Full Report
Several tools for the SIMOTION system are affected by a local privilege escalation vulnerability. This could allow an attacker to execute arbitrary code with SYSTEM privileges when a legitimate user installs an application that uses the affected setup component. The vulnerability poses a risk only during the setup and installation phase of the affected tools. Siemens is preparing fix versions and recommends specific countermeasures for products where fixes are not, or not yet, available.
Analysis Summary
# Vulnerability: Local Privilege Escalation in Siemens SIMOTION Tools
## CVE Details
- **CVE ID:** CVE-2025-43715
- **CVSS Score:** 8.1 (High)
- **CWE:** CWE-754: Improper Check for Unusual or Exceptional Conditions
## Affected Systems
- **Products:**
  - SIMATIC Technology Package TPCamGen (6ES7823-0FE30-1AA0)
  - SIMOTION OA MIIF (6AU1820-3DA20-0AB0)
  - SIMOTION OACAMGEN (6AU1820-3EA20-0AB0)
  - SIMOTION OALECO (6AU1820-3HA20-0AB0)
  - SIMOTION OAVIBX (6AU1820-3CA20-0AB0)
- **Versions:** All versions of the products listed above.
- **Configurations:** The vulnerability is exploitable only during the **setup and installation phase** on Windows operating systems.
## Vulnerability Description
The affected tools use the Nullsoft Scriptable Install System (NSIS) for their installers. Due to a flaw in NSIS (versions prior to 3.11), the installer creates a temporary plugins directory under `%WINDIR%\temp`. Because the `EW_CREATEDIR` function fails to consistently set the `CreateRestrictedDirectory` error flag, the directory may be created with permissions that allow unprivileged users to write to it. A local attacker who wins the race between directory creation and plugin loading can place a malicious executable in this directory, which the installer then runs with **SYSTEM** privileges.
## Exploitation
- **Status:** PoC available (Note: The underlying NSIS flaw is a known public vulnerability).
- **Complexity:** High (Requires winning a race condition during the installation window).
- **Attack Vector:** Local
## Impact
- **Confidentiality:** High
- **Integrity:** High
- **Availability:** High
- **Overall Impact:** Full compromise of the local system via arbitrary code execution as SYSTEM.
## Remediation
### Patches
- **SIMATIC Technology Package TPCamGen:** No fix is currently available; Siemens is preparing fix versions.
- **SIMOTION OA MIIF, OACAMGEN, OALECO, OAVIBX:** No fix is currently planned.
### Workarounds
- **Installation Hygiene:** Ensure that no other users are logged into the system and no unknown or untrusted programs are running simultaneously while executing the installer for affected products.
- **Environment Hardening:** Follow Siemens' operational guidelines for Industrial Security to operate devices within protected IT environments.
## Detection
- **Indicators of Compromise:** Unexpected executable or DLL files created under `%WINDIR%\temp` (and its subdirectories) while a Siemens software installer is running.
- **Detection methods:** Audit process-creation logs for processes that run as SYSTEM, are launched from `%WINDIR%\temp`, and have an installer as their parent process.
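The detection method above, applied to process-creation telemetry, as an added example that is not part of the Siemens advisory. It assumes Sysmon-style field names (`Image`, `ParentImage`, `User`) and that `%WINDIR%` resolves to `C:\Windows`; the event records are constructed samples, not real telemetry.

```python
"""Flag process-creation events matching the pattern described in this advisory:
a process whose image lives under %WINDIR%\\temp, running as SYSTEM, spawned by
an installer. Field names follow a Sysmon-like shape (assumption)."""
import ntpath
import re

WINDIR = r"C:\Windows"  # assumption: resolved %WINDIR% on the monitored host
TEMP_DIR = ntpath.join(WINDIR, "temp").lower()
INSTALLER_RE = re.compile(r"(setup|install)", re.IGNORECASE)  # heuristic parent-name match
SYSTEM_USER = "nt authority\\system"


def is_under_temp(image: str) -> bool:
    """True if the image path is inside %WINDIR%\\temp (case-insensitive, normalised)."""
    path = ntpath.normpath(image).lower()
    return path.startswith(TEMP_DIR + "\\")


def is_suspicious(event: dict) -> bool:
    """All three conditions must hold: image under temp, SYSTEM user, installer parent."""
    parent_name = ntpath.basename(event["ParentImage"])
    return (is_under_temp(event["Image"])
            and event["User"].lower() == SYSTEM_USER
            and INSTALLER_RE.search(parent_name) is not None)


def find_suspicious(events):
    """Return the subset of events that match the detection rule."""
    return [e for e in events if is_suspicious(e)]


# Constructed sample events (not captured from a real host).
SAMPLE_EVENTS = [
    # Binary dropped into the installer's temp plugin area, run as SYSTEM: should be flagged.
    {"Image": r"C:\Windows\Temp\nsx1A2B.tmp\payload.exe",
     "ParentImage": r"C:\Users\alice\Downloads\SIMOTION_OAVIBX_Setup.exe",
     "User": r"NT AUTHORITY\SYSTEM"},
    # Normal child of the installer from a protected location: not flagged.
    {"Image": r"C:\Windows\System32\cmd.exe",
     "ParentImage": r"C:\Users\alice\Downloads\SIMOTION_OAVIBX_Setup.exe",
     "User": r"NT AUTHORITY\SYSTEM"},
    # Temp binary run by an ordinary user, no installer parent: not flagged.
    {"Image": r"C:\Windows\Temp\tool.exe",
     "ParentImage": r"C:\Users\alice\tool_launcher.exe",
     "User": r"CORP\alice"},
]

if __name__ == "__main__":
    for hit in find_suspicious(SAMPLE_EVENTS):
        print("SUSPICIOUS:", hit["Image"], "parent:", hit["ParentImage"])
```

The rule is deliberately narrow (all three conditions required) to keep false positives low; relax the parent-name heuristic if your installers are not named `*Setup*` or `*Install*`.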
## References
- **Vendor Advisory:** hxxps://cert-portal[.]siemens[.]com/productcert/pdf/ssa-563922[.]pdf
- **Siemens ProductCERT:** hxxps://www[.]siemens[.]com/cert/advisories
- **Industrial Security Guidelines:** hxxps://www[.]siemens[.]com/cert/operational-guidelines-industrial-security