Full Report
SCALANCE LPE9403 is affected by multiple vulnerabilities that can compromise availability, integrity and confidentiality. Siemens has released a new version for SCALANCE LPE9403 and recommends updating to the latest version. Siemens is preparing further fix versions and recommends specific countermeasures for products where fixes are not, or not yet, available.
Analysis Summary
# Vulnerability: Multiple Vulnerabilities in SCALANCE LPE9403 Leading to Integrity, Confidentiality, and Availability Compromise
## CVE Details
The advisory covers multiple CVEs. Notable examples are detailed below:
- CVE ID: CVE-2025-40572, CVE-2025-40573, CVE-2025-40574, CVE-2025-40575, CVE-2025-40576, CVE-2025-40577, CVE-2025-40579, CVE-2025-40580 (Patched in V4.0 HF0)
- CVE ID: CVE-2025-40578 (No fix available yet)
- CVE ID: CVE-2025-40581, CVE-2025-40582, CVE-2025-40583 (No fix available yet, specific to SINEMA Remote Connect Edge Client)
- CVSS Score (Example Max): 8.5 (High) - Based on CVE-2025-40582 (CVSS v4.0)
- CWE: Includes CWE-78 (OS Command Injection), CWE-288 (Authentication Bypass), CWE-319 (Cleartext Transmission)
## Affected Systems
- Products: SCALANCE LPE9403 (6GK5998-3GS00-2AC2)
- Versions:
  - All versions < V4.0 HF0 (for CVE-2025-40572 through CVE-2025-40577, CVE-2025-40579, CVE-2025-40580)
  - All versions (for CVE-2025-40578)
  - All versions with SINEMA Remote Connect Edge Client installed (for CVE-2025-40581, CVE-2025-40582, CVE-2025-40583)
- Configurations: Specific vulnerabilities are linked to the presence of the SINEMA Remote Connect Edge Client module.
## Vulnerability Description
The advisory addresses a collection of flaws within the SCALANCE LPE9403 device, impacting its security posture across availability, integrity, and confidentiality. Specific technical details include:
1. **CVE-2025-40582 (OS Command Injection):** Affected devices fail to properly sanitize configuration parameters, allowing a non-privileged local attacker to potentially execute root commands on the device. (CVSS v4.0: 8.5/High)
2. **CVE-2025-40581 (Authentication Bypass):** Allows a non-privileged local attacker to bypass authentication for the SINEMA Remote Connect Edge Client, enabling reading and modification of configuration parameters. (CVSS v4.0: 8.4/High)
3. **CVE-2025-40583 (Cleartext Transmission):** Allows a privileged local attacker to retrieve sensitive information transmitted in cleartext. (CVSS v4.0: 6.7/Medium)
## Exploitation
- Status: Exploitation status (in the wild or PoC) is not explicitly stated for the set as a whole, but multiple vulnerabilities involve local access, suggesting exploit payloads may exist.
- Complexity: Varies by CVE, but several (e.g., CVE-2025-40581, CVE-2025-40582) require **Local** access with **Low** complexity for an unprivileged user.
- Attack Vector: Primarily **Local** for the most severe flaws detailed (OS Command Injection, Auth Bypass).
## Impact
- Confidentiality: High (CWE-319, Auth Bypass leading to config reading)
- Integrity: High (OS Command Injection allowing root command execution)
- Availability: High (Implied by general description and impact of command execution)
## Remediation
### Patches
- **For CVE-2025-40572, -40573, -40574, -40575, -40576, -40577, -40579, -40580:** Update to **V4.0 HF0 or later version**.
- **For CVE-2025-40578, -40581, -40582, -40583:** Currently, **no fix is available**. Siemens is preparing further fix versions.
### Workarounds
- **For CVE-2025-40572, -40573, -40574, -40579, -40580, -40581, -40582, -40583:** Restrict access to **authorized and trusted personnel only**.
- **For CVE-2025-40575, -40576, -40577, -40578:** **Disable the Profinet Discovery and Configuration Protocol (DCP) service**.
- **For CVE-2025-40582:** Only use **trusted SINEMA Remote Connect Servers**.
## Detection
- The advisory does not detail IOCs or specific detection methods. Overall mitigation relies on following the **General Security Recommendations** provided by Siemens, including protecting network access and configuring the environment per the operational guidelines.
## References
- Vendor Advisories: SSA-327438
- Additional Information Link (General Security Guidelines): hxxps://www.siemens.com/cert/operational-guidelines-industrial-security
- Siemens ProductCERT Advisories Index: hxxps://www.siemens.com/cert/advisories