Full Report
Siemens SINUMERIK Controllers are affected by an improper VNC password check vulnerability. Siemens has released new versions for the affected products and recommends updating to the latest versions.
Analysis Summary
# Vulnerability: Improper VNC Password Check in SINUMERIK Controllers
## CVE Details
- CVE ID: CVE-2025-40743
- CVSS Score: 8.3 (CVSS v3.1) / 8.7 (CVSS v4.0) (High)
- CWE: CWE-288: Authentication Bypass Using an Alternate Path or Channel
## Affected Systems
- Products: Siemens SINUMERIK 828D, SINUMERIK 828D PPU.4, SINUMERIK 828D PPU.5, SINUMERIK 840D sl, SINUMERIK MC, SINUMERIK ONE, SINUMERIK ONE V6.15
- Versions:
  - SINUMERIK 828D PPU.4: All versions < V4.95 SP5
  - SINUMERIK 828D PPU.5: All versions < V5.25 SP1
  - SINUMERIK 840D sl: All versions < V4.95 SP5
  - SINUMERIK MC: All versions < V1.25 SP1
  - SINUMERIK MC V1.15: All versions < V1.15 SP5
  - SINUMERIK ONE: All versions < V6.25 SP1
  - SINUMERIK ONE V6.15: All versions < V6.15 SP5
- Configurations: Affects the VNC access service on these controllers.
## Vulnerability Description
The affected VNC access service on SINUMERIK controllers improperly validates authentication. This flaw allows an attacker to bypass necessary password verification checks, potentially gaining unauthorized remote access to the system.
CVSS Vector (v3.1): `CVSS:3.1/AV:A/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:L` (Attack Vector: Adjacent Network, Low Complexity, No Privileges Required, No User Interaction)
## Exploitation
- Status: Not stated as exploited in the wild, and the advisory does not address proof-of-concept availability either way. Given the CVSS score and the nature of the flaw (an authentication bypass on a remote-access service), treat it as potentially exploitable.
- Complexity: Low (AC:L, PR:N, UI:N)
- Attack Vector: Adjacent Network (AV:A)
## Impact
- Confidentiality: High (C:H)
- Integrity: High (I:H)
- Availability: Low (A:L)
## Remediation
### Patches
Customers must update to the following patched versions or later:
- SINUMERIK 828D PPU.4: Update to **V4.95 SP5** or later.
- SINUMERIK 828D PPU.5: Update to **V5.25 SP1** or later.
- SINUMERIK 840D sl: Update to **V4.95 SP5** or later.
- SINUMERIK MC: Update to **V1.25 SP1** or later.
- SINUMERIK MC V1.15: Update to **V1.15 SP5** or later.
- SINUMERIK ONE: Update to **V6.25 SP1** or later.
- SINUMERIK ONE V6.15: Update to **V6.15 SP5** or later.
*Note: Updated software versions must be obtained from Siemens customer support or a local partner.*
### Workarounds
1. Apply Defense-in-Depth strategies.
2. Close the VNC port on X130 via HMI setting.
3. Set a VNC Password on X120 and X130.
4. Change the TCU.ini setting to `"ExternalViewerReqTimeoutMode=0"`.
5. Follow general security recommendations, including protecting network access and adhering to Siemens operational guidelines for Industrial Security.
## Detection
- Indicators of compromise are not explicitly listed, but successful exploitation would likely manifest as unauthorized remote login sessions using the VNC interface.
- Detection methods: Monitor network traffic for connection attempts to the VNC port (typically TCP 5900/5901) originating from unauthorized adjacent network segments. Review system logs for authentication sequence anomalies related to the VNC service.
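The network-side check described above can be automated over connection logs. The following is an added example, not part of the Siemens advisory or this report: it parses a constructed sample of connection records (CSV: timestamp, source IP, destination IP, destination port, protocol) and flags TCP connections to the VNC ports on controller hosts that do not originate from the allowed engineering-station subnet. The log format, the controller addresses (`10.10.20.100`, `10.10.20.101`) and the allowed subnet (`10.10.20.0/24`) are assumptions chosen for illustration.

```python
import ipaddress
from dataclasses import dataclass

# Constructed sample of connection-log lines; not real traffic from any controller.
# Format: timestamp,src_ip,dst_ip,dst_port,proto
SAMPLE_LOG = """\
2025-07-08T10:01:12Z,10.10.20.15,10.10.20.100,5900,tcp
2025-07-08T10:01:40Z,10.10.30.77,10.10.20.100,5900,tcp
2025-07-08T10:02:05Z,10.10.20.15,10.10.20.100,102,tcp
2025-07-08T10:02:30Z,192.168.1.9,10.10.20.101,5901,tcp
2025-07-08T10:03:00Z,10.10.20.16,10.10.20.100,5901,udp
"""

# Hypothetical policy values: only the engineering-station subnet may open VNC
# sessions to the listed controller hosts. Adjust to the plant's own network design.
ALLOWED_VNC_SOURCES = [ipaddress.ip_network("10.10.20.0/24")]
CONTROLLER_HOSTS = {
    ipaddress.ip_address("10.10.20.100"),
    ipaddress.ip_address("10.10.20.101"),
}
# VNC ports named in the detection guidance above.
VNC_PORTS = {5900, 5901}


@dataclass(frozen=True)
class Alert:
    timestamp: str
    src_ip: str
    dst_ip: str
    dst_port: int


def parse_line(line):
    """Split one CSV record into typed fields."""
    ts, src, dst, port, proto = line.strip().split(",")
    return ts, ipaddress.ip_address(src), ipaddress.ip_address(dst), int(port), proto.lower()


def find_unauthorized_vnc(log_text):
    """Return an Alert for every TCP connection to a VNC port on a controller
    whose source address lies outside the allowed subnets."""
    alerts = []
    for line in log_text.splitlines():
        if not line.strip():
            continue
        ts, src, dst, port, proto = parse_line(line)
        # Only TCP to the VNC ports on known controller hosts is of interest.
        if proto != "tcp" or port not in VNC_PORTS or dst not in CONTROLLER_HOSTS:
            continue
        # Sources inside an allowed subnet are expected traffic.
        if any(src in net for net in ALLOWED_VNC_SOURCES):
            continue
        alerts.append(Alert(ts, str(src), str(dst), port))
    return alerts


if __name__ == "__main__":
    for alert in find_unauthorized_vnc(SAMPLE_LOG):
        print(f"{alert.timestamp} VNC from outside allowed subnet: "
              f"{alert.src_ip} -> {alert.dst_ip}:{alert.dst_port}")
```

On the constructed sample this reports the two connections from `10.10.30.77` and `192.168.1.9`; the connection to port 102 and the UDP record are ignored. Restricting the match to the controller hosts keeps the rule from firing on VNC use elsewhere in the plant network, and keeping the allowed subnets in one list makes the policy easy to review alongside the firewall rules it mirrors.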
## References
- Vendor Advisories: SSA-177847 (Siemens ProductCERT)
- Relevant links:
  - https://www.siemens.com/cert/operational-guidelines-industrial-security
  - https://www.siemens.com/cert/advisories
  - https://www.siemens.com/industrialsecurity