Full Report
LOGO! 8 BM (incl. SIPLUS variants) contains multiple vulnerabilities. These could allow an attacker to execute code remotely, put the device into a denial of service state, or change the behavior of the device. Siemens is preparing fix versions and recommends specific countermeasures for products where fixes are not, or not yet, available.
Analysis Summary
# Vulnerability: Multiple Flaws in Siemens LOGO! 8 BM Devices
## CVE Details
- **CVE ID:** CVE-2025-40815, CVE-2025-40816, CVE-2025-40817
- **CVSS Score:** 7.6 (High) / CVSS v4.0: 8.6 (High)
- **CWE:**
  - CWE-120: Buffer Copy without Checking Size of Input (Classic Buffer Overflow)
  - CWE-306: Missing Authentication for Critical Function
## Affected Systems
- **Products:** LOGO! 8 Base Modules (BM) and SIPLUS variants.
- **Versions:**
  - LOGO! V8.4 BM
  - LOGO! 12/24RCE (6ED1052-1MD08-0BA2)
  - LOGO! 12/24RCEo (6ED1052-2MD08-0BA2)
  - LOGO! 230RCE (6ED1052-1FB08-0BA2)
  - LOGO! 230RCEo (6ED1052-2FB08-0BA2)
- **Configurations:** All versions of the listed hardware are affected.
## Vulnerability Description
Three distinct security flaws have been identified in the communication handling of LOGO! 8 devices:
1. **CVE-2025-40815:** Improper validation of TCP packet structures. This allows an attacker to trigger a buffer overflow, gain control of the instruction counter, and achieve Remote Code Execution (RCE).
2. **CVE-2025-40816:** Missing authentication for critical functions. An attacker can remotely manipulate the device's IP address, leading to a Denial of Service (DoS) as the device becomes unreachable on the network.
3. **CVE-2025-40817:** Missing authentication for critical functions. An attacker can change the system time, potentially causing logic errors or shifting scheduled operational behaviors.
## Exploitation
- **Status:** Not currently reported as exploited in the wild; no public PoC mentioned.
- **Complexity:** Low
- **Attack Vector:**
  - Network (CVE-2025-40815): requires high privileges.
  - Adjacent (CVE-2025-40816, CVE-2025-40817): can be performed by unauthenticated attackers on the same local network segment.
## Impact
- **Confidentiality:** High (CVE-2025-40815)
- **Integrity:** High (CVE-2025-40815, CVE-2025-40817)
- **Availability:** High (CVE-2025-40815, CVE-2025-40816)
## Remediation
### Patches
- **LOGO! V8.4 BM:** Siemens is currently preparing fix versions.
- **Legacy Modules (6ED1052 series):** No fixes are currently planned for CVE-2025-40816 and CVE-2025-40817. Users must rely on mitigations.
### Workarounds
- **Network Segmentation:** Limit access to the devices to trusted users and strictly authorized network segments.
- **Defense in Depth:** Implement the Siemens Industrial Security Cell Protection concept.
- **Firewalling:** Use firewalls to block unauthorized access to the management ports of the PLC.
## Detection
- **Indicators of Compromise:**
  - Sudden loss of device connectivity (unexpected IP change).
  - Discrepancies between system time and actual time.
  - Unexpected device reboots or crashes.
- **Detection methods and tools:** Monitor network traffic for malformed TCP packets directed at LOGO! devices and audit changes to device configurations via industrial network security monitors.
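The three indicators above can be checked mechanically against a device baseline. The following is an added example (not from the Siemens advisory or any Siemens tool) that assumes a hypothetical asset inventory and a constructed monitor export in which each line records the monitor's timestamp, the device name, its observed IP, the device's own clock, and its uptime in seconds; it flags an IP that differs from the baseline (CVE-2025-40816), a device clock far from the monitor's clock (CVE-2025-40817), and an uptime that goes backwards (an unexpected reboot or crash).

```python
from datetime import datetime, timedelta, timezone

# Constructed asset baseline: device name -> expected IP (hypothetical values).
BASELINE = {
    "logo-pump-01": "192.168.10.21",
    "logo-hvac-02": "192.168.10.22",
}

# Constructed monitor export, one observation per line:
# <monitor_ts> <device> <observed_ip> <device_clock> <uptime_seconds>
SAMPLE_LOG = """\
2025-10-01T08:00:00Z logo-pump-01 192.168.10.21 2025-10-01T08:00:02Z 864000
2025-10-01T08:05:00Z logo-pump-01 192.168.10.21 2025-10-01T08:05:01Z 864300
2025-10-01T08:10:00Z logo-pump-01 192.168.10.77 2025-10-01T08:10:00Z 864600
2025-10-01T08:00:00Z logo-hvac-02 192.168.10.22 2025-10-01T08:00:01Z 36000
2025-10-01T08:05:00Z logo-hvac-02 192.168.10.22 2025-09-30T08:05:00Z 36300
2025-10-01T08:10:00Z logo-hvac-02 192.168.10.22 2025-10-01T08:10:00Z 120
"""


def _ts(text):
    """Parse a UTC timestamp of the form YYYY-MM-DDTHH:MM:SSZ."""
    return datetime.strptime(text, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)


def analyze(log_text, baseline, max_skew=timedelta(seconds=60)):
    """Return (device, indicator, detail) tuples for each IoC hit."""
    findings = []
    last_uptime = {}
    for line in log_text.splitlines():
        if not line.strip():
            continue
        mon_ts, device, ip, dev_clock, uptime = line.split()
        expected_ip = baseline.get(device)
        if expected_ip is None:
            findings.append((device, "unknown-device", f"seen at {ip}"))
            continue
        if ip != expected_ip:  # device address changed without a change record
            findings.append((device, "ip-changed", f"{expected_ip} -> {ip}"))
        skew = abs(_ts(dev_clock) - _ts(mon_ts))
        if skew > max_skew:  # device clock disagrees with the monitor's clock
            findings.append((device, "clock-skew", f"{int(skew.total_seconds())}s"))
        uptime = int(uptime)
        prev = last_uptime.get(device)
        if prev is not None and uptime < prev:  # uptime went backwards: reboot/crash
            findings.append((device, "uptime-reset", f"{prev}s -> {uptime}s"))
        last_uptime[device] = uptime
    return findings


if __name__ == "__main__":
    for finding in analyze(SAMPLE_LOG, BASELINE):
        print(*finding)
```

Every hit still needs to be reconciled with the change log, since a legitimate readdressing or clock correction produces the same signal.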
## References
- **Vendor Advisory:** hxxps://cert-portal.siemens[.]com/productcert/pdf/ssa-267056.pdf
- **Siemens ProductCERT:** hxxps://www.siemens[.]com/cert/advisories