Login Sign Up

CVE-2025-27395

7.2 HIGH

📋 TL;DR

This vulnerability in Siemens SCALANCE LPE9403 industrial routers allows authenticated high-privilege attackers to read and write arbitrary files via SFTP. It affects all versions before V4.0 of the 6GK5998-3GS00-2AC2 model. This improper access control could lead to system compromise.

💻 Affected Systems

Products:
  • Siemens SCALANCE LPE9403 (6GK5998-3GS00-2AC2)
Versions: All versions < V4.0
Operating Systems: Embedded OS on SCALANCE devices
Default Config Vulnerable: ⚠️ Yes
Notes: Requires authenticated high-privilege access to exploit; default configurations may provide such access.

📦 What is this software?

Scalance Lpe9403 Firmware by Siemens

View all CVEs affecting Scalance Lpe9403 Firmware →

⚠️ Risk & Real-World Impact

🔴

Worst Case

Complete system takeover, configuration manipulation, credential theft, or firmware modification leading to persistent backdoors in industrial networks.

🟠

Likely Case

Unauthorized access to sensitive configuration files, log tampering, or installation of malicious scripts on affected devices.

🟢

If Mitigated

Limited impact if proper network segmentation, least privilege access, and monitoring are implemented.

🌐 Internet-Facing: HIGH
🏢 Internal Only: MEDIUM

🎯 Exploit Status

Public PoC: ✅ No
Weaponized: UNKNOWN
Unauthenticated Exploit: ✅ No
Complexity: MEDIUM

Exploitation requires authenticated high-privilege access; no public exploit code known at this time.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: V4.0 or later

Vendor Advisory: https://cert-portal.siemens.com/productcert/html/ssa-075201.html

Restart Required: No

Instructions:

1. Download firmware V4.0 or later from Siemens Industrial Security. 2. Backup current configuration. 3. Upload new firmware via web interface or CLI. 4. Verify successful update.

🔧 Temporary Workarounds

Restrict SFTP Access

all

Disable SFTP service if not required, or restrict access to specific trusted IP addresses only.

Implement Least Privilege

all

Review and reduce user privileges to minimum required for operations; remove unnecessary high-privilege accounts.

🧯 If You Can't Patch

  • Network segmentation: Isolate SCALANCE devices in separate VLANs with strict firewall rules.
  • Enhanced monitoring: Implement file integrity monitoring and alert on unusual SFTP activity.

🔍 How to Verify

Check if Vulnerable:

Check device firmware version via web interface (System > Device Information) or CLI 'show version' command.

Check Version:

show version

Verify Fix Applied:

Confirm firmware version is V4.0 or higher and test SFTP access with limited privilege accounts.

📡 Detection & Monitoring

Log Indicators:

  • Unusual SFTP connections from unexpected sources
  • Multiple failed SFTP authentication attempts
  • File access/modification patterns outside normal operations

Network Indicators:

  • SFTP traffic to SCALANCE devices from unauthorized IPs
  • Unusual file transfer sizes or frequencies

SIEM Query:

source="scalance_logs" AND (event="SFTP_ACCESS" OR event="FILE_MODIFY") AND user="admin"

📊 Metadata

CVE ID: CVE-2025-27395
CVSS v3 Score: 7.2 (HIGH)
CVSS Vector: CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H
CWE: CWE-22
EPSS Score: 0.19% exploit probability (40.6th percentile)
Published: March 11, 2025
Last Updated: August 22, 2025

🔗 References

📤 Share & Export

📄 Export Markdown 📋 Export JSON

🔗 Related Vulnerabilities

If you're affected by CVE-2025-27395, you might also want to check these:

CVE-2024-43955 10.0

CVE-2024-43955 is an unauthenticated path traversal vulnerability in the Droip WordPress plugin that...

Same vulnerability type (CWE-22)
CVE-2025-54261 10.0

This critical path traversal vulnerability in Adobe ColdFusion allows attackers to escape restricted...

Same vulnerability type (CWE-22)
CVE-2024-40628 10.0

This critical vulnerability in JumpServer allows attackers to read arbitrary files from the Celery c...

Same vulnerability type (CWE-22)