PatchSiren cyber security CVE debrief
CVE-2025-23403 Siemens CVE debrief
CVE-2025-23403 affects Siemens SIMATIC IPC DiagBase and SIMATIC IPC DiagMonitor. An authenticated attacker with local access could abuse overly broad registry-key permissions to load vulnerable drivers, potentially escalating privileges or bypassing endpoint protection and other security controls.
- Vendor
- Siemens
- Product
- SIMATIC IPC DiagBase
- CVSS
- HIGH 7
- CISA KEV
- Not listed in stored evidence
- Original CVE published
- 2025-02-11
- Original CVE updated
- 2025-04-08
- Advisory published
- 2025-02-11
- Advisory updated
- 2025-04-08
Who should care
OT/ICS operators, Siemens SIMATIC IPC administrators, Windows endpoint/security teams, and asset owners responsible for systems running SIMATIC IPC DiagBase or SIMATIC IPC DiagMonitor.
Technical summary
The advisory states that the affected device does not properly restrict user permissions for a registry key. In the documented impact, an authenticated attacker could use that weakness to load vulnerable drivers into the system, leading to privilege escalation or bypass of endpoint protection and similar security measures. The supplied CVSS vector reflects local access, low privileges, high attack complexity, no user interaction, and high impact.
Defensive priority
High for exposed Siemens IPC environments, especially where local authenticated users or service accounts exist. The issue is not remote, but the impact is severe and Siemens lists no fix planned, so compensating controls and registry hardening should be prioritized.
Recommended defensive actions
- Apply Siemens’ mitigation to remove the user privilege by modifying the registry manually or by running the provided script.
- Consult the Siemens FAQ/support document referenced in the advisory before making registry changes.
- Inventory all systems running SIMATIC IPC DiagBase and SIMATIC IPC DiagMonitor to confirm exposure.
- Restrict and review local authenticated access on affected hosts, including service accounts and admin delegation.
- Monitor for unexpected driver-loading activity and registry-permission changes on affected devices.
- Follow Siemens and CISA industrial-control-system defensive guidance to reduce the impact of local privilege escalation paths.
- Plan for compensating controls because the advisory states that no fix is currently planned.
Evidence notes
The debrief is based on the supplied Siemens/CISA CSAF advisory for ICSA-25-044-12. The source advisory was published on 2025-02-11 and later modified on 2025-04-08; the modified date reflects an acknowledgment update, not a new vulnerability disclosure. The advisory explicitly lists the affected products, the registry-permission weakness, the local authenticated attack scenario, the mitigation, and the statement that no fix is planned.
Official resources
-
CVE-2025-23403 CVE record
CVE.org
-
CVE-2025-23403 NVD detail
NVD
-
Source item URL
cisa_csaf
-
Source reference
Reference
-
Source reference
Reference
-
Source reference
Reference
-
Source reference
Reference
-
Source reference
Reference
-
Source reference
Reference
-
Source reference
Reference
Publicly disclosed by Siemens and CISA in advisory ICSA-25-044-12 on 2025-02-11; the advisory record was modified on 2025-04-08 to add an acknowledgment.