due to missing server side input sanitation. This could allow an authenticated remote attacker to execute arbitrary code with root privileges.

CVE-2025-33024 has been assigned to this vulnerability. A CVSS v3.1 base score of 9.9 has been assigned; the CVSS vector string is (CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H).

A CVSS v4 score has also been calculated for CVE-2025-33024. A base score of 9.4 has been calculated; the CVSS vector string is (CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:H/SC:H/SI:H/SA:H).

3.2.3 CLIENT-SIDE ENFORCEMENT OF SERVER-SIDE SECURITY CWE-602

The ‘traceroute’ tool in the web interface of affected devices is vulnerable to command injection due to missing server side input sanitation. This could allow an authenticated remote attacker to execute arbitrary code with root privileges.

CVE-2025-33025 has been assigned to this vulnerability. A CVSS v3.1 base score of 9.9 has been assigned; the CVSS vector string is (CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H).

A CVSS v4 score has also been calculated for CVE-2025-33025. A base score of 9.4 has been calculated; the CVSS vector string is (CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:H/SC:H/SI:H/SA:H).

3.3 BACKGROUND

• CRITICAL INFRASTRUCTURE SECTORS: Critical Manufacturing
• COUNTRIES/AREAS DEPLOYED: Worldwide
• COMPANY HEADQUARTERS LOCATION: Germany

3.4 RESEARCHER

Siemens reported these vulnerabilities to CISA.

4. MITIGATIONS

Siemens has identified the following specific workarounds and mitigations users can apply to reduce risk:

• All affected products: Update to V2.16.5 or later version

As a general security measure, Siemens recommends protecting network access to devices with appropriate mechanisms. To operate the devices in a protected IT environment, Siemens recommends configuring the environment according to Siemens’ operational guidelines for industrial security and following recommendations in the product manuals.

Additional information on industrial security by Siemens can be found on the Siemens industrial security webpage

For more information see the associated Siemens security advisory SSA-301229 in HTML and CSAF.

CISA recommends users take defensive measures to minimize the risk of exploitation of these vulnerabilities, such as:

• Minimize network exposure for all control system devices and/or systems, ensuring they are not accessible from the Internet.
• Locate control system networks and remote devices behind firewalls and isolating them from business networks.
• When remote access is required, use more secure methods, such as Virtual Private Networks (VPNs). Recognize VPNs may have vulnerabilities, should be updated to the most recent version available, and are only as secure as the connected devices.

CISA reminds organizations to perform proper impact analysis and risk assessment prior to deploying defensive measures.

CISA also provides a section for control systems security recommended practices on the ICS webpage on cisa.gov. Several CISA products detailing cyber defense best practices are available for reading and download, including Improving Industrial Control Systems Cybersecurity with Defense-in-Depth Strategies.

CISA encourages organizations to implement recommended cybersecurity strategies for proactive defense of ICS assets.

Additional mitigation guidance and recommended practices are publicly available on the ICS webpage at cisa.gov in the technical information paper, ICS-TIP-12-146-01B–Targeted Cyber Intrusion Detection and Mitigation Strategies.

Organizations observing suspected malicious activity should follow established internal procedures and report findings to CISA for tracking and correlation against other incidents.

CISA also recommends users take the following measures to protect themselves from social engineering attacks:

• Do not click web links or open attachments in unsolicited email messages.
• Refer to Recognizing and Avoiding Email Scams for more information on avoiding email scams.
• Refer to Avoiding Social Engineering and Phishing Attacks for more information on social engineering attacks.

No known public exploitation specifically targeting these vulnerabilities has been reported to CISA at this time.

5. UPDATE HISTORY

• May 15, 2025: Initial Republication of Siemens SSA-301229

 Read More

 ​As of January 10, 2023, CISA will no longer be updating ICS security advisories for Siemens product vulnerabilities beyond the initial advisory. For the most up-to-date information on vulnerabilities in this advisory, please see Siemens’ ProductCERT Security Advisories (CERT Services | Services | Siemens Global).
View CSAF
1. EXECUTIVE SUMMARY

CVSS v4 7.1
ATTENTION: Exploitable remotely/low attack complexity
Vendor: Siemens
Equipment: Polarion
Vulnerabilities: Improper Neutralization of Special Elements used in an SQL Command (‘SQL Injection’), Improper Restriction of XML External Entity Reference, Improper Neutralization of Input During Web Page Generation (‘Cross-site Scripting’), Observable Response Discrepancy

2. RISK EVALUATION
Successful exploitation of these vulnerabilities could allow attackers to extract data, conduct cross-site scripting attacks or find out valid usernames.
3. TECHNICAL DETAILS
3.1 AFFECTED PRODUCTS
Siemens reports that the following products are affected:

Polarion V2310: All versions
Polarion V2404: Versions prior to V2404.4 (CVE-2024-51444, CVE-2024-51445, CVE-2024-51446)
Polarion V2404: Versions prior to V2404.2 (CVE-2024-51447)

3.2 VULNERABILITY OVERVIEW
3.2.1 IMPROPER NEUTRALIZATION OF SPECIAL ELEMENTS USED IN AN SQL COMMAND (‘SQL INJECTION’) CWE-89
The application insufficiently validates user input for database read queries. This could allow an authenticated remote attacker to conduct an SQL injection attack that bypasses authorization controls and allows to download any data from the application’s database.
CVE-2024-51444 has been assigned to this vulnerability. A CVSS v3.1 base score of 6.5 has been calculated; the CVSS vector string is (CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N).
A CVSS v4 score has also been calculated for CVE-2024-51444. A base score of 7.1 has been calculated; the CVSS vector string is (CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N).
3.2.2 IMPROPER RESTRICTION OF XML EXTERNAL ENTITY REFERENCE CWE-611
The affected application contains a XML External Entity Injection (XXE) vulnerability in the docx import feature. This could allow an authenticated remote attacker to read arbitrary data from the application server.
CVE-2024-51445 has been assigned to this vulnerability. A CVSS v3.1 base score of 6.5 has been calculated; the CVSS vector string is (CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N).
A CVSS v4 score has also been calculated for CVE-2024-51445. A base score of 7.1 has been calculated; the CVSS vector string is (CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N).
3.2.3 IMPROPER NEUTRALIZATION OF INPUT DURING WEB PAGE GENERATION (‘CROSS-SITE SCRIPTING’) CWE-79
The file upload feature of the affected application improperly sanitizes xml files. This could allow an authenticated remote attacker to conduct a stored cross-site scripting attack by uploading specially crafted xml files that are later downloaded and viewed by other users of the application.
CVE-2024-51446 has been assigned to this vulnerability. A CVSS v3.1 base score of 6.5 has been calculated; the CVSS vector string is (CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:L).
A CVSS v4 score has also been calculated for CVE-2024-51446. A base score of 5.1 has been calculated; the CVSS vector string is (CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:P/VC:N/VI:L/VA:N/SC:L/SI:L/SA:L).
3.2.4 OBSERVABLE RESPONSE DISCREPANCY CWE-204
The login implementation of the affected application contains an observable response discrepancy vulnerability when validating usernames. This could allow an unauthenticated remote attacker to distinguish between valid and invalid usernames.
CVE-2024-51447 has been assigned to this vulnerability. A CVSS v3.1 base score of 5.3 has been calculated; the CVSS vector string is (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N).
A CVSS v4 score has also been calculated for CVE-2024-51447. A base score of 6.9 has been calculated; the CVSS vector string is (CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N).
3.3 BACKGROUND

CRITICAL INFRASTRUCTURE SECTORS: Critical Manufacturing
COUNTRIES/AREAS DEPLOYED: Worldwide
COMPANY HEADQUARTERS LOCATION: Germany

3.4 RESEARCHER
Thales Digital Factory reported these vulnerabilities to Siemens.Luis Manuel Alvarez Tapia from BorgWarner Luxembourg Automotive Systems SARL for reported CVE-2024-51444 to Siemens.Siemens ProductCERT reported these vulnerabilities to CISA.
4. MITIGATIONS
Siemens has identified the following specific workarounds and mitigations users can apply to reduce risk:

Polarion V2404 (CVE-2024-51444, CVE-2024-51445, CVE-2024-51446): Update to V2404.4 or later version
Polarion V2404 (CVE-2024-51447): Update to V2404.2 or later version
Polarion V2310: Currently no fix is planned

As a general security measure, Siemens recommends protecting network access to devices with appropriate mechanisms. To operate the devices in a protected IT environment, Siemens recommends configuring the environment according to Siemens’ operational guidelines for industrial security and following recommendations in the product manuals.
Additional information on industrial security by Siemens can be found on the Siemens industrial security webpage
For more information see the associated Siemens security advisory SSA-162255 in HTML and CSAF.
CISA recommends users take defensive measures to minimize the risk of exploitation of these vulnerabilities, such as:

Minimize network exposure for all control system devices and/or systems, ensuring they are not accessible from the internet.
Locate control system networks and remote devices behind firewalls and isolating them from business networks.
When remote access is required, use more secure methods, such as Virtual Private Networks (VPNs). Recognize VPNs may have vulnerabilities, should be updated to the most recent version available, and are only as secure as the connected devices.

CISA reminds organizations to perform proper impact analysis and risk assessment prior to deploying defensive measures.
CISA also provides a section for control systems security recommended practices on the ICS webpage on cisa.gov. Several CISA products detailing cyber defense best practices are available for reading and download, including Improving Industrial Control Systems Cybersecurity with Defense-in-Depth Strategies.
CISA encourages organizations to implement recommended cybersecurity strategies for proactive defense of ICS assets.
Additional mitigation guidance and recommended practices are publicly available on the ICS webpage at cisa.gov in the technical information paper, ICS-TIP-12-146-01B–Targeted Cyber Intrusion Detection and Mitigation Strategies.
Organizations observing suspected malicious activity should follow established internal procedures and report findings to CISA for tracking and correlation against other incidents.
CISA also recommends users take the following measures to protect themselves from social engineering attacks:

Do not click web links or open attachments in unsolicited email messages.
Refer to Recognizing and Avoiding Email Scams for more information on avoiding email scams.
Refer to Avoiding Social Engineering and Phishing Attacks for more information on social engineering attacks.

No known public exploitation specifically targeting these vulnerabilities has been reported to CISA at this time.
5. UPDATE HISTORY

May 15, 2025: Initial Republication of Siemens SSA-162255 

As of January 10, 2023, CISA will no longer be updating ICS security advisories for Siemens product vulnerabilities beyond the initial advisory. For the most up-to-date information on vulnerabilities in this advisory, please see Siemens’ ProductCERT Security Advisories (CERT Services | Services | Siemens Global).

View CSAF

1. EXECUTIVE SUMMARY

• CVSS v4 7.1
• ATTENTION: Exploitable remotely/low attack complexity
• Vendor: Siemens
• Equipment: Polarion
• Vulnerabilities: Improper Neutralization of Special Elements used in an SQL Command (‘SQL Injection’), Improper Restriction of XML External Entity Reference, Improper Neutralization of Input During Web Page Generation (‘Cross-site Scripting’), Observable Response Discrepancy

2. RISK EVALUATION

Successful exploitation of these vulnerabilities could allow attackers to extract data, conduct cross-site scripting attacks or find out valid usernames.

3. TECHNICAL DETAILS

3.1 AFFECTED PRODUCTS

Siemens reports that the following products are affected:

• Polarion V2310: All versions
• Polarion V2404: Versions prior to V2404.4 (CVE-2024-51444, CVE-2024-51445, CVE-2024-51446)
• Polarion V2404: Versions prior to V2404.2 (CVE-2024-51447)

3.2 VULNERABILITY OVERVIEW

3.2.1 IMPROPER NEUTRALIZATION OF SPECIAL ELEMENTS USED IN AN SQL COMMAND (‘SQL INJECTION’) CWE-89

The application insufficiently validates user input for database read queries. This could allow an authenticated remote attacker to conduct an SQL injection attack that bypasses authorization controls and allows to download any data from the application’s database.

CVE-2024-51444 has been assigned to this vulnerability. A CVSS v3.1 base score of 6.5 has been calculated; the CVSS vector string is (CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N).

A CVSS v4 score has also been calculated for CVE-2024-51444. A base score of 7.1 has been calculated; the CVSS vector string is (CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N).

3.2.2 IMPROPER RESTRICTION OF XML EXTERNAL ENTITY REFERENCE CWE-611

The affected application contains a XML External Entity Injection (XXE) vulnerability in the docx import feature. This could allow an authenticated remote attacker to read arbitrary data from the application server.

CVE-2024-51445 has been assigned to this vulnerability. A CVSS v3.1 base score of 6.5 has been calculated; the CVSS vector string is (CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N).

A CVSS v4 score has also been calculated for CVE-2024-51445. A base score of 7.1 has been calculated; the CVSS vector string is (CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N).

3.2.3 IMPROPER NEUTRALIZATION OF INPUT DURING WEB PAGE GENERATION (‘CROSS-SITE SCRIPTING’) CWE-79

The file upload feature of the affected application improperly sanitizes xml files. This could allow an authenticated remote attacker to conduct a stored cross-site scripting attack by uploading specially crafted xml files that are later downloaded and viewed by other users of the application.

CVE-2024-51446 has been assigned to this vulnerability. A CVSS v3.1 base score of 6.5 has been calculated; the CVSS vector string is (CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:L).

A CVSS v4 score has also been calculated for CVE-2024-51446. A base score of 5.1 has been calculated; the CVSS vector string is (CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:P/VC:N/VI:L/VA:N/SC:L/SI:L/SA:L).

3.2.4 OBSERVABLE RESPONSE DISCREPANCY CWE-204

The login implementation of the affected application contains an observable response discrepancy vulnerability when validating usernames. This could allow an unauthenticated remote attacker to distinguish between valid and invalid usernames.

CVE-2024-51447 has been assigned to this vulnerability. A CVSS v3.1 base score of 5.3 has been calculated; the CVSS vector string is (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N).

A CVSS v4 score has also been calculated for CVE-2024-51447. A base score of 6.9 has been calculated; the CVSS vector string is (CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N).

3.3 BACKGROUND

• CRITICAL INFRASTRUCTURE SECTORS: Critical Manufacturing
• COUNTRIES/AREAS DEPLOYED: Worldwide
• COMPANY HEADQUARTERS LOCATION: Germany

3.4 RESEARCHER

Thales Digital Factory reported these vulnerabilities to Siemens.
Luis Manuel Alvarez Tapia from BorgWarner Luxembourg Automotive Systems SARL for reported CVE-2024-51444 to Siemens.
Siemens ProductCERT reported these vulnerabilities to CISA.

4. MITIGATIONS

Siemens has identified the following specific workarounds and mitigations users can apply to reduce risk:

• Polarion V2404 (CVE-2024-51444, CVE-2024-51445, CVE-2024-51446): Update to V2404.4 or later version
• Polarion V2404 (CVE-2024-51447): Update to V2404.2 or later version
• Polarion V2310: Currently no fix is planned

As a general security measure, Siemens recommends protecting network access to devices with appropriate mechanisms. To operate the devices in a protected IT environment, Siemens recommends configuring the environment according to Siemens’ operational guidelines for industrial security and following recommendations in the product manuals.

Additional information on industrial security by Siemens can be found on the Siemens industrial security webpage

For more information see the associated Siemens security advisory SSA-162255 in HTML and CSAF.

CISA recommends users take defensive measures to minimize the risk of exploitation of these vulnerabilities, such as:

• Minimize network exposure for all control system devices and/or systems, ensuring they are not accessible from the internet.
• Locate control system networks and remote devices behind firewalls and isolating them from business networks.
• When remote access is required, use more secure methods, such as Virtual Private Networks (VPNs). Recognize VPNs may have vulnerabilities, should be updated to the most recent version available, and are only as secure as the connected devices.

CISA reminds organizations to perform proper impact analysis and risk assessment prior to deploying defensive measures.

CISA also provides a section for control systems security recommended practices on the ICS webpage on cisa.gov. Several CISA products detailing cyber defense best practices are available for reading and download, including Improving Industrial Control Systems Cybersecurity with Defense-in-Depth Strategies.

CISA encourages organizations to implement recommended cybersecurity strategies for proactive defense of ICS assets.

Additional mitigation guidance and recommended practices are publicly available on the ICS webpage at cisa.gov in the technical information paper, ICS-TIP-12-146-01B–Targeted Cyber Intrusion Detection and Mitigation Strategies.

Organizations observing suspected malicious activity should follow established internal procedures and report findings to CISA for tracking and correlation against other incidents.

CISA also recommends users take the following measures to protect themselves from social engineering attacks:

• Do not click web links or open attachments in unsolicited email messages.
• Refer to Recognizing and Avoiding Email Scams for more information on avoiding email scams.
• Refer to Avoiding Social Engineering and Phishing Attacks for more information on social engineering attacks.

No known public exploitation specifically targeting these vulnerabilities has been reported to CISA at this time.

5. UPDATE HISTORY

• May 15, 2025: Initial Republication of Siemens SSA-162255

 Read More

 ​As of January 10, 2023, CISA will no longer be updating ICS security advisories for Siemens product vulnerabilities beyond the initial advisory. For the most up-to-date information on vulnerabilities in this advisory, please see Siemens’ ProductCERT Security Advisories (CERT Services | Services | Siemens Global).
View CSAF
1. EXECUTIVE SUMMARY

CVSS v4 5.3
ATTENTION: Exploitable from adjacent network/low attack complexity
Vendor: Siemens
Equipment: APOGEE PXC and TALON TC Series
Vulnerability: Expected Behavior Violation

2. RISK EVALUATION
Successful exploitation of this vulnerability could allow an attacker to cause a partial denial of service and reduce network availability.
3. TECHNICAL DETAILS
3.1 AFFECTED PRODUCTS
Siemens reports the following products are affected:

Siemens APOGEE PXC+TALON TC Series: All versions

3.2 VULNERABILITY OVERVIEW
3.2.1 EXPECTED BEHAVIOR VIOLATION CWE-440
The affected devices start sending unsolicited BACnet broadcast messages after processing a specific BACnet createObject request. This could allow an attacker residing in the same BACnet network to send a specially crafted message that results in a partial denial of service condition of the targeted device, and potentially reduce the availability of BACnet network. A power cycle is required to restore the device’s normal operation.
CVE-2025-40555 has been assigned to this vulnerability. A CVSS v3.1 base score of 4.7 has been calculated; the CVSS vector string is (CVSS:3.1/AV:A/AC:L/PR:N/UI:N/S:C/C:N/I:N/A:L).
A CVSS v4 score has also been calculated for CVE-2025-40555. A base score of 5.3 has been calculated; the CVSS vector string is (CVSS:4.0/AV:A/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:L/SC:N/SI:N/SA:N).
3.3 BACKGROUND

CRITICAL INFRASTRUCTURE SECTORS: Commercial Facilities, Energy, Government Facilities, Healthcare and Public Health, Information Technology, Transportation Systems
COUNTRIES/AREAS DEPLOYED: Worldwide
COMPANY HEADQUARTERS LOCATION: Germany

3.4 RESEARCHER
Siemens ProductCERT reported this vulnerability to CISA.
4. MITIGATIONS
Siemens has identified the following specific workarounds and mitigations users can apply to reduce risk:

APOGEE PXC+TALON TC Series (BACnet): Currently no fix is planned

As a general security measure, Siemens recommends protecting network access to devices with appropriate mechanisms. To operate the devices in a protected IT environment, Siemens recommends configuring the environment according to Siemens’ operational guidelines for industrial security and following recommendations in the product manuals.
Additional information on industrial security by Siemens can be found on the Siemens industrial security webpage
For more information see the associated Siemens security advisory SSA-718393 in HTML and CSAF.
CISA recommends users take defensive measures to minimize the risk of exploitation of this vulnerability, such as:

Minimize network exposure for all control system devices and/or systems, ensuring they are not accessible from the Internet.
Locate control system networks and remote devices behind firewalls and isolating them from business networks.
When remote access is required, use more secure methods, such as Virtual Private Networks (VPNs). Recognize VPNs may have vulnerabilities, should be updated to the most recent version available, and are only as secure as the connected devices.

CISA reminds organizations to perform proper impact analysis and risk assessment prior to deploying defensive measures.
CISA also provides a section for control systems security recommended practices on the ICS webpage on cisa.gov. Several CISA products detailing cyber defense best practices are available for reading and download, including Improving Industrial Control Systems Cybersecurity with Defense-in-Depth Strategies.
CISA encourages organizations to implement recommended cybersecurity strategies for proactive defense of ICS assets.
Additional mitigation guidance and recommended practices are publicly available on the ICS webpage at cisa.gov in the technical information paper, ICS-TIP-12-146-01B–Targeted Cyber Intrusion Detection and Mitigation Strategies.
Organizations observing suspected malicious activity should follow established internal procedures and report findings to CISA for tracking and correlation against other incidents.
No known public exploitation specifically targeting this vulnerability has been reported to CISA at this time.
5. UPDATE HISTORY
May 15, 2025: Initial Republication of Siemens ProductCERT SSA-718393 

As of January 10, 2023, CISA will no longer be updating ICS security advisories for Siemens product vulnerabilities beyond the initial advisory. For the most up-to-date information on vulnerabilities in this advisory, please see Siemens’ ProductCERT Security Advisories (CERT Services | Services | Siemens Global).

View CSAF

1. EXECUTIVE SUMMARY

• CVSS v4 5.3
• ATTENTION: Exploitable from adjacent network/low attack complexity
• Vendor: Siemens
• Equipment: APOGEE PXC and TALON TC Series
• Vulnerability: Expected Behavior Violation

2. RISK EVALUATION

Successful exploitation of this vulnerability could allow an attacker to cause a partial denial of service and reduce network availability.

3. TECHNICAL DETAILS

3.1 AFFECTED PRODUCTS

Siemens reports the following products are affected:

• Siemens APOGEE PXC+TALON TC Series: All versions

3.2 VULNERABILITY OVERVIEW

3.2.1 EXPECTED BEHAVIOR VIOLATION CWE-440

The affected devices start sending unsolicited BACnet broadcast messages after processing a specific BACnet createObject request. This could allow an attacker residing in the same BACnet network to send a specially crafted message that results in a partial denial of service condition of the targeted device, and potentially reduce the availability of BACnet network. A power cycle is required to restore the device’s normal operation.

CVE-2025-40555 has been assigned to this vulnerability. A CVSS v3.1 base score of 4.7 has been calculated; the CVSS vector string is (CVSS:3.1/AV:A/AC:L/PR:N/UI:N/S:C/C:N/I:N/A:L).

A CVSS v4 score has also been calculated for CVE-2025-40555. A base score of 5.3 has been calculated; the CVSS vector string is (CVSS:4.0/AV:A/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:L/SC:N/SI:N/SA:N).

3.3 BACKGROUND

• CRITICAL INFRASTRUCTURE SECTORS: Commercial Facilities, Energy, Government Facilities, Healthcare and Public Health, Information Technology, Transportation Systems
• COUNTRIES/AREAS DEPLOYED: Worldwide
• COMPANY HEADQUARTERS LOCATION: Germany

3.4 RESEARCHER

Siemens ProductCERT reported this vulnerability to CISA.

4. MITIGATIONS

Siemens has identified the following specific workarounds and mitigations users can apply to reduce risk:

• APOGEE PXC+TALON TC Series (BACnet): Currently no fix is planned

As a general security measure, Siemens recommends protecting network access to devices with appropriate mechanisms. To operate the devices in a protected IT environment, Siemens recommends configuring the environment according to Siemens’ operational guidelines for industrial security and following recommendations in the product manuals.

Additional information on industrial security by Siemens can be found on the Siemens industrial security webpage

For more information see the associated Siemens security advisory SSA-718393 in HTML and CSAF.

CISA recommends users take defensive measures to minimize the risk of exploitation of this vulnerability, such as:

• Minimize network exposure for all control system devices and/or systems, ensuring they are not accessible from the Internet.
• Locate control system networks and remote devices behind firewalls and isolating them from business networks.
• When remote access is required, use more secure methods, such as Virtual Private Networks (VPNs). Recognize VPNs may have vulnerabilities, should be updated to the most recent version available, and are only as secure as the connected devices.

CISA reminds organizations to perform proper impact analysis and risk assessment prior to deploying defensive measures.

CISA also provides a section for control systems security recommended practices on the ICS webpage on cisa.gov. Several CISA products detailing cyber defense best practices are available for reading and download, including Improving Industrial Control Systems Cybersecurity with Defense-in-Depth Strategies.

CISA encourages organizations to implement recommended cybersecurity strategies for proactive defense of ICS assets.

Additional mitigation guidance and recommended practices are publicly available on the ICS webpage at cisa.gov in the technical information paper, ICS-TIP-12-146-01B–Targeted Cyber Intrusion Detection and Mitigation Strategies.

Organizations observing suspected malicious activity should follow established internal procedures and report findings to CISA for tracking and correlation against other incidents.

No known public exploitation specifically targeting this vulnerability has been reported to CISA at this time.

5. UPDATE HISTORY

May 15, 2025: Initial Republication of Siemens ProductCERT SSA-718393

 Read More

 ​As of January 10, 2023, CISA will no longer be updating ICS security advisories for Siemens product vulnerabilities beyond the initial advisory. For the most up-to-date information on vulnerabilities in this advisory, please see Siemens’ ProductCERT Security Advisories (CERT Services | Services | Siemens Global).
View CSAF
1. EXECUTIVE SUMMARY

CVSS v4 8.7
ATTENTION: Exploitable remotely/low attack complexity
Vendor: Siemens
Equipment: SIMATIC PCS neo
Vulnerability: Insufficient Session Expiration

2. RISK EVALUATION
Successful exploitation of this vulnerability could allow a remote unauthenticated attacker, who has obtained the session token by other means, to re-use a legitimate user’s session even after logout.
3. TECHNICAL DETAILS
3.1 AFFECTED PRODUCTS
Siemens reports that the following products are affected:

SIMATIC PCS neo V4.1: All versions prior to V4.1 Update 3
SIMATIC PCS neo V5.0: All versions prior to V5.0 Update 1

3.2 VULNERABILITY OVERVIEW
3.2.1 INSUFFICIENT SESSION EXPIRATION CWE-613
Affected products do not correctly invalidate user sessions upon user logout. This could allow a remote unauthenticated attacker, who has obtained the session token by other means, to re-use a legitimate user’s session even after logout.
CVE-2025-40566 has been assigned to this vulnerability. A CVSS v3.1 base score of 8.8 has been calculated; the CVSS vector string is (CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H).
A CVSS v4 score has also been calculated for CVE-2025-40566. A base score of 8.7 has been calculated; the CVSS vector string is (CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:P/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N).
3.3 BACKGROUND

CRITICAL INFRASTRUCTURE SECTORS: Critical Manufacturing
COUNTRIES/AREAS DEPLOYED: Worldwide
COMPANY HEADQUARTERS LOCATION: Germany

3.4 RESEARCHER
Siemens reported this vulnerability to CISA.
4. MITIGATIONS
Siemens has released new versions for the affected products and recommends updating to the latest versions:

SIMATIC PCS neo V4.1: Update to V4.1 Update 3 or later version.
SIMATIC PCS neo V5.0: Update to V5.0 Update 1 or later version.

As a general security measure, Siemens recommends protecting network access to devices with appropriate mechanisms. To operate the devices in a protected IT environment, Siemens recommends configuring the environment according to Siemens’ operational guidelines for industrial security and following recommendations in the product manuals.
Additional information on industrial security by Siemens can be found on the Siemens industrial security webpage
For more information see the associated Siemens security advisory SSA-339086 in HTML and CSAF.
CISA recommends users take defensive measures to minimize the risk of exploitation of this vulnerability. CISA reminds organizations to perform proper impact analysis and risk assessment prior to deploying defensive measures.
CISA also provides a section for control systems security recommended practices on the ICS webpage on cisa.gov. Several CISA products detailing cyber defense best practices are available for reading and download, including Improving Industrial Control Systems Cybersecurity with Defense-in-Depth Strategies.
CISA encourages organizations to implement recommended cybersecurity strategies for proactive defense of ICS assets.
Additional mitigation guidance and recommended practices are publicly available on the ICS webpage at cisa.gov in the technical information paper, ICS-TIP-12-146-01B–Targeted Cyber Intrusion Detection and Mitigation Strategies.
Organizations observing suspected malicious activity should follow established internal procedures and report findings to CISA for tracking and correlation against other incidents.
CISA also recommends users take the following measures to protect themselves from social engineering attacks:

Do not click web links or open attachments in unsolicited email messages.
Refer to Recognizing and Avoiding Email Scams for more information on avoiding email scams.
Refer to Avoiding Social Engineering and Phishing Attacks for more information on social engineering attacks.

No known public exploitation specifically targeting this vulnerability has been reported to CISA at this time.
5. UPDATE HISTORY

May 15, 2025: Initial Republication of Siemens ProductCERT SSA-339086 

As of January 10, 2023, CISA will no longer be updating ICS security advisories for Siemens product vulnerabilities beyond the initial advisory. For the most up-to-date information on vulnerabilities in this advisory, please see Siemens’ ProductCERT Security Advisories (CERT Services | Services | Siemens Global).

View CSAF

1. EXECUTIVE SUMMARY

• CVSS v4 8.7
• ATTENTION: Exploitable remotely/low attack complexity
• Vendor: Siemens
• Equipment: SIMATIC PCS neo
• Vulnerability: Insufficient Session Expiration

2. RISK EVALUATION

Successful exploitation of this vulnerability could allow a remote unauthenticated attacker, who has obtained the session token by other means, to re-use a legitimate user’s session even after logout.

3. TECHNICAL DETAILS

3.1 AFFECTED PRODUCTS

Siemens reports that the following products are affected:

• SIMATIC PCS neo V4.1: All versions prior to V4.1 Update 3
• SIMATIC PCS neo V5.0: All versions prior to V5.0 Update 1

3.2 VULNERABILITY OVERVIEW

3.2.1 INSUFFICIENT SESSION EXPIRATION CWE-613

Affected products do not correctly invalidate user sessions upon user logout. This could allow a remote unauthenticated attacker, who has obtained the session token by other means, to re-use a legitimate user’s session even after logout.

CVE-2025-40566 has been assigned to this vulnerability. A CVSS v3.1 base score of 8.8 has been calculated; the CVSS vector string is (CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H).

A CVSS v4 score has also been calculated for CVE-2025-40566. A base score of 8.7 has been calculated; the CVSS vector string is (CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:P/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N).

3.3 BACKGROUND

• CRITICAL INFRASTRUCTURE SECTORS: Critical Manufacturing
• COUNTRIES/AREAS DEPLOYED: Worldwide
• COMPANY HEADQUARTERS LOCATION: Germany

3.4 RESEARCHER

Siemens reported this vulnerability to CISA.

4. MITIGATIONS

Siemens has released new versions for the affected products and recommends updating to the latest versions:

• SIMATIC PCS neo V4.1: Update to V4.1 Update 3 or later version.
• SIMATIC PCS neo V5.0: Update to V5.0 Update 1 or later version.

As a general security measure, Siemens recommends protecting network access to devices with appropriate mechanisms. To operate the devices in a protected IT environment, Siemens recommends configuring the environment according to Siemens’ operational guidelines for industrial security and following recommendations in the product manuals.

Additional information on industrial security by Siemens can be found on the Siemens industrial security webpage

For more information see the associated Siemens security advisory SSA-339086 in HTML and CSAF.

CISA recommends users take defensive measures to minimize the risk of exploitation of this vulnerability. CISA reminds organizations to perform proper impact analysis and risk assessment prior to deploying defensive measures.

CISA also provides a section for control systems security recommended practices on the ICS webpage on cisa.gov. Several CISA products detailing cyber defense best practices are available for reading and download, including Improving Industrial Control Systems Cybersecurity with Defense-in-Depth Strategies.

CISA encourages organizations to implement recommended cybersecurity strategies for proactive defense of ICS assets.

Additional mitigation guidance and recommended practices are publicly available on the ICS webpage at cisa.gov in the technical information paper, ICS-TIP-12-146-01B–Targeted Cyber Intrusion Detection and Mitigation Strategies.

Organizations observing suspected malicious activity should follow established internal procedures and report findings to CISA for tracking and correlation against other incidents.

CISA also recommends users take the following measures to protect themselves from social engineering attacks:

• Do not click web links or open attachments in unsolicited email messages.
• Refer to Recognizing and Avoiding Email Scams for more information on avoiding email scams.
• Refer to Avoiding Social Engineering and Phishing Attacks for more information on social engineering attacks.

No known public exploitation specifically targeting this vulnerability has been reported to CISA at this time.

5. UPDATE HISTORY

• May 15, 2025: Initial Republication of Siemens ProductCERT SSA-339086

 Read More