Full Report
Siemens Industrial Edge Devices contain an authorization bypass vulnerability that could facilitate an unauthenticated remote attacker to circumvent authentication and impersonate a legitimate user. Siemens has released new versions for several affected products and recommends to update to the latest versions. Siemens is preparing further fix versions and recommends specific countermeasures for products where fixes are not, or not yet available.
Analysis Summary
# Vulnerability: Authorization Bypass in Siemens Industrial Edge Devices
## CVE Details
- **CVE ID:** CVE-2025-40805
- **CVSS Score:** 10.0 (Critical)
- **CVSS Vector (v4.0):** CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:H/SI:H/SA:H
- **CWE:** CWE-639 (Authorization Bypass Through User-Controlled Key)
## Affected Systems
- **Products:**
- Siemens Industrial Edge Devices
- SIMATIC Automation Workstation family (19" and 24")
- SIMATIC HMI Unified Comfort Panels Standard family
- SIMATIC IPC Industrial Edge Devices
- SIMATIC IOT family
- SCALANCE LPE9000 (Local Processing Engine)
- Industrial Edge Virtual Device (IEVD) and Own Device (IEOD)
- **Versions:**
- SIMATIC HMI Unified Comfort Panels: All versions < V21
- SIMATIC Automation Workstation: All versions
- Other Industrial Edge products: Specifically those listed under SSA-001536
- **Configurations:** Vulnerable if specific API endpoints are accessible over the network.
## Vulnerability Description
Affected Siemens devices fail to properly enforce user authentication on specific API endpoints. Because the system does not sufficiently validate the identity of the requester, an unauthenticated attacker can circumvent the authentication mechanism. By providing a user identifier (User-Controlled Key), the attacker can impersonate a legitimate user.
## Exploitation
- **Status:** No reports of exploitation in the wild at the time of publication.
- **Complexity:** Low (Successful exploitation only requires the attacker to know the identity/username of a legitimate user).
- **Attack Vector:** Network (Remote)
## Impact
- **Confidentiality:** High (Full access to user-accessible data)
- **Integrity:** High (Ability to modify settings or data as the impersonated user)
- **Availability:** High (Potential to disrupt services or device operation)
## Remediation
### Patches
Siemens is progressively releasing updates. The following are currently available:
- **SIMATIC HMI Unified Comfort Panels:** Update to **V21** or later.
- For other products: Consult the Siemens ProductCERT portal for the most recent version releases as they become available.
### Workarounds
- **Network Segmentation:** Ensure that Industrial Edge Devices are not exposed to the internet.
- **Access Control:** Restrict access to the management APIs of these devices to trusted networks and authorized workstations only.
- **Defense in Depth:** Implement the Siemens Industrial Security concept, including firewalls and VPNs to protect industrial networks.
## Detection
- **Indicators of Compromise:** Unusual administrative activity originating from unexpected IP addresses or at irregular times.
- **Detection methods and tools:** Audit system logs for API access patterns and verify if legitimate users are logged in from multiple conflicting locations simultaneously.
## References
- **Vendor Advisory:** hxxps://cert-portal[.]siemens[.]com/productcert/html/ssa-001536[.]html
- **Siemens ProductCERT:** hxxps://www[.]siemens[.]com/cert/advisories
- **Patch Link (HMI Panels):** hxxps://support[.]industry[.]siemens[.]com/cs/ww/en/view/109825605/