PatchSiren cyber security CVE debrief

CVE-2025-40574 Siemens CVE debrief

CVE-2025-40574 is a high-severity local authorization issue affecting Siemens SCALANCE LPE9403 (6GK5998-3GS00-2AC2). According to the CISA/Siemens advisory, affected devices do not properly assign permissions to critical resources, which could let a non-privileged local attacker interact with the backupmanager service. The advisory states that no fix was available at publication, so risk reduction depends on access restriction and other defensive controls.

Vendor: Siemens
Product: SCALANCE LPE9403 (6GK5998-3GS00-2AC2)
CVSS: HIGH 7.8
CISA KEV: Not listed in stored evidence
Original CVE published: 2025-05-13
Original CVE updated: 2025-05-13
Advisory published: 2025-05-13
Advisory updated: 2025-05-13

Who should care

OT operators, industrial network administrators, Siemens SCALANCE LPE9403 owners, and incident responders responsible for on-premises device access control and hardening.

Technical summary

The source advisory describes a permissions/authorization weakness on Siemens SCALANCE LPE9403. The attack vector is local, with low privileges and no user interaction required (CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H). The affected component named in the advisory is the backupmanager service. Because the advisory says no fix is currently available, exposure should be reduced through strict local-access controls and OT defense-in-depth measures.

Defensive priority

High. The CVSS score is 7.8, the attacker only needs local low-privilege access, and the advisory indicates no patch was available at publication.

Recommended defensive actions

  • Restrict access to SCALANCE LPE9403 devices to authorized and trusted personnel only, as recommended in the advisory.
  • Review and minimize who can obtain local or administrative access to affected devices; remove unnecessary access paths where possible.
  • Apply OT defense-in-depth controls such as segmentation and least-privilege administration, using CISA ICS recommended practices.
  • Track Siemens and CISA advisory updates for any future fix or revised mitigation guidance and plan remediation when available.

Evidence notes

This debrief is based only on the supplied CISA CSAF advisory ICSA-25-135-18 and the linked Siemens/CISA references. The source explicitly identifies Siemens SCALANCE LPE9403 as the affected product, describes the issue as improper assignment of permissions to critical resources, names backupmanager as the service a non-privileged local attacker could interact with, and states that no fix was available at publication. The published and modified dates supplied for the CVE and source are both 2025-05-13.

Official resources

CISA published the advisory for CVE-2025-40574 on 2025-05-13 as ICSA-25-135-18. The supplied enrichment does not mark this CVE as a CISA Known Exploited Vulnerability, and the source notes that no fix was available at the time of disclosure.