Full Report
SICAM Q100 and Q200 devices are affected by two information disclosure vulnerabilities that could allow an authenticated local attacker to extract the SMTP account password and use the configured SMTP service for arbitrary purposes. Siemens has released new versions for the affected products and recommends updating to the latest versions.
Analysis Summary
# Vulnerability: Information Disclosure in Siemens SICAM Q100/Q200 SMTP Configuration
## CVE Details
- **CVE ID:** CVE-2025-40752, CVE-2025-40753
- **CVSS Score:** 6.2 (Medium) — CVSS v3.1 / 6.8 (Medium) — CVSS v4.0
- **CWE:** CWE-312: Cleartext Storage of Sensitive Information
## Affected Systems
- **Products:**
  - POWER METER SICAM Q100 (7KG9501-0AA31-2AA1)
  - POWER METER SICAM Q200 (7KG9501-0AA01-2AA1 / 7KG9505-0AA31-2AA1)
- **Versions:**
  - All versions >= V2.60
  - All versions >= V2.70
  - (Specific range: V2.60 up to, but excluding, V2.80)
- **Configurations:** Devices where the SMTP service is configured for alerts or communication.
## Vulnerability Description
The affected Siemens SICAM devices suffer from two distinct information disclosure flaws related to credential handling:
- **CVE-2025-40752:** The device stores the SMTP account password in plain text within its internal storage.
- **CVE-2025-40753:** The device exports the SMTP account password in plain text when a user generates a "Configuration File" export.
In both instances, the lack of encryption or hashing for sensitive credentials allows an attacker with access to the system to retrieve the password.
## Exploitation
- **Status:** Not exploited (No reports of exploitation in the wild at time of publication).
- **Complexity:** Low
- **Attack Vector:** Local (Requires local authenticated access to the device or the exported configuration files).
## Impact
- **Confidentiality:** High (Full disclosure of SMTP service credentials).
- **Integrity:** None (The vulnerability itself does not modify data, though the stolen credentials could be used to send fraudulent emails).
- **Availability:** None.
## Remediation
### Patches
Siemens recommends updating affected products to the following versions or later:
- **SICAM Q100 / Q200:** Update to **V2.80** or later.
- Firmware can be obtained via the Siemens Industry Online Support portal: hxxps://support[.]industry[.]siemens[.]com/cs/ww/en/view/109743592/
### Workarounds
The advisory does not list specific technical workarounds but emphasizes general security posture:
- Restrict device access to authorized personnel only.
- Implement network segmentation and firewalls to protect device management interfaces.
- Protect exported configuration files as sensitive documents.
## Detection
- **Indicators of Compromise:** Unusual activity on the configured SMTP server (e.g., unauthorized emails originating from the SICAM device's account).
- **Detection Methods:** Audit device logs for unauthorized local logins and monitor the frequency of configuration file exports. Ensure file integrity monitoring is applied to any backups of the device configuration.
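
The SMTP-side indicator above can be checked mechanically on the mail relay. The following is an added example, not part of the Siemens advisory: it assumes the relay is Postfix with SASL authentication, and the account name, device subnet and log lines are constructed placeholders.

```python
import ipaddress
import re

# Assumptions (not from the advisory): Postfix relay with SASL auth; the
# account name and meter subnet below are placeholders for your own values.
DEVICE_ACCOUNT = "sicam-alerts@example.org"
DEVICE_NETS = [ipaddress.ip_network("10.20.30.0/28")]

# Postfix smtpd logs an authenticated session as:
#   QUEUEID: client=host[ip], sasl_method=..., sasl_username=user
SASL_RE = re.compile(
    r"client=[^\[\s]+\[(?P<ip>[^\]]+)\],"
    r"\s*sasl_method=[^,\s]+,\s*sasl_username=(?P<user>\S+)"
)

# Constructed sample log lines (not real traffic).
SAMPLE_LOG = [
    "Aug 12 03:10:01 relay postfix/smtpd[2211]: 4F1A2C0D: client=q100-a[10.20.30.5], sasl_method=LOGIN, sasl_username=sicam-alerts@example.org",
    "Aug 12 03:12:44 relay postfix/smtpd[2215]: 5B7C9E11: client=unknown[192.0.2.77], sasl_method=PLAIN, sasl_username=sicam-alerts@example.org",
    "Aug 12 03:13:02 relay postfix/smtpd[2216]: 6C8D0F22: client=ws01[192.0.2.10], sasl_method=PLAIN, sasl_username=operator@example.org",
    "Aug 12 03:14:00 relay postfix/smtpd[2217]: connect from q100-a[10.20.30.5]",
]


def find_foreign_logins(lines, account=DEVICE_ACCOUNT, allowed=DEVICE_NETS):
    """Return (ip, raw_line) for every login that uses the device's SMTP
    account from an address outside the networks where the meters live."""
    hits = []
    for line in lines:
        m = SASL_RE.search(line)
        if not m or m.group("user").lower() != account.lower():
            continue  # not an authenticated session for the device account
        try:
            ip = ipaddress.ip_address(m.group("ip"))
        except ValueError:
            # Address field is not parseable (e.g. "unknown"): report it.
            hits.append((m.group("ip"), line))
            continue
        if not any(ip in net for net in allowed):
            hits.append((str(ip), line))
    return hits


if __name__ == "__main__":
    for ip, line in find_foreign_logins(SAMPLE_LOG):
        print(f"device SMTP account used from {ip}: {line}")
```

A hit means the device's SMTP credentials were used from somewhere other than a meter, which is the condition under which the password should be rotated on the mail server and on the device.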
## References
- **Siemens Security Advisory SSA-529291:** hxxps://cert-portal[.]siemens[.]com/productcert/pdf/ssa-529291[.]pdf
- **Siemens Grid Security Guidelines:** hxxps://www[.]siemens[.]com/gridsecurity
- **Siemens ProductCERT:** hxxps://www[.]siemens[.]com/cert/advisories