CVE-2025-40580 Siemens CVE debrief

Who should care

Industrial control system operators, plant engineers, network administrators, and security teams responsible for Siemens SCALANCE LPE9403 devices in operational environments.

Technical summary

The CSAF advisory for CVE-2025-40580 identifies a stack-based buffer overflow in the Siemens SCALANCE LPE9403 product family. The stated impact is local attack execution by a non-privileged attacker, with possible arbitrary code execution or denial of service. The supplied CVSS vector is CVSS:3.1/AV:L/AC:H/PR:L/UI:R/S:U/C:H/I:H/A:H, which aligns with a medium severity assessment. The source advisory also records that no fix is currently available.

Defensive priority

Medium. The issue is serious because it may permit code execution or device outage, but the attack requires local access and other conditions reflected in the CVSS vector. Prioritize if the device is reachable by untrusted users or shared in a plant network.

Recommended defensive actions

• Restrict device access to authorized and trusted personnel only, as recommended in the advisory.
• Limit local access paths, shared accounts, and maintenance interfaces that could expose the device to non-privileged users.
• Review network and physical access controls around SCALANCE LPE9403 deployments.
• Monitor Siemens and CISA advisory pages for a vendor fix or updated mitigation guidance.
• Apply general ICS defense-in-depth practices from CISA resources while no patch is available.

Evidence notes

All material facts in this debrief come from the supplied CISA CSAF advisory and its referenced Siemens/CISA links. The advisory states the affected product, vulnerability type, impact, no-fix status, and mitigation. The publication date used here is the CVE/advisory publication date of 2025-05-13, not any later processing date.

Official resources