CVE-2025-40742
📋 TL;DR
The web interface of affected Siemens SIPROTEC 5 devices places the session identifier in the URL of requests. Because URLs are recorded in browser history, proxy and web-server logs, and other storage, anyone who can read those records can recover a valid session identifier and reuse it to take over the session, gaining unauthorized access to the protection relay. All listed SIPROTEC 5 devices on the CP050, CP100, CP150 and CP300 hardware platforms are affected.
💻 Affected Systems
- SIPROTEC 5 6MD84 (CP300)
- SIPROTEC 5 6MD85 (CP300)
- SIPROTEC 5 6MD86 (CP300)
- SIPROTEC 5 6MD89 (CP300)
- SIPROTEC 5 6MD89 (CP300) V9.6
- SIPROTEC 5 6MU85 (CP300)
- SIPROTEC 5 7KE85 (CP300)
- SIPROTEC 5 7SA82 (CP100)
- SIPROTEC 5 7SA82 (CP150)
- SIPROTEC 5 7SA86 (CP300)
- SIPROTEC 5 7SA87 (CP300)
- SIPROTEC 5 7SD82 (CP100)
- SIPROTEC 5 7SD82 (CP150)
- SIPROTEC 5 7SD86 (CP300)
- SIPROTEC 5 7SD87 (CP300)
- SIPROTEC 5 7SJ81 (CP100)
- SIPROTEC 5 7SJ81 (CP150)
- SIPROTEC 5 7SJ82 (CP100)
- SIPROTEC 5 7SJ82 (CP150)
- SIPROTEC 5 7SJ85 (CP300)
- SIPROTEC 5 7SJ86 (CP300)
- SIPROTEC 5 7SK82 (CP100)
- SIPROTEC 5 7SK82 (CP150)
- SIPROTEC 5 7SK85 (CP300)
- SIPROTEC 5 7SL82 (CP100)
- SIPROTEC 5 7SL82 (CP150)
- SIPROTEC 5 7SL86 (CP300)
- SIPROTEC 5 7SL87 (CP300)
- SIPROTEC 5 7SS85 (CP300)
- SIPROTEC 5 7ST85 (CP300)
- SIPROTEC 5 7ST86 (CP300)
- SIPROTEC 5 7SX82 (CP150)
- SIPROTEC 5 7SX85 (CP300)
- SIPROTEC 5 7SY82 (CP150)
- SIPROTEC 5 7UM85 (CP300)
- SIPROTEC 5 7UT82 (CP100)
- SIPROTEC 5 7UT82 (CP150)
- SIPROTEC 5 7UT85 (CP300)
- SIPROTEC 5 7UT86 (CP300)
- SIPROTEC 5 7UT87 (CP300)
- SIPROTEC 5 7VE85 (CP300)
- SIPROTEC 5 7VK87 (CP300)
- SIPROTEC 5 7VU85 (CP300)
- SIPROTEC 5 Compact 7SX800 (CP050)
⚠️ Manual Verification Required
This CVE does not have specific version information in our database, so automatic vulnerability detection cannot determine if your system is affected.
Why? The CVE database entry doesn't specify which versions are vulnerable (no version ranges provided by the vendor/NVD).
- Review the CVE details at NVD
- Check vendor security advisories for your specific version
- Test if the vulnerability is exploitable in your environment
- Consider updating to the latest version as a precaution
⚠️ Risk & Real-World Impact
Worst Case
Attackers gain unauthorized access to industrial control systems, potentially disrupting power grid operations, causing equipment damage, or manipulating protection relays.
Likely Case
Session hijacking leading to unauthorized access to device configuration interfaces, potentially altering protection settings or monitoring data.
If Mitigated
Limited impact where the device web interface is reachable only from a segmented engineering network with strict access controls, and session reuse from unexpected hosts is monitored.
🎯 Exploit Status
Exploitation requires obtaining a URL that carries a valid session identifier, for example from browser history, proxy or server logs, or a network capture, and replaying it to the device before the session expires. No authentication bypass is needed once the identifier is known.
🛠️ Fix & Mitigation
✅ Official Fix
Patch Version: Check Siemens advisory for specific firmware updates
Vendor Advisory: https://cert-portal.siemens.com/productcert/html/ssa-904646.html
Restart Required: Yes
Instructions:
1. Review Siemens advisory SSA-904646
2. Identify affected devices in your environment
3. Download appropriate firmware updates from Siemens
4. Apply updates following Siemens documentation
5. Restart devices as required
6. Verify functionality post-update
🔧 Temporary Workarounds
Network Segmentation
Isolate SIPROTEC devices in dedicated network segments with strict access controls
Access Control Lists
Implement strict firewall rules to limit access to SIPROTEC web interfaces
🧯 If You Can't Patch
- Implement strict network segmentation to isolate SIPROTEC devices from untrusted networks
- Enable detailed logging and monitoring for unauthorized access attempts to device interfaces
🔍 How to Verify
Check if Vulnerable:
Check device model and hardware platform against affected list, review Siemens advisory for specific firmware versions
Check Version:
Check via device web interface or DIGSI 5 software - specific commands vary by device model
Verify Fix Applied:
Verify firmware version has been updated to patched version specified in Siemens advisory
📡 Detection & Monitoring
Log Indicators:
- Requests presenting a session ID from a source IP other than the one that performed the login
- Access to the device web interface from unusual IP addresses, locations, or at unusual times
- The same session ID appearing in requests from more than one source IP
Network Indicators:
- HTTP requests containing session IDs in URLs to SIPROTEC devices
- Unusual traffic patterns to device web interfaces
SIEM Query:
dest_ip IN (SIPROTEC_DEVICE_IPS) AND (url CONTAINS "session" OR url CONTAINS "sid" OR url CONTAINS "token")
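The network indicators and the SIEM query above can be turned into a small offline check over HTTP access logs. The script below is an added example, not part of this page or of any Siemens tooling: it parses a constructed proxy-style log (timestamp, source IP, destination IP, request line, status), flags every request to a SIPROTEC device whose URL carries a session-like parameter in the query string or as a `;name=value` path parameter, and reports any session identifier that was presented from more than one source IP. The log format, the device addresses 10.10.5.21 and 10.10.5.22, and the parameter-name list are assumptions for the illustration; adapt them to your own proxy or firewall logs.

```python
"""Flag session identifiers carried in request URLs to SIPROTEC 5 web
interfaces and detect the same identifier reused from several source IPs.

Example code written for this page; the log format, device addresses and
parameter names below are assumptions, not Siemens' own format.
"""
import re
from collections import defaultdict
from urllib.parse import parse_qsl, urlsplit

# Relay addresses in the substation LAN (assumed for the example).
SIPROTEC_DEVICE_IPS = {"10.10.5.21", "10.10.5.22"}

# Query/path parameter names that commonly carry a session credential.
SESSION_PARAM_NAMES = {
    "session", "sessionid", "session_id", "sid", "token", "jsessionid", "phpsessid",
}

# Assumed proxy log line: <timestamp> <src_ip> <dst_ip> "<METHOD> <url> HTTP/x.y" <status>
LOG_RE = re.compile(
    r'^(?P<ts>\S+) (?P<src>\S+) (?P<dst>\S+) '
    r'"(?P<method>[A-Z]+) (?P<url>\S+) HTTP/[\d.]+" (?P<status>\d{3})$'
)

# Matrix-style path parameters such as /status;jsessionid=ABC
PATH_PARAM_RE = re.compile(r";([A-Za-z_]+)=([^;/?]+)")

# Constructed sample log. Host 10.10.7.99 replays the session id that
# 10.10.1.15 established; the last line targets a non-SIPROTEC host.
SAMPLE_LOG = """\
2025-09-01T08:12:04Z 10.10.1.15 10.10.5.21 "GET /login?user=eng HTTP/1.1" 200
2025-09-01T08:12:05Z 10.10.1.15 10.10.5.21 "GET /settings?sid=7f3c9a1e2b HTTP/1.1" 200
2025-09-01T08:14:30Z 10.10.1.15 10.10.5.21 "POST /settings/apply?sid=7f3c9a1e2b HTTP/1.1" 200
2025-09-01T08:20:11Z 10.10.7.99 10.10.5.21 "GET /settings?sid=7f3c9a1e2b HTTP/1.1" 200
2025-09-01T08:21:02Z 10.10.1.16 10.10.5.22 "GET /status;jsessionid=A1B2C3 HTTP/1.1" 200
2025-09-01T08:22:40Z 10.10.1.16 10.10.9.5 "GET /index.html?token=abc123 HTTP/1.1" 200
"""


def parse_line(line):
    """Return the log fields as a dict, or None for lines that do not match."""
    m = LOG_RE.match(line.strip())
    return m.groupdict() if m else None


def session_ids_in_url(url):
    """Return (name, value) pairs for session-like parameters in a URL.

    Looks at both the query string (?sid=...) and path parameters (;jsessionid=...).
    """
    parts = urlsplit(url)
    found = [
        (k, v)
        for k, v in parse_qsl(parts.query, keep_blank_values=True)
        if k.lower() in SESSION_PARAM_NAMES
    ]
    found += [
        (k, v) for k, v in PATH_PARAM_RE.findall(parts.path) if k.lower() in SESSION_PARAM_NAMES
    ]
    return found


def analyse(lines):
    """Scan log lines; return (findings, reused).

    findings: one dict per request to a SIPROTEC device that exposes a session id in its URL.
    reused:   {session_value: sorted list of source IPs} for ids seen from more than one IP.
    """
    findings = []
    seen_from = defaultdict(set)
    for line in lines:
        rec = parse_line(line)
        if rec is None or rec["dst"] not in SIPROTEC_DEVICE_IPS:
            continue  # unparseable, or not a protection relay
        for name, value in session_ids_in_url(rec["url"]):
            findings.append(
                {"ts": rec["ts"], "src": rec["src"], "dst": rec["dst"], "param": name, "value": value}
            )
            seen_from[value].add(rec["src"])
    reused = {v: sorted(ips) for v, ips in seen_from.items() if len(ips) > 1}
    return findings, reused


if __name__ == "__main__":
    findings, reused = analyse(SAMPLE_LOG.splitlines())
    for f in findings:
        print(f"{f['ts']} {f['src']} -> {f['dst']} exposes {f['param']}={f['value']} in URL")
    for value, ips in reused.items():
        print(f"ALERT: session id {value} presented from {len(ips)} hosts: {', '.join(ips)}")
```

Run against real logs, the first loop gives you the inventory of session leaks (useful evidence that the device behaves as the advisory describes), and the `reused` map is the actual hijack signal: a session ID the device accepted from two different hosts. Session IDs in URLs will also appear in `Referer` headers of any outbound request the operator's browser makes, so extend the parser to that field if your proxy logs it.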