Full Report
SIMATIC IPC DiagBase and SIMATIC IPC DiagMonitor contain a weak registry permission vulnerability that could allow an authenticated attacker to perform privilege escalation or bypass security measures. Siemens recommends specific countermeasures for products where fixes are not, or not yet available.
Analysis Summary
# Vulnerability: Weak Registry Permission in SIMATIC IPC DiagBase/DiagMonitor
## CVE Details
- CVE ID: CVE-2025-23403
- CVSS Score: 7.0 (CVSS v3.1 base) / 7.3 (CVSS v4.0 base), rated High
- CWE: CWE-732: Incorrect Permission Assignment for Critical Resource
## Affected Systems
- Products: SIMATIC IPC DiagBase, SIMATIC IPC DiagMonitor
- Versions: All versions affected; no fixed version is available.
- Prerequisites: Local access to the IPC as an authenticated, low-privileged user (AV:L, PR:L). No administrative rights are needed to start the attack.
## Vulnerability Description
The affected products set overly permissive access rights on a specific registry key, so a low-privileged local user can write to it. Because the key determines which driver the product loads, an authenticated attacker can repoint it and have a vulnerable driver loaded into the system (the bring-your-own-vulnerable-driver pattern). Successful exploitation can lead to **privilege escalation** or **bypassing of endpoint protection and other security measures**, since a kernel driver runs outside the reach of user-mode controls.
## Exploitation
- Status: No public exploit or in-the-wild exploitation is reported. The E:P (Exploit Code Maturity: Proof-of-Concept) in the vector is a CVSS v3.1 *Temporal* metric, not an Environmental one, and Siemens applies it to its advisories by default; it is not confirmation that a PoC has been published.
- Complexity: High (AC:H). Exploitation depends on conditions outside the attacker's direct control, here on the product actually picking up the modified key and loading the attacker-chosen driver, rather than on the registry write alone.
- Attack Vector: Local (AV:L); Privileges Required: Low (PR:L); User Interaction: None (UI:N); Scope: Unchanged (S:U). Together with High confidentiality, integrity and availability impact these metrics reproduce the 7.0 base score.
## Impact
- Confidentiality: High (H)
- Integrity: High (H)
- Availability: High (H)
## Remediation
### Patches
- **None planned** for SIMATIC IPC DiagBase or SIMATIC IPC DiagMonitor for this specific CVE.
### Workarounds
1. **Modify Registry Permissions:** Remove the write permission that low-privileged users hold on the affected registry key, either by editing the key's ACL manually or by running the script Siemens provides (the key and the script are given in the FAQ at hxxps://support.industry.siemens.com/cs/document/109978178). Back up the key before changing its ACL and re-check the permissions afterwards, as inherited permissions can reintroduce the weak entry.
2. Follow General Security Recommendations provided by Siemens (detailed below).
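The first workaround, as an added PowerShell example that is not Siemens' script: it audits a registry key for write rights held by low-privileged principals and, with `-Fix`, strips them. The default key path `HKLM:\SOFTWARE\ExampleVendor\ExampleProduct` is a placeholder, because the advisory does not name the key; substitute the key from the Siemens FAQ. The assumption that read-only access is sufficient for the product afterwards must be confirmed against that FAQ.

```powershell
<#
  Added example, not the Siemens script: audit a registry key for write access held by
  low-privileged principals and, with -Fix, strip it. The default $KeyPath is a PLACEHOLDER;
  use the key named in Siemens FAQ 109978178. Run elevated (Windows PowerShell 5.1 or later).
#>
param(
    [string]$KeyPath = 'HKLM:\SOFTWARE\ExampleVendor\ExampleProduct',   # ASSUMPTION: placeholder path
    [switch]$Fix
)

# Groups a non-admin interactive user belongs to by default:
# Everyone, Authenticated Users, BUILTIN\Users, INTERACTIVE.
$LowPrivSids = 'S-1-1-0', 'S-1-5-11', 'S-1-5-32-545', 'S-1-5-4'

# Any of these lets the holder repoint the key, or rewrite its ACL to get there.
$WriteMask = [System.Security.AccessControl.RegistryRights]'SetValue, CreateSubKey, Delete, ChangePermissions, TakeOwnership'

function Get-WeakRegistryAce {
    param([string]$Path)
    $acl = Get-Acl -LiteralPath $Path
    foreach ($ace in $acl.Access) {
        if ($ace.AccessControlType -ne 'Allow') { continue }
        try   { $sid = $ace.IdentityReference.Translate([System.Security.Principal.SecurityIdentifier]).Value }
        catch { continue }   # orphaned SID: not one of the well-known low-privileged groups
        if ($LowPrivSids -notcontains $sid) { continue }
        if (([int]$ace.RegistryRights -band [int]$WriteMask) -ne 0) { $ace }
    }
}

if (-not (Test-Path -LiteralPath $KeyPath)) { throw "Registry key not found: $KeyPath" }

$weak = @(Get-WeakRegistryAce -Path $KeyPath)
if ($weak.Count -eq 0) { Write-Host "OK: no low-privileged write access on $KeyPath"; return }

Write-Warning "Low-privileged principals can write $KeyPath :"
$weak | Format-Table IdentityReference, RegistryRights, IsInherited -AutoSize
if (-not $Fix) { Write-Warning 'Re-run with -Fix to remove these rights.'; return }

# Back up the key before touching its ACL.
$backup  = Join-Path $env:TEMP ('regkey-backup-{0:yyyyMMdd-HHmmss}.reg' -f (Get-Date))
$regPath = $KeyPath -replace '^HKLM:\\', 'HKLM\' -replace '^HKCU:\\', 'HKCU\'
& reg.exe export $regPath $backup /y | Out-Null

# Inherited ACEs cannot be removed in place. If any weak ACE is inherited, first break
# inheritance while copying the inherited entries as explicit ones, persist, then re-read.
if ($weak | Where-Object IsInherited) {
    $acl = Get-Acl -LiteralPath $KeyPath
    $acl.SetAccessRuleProtection($true, $true)
    Set-Acl -LiteralPath $KeyPath -AclObject $acl
}

$acl = Get-Acl -LiteralPath $KeyPath
$sids = $weak | ForEach-Object { $_.IdentityReference.Translate([System.Security.Principal.SecurityIdentifier]) } |
        Sort-Object Value -Unique
foreach ($sid in $sids) {
    $acl.PurgeAccessRules($sid)   # drop every ACE for this principal ...
    # ... and re-grant read only, so user-mode components running as that user can still read
    # the key. ASSUMPTION: read access is sufficient for the product; confirm against the FAQ.
    $acl.AddAccessRule((New-Object System.Security.AccessControl.RegistryAccessRule(
        $sid, 'ReadKey', 'ContainerInherit', 'None', 'Allow')))
}
Set-Acl -LiteralPath $KeyPath -AclObject $acl

Write-Host "Hardened $KeyPath (backup: $backup). Re-audit:"
if (@(Get-WeakRegistryAce -Path $KeyPath).Count -eq 0) { Write-Host 'OK' } else { Write-Error 'Weak ACEs remain' }
```

Run it once without `-Fix` to see which principal holds which rights and whether the entry is inherited; an inherited entry means the parent key, not the product key itself, is the real source of the weakness, and a product reinstall or update may reintroduce the explicit entry, so the audit is worth scheduling rather than running once.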
## Detection
- **Detection Methods:** Audit writes to, and permission changes on, the registry key named in the Siemens FAQ (Windows Security events 4657 and 4670, which require "Audit Registry" and a SACL on the key, or Sysmon registry events 12/13), and watch for kernel driver installation and loading (System event 7045 with a kernel-mode driver service type, Sysmon event 6). A write to the key by an interactive, non-administrative account followed shortly by a new or unusual driver load is the sequence to alert on.
- **Indicators of Compromise:** A key value pointing at a driver binary outside the product's installation directory, or at a driver listed on a known-vulnerable-driver blocklist such as Microsoft's recommended driver block rules; load events for a driver that was not present before; changes to the key's ACL made by a non-administrative account. Note that the driver itself is loaded by a privileged component, so the low-privileged user shows up on the registry write, not on the driver load.
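The detection logic above, as an added PowerShell hunt that is not part of the advisory: it pulls registry write and ACL-change events for the key, pulls kernel driver install and load events, and correlates the two within a time window. The key pattern `*\SOFTWARE\ExampleVendor\ExampleProduct*` is a placeholder for the key from the Siemens FAQ; the event IDs used are standard Windows Security, System and Sysmon events.

```powershell
<#
  Added example, not part of the advisory: hunt for the two halves of this attack chain on a
  Windows IPC: (1) writes to, or ACL changes on, the product's registry key; (2) a kernel-mode
  driver installed or loaded shortly afterwards. $KeyPattern is a PLACEHOLDER; use the key
  from Siemens FAQ 109978178. Security events 4657/4670 are only logged once "Audit Registry"
  is enabled and a SACL is set on the key; Sysmon events need Sysmon. Run elevated.
#>
param(
    [string]$KeyPattern = '*\SOFTWARE\ExampleVendor\ExampleProduct*',   # ASSUMPTION: placeholder
    [int]$Hours = 24,
    [int]$WindowMinutes = 30
)
$since = (Get-Date).AddHours(-$Hours)

# Flatten <EventData><Data Name="..."> into a hashtable so fields can be read by name.
function Get-EventData {
    param([System.Diagnostics.Eventing.Reader.EventRecord]$Event)
    $map = @{}
    foreach ($d in ([xml]$Event.ToXml()).Event.EventData.Data) {
        if ($d.Name) { $map[$d.Name] = $d.'#text' }
    }
    $map
}

function Get-Events {
    param([string]$Log, [int[]]$Id)
    Get-WinEvent -FilterHashtable @{ LogName = $Log; Id = $Id; StartTime = $since } -ErrorAction SilentlyContinue
}

# 1. Registry side: Security 4657 (value modified) and 4670 (permissions changed); Sysmon 13 (value set).
$regEvents = @(
    foreach ($e in Get-Events 'Security' 4657, 4670) {
        $d = Get-EventData $e
        if ($d.ObjectName -notlike $KeyPattern) { continue }
        $detail = if ($e.Id -eq 4657) { "$($d.ObjectValueName) = $($d.NewValue)" } else { 'permissions (DACL) changed' }
        [pscustomobject]@{
            Time = $e.TimeCreated; Source = "Security/$($e.Id)"
            User = "$($d.SubjectDomainName)\$($d.SubjectUserName)"
            Target = $d.ObjectName; Detail = $detail; Process = $d.ProcessName
        }
    }
    foreach ($e in Get-Events 'Microsoft-Windows-Sysmon/Operational' 13) {
        $d = Get-EventData $e
        if ($d.TargetObject -notlike $KeyPattern) { continue }
        [pscustomobject]@{
            Time = $e.TimeCreated; Source = 'Sysmon/13'; User = $d.User
            Target = $d.TargetObject; Detail = $d.Details; Process = $d.Image
        }
    }
)

# 2. Driver side: System 7045 (service installed) filtered to kernel-mode drivers; Sysmon 6 (driver loaded).
$driverEvents = @(
    foreach ($e in Get-Events 'System' 7045) {
        $d = Get-EventData $e
        if ($d.ServiceType -notlike '*kernel*') { continue }
        [pscustomobject]@{
            Time = $e.TimeCreated; Source = 'System/7045'
            Image = $d.ImagePath; Detail = "service $($d.ServiceName), start type $($d.StartType)"
        }
    }
    foreach ($e in Get-Events 'Microsoft-Windows-Sysmon/Operational' 6) {
        $d = Get-EventData $e
        [pscustomobject]@{
            Time = $e.TimeCreated; Source = 'Sysmon/6'
            Image = $d.ImageLoaded; Detail = "signed=$($d.Signed) status=$($d.SignatureStatus) signer=$($d.Signature)"
        }
    }
)

# 3. Correlate: a driver install/load within $WindowMinutes after a write to the key is the
#    sequence to escalate; unsigned or unexpected drivers in the follow-up list get priority.
$window = [timespan]::FromMinutes($WindowMinutes)
$alerts = foreach ($r in ($regEvents | Sort-Object Time)) {
    $followUps = @($driverEvents | Where-Object { $_.Time -ge $r.Time -and $_.Time -le ($r.Time + $window) })
    if ($followUps.Count -eq 0) { continue }
    [pscustomobject]@{
        Time = $r.Time; User = $r.User; Source = $r.Source; Target = $r.Target
        RegistryChange = $r.Detail; Process = $r.Process
        Drivers = ($followUps | ForEach-Object { "$($_.Source): $($_.Image) [$($_.Detail)]" }) -join '; '
    }
}

'{0} registry event(s) on the key, {1} driver event(s), {2} correlated chain(s) in the last {3}h' -f $regEvents.Count, $driverEvents.Count, @($alerts).Count, $Hours
$regEvents | Format-Table Time, Source, User, Detail, Process -AutoSize   # every write to the key deserves a look
$alerts    | Format-List
```

The registry events alone are the higher-value signal: on a production IPC the key should change only during installation or maintenance, so any write by an account that is not an administrator or the installer is worth investigating even when no driver event follows within the window. If the Security log is empty for 4657/4670, check that the SACL has actually been applied to the key; the events are not generated by default.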
## References
- Vendor Advisory: SSA-369369 (Latest Version V1.1, published 2025-04-08)
- Siemens ProductCERT Advisories: hxxps://www.siemens.com/cert/advisories
- Operational Guidelines: hxxps://www.siemens.com/cert/operational-guidelines-industrial-security