Full Report
Affected products do not correctly invalidate user sessions upon user logout. This could allow a remote unauthenticated attacker, who has obtained the session token by other means, to re-use a legitimate user’s session even after logout. Siemens has released new versions for the affected products and recommends updating to the latest versions.
Analysis Summary
# Vulnerability: Insufficient Session Invalidation Upon Logout
## CVE Details
- CVE ID: CVE-2025-40566
- CVSS Score: 8.8 (High) [CVSS v3.1] / 8.7 [CVSS v4.0]
- CWE: CWE-613: Insufficient Session Expiration
## Affected Systems
- Products: SIMATIC PCS neo
- Versions:
  - SIMATIC PCS neo V4.1 versions prior to Update 3
  - SIMATIC PCS neo V5.0 versions prior to Update 1
- Configurations: Not specified, applicable to standard installations.
## Vulnerability Description
The affected products fail to correctly invalidate user sessions upon user logout. This flaw (CWE-613) allows a remote, unauthenticated attacker who has previously obtained a legitimate, active session token (via means external to this specific vulnerability) to successfully reuse that session token after the legitimate user has logged out.
## Exploitation
- Status: The advisory does not explicitly state exploitation in the wild; PoC information is implied to be linked internally via the advisory structure.
- Complexity: Low (CVSS Vector suggests Low Attack Complexity: AC:L)
- Attack Vector: Network (AV:N)
- Impact: High (Requires the attacker to already possess the session token, making the initial entry vector external to the logout flaw itself.)
## Impact
Based on the high CVSS score and implied access:
- Confidentiality: High (If the session grants access to sensitive data)
- Integrity: High (If the session allows modification of system state)
- Availability: High (If the session allows disruptive actions)
## Remediation
### Patches
Users must update to versions that include the session invalidation fix:
- For SIMATIC PCS neo V4.1: Update to **V4.1 Update 3 or later**.
- For SIMATIC PCS neo V5.0: Update to **V5.0 Update 1 or later**.
### Workarounds
Siemens recommends following the **General Security Recommendations** provided in the advisory, which include:
1. Protecting network access to devices using appropriate mechanisms.
2. Configuring the environment according to Siemens' operational guidelines for Industrial Security.
## Detection
- Since the vulnerability relates to un-invalidated tokens, direct detection of the trigger (logout) failure is implementation-specific.
- **Detection methods and tools** should focus on monitoring for **session token reuse** attempts originating from unexpected locations or immediately following user logout events.
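The check described above, as an added example that is not part of the Siemens advisory: it scans session events for a session identifier that is used after its logout, or from a different source address than its login. The log format, field names and sample lines are constructed assumptions, not the SIMATIC PCS neo log format.

```python
import re
from datetime import datetime

# Constructed sample in a hypothetical audit-log format (an assumption):
# ISO timestamp, event, session=<hashed id>, user=<name>, src=<address>
SAMPLE_LOG = """\
2025-06-10T08:00:01 LOGIN session=a1f3 user=operator1 src=10.0.5.21
2025-06-10T08:04:17 REQUEST session=a1f3 user=operator1 src=10.0.5.21
2025-06-10T08:05:00 LOGIN session=77bc user=engineer2 src=10.0.5.30
2025-06-10T08:09:42 LOGOUT session=a1f3 user=operator1 src=10.0.5.21
2025-06-10T08:10:05 REQUEST session=a1f3 user=operator1 src=10.0.9.88
2025-06-10T08:11:30 REQUEST session=77bc user=engineer2 src=10.0.7.14
2025-06-10T08:12:00 REQUEST session=77bc user=engineer2 src=10.0.5.30
"""

LINE_RE = re.compile(
    r"^(\S+) (LOGIN|LOGOUT|REQUEST) session=(\S+) user=(\S+) src=(\S+)$"
)

def find_session_anomalies(log_text):
    """Return (timestamp, session, user, src, reason) for suspicious requests."""
    login_src = {}   # session id -> source address seen at login
    logged_out = {}  # session id -> time of logout
    findings = []
    for line in log_text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue  # skip lines that are not in the assumed format
        ts, event, session, user, src = m.groups()
        when = datetime.fromisoformat(ts)
        if event == "LOGIN":
            login_src[session] = src
            logged_out.pop(session, None)
        elif event == "LOGOUT":
            logged_out[session] = when
        elif session in logged_out:
            # The condition CWE-613 makes possible: token accepted after logout.
            delay = int((when - logged_out[session]).total_seconds())
            findings.append((ts, session, user, src, f"used {delay}s after logout"))
        elif session in login_src and src != login_src[session]:
            reason = f"source changed from {login_src[session]}"
            findings.append((ts, session, user, src, reason))
    return findings

if __name__ == "__main__":
    for finding in find_session_anomalies(SAMPLE_LOG):
        print(*finding)
```

Log a hash or truncated form of the session identifier rather than the raw token, so the audit log does not itself become a source of reusable sessions.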
## References
- Vendor Advisory: SSA-339086
- Siemens Industrial Security Guidelines: hxxps://www.siemens.com/cert/operational-guidelines-industrial-security
- Siemens ProductCERT Advisories Portal: hxxps://www.siemens.com/cert/advisories