PatchSiren cyber security CVE debrief
CVE-2025-27395 Siemens CVE debrief
CVE-2025-27395 is a high-severity issue in Siemens SCALANCE LPE9403 (6GK5998-3GS00-2AC2) affecting SFTP access controls. According to the CISA CSAF advisory, affected devices do not properly limit the scope of files accessible through SFTP or the privileges associated with that functionality. In practical terms, an authenticated remote attacker with high privileges could read and write arbitrary files on the device. Siemens and CISA list a vendor fix: update to V4.0 or later.
- Vendor: Siemens
- Product: SCALANCE LPE9403 (6GK5998-3GS00-2AC2)
- CVSS: HIGH 7.2
- CISA KEV: Not listed in stored evidence
- Original CVE published: 2025-03-11
- Original CVE updated: 2025-05-06
- Advisory published: 2025-03-11
- Advisory updated: 2025-05-06
Who should care
Operators and administrators of Siemens SCALANCE LPE9403 devices, especially OT/ICS teams that allow SFTP access for maintenance or file transfer. Security teams responsible for privileged account control, device hardening, and patch management in industrial environments should prioritize review.
Technical summary
The advisory describes an authorization and access-scope failure in the device’s SFTP functionality. The weakness is not a lack of authentication; rather, it affects what an already authenticated, highly privileged remote user can do once connected. The result is potential arbitrary file read/write on the appliance, which raises the risk of configuration tampering, data exposure, or device integrity impact. The published CVSS vector reflects network reachability, low attack complexity, required high privileges, and high impact to confidentiality, integrity, and availability.
Defensive priority
High. The issue requires high privileges, but the impact is broad and the affected product is used in industrial settings where file integrity and device configuration matter. Patch promptly and review any exposed or privileged SFTP usage.
Recommended defensive actions
- Update Siemens SCALANCE LPE9403 to V4.0 or later as directed in the vendor remediation.
- Review which accounts can use SFTP and ensure only strictly necessary privileged users retain access.
- Restrict network reachability to management and file-transfer interfaces to trusted administrative sources only.
- Monitor for unexpected file changes, configuration drift, or suspicious SFTP activity on affected devices.
- Validate backups and recovery procedures so the device can be restored if file tampering occurs.
- Consult the Siemens advisory and CISA ICS guidance for device-specific hardening and industrial network defense practices.
Evidence notes
This debrief is based only on the supplied CISA CSAF record for ICSA-25-072-06 and the linked Siemens advisory references. The advisory text explicitly states that affected devices do not properly limit the scope of files accessible through SFTP and the privileges of the SFTP functionality, enabling an authenticated highly-privileged remote attacker to read and write arbitrary files. The published date used here is 2025-03-11, with a later 2025-05-06 revision noted as typo fixes.
Official resources
- CVE-2025-27395 CVE record (CVE.org)
- CVE-2025-27395 NVD detail (NVD)
- Source item URL (cisa_csaf)
Publicly disclosed on 2025-03-11 via the CISA CSAF advisory ICSA-25-072-06; revised on 2025-05-06 for typo fixes. No Known Exploited Vulnerabilities listing was provided in the supplied data.