Full Report
Energy Services from Siemens (previously known as Managed Applications and Services) sells solutions using the Elspec G5 Digital Fault Recorder, which contains default credentials with admin privileges. A client configuration with remote access could allow an attacker to gain remote control of the G5DFR component and tamper with outputs from the device.
Analysis Summary
# Vulnerability: Default Credentials in Siemens G5DFR Component
## CVE Details
- CVE ID: CVE-2025-40585
- CVSS Score: 9.9 (CVSS 3.1, Critical) / 9.5 (CVSS 4.0, Critical)
- CWE: CWE-276: Incorrect Default Permissions
## Affected Systems
- Products: Energy Services (from Siemens, previously Managed Applications and Services) utilizing the Elspec G5 Digital Fault Recorder (G5DFR) component.
- Versions: All versions containing the G5DFR affected by CVE-2025-40585.
- Configurations: Requires a client configuration with network remote access to the device.
## Vulnerability Description
The vulnerability stems from the presence of hardcoded default credentials with administrative privileges within the Elspec G5DFR component sold via Siemens Energy Services solutions. An external attacker who can achieve remote network access to the device could leverage these default credentials to gain unauthorized remote control over the G5DFR component. This control allows the attacker to tamper with the outputs generated by the device.
**CVSS 3.1 Vector:** CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:L/I:H/A:L
## Exploitation
- Status: The advisory does not state that the vulnerability is exploited in the wild; however, it is highly exploitable given the default credentials and the network attack vector.
- Attack Complexity: Low (AC:L); no privileges or user interaction required (PR:N/UI:N)
- Attack Vector: Network (AV:N)
## Impact
- Confidentiality: Low (C:L)
- Integrity: High (I:H) - Ability to tamper with critical device outputs.
- Availability: Low (A:L)
## Remediation
### Patches
No specific patch version is listed in the provided summary. Remediation involves:
- Use the G5DFR web interface to **change the default usernames, passwords, and permission levels.**
- **Contact customer support for further assistance.**
### Workarounds
- Follow the provided General Security Recommendations, which include:
  1. Checking for appropriate multi-level redundant secondary protection schemes (as per critical infrastructure regulations).
  2. Applying security updates (when available/provided) using corresponding tooling and documented procedures.
  3. Validating security updates prior to deployment.
  4. Protecting network access using appropriate mechanisms like firewalls, segmentation, or VPNs.
  5. Configuring the environment according to operational guidelines to run devices in a protected IT environment.
## Detection
- Indicators of Compromise: Unauthorized configuration changes within the G5DFR component, unexplained changes to device outputs, or successful logins using default credentials.
- Detection Methods and Tools: Network monitoring for anomalous remote login attempts to the G5DFR interface, configuration audits, and network segmentation enforcement to prevent unauthorized remote access.
## References
- Vendor Advisories: SSA-345750 (Siemens Security Advisory)
- Relevant Links:
  - hxxps://cert-portal.siemens.com/productcert/html/ssa-345750.html