Full Report
SCALANCE LPE9403 is affected by multiple vulnerabilities that could allow an attacker to impact its confidentiality, integrity and availability. Siemens has released a new version for SCALANCE LPE9403 and recommends to update to the latest version.
Analysis Summary
# Vulnerability: Multiple Vulnerabilities in SCALANCE LPE9403
## CVE Details
This advisory covers seven distinct vulnerabilities:
* **CVE-2025-27396**: CVSS 8.8 (High) | CWE-273: Improper Check for Dropped Privileges
* **CVE-2025-27392**: CVSS 7.2 (High) | CWE-78: OS Command Injection (VXLAN config)
* **CVE-2025-27393**: CVSS 7.2 (High) | CWE-78: OS Command Injection (User creation)
* **CVE-2025-27394**: CVSS 7.2 (High) | CWE-78: OS Command Injection (SNMP user creation)
* **CVE-2025-27395**: CVSS 7.2 (High) | CWE-22: Path Traversal (SFTP)
* **CVE-2025-27397**: CVSS 3.8 (Low) | CWE-22: Path Traversal (Log paths)
* **CVE-2025-27398**: CVSS 2.7 (Low) | CWE-78: OS Command Injection (Log paths)
## Affected Systems
* **Products:** SCALANCE LPE9403 (Local Processing Engine)
* **Versions:** All versions prior to V4.0
* **Configurations:** Default configurations are affected; specific features (VXLAN, SNMP, SFTP, Logging) provide the attack surfaces.
## Vulnerability Description
The SCALANCE LPE9403 is susceptible to several security flaws primarily centered around improper input validation and privilege management:
* **Command Injection:** Multiple interfaces (VXLAN setup, User management, SNMP, and Logging) fail to sanitize user input, allowing attackers to execute arbitrary OS commands or binaries.
* **Path Traversal:** The SFTP implementation and logging functions do not restricted file access to intended directories, allowing unauthorized read/write access to the filesystem.
* **Privilege Escalation:** A flaw in how the device handles privilege drops allows a low-privileged user to elevate their permissions to a higher level.
## Exploitation
* **Status:** PoC available (indicated by CVSS "Exploit Code Maturity" of Functional/Proven in the provided vectors). No confirmed reports of exploitation in the wild at this time.
* **Complexity:** Low (Most vulnerabilities require no special conditions).
* **Attack Vector:** Network (All vulnerabilities are exploitable remotely).
## Impact
* **Confidentiality:** High (Full access to system data and files via path traversal and command execution).
* **Integrity:** High (Ability to modify system configurations, create users, and write arbitrary files).
* **Availability:** High (Potential for complete system takeover or service disruption).
## Remediation
### Patches
* **Update to V4.0 or later:** Siemens has released a firmware update to address these flaws. The update can be found at the Siemens Industry Online Support portal:
* [https://support.industry.siemens.com/cs/ww/en/view/109976925/](https://support.industry.siemens.com/cs/ww/en/view/109976925/)
### Workarounds
* **Network Perimeter Defense:** Protect network access to the device using firewalls and segmenting the device within a protected IT/OT environment.
* **Operational Guidelines:** Follow Siemens' industrial security operational guidelines to mitigate risk in environments where immediate patching is not possible.
## Detection
* **Indicators of Compromise:** Monitor for unusual user creation events, unexpected VXLAN configuration changes, or unauthorized SFTP file transfers.
* **Detection methods and tools:** Audit system logs for directory traversal patterns (e.g., `../`) or suspicious characters in configuration fields often used for command injection (e.g., `;`, `&`, `|`).
## References
* **Siemens Advisory (SSA-075201):** [https://cert-portal.siemens.com/productcert/pdf/ssa-075201.pdf](https://cert-portal.siemens.com/productcert/pdf/ssa-075201.pdf)
* **Siemens Industrial Security:** [https://www.siemens.com/industrialsecurity](https://www.siemens.com/industrialsecurity)
* **Siemens ProductCERT:** [https://www.siemens.com/cert/advisories](https://www.siemens.com/cert/advisories)