PatchSiren

PatchSiren cyber security CVE debrief

CVE-2025-40572 Siemens CVE debrief

CVE-2025-40572 affects Siemens SCALANCE LPE9403 and was published on 2025-05-13. The issue is an improper assignment of permissions to critical resources that could let a non-privileged local attacker access sensitive information stored on the device. The advisory classifies the issue as medium severity and notes that no fix was available at publication, with mitigation focused on restricting access to authorized and trusted personnel.

Vendor: Siemens
Product: SCALANCE LPE9403 (6GK5998-3GS00-2AC2)
CVSS: MEDIUM 5.5
CISA KEV: Not listed in stored evidence
Original CVE published: 2025-05-13
Original CVE updated: 2025-05-13
Advisory published: 2025-05-13
Advisory updated: 2025-05-13

Who should care

OT/ICS operators, Siemens SCALANCE LPE9403 administrators, site reliability teams managing industrial network equipment, and defenders responsible for local access control on affected devices.

Technical summary

According to the CISA CSAF advisory and Siemens references, affected SCALANCE LPE9403 devices do not properly assign permissions to critical resources. The resulting exposure is local and requires a non-privileged attacker with local access. The stated impact is confidentiality-only: sensitive information stored on the device may be accessed, while integrity and availability impacts are not described in the source. The provided CVSS vector is CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N, which aligns with a local, low-privilege disclosure issue.

Defensive priority

Medium. The CVSS score is 5.5, but the lack of an available fix at publication and the potential exposure of sensitive device data make this worth prompt operational attention in environments where local access cannot be tightly controlled.

Recommended defensive actions

  • Restrict physical and local access to authorized and trusted personnel only, as stated in the advisory.
  • Review who can log in to or otherwise interact locally with the affected SCALANCE LPE9403 devices.
  • Apply Siemens and CISA advisory guidance as it becomes available, since the source states no fix was available at publication.
  • Treat device-local credential, configuration, and other sensitive data on affected units as potentially exposed if unauthorized local access is possible.
  • Follow CISA ICS recommended practices and defense-in-depth guidance for access control and segmentation.

Evidence notes

The source corpus consistently identifies Siemens SCALANCE LPE9403 (6GK5998-3GS00-2AC2) as the affected product. The advisory description states that permissions to critical resources are not properly assigned and that a non-privileged local attacker could access sensitive information stored on the device. The remediation section says to restrict access to authorized and trusted personnel and also states that no fix is currently available. The supplied CVSS vector is AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N, published and modified on 2025-05-13.

Official resources

Publicly disclosed by CISA and Siemens on 2025-05-13; no fix was available at publication, and the advisory recommends restricting access to authorized and trusted personnel.