# Full Report

Siemens has released a new version of SIMATIC RTLS Locating Manager and recommends updating to the latest version.

# Analysis Summary
# Vulnerability: Multiple Vulnerabilities in SIMATIC RTLS Locating Manager
## CVE Details
- **CVE ID:** CVE-2025-30034
- **CVSS Score:** 6.9 (Medium) [CVSS v4.0] / 6.2 (Medium) [CVSS v3.1]
- **CWE:** CWE-617 (Reachable Assertion)
- **CVE ID:** CVE-2025-40751
- **CVSS Score:** 4.8 (Medium) [CVSS v4.0] / 6.3 (Medium) [CVSS v3.1]
- **CWE:** CWE-522 (Insufficiently Protected Credentials)
## Affected Systems
- **Products:** SIMATIC RTLS Locating Manager
- **Versions:** All versions prior to V3.3
- **Configurations:**
  - **CVE-2025-30034:** Affects the listening port on the local loopback interface.
  - **CVE-2025-40751:** Specifically affects Report Clients during server authentication.
## Vulnerability Description
- **CVE-2025-30034:** The application fails to properly validate input sent to its listening port via the local loopback interface. A local attacker can exploit this lack of validation to trigger a reachable assertion, resulting in a Denial of Service (DoS) condition.
- **CVE-2025-40751:** The Report Client component does not sufficiently protect credentials used to authenticate with the server. This flaw allows an authenticated local user to extract these credentials, enabling privilege escalation from a standard "Manager" role to a "Systemadministrator" role.
## Exploitation
- **Status:** Not known to be exploited (the advisory mentions no active exploitation and no public PoC)
- **Complexity:** Low
- **Attack Vector:** Local (Both vulnerabilities require local access to the system)
## Impact
- **Confidentiality:**
  - CVE-2025-30034: None
  - CVE-2025-40751: Low (Credential extraction)
- **Integrity:**
  - CVE-2025-30034: None
  - CVE-2025-40751: Low (Privilege escalation)
- **Availability:**
  - CVE-2025-30034: High (Denial of Service)
  - CVE-2025-40751: Low
## Remediation
### Patches
- Siemens recommends updating SIMATIC RTLS Locating Manager to **version V3.3 or later**.
- Patch Download: [https://support.industry.siemens.com/cs/ww/en/view/109992600/](https://support.industry.siemens.com/cs/ww/en/view/109992600/)
### Workarounds
- No specific software workarounds are provided.
- **General Mitigation:**
  - Protect network access to devices using robust security mechanisms.
  - Follow Siemens' operational guidelines for Industrial Security to ensure the product operates within a protected IT environment.
## Detection
- **Indicators of Compromise:**
  - Application crashes or service unavailability (specifically related to the loopback interface listening port).
  - Unexplained privilege escalations within the Locating Manager software (from "Manager" to "Systemadministrator").
- **Detection methods and tools:** Monitor system logs for repeated crashes of RTLS Locating Manager services and audit user account role changes within the application.
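The two detection methods above can be turned into a small log-review script. The following is an added example, not code from the Siemens advisory or the product: it correlates repeated crash events of the Locating Manager process within a time window (the CWE-617 DoS indicator) and flags role changes that land on "Systemadministrator" (the CWE-522 privilege-escalation indicator). The log line format, the source name `RTLSLocatingManager`, the message wording and the sample lines are all constructed assumptions; the regexes must be adapted to the real log source (for example the Windows Application event log or the product's own log files).

```python
"""Detect the two advisory indicators over sample log lines (added example, not vendor code)."""
import re
from collections import deque
from datetime import datetime, timedelta

# Constructed sample log: "<ISO timestamp> <source> <message>". The format and the
# message texts are assumptions made for this example, not the product's real logs.
SAMPLE_LOG = """\
2025-07-08T09:00:01 RTLSLocatingManager service started
2025-07-08T09:05:12 RTLSLocatingManager ASSERTION FAILED in loopback listener, process terminated
2025-07-08T09:05:40 RTLSLocatingManager service started
2025-07-08T09:06:03 RTLSLocatingManager ASSERTION FAILED in loopback listener, process terminated
2025-07-08T09:06:30 RTLSLocatingManager service started
2025-07-08T09:07:15 RTLSLocatingManager ASSERTION FAILED in loopback listener, process terminated
2025-07-08T10:15:00 RTLSLocatingManager user 'jdoe' role changed from Manager to Systemadministrator by 'jdoe'
2025-07-08T11:00:00 RTLSLocatingManager user 'ops' role changed from Manager to Manager by 'admin'
"""

LINE_RE = re.compile(r"^(\S+)\s+(\S+)\s+(.*)$")
# Crash indicator: an assertion failure or an unexpected process termination (assumed wording).
CRASH_RE = re.compile(r"ASSERTION FAILED|process terminated", re.IGNORECASE)
# Role-change indicator: who was changed, from which role to which, and by whom (assumed wording).
ROLE_RE = re.compile(r"user '([^']+)' role changed from (\w+) to (\w+) by '([^']+)'")


def parse(lines):
    """Yield (timestamp, source, message) tuples, skipping lines that do not match."""
    for line in lines:
        m = LINE_RE.match(line.strip())
        if not m:
            continue
        yield datetime.fromisoformat(m.group(1)), m.group(2), m.group(3)


def detect(log_text, source="RTLSLocatingManager",
           window=timedelta(minutes=10), crash_threshold=3):
    """Return a list of findings for repeated crashes and escalations to Systemadministrator."""
    findings = []
    recent_crashes = deque()   # timestamps of crashes inside the sliding window
    crash_alerted = False      # raise the repeated-crash finding once per run

    for ts, src, msg in parse(log_text.splitlines()):
        if src != source:
            continue

        if CRASH_RE.search(msg):
            recent_crashes.append(ts)
            # Drop crashes that fell out of the window.
            while recent_crashes and ts - recent_crashes[0] > window:
                recent_crashes.popleft()
            if len(recent_crashes) >= crash_threshold and not crash_alerted:
                findings.append({
                    "kind": "repeated_crash",
                    "count": len(recent_crashes),
                    "first": recent_crashes[0].isoformat(),
                    "last": ts.isoformat(),
                })
                crash_alerted = True

        m = ROLE_RE.search(msg)
        if m:
            user, old_role, new_role, actor = m.groups()
            if new_role == "Systemadministrator" and old_role != new_role:
                findings.append({
                    "kind": "privilege_escalation",
                    "user": user,
                    "from": old_role,
                    "to": new_role,
                    "actor": actor,
                    # A user raising their own role is the pattern the advisory describes.
                    "self_service": actor == user,
                    "time": ts.isoformat(),
                })
    return findings


if __name__ == "__main__":
    for finding in detect(SAMPLE_LOG):
        print(finding)
```

The crash threshold and window are tuning knobs: a single assertion failure can be a benign fault, while several within minutes on the loopback listener matches the DoS indicator. For the role-change check, a self-applied promotion to "Systemadministrator" is the case to escalate first; a promotion performed by an existing administrator should still be reviewed against change records.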
## References
- **Vendor Advisory:** [https://cert-portal.siemens.com/productcert/html/ssa-707630.html](https://cert-portal.siemens.com/productcert/html/ssa-707630.html)
- **Siemens Industrial Security:** [https://www.siemens.com/industrialsecurity](https://www.siemens.com/industrialsecurity)
- **Operational Guidelines:** [https://www.siemens.com/cert/operational-guidelines-industrial-security](https://www.siemens.com/cert/operational-guidelines-industrial-security)