CVE-2025-40572
📋 TL;DR
A local privilege escalation vulnerability in Siemens SCALANCE LPE9403 industrial routers allows non-privileged local attackers to access sensitive information stored on the device. This affects all versions before V4.0 HF0 due to improper permission assignment to critical resources.
💻 Affected Systems
- Siemens SCALANCE LPE9403 (6GK5998-3GS00-2AC2)
📦 What is this software?
⚠️ Risk & Real-World Impact
Worst Case
Local attacker gains access to sensitive configuration data, credentials, or network information that could facilitate further attacks on industrial control systems.
Likely Case
Unauthorized access to device logs, configuration files, or network settings that could reveal operational details or weak security configurations.
If Mitigated
Limited impact with proper network segmentation and access controls preventing local attacker access to vulnerable devices.
🎯 Exploit Status
Requires local access and some technical knowledge of the device's file system and permission structure.
🛠️ Fix & Mitigation
✅ Official Fix
Patch Version: V4.0 HF0
Vendor Advisory: https://cert-portal.siemens.com/productcert/html/ssa-327438.html
Restart Required: Yes
Instructions:
1. Download firmware V4.0 HF0 from the Siemens support portal.
2. Back up the current configuration.
3. Upload and install the new firmware via the web interface or console.
4. Restart the device.
5. Restore the configuration if needed.
🔧 Temporary Workarounds
Restrict physical and network access
Limit who can physically access the device and restrict network access to management interfaces
Implement strict user access controls
Ensure only authorized personnel have local login credentials and monitor access logs
🧯 If You Can't Patch
- Implement strict physical security controls around device location
- Segment industrial network to limit lateral movement if device is compromised
🔍 How to Verify
Check if Vulnerable:
Check firmware version via web interface (System > Device Information) or CLI command 'show version'
Check Version:
show version
Verify Fix Applied:
Confirm firmware version is V4.0 HF0 or later in device information
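To turn the "V4.0 HF0 or later" rule into a repeatable check across a fleet, here is an added example (not code from the advisory or from Siemens) that parses version strings and flags devices still on a vulnerable release. It assumes a version format of `V<major>.<minor>[.<patch>][ HF<hotfix>]` and treats a release with no `HF` suffix as `HF0`; both are assumptions for this example, as is the inventory format.

```python
import re

# Assumed version-string format (an assumption for this example, not taken
# from the advisory): "V<major>.<minor>[.<patch>][ HF<hotfix>]",
# e.g. "V3.1.2" or "V4.0 HF0".
_VERSION_RE = re.compile(
    r"^V(\d+)\.(\d+)(?:\.(\d+))?(?:\s*HF(\d+))?$", re.IGNORECASE
)

# First fixed release, as stated in the advisory.
FIXED_VERSION = "V4.0 HF0"


def parse_version(text):
    """Return a comparable (major, minor, patch, hotfix) tuple."""
    m = _VERSION_RE.match(text.strip())
    if not m:
        raise ValueError(f"unrecognised version string: {text!r}")
    major, minor, patch, hotfix = m.groups()
    # Assumption: a missing patch or HF component counts as 0.
    return (int(major), int(minor), int(patch or 0), int(hotfix or 0))


def is_vulnerable(version_text):
    """True when the device runs anything older than V4.0 HF0."""
    return parse_version(version_text) < parse_version(FIXED_VERSION)


def devices_needing_update(inventory):
    """inventory: list of (device_name, version_string) pairs (assumed format).

    Returns the names of devices that must still be updated.
    """
    return [name for name, ver in inventory if is_vulnerable(ver)]


if __name__ == "__main__":
    # Constructed inventory for demonstration; not real devices.
    sample_inventory = [
        ("lpe9403-cell-01", "V3.1"),
        ("lpe9403-cell-02", "V4.0 HF0"),
        ("lpe9403-cell-03", "v3.2.1 HF1"),
        ("lpe9403-cell-04", "V4.1"),
    ]
    for name in devices_needing_update(sample_inventory):
        print(f"UPDATE REQUIRED: {name}")
```

Run it against a list pulled from your asset inventory; a `ValueError` on an unexpected string is deliberate, so that a device with an unparseable version is investigated rather than silently treated as patched.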
📡 Detection & Monitoring
Log Indicators:
- Multiple failed login attempts followed by successful login
- Unusual file access patterns in system logs
- Configuration changes from non-privileged accounts
Network Indicators:
- Unusual traffic patterns from the device
- Attempts to access management interfaces from unauthorized sources
SIEM Query:
source="scalance-logs" AND (event_type="file_access" OR event_type="permission_change") AND user!="admin"
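The SIEM query above and the "multiple failed logins followed by a success" indicator can both be expressed as simple detection logic. The following is an added example, not part of the advisory and not a Siemens tool; it runs over constructed key=value log lines (an assumed format: real SCALANCE logs must be normalised by the SIEM's parser first), and the user names, paths and addresses in the sample are made up.

```python
import re
from collections import defaultdict

# Constructed sample log lines in key=value form. The format, user names,
# paths and addresses are assumptions for this example only.
SAMPLE_LOGS = [
    "ts=2025-06-01T08:00:01 event_type=login_failed user=operator src=192.0.2.10",
    "ts=2025-06-01T08:00:05 event_type=login_failed user=operator src=192.0.2.10",
    "ts=2025-06-01T08:00:09 event_type=login_failed user=operator src=192.0.2.10",
    "ts=2025-06-01T08:00:15 event_type=login_success user=operator src=192.0.2.10",
    "ts=2025-06-01T08:01:02 event_type=file_access user=operator path=/cfg/device.db",
    "ts=2025-06-01T08:01:30 event_type=permission_change user=operator path=/var/log",
    "ts=2025-06-01T09:00:00 event_type=file_access user=admin path=/cfg/device.db",
    "ts=2025-06-01T09:05:00 event_type=login_success user=admin src=192.0.2.20",
]

_KV_RE = re.compile(r"(\w+)=(\S+)")


def parse_line(line):
    """Split one key=value log line into a dict."""
    return dict(_KV_RE.findall(line))


def sensitive_events_by_non_admin(events):
    """Same logic as the SIEM query:
    (event_type = file_access OR permission_change) AND user != admin.
    """
    return [
        e for e in events
        if e.get("event_type") in ("file_access", "permission_change")
        and e.get("user") != "admin"
    ]


def failed_logins_then_success(events, threshold=3):
    """Log indicator: at least `threshold` failed logins for a user
    followed by a successful login for that same user.
    Returns (user, failure_count, timestamp_of_success) tuples.
    """
    failures = defaultdict(int)
    hits = []
    for e in events:
        user, kind = e.get("user"), e.get("event_type")
        if kind == "login_failed":
            failures[user] += 1
        elif kind == "login_success":
            if failures[user] >= threshold:
                hits.append((user, failures[user], e.get("ts")))
            failures[user] = 0  # a success resets the counter
    return hits


def analyse(lines):
    """Run both detections over raw log lines."""
    events = [parse_line(line) for line in lines]
    return {
        "sensitive_access": sensitive_events_by_non_admin(events),
        "suspicious_logins": failed_logins_then_success(events),
    }


if __name__ == "__main__":
    result = analyse(SAMPLE_LOGS)
    for e in result["sensitive_access"]:
        print("ALERT non-admin sensitive access:", e)
    for user, n, ts in result["suspicious_logins"]:
        print(f"ALERT {n} failed logins then success for {user} at {ts}")
```

On the constructed sample this raises two sensitive-access alerts for `operator` and one suspicious-login alert; the `admin` events pass, as in the SIEM query. Tune `threshold` to your environment and consider alerting on the non-admin access rule alone, since the vulnerability needs no brute force once a local account exists.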