DHS

Category Added in a WPeMatico Campaign

There are 849 posts filed in DHS (this is page 8 of 85).

Threat Actors Target U.S. Critical Infrastructure with LummaC2 Malware

Today, CISA and the Federal Bureau of Investigation released a joint Cybersecurity Advisory, LummaC2 Malware Targeting U.S. Critical Infrastructure Sectors.

This advisory details the tactics, techniques, and procedures, and indicators of compromise (IOCs) linked to threat actors deploying LummaC2 malware. This malware poses a serious threat, capable of infiltrating networks and exfiltrating sensitive information, to vulnerable individuals’ and organizations’ computer networks across U.S. critical infrastructure sectors.

As recently as May 2025, threat actors have been observed using LummaC2 malware, underscoring the ongoing threat. The advisory includes IOCs tied to infections from November 2023 through May 2025. Organizations are strongly urged to review the advisory and implement the recommended mitigations to reduce exposure and impact.

Schneider Electric Galaxy VS, Galaxy VL, Galaxy VXL

View CSAF

1. EXECUTIVE SUMMARY

  • CVSS v3 10.0
  • ATTENTION: Exploitable remotely/low attack complexity
  • Vendor: Schneider Electric
  • Equipment: Galaxy VS, Galaxy VL, Galaxy VXL
  • Vulnerability: Missing Authentication for Critical Function

2. RISK EVALUATION

Successful exploitation of this vulnerability could allow an attacker to perform unauthenticated remote code execution.

3. TECHNICAL DETAILS

3.1 AFFECTED PRODUCTS

The following versions of Schneider Electric products are affected:

  • Galaxy VS: All versions
  • Galaxy VL: All versions
  • Galaxy VXL: All versions

3.2 VULNERABILITY OVERVIEW

3.2.1 MISSING AUTHENTICATION FOR CRITICAL FUNCTION CWE-306

Erlang/OTP is a set of libraries for the Erlang programming language. Prior to versions OTP-27.3.3, OTP-26.2.5.11, and OTP-25.3.2.20, a SSH server may allow an attacker to perform unauthenticated remote code execution (RCE). By exploiting a flaw in SSH protocol message handling, a malicious actor could gain unauthorized access to affected systems and execute arbitrary commands without valid credentials. This issue is patched in versions OTP-27.3.3, OTP-26.2.5.11, and OTP-25.3.2.20. A temporary workaround involves disabling the SSH server or to prevent access via firewall rules.

CVE-2025-32433 has been assigned to this vulnerability. A CVSS v3.1 base score of 10.0 has been calculated; the CVSS vector string is (AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H).

3.3 BACKGROUND

  • CRITICAL INFRASTRUCTURE SECTORS: Commercial Facilities, Critical Manufacturing, Energy
  • COUNTRIES/AREAS DEPLOYED: Worldwide
  • COMPANY HEADQUARTERS LOCATION: France

3.4 RESEARCHER

Schneider Electric reported this vulnerability to CISA.

4. MITIGATIONS

Schneider Electric is establishing a remediation plan for all future versions of Galaxy VS, Galaxy VL, and Galaxy VXL that will include a fix for this vulnerability. Schneider Electric will update this document when the remediation is available. Until then, users should immediately apply the following mitigations to reduce the risk of exploit:

  • Log on to the NMC4 via the Web Interface. Once logged into the system, navigate to the Console settings page from the menu bar by selecting Configuration -> Network -> Console -> Access
  • From the Console setting screen, uncheck the enable SSH/SFTP/SCP check box -> Click Apply
  • As an alternative, setup network segmentation and implement a firewall to block all unauthorized access to SSH port 22/TCP.
  • If assistance is needed applying the above mitigation, please contact our technical support team: https://www.se.com/ww/en/work/support/

To learn more, Schneider Electric recommends reviewing the Network Management Card 4 Security Handbook for specific actions available here to secure your devices further: https://www.se.com/us/en/download/document/SPD_CCON-B8EJSJ_EN/

To ensure you are informed of all updates, including details on affected products and remediation plans, subscribe to Schneider Electric’s security notification service here: https://www.se.com/ww/en/work/support/cybersecurity/security-notifications.jsp

Schneider Electric strongly recommends the following industry cybersecurity best practices:

  • Locate control and safety system networks and remote devices behind firewalls and isolate them from the business network.
  • Install physical controls so no unauthorized personnel can access your industrial control and safety systems, components, peripheral equipment, and networks.
  • Place all controllers in locked cabinets and never leave them in the “Program” mode.
  • Never connect programming software to any network other than the network intended for that device.
  • Scan all methods of mobile data exchange with the isolated network such as CDs, USB drives, etc. before use in the terminals or any node connected to these networks.
  • Never allow mobile devices that have connected to any other network besides the intended network to connect to the safety or control networks without proper sanitation.
  • Minimize network exposure for all control system devices and systems and ensure that they are not accessible from the Internet.
  • When remote access is required, use secure methods, such as Virtual Private Networks (VPNs). Recognize that VPNs may have vulnerabilities and should be updated to the most current version available. Also, understand that VPNs are only as secure as the connected devices.

For more information see the associated Schneider Electric CPCERT security advisory SEVD-2025-133-05 Galaxy VS, Galaxy VL, Galaxy VXL – SEVD-2025-133-01 PDF Version, Galaxy VS, Galaxy VL, Galaxy VXL – SEVD-2025-133-01 CSAF Version.

CISA reminds organizations to perform proper impact analysis and risk assessment prior to deploying defensive measures.

CISA also provides a section for control systems security recommended practices on the ICS webpage on cisa.gov/ics. Several CISA products detailing cyber defense best practices are available for reading and download, including Improving Industrial Control Systems Cybersecurity with Defense-in-Depth Strategies.

CISA encourages organizations to implement recommended cybersecurity strategies for proactive defense of ICS assets.

Additional mitigation guidance and recommended practices are publicly available on the ICS webpage at cisa.gov/ics in the technical information paper, ICS-TIP-12-146-01B–Targeted Cyber Intrusion Detection and Mitigation Strategies.

Organizations observing suspected malicious activity should follow established internal procedures and report findings to CISA for tracking and correlation against other incidents.

CISA also recommends users take the following measures to protect themselves from social engineering attacks:

No known public exploitation specifically targeting this vulnerability has been reported to CISA at this time.

5. UPDATE HISTORY

  • May 20, 2025: Initial Republication of Schneider Electric CPCERT SEVD-2025-133-05

Siemens Siveillance Video

As of January 10, 2023, CISA will no longer be updating ICS security advisories for Siemens product vulnerabilities beyond the initial advisory. For the most up-to-date information on vulnerabilities in this advisory, please see Siemens’ ProductCERT Security Advisories (CERT Services | Services | Siemens Global).

View CSAF

1. EXECUTIVE SUMMARY

  • CVSS v4 5.5
  • ATTENTION: Exploitable remotely
  • Vendor: Siemens
  • Equipment: Siveillance Video
  • Vulnerability: Missing Encryption of Sensitive Data

2. RISK EVALUATION

Successful exploitation of this vulnerability could remove password protection from the system configuration files, also affecting backup data sets that were created after the update to V2024 R1.

3. TECHNICAL DETAILS

3.1 AFFECTED PRODUCTS

Siemens reports that the following products are affected:

  • Siemens Siveillance Video: Versions V24.1 and later

3.2 VULNERABILITY OVERVIEW

3.2.1 MISSING ENCRYPTION OF SENSITIVE DATA CWE-311

Milestone Systems has discovered a security vulnerability in Milestone XProtect installer that resets system configuration password after the upgrading from older versions using specific installers. The system configuration password is an additional, optional protection that is enabled on the Management Server. To mitigate the issue, we highly recommend updating system configuration password via GUI with a standard procedure. Any system upgraded with 2024 R1 or 2024 R2 release installer is vulnerable to this issue. Systems upgraded from 2023 R3 or older with version 2025 R1 and newer are not affected.

CVE-2025-1688 has been assigned to this vulnerability. A CVSS v3.1 base score of 5.5 has been calculated; the CVSS vector string is (CVSS:3.1/AV:N/AC:H/PR:H/UI:N/S:C/C:L/I:L/A:L).

A CVSS v4 score has also been calculated for CVE-2025-1688. A base score of 5.5 has been calculated; the CVSS vector string is (CVSS:4.0/AV:N/AC:H/AT:P/PR:H/UI:N/VC:L/VI:L/VA:L/SC:H/SI:H/SA:H).

3.3 BACKGROUND

  • CRITICAL INFRASTRUCTURE SECTORS: Critical Manufacturing
  • COUNTRIES/AREAS DEPLOYED: Worldwide
  • COMPANY HEADQUARTERS LOCATION: Germany

3.4 RESEARCHER

Milestone PSIRT reported this vulnerability to Siemens.

4. MITIGATIONS

Siemens has identified the following specific workarounds and mitigations that users can apply to reduce risk:

  • Siveillance Video: Change the system configuration password settings (see page 268 in “Siveillance Video 2024 R1 Administrator Manual”)
  • Siveillance Video: Currently no fix is available

As a general security measure, Siemens recommends protecting network access to devices with appropriate mechanisms. To operate the devices in a protected IT environment, Siemens recommends configuring the environment according to Siemens’ operational guidelines for industrial security and following recommendations in the product manuals.

Additional information on industrial security by Siemens can be found on the Siemens industrial security webpage

For more information, see the associated Siemens security advisory SSA-552330 in HTML and CSAF.

CISA recommends users take defensive measures to minimize the risk of exploitation of this vulnerability, such as:

  • Minimize network exposure for all control system devices and/or systems, ensuring they are not accessible from the internet.
  • Locate control system networks and remote devices behind firewalls and isolating them from business networks.
  • When remote access is required, use more secure methods, such as Virtual Private Networks (VPNs). Recognize VPNs may have vulnerabilities, should be updated to the most recent version available, and are only as secure as the connected devices.

CISA reminds organizations to perform proper impact analysis and risk assessment prior to deploying defensive measures.

CISA also provides a section for control systems security recommended practices on the ICS webpage on cisa.gov. Several CISA products detailing cyber defense best practices are available for reading and download, including Improving Industrial Control Systems Cybersecurity with Defense-in-Depth Strategies.

CISA encourages organizations to implement recommended cybersecurity strategies for proactive defense of ICS assets.

Additional mitigation guidance and recommended practices are publicly available on the ICS webpage at cisa.gov in the technical information paper, ICS-TIP-12-146-01B–Targeted Cyber Intrusion Detection and Mitigation Strategies.

Organizations observing suspected malicious activity should follow established internal procedures and report findings to CISA for tracking and correlation against other incidents.

CISA also recommends users take the following measures to protect themselves from social engineering attacks:

No known public exploitation specifically targeting this vulnerability has been reported to CISA at this time. This vulnerability has a high attack complexity.

5. UPDATE HISTORY

  • May 20, 2025: Initial Republication of Siemens SSA-552330

National Instruments Circuit Design Suite

View CSAF

1. EXECUTIVE SUMMARY

  • CVSS v4 8.4
  • ATTENTION: Low attack complexity
  • Vendor: National Instruments
  • Equipment: Circuit Design Suite
  • Vulnerabilities: Out-of-bounds Write, Out-of-bounds Read, Stack-based Buffer Overflow

2. RISK EVALUATION

Successful exploitation of these vulnerabilities could allow an attacker to disclose information or execute arbitrary code.

3. TECHNICAL DETAILS

3.1 AFFECTED PRODUCTS

The following National Instruments products are affected:

  • Circuit Design Suite: Versions 14.3.0 and prior

3.2 VULNERABILITY OVERVIEW

3.2.1 OUT-OF-BOUNDS WRITE CWE-787

An out-of-bounds write vulnerability in DecodeBase64() within Circuit Design Suite, caused by improper input validation, may result in arbitrary code execution. To exploit this flaw, an attacker must trick a user into opening a specially crafted SYM file.

CVE-2025-30417 has been assigned to this vulnerability. A CVSS v3.1 base score of 7.8 has been calculated; the CVSS vector string is (AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H).

A CVSS v4 score has also been calculated for CVE-2025-30417. A base score of 8.4 has been calculated; the CVSS vector string is (AV:L/AC:L/AT:N/PR:N/UI:A/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N).

3.2.2 OUT-OF-BOUNDS WRITE CWE-787

An out-of-bounds write vulnerability in CheckPins() within Circuit Design Suite, caused by improper input validation, may result in arbitrary code execution. To exploit this flaw, an attacker must trick a user into opening a specially crafted SYM file.

CVE-2025-30418 has been assigned to this vulnerability. A CVSS v3.1 base score of 7.8 has been calculated; the CVSS vector string is (AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H).

A CVSS v4 score has also been calculated for CVE-2025-30418. A base score of 8.4 has been calculated; the CVSS vector string is (AV:L/AC:L/AT:N/PR:N/UI:A/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N).

3.2.3 OUT-OF-BOUNDS READ CWE-125

An out-of-bounds read vulnerability in GetSymbolBorderRectSize() within Circuit Design Suite, caused by improper input validation, may result in information disclosure or arbitrary code execution. To exploit this flaw, an attacker must trick a user into opening a specially crafted SYM file.

CVE-2025-30419 has been assigned to this vulnerability. A CVSS v3.1 base score of 7.8 has been calculated; the CVSS vector string is (AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H).

A CVSS v4 score has also been calculated for CVE-2025-30419. A base score of 8.4 has been calculated; the CVSS vector string is (AV:L/AC:L/AT:N/PR:N/UI:A/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N).

3.2.4 OUT-OF-BOUNDS READ CWE-125

An out-of-bounds read vulnerability in InternalDraw within Circuit Design Suite, caused by improper input validation, may result in information disclosure or arbitrary code execution. To exploit this flaw, an attacker must trick a user into opening a specially crafted SYM file.

CVE-2025-30420 has been assigned to this vulnerability. A CVSS v3.1 base score of 7.8 has been calculated; the CVSS vector string is (AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H).

A CVSS v4 score has also been calculated for CVE-2025-30420. A base score of 8.4 has been calculated; the CVSS vector string is (AV:L/AC:L/AT:N/PR:N/UI:A/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N).

3.2.5 STACK-BASED BUFFER OVERFLOW CWE-121

A stack-based buffer overflow vulnerability within Circuit Design Suite, caused by improper input validation, may result in arbitrary code execution. To exploit this flaw, an attacker must trick a user into opening a specially crafted SYM file.

CVE-2025-30421 has been assigned to this vulnerability. A CVSS v3.1 base score of 7.8 has been calculated; the CVSS vector string is (AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H).

A CVSS v4 score has also been calculated for CVE-2025-30421. A base score of 8.4 has been calculated; the CVSS vector string is (AV:L/AC:L/AT:N/PR:N/UI:A/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N).

3.3 BACKGROUND

  • CRITICAL INFRASTRUCTURE SECTORS: Communications, Defense Industrial Base, Government Services and Facilities
  • COUNTRIES/AREAS DEPLOYED: Worldwide
  • COMPANY HEADQUARTERS LOCATION: United States

3.4 RESEARCHER

Michael Heinzl reported these vulnerabilities to CISA.

4. MITIGATIONS

National Instruments recommends users update to version 14.3.1 or later.

Please see National Instruments security update for more information.

CISA recommends users take defensive measures to minimize the risk of exploitation of this these vulnerabilities, such as:

  • Minimize network exposure for all control system devices and/or systems, ensuring they are not accessible from the internet.
  • Locate control system networks and remote devices behind firewalls and isolating them from business networks.
  • When remote access is required, use more secure methods, such as Virtual Private Networks (VPNs), recognizing VPNs may have vulnerabilities and should be updated to the most current version available. Also recognize VPN is only as secure as the connected devices.

CISA reminds organizations to perform proper impact analysis and risk assessment prior to deploying defensive measures.

CISA also provides a section for control systems security recommended practices on the ICS webpage on cisa.gov/ics. Several CISA products detailing cyber defense best practices are available for reading and download, including Improving Industrial Control Systems Cybersecurity with Defense-in-Depth Strategies.

CISA encourages organizations to implement recommended cybersecurity strategies for proactive defense of ICS assets.

Additional mitigation guidance and recommended practices are publicly available on the ICS webpage at cisa.gov/ics in the technical information paper, ICS-TIP-12-146-01B–Targeted Cyber Intrusion Detection and Mitigation Strategies.

Organizations observing suspected malicious activity should follow established internal procedures and report findings to CISA for tracking and correlation against other incidents.

No known public exploitation specifically targeting these vulnerabilities has been reported to CISA at this time.

5. UPDATE HISTORY

  • May 20, 2025: Initial Publication

ECOVACS DEEBOT Vacuum and Base Station

View CSAF

1. EXECUTIVE SUMMARY

  • CVSS v4 8.6
  • ATTENTION: Exploitable remotely/low attack complexity
  • Vendor: ECOVACS
  • Equipment: DEEBOT Vacuum and Base Station
  • Vulnerabilities: Use of Hard-coded Cryptographic Key, Download of Code Without Integrity Check

2. RISK EVALUATION

Successful exploitation of these vulnerabilities could allow an attacker to send malicious updates to the devices or execute code.

3. TECHNICAL DETAILS

3.1 AFFECTED PRODUCTS

ECOVACS reports the following DEEBOT vacuum and base station devices are affected:

  • X1S PRO: Versions prior to 2.5.38
  • X1 PRO OMNI: Versions prior to 2.5.38
  • X1 OMNI: Versions prior to 2.4.45
  • X1 TURBO: Versions prior to 2.4.45
  • T10 Series: Versions prior to 1.11.0
  • T20 Series: Versions prior to 1.25.0
  • T30 Series: Versions prior to 1.100.0

3.2 VULNERABILITY OVERVIEW

3.2.1 Use of Hard-coded Cryptographic Key CWE-321

ECOVACS robot vacuums and base stations communicate via an insecure Wi-Fi network with a deterministic WPA2-PSK. The key can be easily derived from the device serial number.

CVE-2025-30198 has been assigned to this vulnerability. A CVSS v3.1 base score of 6.3 has been calculated; the CVSS vector string is (CVSS:3.1/AV:A/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L).

A CVSS v4 score has also been calculated for CVE-2025-30198. A base score of 5.3 has been calculated; the CVSS vector string is (CVSS:4.0/AV:A/AC:L/AT:N/PR:N/UI:N/VC:L/VI:L/VA:L/SC:N/SI:N/SA:N).

3.2.2 Download of Code Without Integrity Check CWE-494

ECOVACS vacuum robot base stations do not validate firmware updates, so malicious over-the-air updates can be sent to base station via insecure connection between robot and base station.

CVE-2025-30199 has been assigned to this vulnerability. A CVSS v3.1 base score of 7.2 has been calculated; the CVSS vector string is (CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H).

A CVSS v4 score has also been calculated for CVE-2025-30199. A base score of 8.6 has been calculated; the CVSS vector string is (CVSS:4.0/AV:N/AC:L/AT:N/PR:H/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N).

3.2.3 Use of Hard-coded Cryptographic Key CWE-321

ECOVACS robot vacuums and base stations communicate via an insecure Wi-Fi network with a deterministic AES encryption key, which can be easily derived from the device serial number.

CVE-2025-30200 has been assigned to this vulnerability. A CVSS v3.1 base score of 6.3 has been calculated; the CVSS vector string is (CVSS:3.1/AV:A/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L).

A CVSS v4 score has also been calculated for CVE-2025-30200. A base score of 5.3 has been calculated; the CVSS vector string is (CVSS:4.0/AV:A/AC:L/AT:N/PR:N/UI:N/VC:L/VI:L/VA:L/SC:N/SI:N/SA:N).

3.3 BACKGROUND

  • CRITICAL INFRASTRUCTURE SECTORS: Commercial Facilities
  • COUNTRIES/AREAS DEPLOYED: Worldwide
  • COMPANY HEADQUARTERS LOCATION: China

3.4 RESEARCHER

Dennis Giese, Braelynn Luedtke, and Chris Anderson reported these vulnerabilities to ECOVACS.

4. MITIGATIONS

ECOVACS has released software updates for the X1S PRO and X1 PRO OMNI. The remaining affected products will have updates available by May 31, 2025. Devices that support automatic updates will receive system update notifications. ECOVACS has proactively pushed the update to users, ensuring all users will be covered by May 31st. Users can complete the fix by performing the system update.

For more information, see ECOVACS security advisory.

Users can contact ECOVACS using information provided on their website.

CISA recommends users take defensive measures to minimize the risk of exploitation of these vulnerabilities, such as:

  • Minimize network exposure for all control system devices and/or systems, ensuring they are not accessible from the Internet.
  • Locate control system networks and remote devices behind firewalls and isolating them from business networks.
  • When remote access is required, use more secure methods, such as virtual private networks (VPNs), recognizing VPNs may have vulnerabilities and should be updated to the most current version available. Also recognize VPN is only as secure as the connected devices.

CISA reminds organizations to perform proper impact analysis and risk assessment prior to deploying defensive measures.

CISA also provides a section for control systems security recommended practices on the ICS webpage on cisa.gov/ics. Several CISA products detailing cyber defense best practices are available for reading and download, including Improving Industrial Control Systems Cybersecurity with Defense-in-Depth Strategies.

CISA encourages organizations to implement recommended cybersecurity strategies for proactive defense of ICS assets.

Additional mitigation guidance and recommended practices are publicly available on the ICS webpage at cisa.gov/ics in the technical information paper, ICS-TIP-12-146-01B–Targeted Cyber Intrusion Detection and Mitigation Strategies.

Organizations observing suspected malicious activity should follow established internal procedures and report findings to CISA for tracking and correlation against other incidents.

CISA also recommends users take the following measures to protect themselves from social engineering attacks:

No known public exploitation specifically targeting these vulnerabilities has been reported to CISA at this time.

5. UPDATE HISTORY

  • May 15, 2025: Initial Publication

Siemens IPC RS-828A

As of January 10, 2023, CISA will no longer be updating ICS security advisories for Siemens product vulnerabilities beyond the initial advisory. For the most up-to-date information on vulnerabilities in this advisory, please see Siemens’ ProductCERT Security Advisories (CERT Services | Services | Siemens Global).

View CSAF

1. EXECUTIVE SUMMARY

  • CVSS v4 10.0
  • ATTENTION: Exploitable remotely/low attack complexity
  • Vendor: Siemens
  • Equipment: IPC RS-828A
  • Vulnerability: Authentication Bypass by Spoofing

2. RISK EVALUATION

Successful exploitation of this vulnerability could allow an attacker to gain unauthorized access and compromise confidentiality, integrity and availability of the BMC and thus the entire system.

3. TECHNICAL DETAILS

3.1 AFFECTED PRODUCTS

Siemens reports the following rugged industrial PCs are affected:

  • SIMATIC IPC RS-828A: All versions

3.2 VULNERABILITY OVERVIEW

3.2.1 AUTHENTICATION BYPASS BY SPOOFING CWE-290

AMI’s SPx contains a vulnerability in the BMC where an attacker may bypass authentication remotely through the Redfish Host Interface. A successful exploitation of this vulnerability may lead to a loss of confidentiality, integrity, and/or availability.

CVE-2024-54085 has been assigned to this vulnerability. A CVSS v3.1 base score of 10.0 has been calculated; the CVSS vector string is (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H).

A CVSS v4 score has also been calculated for CVE-2024-54085. A base score of 10.0 has been calculated; the CVSS vector string is (CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:H/SI:H/SA:H).

3.3 BACKGROUND

  • CRITICAL INFRASTRUCTURE SECTORS: Commercial Facilities, Critical Manufacturing, Energy, Transportation Systems, Water and Wastewater Systems
  • COUNTRIES/AREAS DEPLOYED: Worldwide
  • COMPANY HEADQUARTERS LOCATION: Germany

3.4 RESEARCHER

Siemens reported this vulnerability to CISA.

4. MITIGATIONS

Siemens is preparing fix versions and recommends specific countermeasures for products where fixes are not, or not yet available. Ensure access to the BMC network interface (X1P1) is limited to trusted networks only.

As a general security measure, Siemens recommends protecting network access to devices with appropriate mechanisms. To operate the devices in a protected IT environment, Siemens recommends configuring the environment according to Siemens’ operational guidelines for industrial security and following recommendations in the product manuals.

Additional information on industrial security by Siemens can be found on the Siemens industrial security webpage

For more information see the associated Siemens security advisory SSA-446307 in HTML and CSAF.

CISA recommends users take defensive measures to minimize the risk of exploitation of this vulnerability. CISA reminds organizations to perform proper impact analysis and risk assessment prior to deploying defensive measures.

CISA also provides a section for control systems security recommended practices on the ICS webpage on cisa.gov. Several CISA products detailing cyber defense best practices are available for reading and download, including Improving Industrial Control Systems Cybersecurity with Defense-in-Depth Strategies.

CISA encourages organizations to implement recommended cybersecurity strategies for proactive defense of ICS assets.

Additional mitigation guidance and recommended practices are publicly available on the ICS webpage at cisa.gov in the technical information paper, ICS-TIP-12-146-01B–Targeted Cyber Intrusion Detection and Mitigation Strategies.

Organizations observing suspected malicious activity should follow established internal procedures and report findings to CISA for tracking and correlation against other incidents.

No known public exploitation specifically targeting this vulnerability has been reported to CISA at this time.

5. UPDATE HISTORY

  • May 15, 2025: Initial Republication of Siemens SSA-446307

Siemens VersiCharge AC Series EV Chargers

As of January 10, 2023, CISA will no longer be updating ICS security advisories for Siemens product vulnerabilities beyond the initial advisory. For the most up-to-date information on vulnerabilities in this advisory, please see Siemens’ ProductCERT Security Advisories (CERT Services | Services | Siemens Global).

View CSAF

1. EXECUTIVE SUMMARY

  • CVSS v4 8.7
  • ATTENTION: Exploitable from adjacent network/low attack complexity
  • Vendor: Siemens
  • Equipment: VersiCharge AC Series EV Chargers
  • Vulnerabilities: Missing Immutable Root of Trust in Hardware, Initialization of a Resource with an Insecure Default

2. RISK EVALUATION

Successful exploitation of these vulnerabilities could allow an attacker to gain control of the chargers through default Modbus port or execute arbitrary code by manipulating the M0 firmware.

3. TECHNICAL DETAILS

3.1 AFFECTED PRODUCTS

Siemens reports that the following products are affected:

  • Siemens IEC 1Ph 7.4kW Child socket (8EM1310-2EH04-0GA0): All versions (CVE-2025-31929)
  • Siemens IEC 1Ph 7.4kW Parent socket (8EM1310-2EH04-3GA1): All versions prior to V2.135 (CVE-2025-31930)
  • Siemens IEC 1Ph 7.4kW Parent socket incl. SIM (8EM1310-2EH04-3GA2): All versions (CVE-2025-31929)
  • Siemens IEC 1Ph 7.4kW Parent socket incl. SIM (8EM1310-2EH04-3GA2): All versions prior to V2.135 (CVE-2025-31930)
  • Siemens IEC 1Ph 7.4kW Parent socket/ shutter (8EM1310-2EN04-3GA1): All versions (CVE-2025-31929)
  • Siemens IEC 1Ph 7.4kW Parent socket/ shutter (8EM1310-2EN04-3GA1): All versions prior to V2.135 (CVE-2025-31930)
  • Siemens IEC 1Ph 7.4kW Parent socket/ shutter SIM (8EM1310-2EN04-3GA2): All versions (CVE-2025-31929)
  • Siemens IEC 1Ph 7.4kW Parent socket/ shutter SIM (8EM1310-2EN04-3GA2): All versions prior to V2.135 (CVE-2025-31930)
  • Siemens IEC 3Ph 22kW Child cable 7m (8EM1310-3EJ04-0GA0): All versions (CVE-2025-31929)
  • Siemens IEC 3Ph 22kW Child cable 7m (8EM1310-3EJ04-0GA0): All versions prior to V2.135 (CVE-2025-31930)
  • Siemens IEC 3Ph 22kW Child socket (8EM1310-3EH04-0GA0): All versions (CVE-2025-31929)
  • Siemens IEC 1Ph 7.4kW Child socket (8EM1310-2EH04-0GA0): All versions prior to V2.135 (CVE-2025-31930)
  • Siemens IEC 3Ph 22kW Child socket (8EM1310-3EH04-0GA0): All versions prior to V2.135 (CVE-2025-31930)
  • Siemens IEC 3Ph 22kW Child socket/ shutter (8EM1310-3EN04-0GA0): All versions (CVE-2025-31929)
  • Siemens IEC 3Ph 22kW Child socket/ shutter (8EM1310-3EN04-0GA0): All versions prior to V2.135 (CVE-2025-31930)
  • Siemens IEC 3Ph 22kW Parent cable 7m (8EM1310-3EJ04-3GA1): All versions (CVE-2025-31929)
  • Siemens IEC 3Ph 22kW Parent cable 7m (8EM1310-3EJ04-3GA1): All versions prior to V2.135 (CVE-2025-31930)
  • Siemens IEC 3Ph 22kW Parent cable 7m incl. SIM (8EM1310-3EJ04-3GA2): All versions (CVE-2025-31929)
  • Siemens IEC 3Ph 22kW Parent cable 7m incl. SIM (8EM1310-3EJ04-3GA2): All versions prior to V2.135 (CVE-2025-31930)
  • Siemens IEC 3Ph 22kW Parent socket (8EM1310-3EH04-3GA1): All versions (CVE-2025-31929)
  • Siemens IEC 3Ph 22kW Parent socket (8EM1310-3EH04-3GA1): All versions prior to V2.135 (CVE-2025-31930)
  • Siemens IEC 3Ph 22kW Parent socket incl. SIM (8EM1310-3EH04-3GA2): All versions (CVE-2025-31929)
  • Siemens IEC 1Ph 7.4kW Child socket/ shutter (8EM1310-2EN04-0GA0): All versions (CVE-2025-31929)
  • Siemens IEC 3Ph 22kW Parent socket incl. SIM (8EM1310-3EH04-3GA2): All versions prior to V2.135 (CVE-2025-31930)
  • Siemens IEC 3Ph 22kW Parent socket/ shutter (8EM1310-3EN04-3GA1): All versions (CVE-2025-31929)
  • Siemens IEC 3Ph 22kW Parent socket/ shutter (8EM1310-3EN04-3GA1): All versions prior to V2.135 (CVE-2025-31930)
  • Siemens IEC 3Ph 22kW Parent socket/ shutter SIM (8EM1310-3EN04-3GA2): All versions (CVE-2025-31929)
  • Siemens IEC 3Ph 22kW Parent socket/ shutter SIM (8EM1310-3EN04-3GA2): All versions prior to V2.135 (CVE-2025-31930)
  • Siemens IEC ERK 3Ph 22 kW Child cable 7m (8EM1310-3FJ04-0GA0): All versions (CVE-2025-31929)
  • Siemens IEC ERK 3Ph 22 kW Child cable 7m (8EM1310-3FJ04-0GA0): All versions prior to V2.135 (CVE-2025-31930)
  • Siemens IEC ERK 3Ph 22 kW Child cable 7m (8EM1310-3FJ04-0GA1): All versions (CVE-2025-31929)
  • Siemens IEC ERK 3Ph 22 kW Child cable 7m (8EM1310-3FJ04-0GA1): All versions prior to V2.135 (CVE-2025-31930)
  • Siemens IEC ERK 3Ph 22 kW Child cable 7m (8EM1310-3FJ04-0GA2): All versions (CVE-2025-31929)
  • Siemens IEC 1Ph 7.4kW Child socket/ shutter (8EM1310-2EN04-0GA0): All versions prior to V2.135 (CVE-2025-31930)
  • Siemens IEC ERK 3Ph 22 kW Child cable 7m (8EM1310-3FJ04-0GA2): All versions prior to V2.135 (CVE-2025-31930)
  • Siemens IEC ERK 3Ph 22 kW Child socket (8EM1310-3FH04-0GA0): All versions (CVE-2025-31929)
  • Siemens IEC ERK 3Ph 22 kW Child socket (8EM1310-3FH04-0GA0): All versions prior to V2.135 (CVE-2025-31930)
  • Siemens IEC ERK 3Ph 22 kW Parent socket (8EM1310-3FH04-3GA1): All versions (CVE-2025-31929)
  • Siemens IEC ERK 3Ph 22 kW Parent socket (8EM1310-3FH04-3GA1): All versions prior to V2.135 (CVE-2025-31930)
  • Siemens IEC ERK 3Ph 22 kW Parent socket incl. SI (8EM1310-3FH04-3GA2): All versions (CVE-2025-31929)
  • Siemens IEC ERK 3Ph 22 kW Parent socket incl. SI (8EM1310-3FH04-3GA2): All versions prior to V2.135 (CVE-2025-31930)
  • Siemens UL Commercial Cellular 48A NTEP (8EM1310-5HF14-1GA2): All versions (CVE-2025-31929)
  • Siemens UL Commercial Cellular 48A NTEP (8EM1310-5HF14-1GA2): All versions prior to V2.135 (CVE-2025-31930)
  • Siemens UL Commercial Child 40A w/ 15118 HW (8EM1310-4CF14-0GA0): All versions (CVE-2025-31929)
  • Siemens IEC 1Ph 7.4kW Parent cable 7m (8EM1310-2EJ04-3GA1): All versions (CVE-2025-31929)
  • Siemens UL Commercial Child 40A w/ 15118 HW (8EM1310-4CF14-0GA0): All versions prior to V2.135 (CVE-2025-31930)
  • Siemens UL Commercial Child 48A BA Compliant (8EM1315-5CG14-0GA0): All versions (CVE-2025-31929)
  • Siemens UL Commercial Child 48A BA Compliant (8EM1315-5CG14-0GA0): All versions prior to V2.135 (CVE-2025-31930)
  • Siemens UL Commercial Child 48A w/ 15118 HW (8EM1310-5CF14-0GA0): All versions (CVE-2025-31929)
  • Siemens UL Commercial Child 48A w/ 15118 HW (8EM1310-5CF14-0GA0): All versions prior to V2.135 (CVE-2025-31930)
  • Siemens UL Commercial Parent 40A with Simcard (8EM1310-4CF14-1GA2): All versions (CVE-2025-31929)
  • Siemens UL Commercial Parent 40A with Simcard (8EM1310-4CF14-1GA2): All versions prior to V2.135 (CVE-2025-31930)
  • Siemens UL Commercial Parent 48A (USPS) (8EM1317-5CG14-1GA2): All versions (CVE-2025-31929)
  • Siemens UL Commercial Parent 48A (USPS) (8EM1317-5CG14-1GA2): All versions prior to V2.135 (CVE-2025-31930)
  • Siemens UL Commercial Parent 48A BA Compliant (8EM1315-5CG14-1GA2): All versions (CVE-2025-31929)
  • Siemens IEC 1Ph 7.4kW Parent cable 7m (8EM1310-2EJ04-3GA1): All versions prior to V2.135 (CVE-2025-31930)
  • Siemens UL Commercial Parent 48A BA Compliant (8EM1315-5CG14-1GA2): All versions prior to V2.135 (CVE-2025-31930)
  • Siemens UL Commercial Parent 48A with Simcard BA (8EM1310-5CF14-1GA2): All versions (CVE-2025-31929)
  • Siemens UL Commercial Parent 48A with Simcard BA (8EM1310-5CF14-1GA2): All versions prior to V2.135 (CVE-2025-31930)
  • Siemens UL Commercial Parent 48A,15118 25ft Sim (8EM1310-5CG14-1GA2): All versions (CVE-2025-31929)
  • Siemens UL Commercial Parent 48A,15118 25ft Sim (8EM1310-5CG14-1GA2): All versions prior to V2.135 (CVE-2025-31930)
  • Siemens UL Commercial Parent 48A, 15118, 25ft (8EM1310-5CG14-1GA1): All versions (CVE-2025-31929)
  • Siemens UL Commercial Parent 48A, 15118, 25ft (8EM1310-5CG14-1GA1): All versions prior to V2.135 (CVE-2025-31930)
  • Siemens UL Commercial Parent 48A, 15118, 25ft (8EM1314-5CG14-2FA2): All versions (CVE-2025-31929)
  • Siemens UL Commercial Parent 48A, 15118, 25ft (8EM1314-5CG14-2FA2): All versions prior to V2.135 (CVE-2025-31930)
  • Siemens UL Commercial Parent 48A, 15118, 25ft (8EM1315-5HG14-1GA2): All versions (CVE-2025-31929)
  • Siemens IEC 1Ph 7.4kW Parent cable 7m incl. SIM (8EM1310-2EJ04-3GA2): All versions (CVE-2025-31929)
  • Siemens UL Commercial Parent 48A, 15118, 25ft (8EM1315-5HG14-1GA2): All versions prior to V2.135 (CVE-2025-31930)
  • Siemens UL Resi High End 40A w/15118 Hw (8EM1312-4CF18-0FA3): All versions (CVE-2025-31929)
  • Siemens UL Resi High End 48A w/15118 Hw (8EM1312-5CF18-0FA3): All versions (CVE-2025-31929)
  • Siemens VersiCharge Blue™ 80A AC Cellular (8EM1315-7BG16-1FH2): All versions (CVE-2025-31929)
  • Siemens VersiCharge Blue™ 80A AC Cellular (8EM1315-7BG16-1FH2): All versions prior to V2.135 (CVE-2025-31930)
  • Siemens IEC 1Ph 7.4kW Parent cable 7m incl. SIM (8EM1310-2EJ04-3GA2): All versions prior to V2.135 (CVE-2025-31930)
  • Siemens IEC 1Ph 7.4kW Parent socket (8EM1310-2EH04-3GA1): All versions (CVE-2025-31929)

3.2 VULNERABILITY OVERVIEW

3.2.1 MISSING IMMUTABLE ROOT OF TRUST IN HARDWARE CWE-1326

The affected devices do not contain an Immutable Root of Trust in the M0 Hardware. An attacker with physical access to the device could use this to execute arbitrary code.

CVE-2025-31929 has been assigned to this vulnerability. A CVSS v3.1 base score of 4.2 has been calculated; the CVSS vector string is (CVSS:3.1/AV:P/AC:H/PR:N/UI:N/S:U/C:N/I:H/A:N).

A CVSS v4 score has also been calculated for CVE-2025-31929. A base score of 4.1 has been calculated; the CVSS vector string is (CVSS:4.0/AV:P/AC:H/AT:N/PR:N/UI:N/VC:N/VI:H/VA:N/SC:N/SI:N/SA:N).

3.2.2 INITIALIZATION OF A RESOURCE WITH AN INSECURE DEFAULT CWE-1188

The affected devices contain the Modbus service enabled by default. This could allow an attacker connected to the same network to remotely control the EV charger.

CVE-2025-31930 has been assigned to this vulnerability. A CVSS v3.1 base score of 8.8 has been calculated; the CVSS vector string is (CVSS:3.1/AV:A/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H).

A CVSS v4 score has also been calculated for CVE-2025-31930. A base score of 8.7 has been calculated; the CVSS vector string is (CVSS:4.0/AV:A/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:L/SI:N/SA:N).

3.3 BACKGROUND

  • CRITICAL INFRASTRUCTURE SECTORS: Energy
  • COUNTRIES/AREAS DEPLOYED: Worldwide
  • COMPANY HEADQUARTERS LOCATION: Germany

3.4 RESEARCHER

Siemens reported these vulnerabilities to CISA.

4. MITIGATIONS

Siemens has identified the following specific workarounds and mitigations users can apply to reduce risk:

  • (CVE-2025-31929) IEC 1Ph 7.4kW Child socket (8EM1310-2EH04-0GA0), IEC 1Ph 7.4kW Child socket/ shutter (8EM1310-2EN04-0GA0), IEC 1Ph 7.4kW Parent cable 7m (8EM1310-2EJ04-3GA1), IEC 1Ph 7.4kW Parent cable 7m incl. SIM (8EM1310-2EJ04-3GA2), IEC 1Ph 7.4kW Parent socket (8EM1310-2EH04-3GA1), IEC 1Ph 7.4kW Parent socket incl. SIM (8EM1310-2EH04-3GA2), IEC 1Ph 7.4kW Parent socket/ shutter (8EM1310-2EN04-3GA1), IEC 1Ph 7.4kW Parent socket/ shutter SIM (8EM1310-2EN04-3GA2), IEC 3Ph 22kW Child cable 7m (8EM1310-3EJ04-0GA0), IEC 3Ph 22kW Child socket (8EM1310-3EH04-0GA0), IEC 3Ph 22kW Child socket/ shutter (8EM1310-3EN04-0GA0), IEC 3Ph 22kW Parent cable 7m (8EM1310-3EJ04-3GA1), IEC 3Ph 22kW Parent cable 7m incl. SIM (8EM1310-3EJ04-3GA2), IEC 3Ph 22kW Parent socket (8EM1310-3EH04-3GA1), IEC 3Ph 22kW Parent socket incl. SIM (8EM1310-3EH04-3GA2), IEC 3Ph 22kW Parent socket/ shutter (8EM1310-3EN04-3GA1), IEC 3Ph 22kW Parent socket/ shutter SIM (8EM1310-3EN04-3GA2), IEC ERK 3Ph 22 kW Child cable 7m (8EM1310-3FJ04-0GA0), IEC ERK 3Ph 22 kW Child cable 7m (8EM1310-3FJ04-0GA1), IEC ERK 3Ph 22 kW Child cable 7m (8EM1310-3FJ04-0GA2), IEC ERK 3Ph 22 kW Child socket (8EM1310-3FH04-0GA0), IEC ERK 3Ph 22 kW Parent socket (8EM1310-3FH04-3GA1), IEC ERK 3Ph 22 kW Parent socket incl. SI (8EM1310-3FH04-3GA2), UL Commercial Cellular 48A NTEP (8EM1310-5HF14-1GA2), UL Commercial Child 40A w/ 15118 HW (8EM1310-4CF14-0GA0), UL Commercial Child 48A BA Compliant (8EM1315-5CG14-0GA0), UL Commercial Child 48A w/ 15118 HW (8EM1310-5CF14-0GA0), UL Commercial Parent 40A with Simcard (8EM1310-4CF14-1GA2), UL Commercial Parent 48A (USPS) (8EM1317-5CG14-1GA2), UL Commercial Parent 48A BA Compliant (8EM1315-5CG14-1GA2), UL Commercial Parent 48A with Simcard BA (8EM1310-5CF14-1GA2), UL Commercial Parent 48A, 15118, 25ft (8EM1310-5CG14-1GA1), UL Commercial Parent 48A, 15118, 25ft (8EM1314-5CG14-2FA2), UL Commercial Parent 48A, 15118, 25ft (8EM1315-5HG14-1GA2), UL Commercial Parent 48A,15118 25ft Sim (8EM1310-5CG14-1GA2), UL Resi High End 40A w/15118 Hw (8EM1312-4CF18-0FA3), UL Resi High End 48A w/15118 Hw (8EM1312-5CF18-0FA3), VersiCharge Blue™ 80A AC Cellular (8EM1315-7BG16-1FH2): Currently no fix is planned
  • (CVE-2025-31930) IEC 1Ph 7.4kW Child socket (8EM1310-2EH04-0GA0), IEC 1Ph 7.4kW Child socket/ shutter (8EM1310-2EN04-0GA0), IEC 1Ph 7.4kW Parent cable 7m (8EM1310-2EJ04-3GA1), IEC 1Ph 7.4kW Parent cable 7m incl. SIM (8EM1310-2EJ04-3GA2), IEC 1Ph 7.4kW Parent socket (8EM1310-2EH04-3GA1), IEC 1Ph 7.4kW Parent socket incl. SIM (8EM1310-2EH04-3GA2), IEC 1Ph 7.4kW Parent socket/ shutter (8EM1310-2EN04-3GA1), IEC 1Ph 7.4kW Parent socket/ shutter SIM (8EM1310-2EN04-3GA2), IEC 3Ph 22kW Child cable 7m (8EM1310-3EJ04-0GA0), IEC 3Ph 22kW Child socket (8EM1310-3EH04-0GA0), IEC 3Ph 22kW Child socket/ shutter (8EM1310-3EN04-0GA0), IEC 3Ph 22kW Parent cable 7m (8EM1310-3EJ04-3GA1), IEC 3Ph 22kW Parent cable 7m incl. SIM (8EM1310-3EJ04-3GA2), IEC 3Ph 22kW Parent socket (8EM1310-3EH04-3GA1), IEC 3Ph 22kW Parent socket incl. SIM (8EM1310-3EH04-3GA2), IEC 3Ph 22kW Parent socket/ shutter (8EM1310-3EN04-3GA1), IEC 3Ph 22kW Parent socket/ shutter SIM (8EM1310-3EN04-3GA2), IEC ERK 3Ph 22 kW Child cable 7m (8EM1310-3FJ04-0GA0), IEC ERK 3Ph 22 kW Child cable 7m (8EM1310-3FJ04-0GA1), IEC ERK 3Ph 22 kW Child cable 7m (8EM1310-3FJ04-0GA2), IEC ERK 3Ph 22 kW Child socket (8EM1310-3FH04-0GA0), IEC ERK 3Ph 22 kW Parent socket (8EM1310-3FH04-3GA1), IEC ERK 3Ph 22 kW Parent socket incl. SI (8EM1310-3FH04-3GA2), UL Commercial Cellular 48A NTEP (8EM1310-5HF14-1GA2), UL Commercial Child 40A w/ 15118 HW (8EM1310-4CF14-0GA0), UL Commercial Child 48A BA Compliant (8EM1315-5CG14-0GA0), UL Commercial Child 48A w/ 15118 HW (8EM1310-5CF14-0GA0), UL Commercial Parent 40A with Simcard (8EM1310-4CF14-1GA2), UL Commercial Parent 48A (USPS) (8EM1317-5CG14-1GA2), UL Commercial Parent 48A BA Compliant (8EM1315-5CG14-1GA2), UL Commercial Parent 48A with Simcard BA (8EM1310-5CF14-1GA2), UL Commercial Parent 48A, 15118, 25ft (8EM1310-5CG14-1GA1), UL Commercial Parent 48A, 15118, 25ft (8EM1314-5CG14-2FA2), UL Commercial Parent 48A, 15118, 25ft (8EM1315-5HG14-1GA2), UL Commercial Parent 48A,15118 25ft Sim (8EM1310-5CG14-1GA2), VersiCharge Blue™ 80A AC Cellular (8EM1315-7BG16-1FH2): Update to V2.135 or later version. The latest version will be pushed to the device OTA if the charger is completely commissioned and connected to Siemens Device Management. Contact Siemens Customer Service for further assistance or troubleshooting.

As a general security measure, Siemens recommends protecting network access to devices with appropriate mechanisms. To operate the devices in a protected IT environment, Siemens recommends configuring the environment according to Siemens’ operational guidelines for industrial security and following recommendations in the product manuals.

Additional information on industrial security by Siemens can be found on the Siemens industrial security webpage

For more information see the associated Siemens security advisory SSA-556937 in HTML and CSAF.

CISA recommends users take defensive measures to minimize the risk of exploitation of these vulnerabilities, such as:

  • Minimize network exposure for all control system devices and/or systems, ensuring they are not accessible from the internet.
  • Locate control system networks and remote devices behind firewalls and isolating them from business networks.
  • When remote access is required, use more secure methods, such as Virtual Private Networks (VPNs). Recognize VPNs may have vulnerabilities, should be updated to the most recent version available, and are only as secure as the connected devices.

CISA reminds organizations to perform proper impact analysis and risk assessment prior to deploying defensive measures.

CISA also provides a section for control systems security recommended practices on the ICS webpage on cisa.gov. Several CISA products detailing cyber defense best practices are available for reading and download, including Improving Industrial Control Systems Cybersecurity with Defense-in-Depth Strategies.

CISA encourages organizations to implement recommended cybersecurity strategies for proactive defense of ICS assets.

Additional mitigation guidance and recommended practices are publicly available on the ICS webpage at cisa.gov in the technical information paper, ICS-TIP-12-146-01B–Targeted Cyber Intrusion Detection and Mitigation Strategies.

Organizations observing suspected malicious activity should follow established internal procedures and report findings to CISA for tracking and correlation against other incidents.

CISA also recommends users take the following measures to protect themselves from social engineering attacks:

No known public exploitation specifically targeting these vulnerabilities has been reported to CISA at this time. These vulnerabilities are not exploitable remotely.

5. UPDATE HISTORY

May 15, 2025: Initial Republication of Siemens Advisory SSA-556937

Siemens Mendix OIDC SSO

As of January 10, 2023, CISA will no longer be updating ICS security advisories for Siemens product vulnerabilities beyond the initial advisory. For the most up-to-date information on vulnerabilities in this advisory, please see Siemens’ ProductCERT Security Advisories (CERT Services | Services | Siemens Global).

View CSAF

1. EXECUTIVE SUMMARY

  • CVSS v4 2.1
  • ATTENTION: Exploitable remotely
  • Vendor: Siemens
  • Equipment: Mendix OIDC SSO
  • Vulnerability: Incorrect Privilege Assignment

2. RISK EVALUATION

Successful exploitation of this vulnerability could allow an attacker to modify the system and gain administrator read/write privileges.

3. TECHNICAL DETAILS

3.1 AFFECTED PRODUCTS

Siemens reports the following products are affected:

  • Siemens Mendix OIDC SSO (Mendix 9 compatible): All versions
  • Siemens Mendix OIDC SSO (Mendix 10 compatible): All versions before V4.0.0

3.2 VULNERABILITY OVERVIEW

3.2.1 INCORRECT PRIVILEGE ASSIGNMENT CWE-266

The Mendix OIDC SSO module grants read and write access to all tokens exclusively to the Administrator role, which could result in privilege misuse by an adversary modifying the module during Mendix development.

CVE-2025-40571 has been assigned to this vulnerability. A CVSS v3.1 base score of 2.2 has been calculated; the CVSS vector string is (CVSS:3.1/AV:N/AC:H/PR:H/UI:N/S:U/C:L/I:N/A:N).

A CVSS v4 score has also been calculated for CVE-2025-40571. A base score of 2.1 has been calculated; the CVSS vector string is (CVSS:4.0/AV:N/AC:H/AT:N/PR:H/UI:N/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N).

3.3 BACKGROUND

  • CRITICAL INFRASTRUCTURE SECTORS: Critical Manufacturing, Energy, Financial Services, Healthcare and Public Health, Transportation Systems
  • COUNTRIES/AREAS DEPLOYED: Worldwide
  • COMPANY HEADQUARTERS LOCATION: Germany

3.4 RESEARCHER

Siemens ProductCERT reported this vulnerability to CISA.

4. MITIGATIONS

Siemens has identified the following specific workarounds and mitigations users can apply to reduce risk:

  • All affected products: The default configuration of the OIDC.Token entity is set to restrict read/write access only to the administrator role. If this setting is not restrictive enough, the option arises to change the access rule of the specific entity, or to create a different user role to handle different administrative tasks.
  • Mendix OIDC SSO (Mendix 9 compatible): Currently no fix is available.
  • Mendix OIDC SSO (Mendix 10 compatible): Update to V4.0.0 or a later version.

As a general security measure, Siemens recommends protecting network access to devices with appropriate mechanisms. To operate the devices in a protected IT environment, Siemens recommends configuring the environment according to Siemens’ operational guidelines for industrial security and following recommendations in the product manuals.

Additional information on industrial security by Siemens can be found on the Siemens industrial security webpage

For more information see the associated Siemens security advisory SSA-726617 in HTML and CSAF.

CISA recommends users take defensive measures to minimize the risk of exploitation of this vulnerability, such as:

  • Minimize network exposure for all control system devices and/or systems, ensuring they are not accessible from the Internet.
  • Locate control system networks and remote devices behind firewalls and isolating them from business networks.
  • When remote access is required, use more secure methods, such as Virtual Private Networks (VPNs). Recognize VPNs may have vulnerabilities, should be updated to the most recent version available, and are only as secure as the connected devices.

CISA reminds organizations to perform proper impact analysis and risk assessment prior to deploying defensive measures.

CISA also provides a section for control systems security recommended practices on the ICS webpage on cisa.gov. Several CISA products detailing cyber defense best practices are available for reading and download, including Improving Industrial Control Systems Cybersecurity with Defense-in-Depth Strategies.

CISA encourages organizations to implement recommended cybersecurity strategies for proactive defense of ICS assets.

Additional mitigation guidance and recommended practices are publicly available on the ICS webpage at cisa.gov in the technical information paper, ICS-TIP-12-146-01B–Targeted Cyber Intrusion Detection and Mitigation Strategies.

Organizations observing suspected malicious activity should follow established internal procedures and report findings to CISA for tracking and correlation against other incidents.

No known public exploitation specifically targeting this vulnerability has been reported to CISA at this time. This vulnerability has a high attack complexity.

5. UPDATE HISTORY

May 15, 2025: Initial Republication of Siemens ProductCERT SSA-726617

Siemens SIRIUS 3SK2 Safety Relays and 3RK3 Modular Safety Systems

As of January 10, 2023, CISA will no longer be updating ICS security advisories for Siemens product vulnerabilities beyond the initial advisory. For the most up-to-date information on vulnerabilities in this advisory, please see Siemens’ ProductCERT Security Advisories (CERT Services | Services | Siemens Global).

View CSAF

1. EXECUTIVE SUMMARY

  • CVSS v4 8.7
  • ATTENTION: Exploitable remotely/low attack complexity
  • Vendor: Siemens
  • Equipment: SIRIUS 3RK3 Modular Safety System (MSS), SIRIUS Safety Relays 3SK2
  • Vulnerabilities: Use of a Broken or Risky Cryptographic Algorithm, Missing Encryption of Sensitive Data, Incorrect Permission Assignment for Critical Resource

2. RISK EVALUATION

Successful exploitation of these vulnerabilities could allow an attacker to retrieve and de-obfuscate safety password, eavesdrop connections, or retrieve sensitive information from certain data records.

3. TECHNICAL DETAILS

3.1 AFFECTED PRODUCTS

Siemens reports that the following products are affected:

  • SIRIUS 3RK3 Modular Safety System (MSS): All versions
  • SIRIUS Safety Relays 3SK2: All versions

3.2 VULNERABILITY OVERVIEW

3.2.1 USE OF A BROKEN OR RISKY CRYPTOGRAPHIC ALGORITHM CWE-327

Affected devices only provide weak password obfuscation. An attacker with network access could retrieve and de-obfuscate the safety password used for protection against inadvertent operating errors.

CVE-2025-24007 has been assigned to this vulnerability. A CVSS v3.1 base score of 7.5 has been calculated; the CVSS vector string is (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N).

A CVSS v4 score has also been calculated for CVE-2025-24007. A base score of 8.7 has been calculated; the CVSS vector string is (CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N).

3.2.2 MISSING ENCRYPTION OF SENSITIVE DATA CWE-311

The affected devices do not encrypt data in transit. An attacker with network access could eavesdrop the connection and retrieve sensitive information, including obfuscated safety passwords.

CVE-2025-24008 has been assigned to this vulnerability. A CVSS v3.1 base score of 6.5 has been calculated; the CVSS vector string is (CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:N/A:N).

A CVSS v4 score has also been calculated for CVE-2025-24008. A base score of 8.7 has been calculated; the CVSS vector string is (CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N).

3.2.3 INCORRECT PERMISSION ASSIGNMENT FOR CRITICAL RESOURCE CWE-732

The affected devices do not require authentication to access critical resources. An attacker with network access could retrieve sensitive information from certain data records, including obfuscated safety passwords.

CVE-2025-24009 has been assigned to this vulnerability. A CVSS v3.1 base score of 5.9 has been calculated; the CVSS vector string is (CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:N/A:N).

A CVSS v4 score has also been calculated for CVE-2025-24009. A base score of 8.2 has been calculated; the CVSS vector string is (CVSS:4.0/AV:N/AC:H/AT:N/PR:N/UI:N/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N).

3.3 BACKGROUND

  • CRITICAL INFRASTRUCTURE SECTORS: Critical Manufacturing
  • COUNTRIES/AREAS DEPLOYED: Worldwide
  • COMPANY HEADQUARTERS LOCATION: Germany

3.4 RESEARCHER

Nikolai Puch, Johanna Latzel, and Ferdinand Jarisch from Fraunhofer AISEC reported these vulnerabilities to Siemens.

4. MITIGATIONS

Siemens is preparing fixed versions and recommends countermeasures for products where fixes are not, or not yet available:

  • SIRIUS 3RK3 Modular Safety System (MSS): Currently no fix is planned.
  • SIRIUS Safety Relays 3SK2: Currently no fix is available.

Siemens has identified the following specific workarounds and mitigations users can apply to reduce risk:

  • Limit physical access to affected devices to trusted personnel.
  • Ensure network isolation of the PROFINET interface to prevent access from unauthorized systems.

As a general security measure, Siemens recommends protecting network access to devices with appropriate mechanisms. To operate the devices in a protected IT environment, Siemens recommends configuring the environment according to Siemens’ operational guidelines for industrial security and following recommendations in the product manuals.

Additional information on industrial security by Siemens can be found on the Siemens industrial security webpage

For more information see the associated Siemens security advisory SSA-222768 in HTML and CSAF.

CISA recommends users take defensive measures to minimize the risk of exploitation of these vulnerabilities. CISA reminds organizations to perform proper impact analysis and risk assessment prior to deploying defensive measures.

CISA also provides a section for control systems security recommended practices on the ICS webpage on cisa.gov. Several CISA products detailing cyber defense best practices are available for reading and download, including Improving Industrial Control Systems Cybersecurity with Defense-in-Depth Strategies.

CISA encourages organizations to implement recommended cybersecurity strategies for proactive defense of ICS assets.

Additional mitigation guidance and recommended practices are publicly available on the ICS webpage at cisa.gov in the technical information paper, ICS-TIP-12-146-01B–Targeted Cyber Intrusion Detection and Mitigation Strategies.

Organizations observing suspected malicious activity should follow established internal procedures and report findings to CISA for tracking and correlation against other incidents.

No known public exploitation specifically targeting these vulnerabilities has been reported to CISA at this time.

5. UPDATE HISTORY

  • May 15, 2025: Initial Republication of Siemens ProductCERT SSA-222768