PatchSiren cyber security CVE debrief
CVE-2025-40575 Siemens CVE debrief
CVE-2025-40575 is a Siemens SCALANCE LPE9403 issue disclosed on 2025-05-13 in CISA advisory ICSA-25-135-18. The advisory says affected devices do not properly validate incoming Profinet packets, and an unauthenticated attacker on an adjacent network can send a specially crafted packet that crashes the dcpd process. The published CVSS v3.1 vector is AV:A/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L, which aligns with a medium-severity availability impact. At publication, Siemens listed no fix and recommended disabling the Profinet Discovery and Configuration Protocol (DCP) service.
- Vendor: Siemens
- Product: SCALANCE LPE9403 (6GK5998-3GS00-2AC2)
- CVSS: MEDIUM 4.3
- CISA KEV: Not listed in stored evidence
- Original CVE published: 2025-05-13
- Original CVE updated: 2025-05-13
- Advisory published: 2025-05-13
- Advisory updated: 2025-05-13
Who should care
OT/ICS asset owners, Siemens SCALANCE LPE9403 administrators, network and plant engineers, and incident responders responsible for Profinet-enabled environments should review this advisory, especially where adjacent-network traffic can reach the device.
Technical summary
The flaw is an input-validation weakness in handling Profinet packets on Siemens SCALANCE LPE9403 (6GK5998-3GS00-2AC2). According to the advisory, a remote unauthenticated attacker can send a malicious packet that causes the dcpd process to crash. The published CVSS vector indicates attack complexity is low, no privileges or user interaction are required, and the impact is limited to availability. The supplied remediation guidance is mitigation-only: disable the Profinet DCP service because no fix was available at publication.
Defensive priority
Medium; prioritize if the device is operationally important or if Profinet DCP is enabled and reachable from adjacent-network segments.
Recommended defensive actions
- Disable the Profinet Discovery and Configuration Protocol (DCP) service on affected devices, per the vendor guidance.
- Restrict adjacent-network access to SCALANCE LPE9403 devices using segmentation and access controls.
- Inventory all Siemens SCALANCE LPE9403 (6GK5998-3GS00-2AC2) deployments and confirm whether Profinet DCP is in use.
- Monitor for unexpected dcpd crashes or service instability and treat them as potential security events.
- Track Siemens and CISA advisories for a future fix or updated mitigation guidance.
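To support the inventory and segmentation actions above, the following added example (not part of the advisory or of any Siemens tooling) classifies raw Ethernet frames from a mirror-port capture and reports which source MACs send Profinet DCP traffic on a segment. It assumes frames are available as raw bytes; the sample frames and MAC addresses are constructed, and the script only identifies DCP traffic by EtherType and frame ID, not the malformed packet itself, which the advisory does not describe.

```python
import struct
from collections import Counter

ETH_VLAN = 0x8100       # 802.1Q tag
ETH_PROFINET = 0x8892   # PROFINET EtherType
DCP_FRAME_IDS = {       # PROFINET frame IDs reserved for DCP
    0xFEFC: "Hello",
    0xFEFD: "Get/Set",
    0xFEFE: "Identify request",
    0xFEFF: "Identify response",
}

def classify_frame(frame: bytes):
    """Return (src_mac, dcp_kind) for a Profinet DCP frame, else None."""
    if len(frame) < 16:
        return None
    (ethertype,) = struct.unpack_from("!H", frame, 12)
    offset = 14
    if ethertype == ETH_VLAN:            # skip one 802.1Q tag
        if len(frame) < 20:
            return None
        (ethertype,) = struct.unpack_from("!H", frame, 16)
        offset = 18
    if ethertype != ETH_PROFINET:
        return None
    (frame_id,) = struct.unpack_from("!H", frame, offset)
    kind = DCP_FRAME_IDS.get(frame_id)
    if kind is None:                     # cyclic RT data, alarms, etc.
        return None
    src = ":".join(f"{b:02x}" for b in frame[6:12])
    return src, kind

def dcp_talkers(frames):
    """Count DCP frames per (source MAC, DCP kind)."""
    hits = (classify_frame(f) for f in frames)
    return dict(Counter(h for h in hits if h))

# Constructed sample frames (truncated payloads, locally administered MACs).
SAMPLE_FRAMES = [
    bytes.fromhex("010ecf000000" "020000000001" "8892" "fefe" "00000000"),
    bytes.fromhex("020000000010" "020000000002" "8100" "0000" "8892" "fefd" "00000000"),
    bytes.fromhex("020000000010" "020000000003" "8892" "8000" "00000000"),
    bytes.fromhex("020000000010" "020000000004" "0800" "45000000"),
]

if __name__ == "__main__":
    for (mac, kind), n in dcp_talkers(SAMPLE_FRAMES).items():
        print(f"{mac}  {kind}  x{n}")
```

Any source MAC reported on a segment that should not carry DCP toward an affected device is a candidate for tighter segmentation or for confirming that the DCP service is disabled.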
Evidence notes
All substantive claims in this debrief come from the supplied CISA CSAF record for ICSA-25-135-18 and its referenced Siemens advisory links. The source corpus states: affected devices do not properly validate incoming Profinet packets; an unauthenticated remote attacker can trigger a dcpd crash; the affected product is Siemens SCALANCE LPE9403 (6GK5998-3GS00-2AC2); the published mitigation is to disable the Profinet DCP service; and no fix was available at publication. The supplied timeline shows publication and modification on 2025-05-13.
Official resources
- CVE-2025-40575 CVE record (CVE.org)
- CVE-2025-40575 NVD detail (NVD)
- Source item URL (cisa_csaf)
- Source reference (Reference)
Publicly disclosed by CISA and Siemens on 2025-05-13. The supplied advisory indicates mitigation-only guidance at publication, with no vendor fix available at that time.