PatchSiren cyber security CVE debrief
CVE-2025-40583 Siemens CVE debrief
CVE-2025-40583 is a confidentiality issue affecting Siemens SCALANCE LPE9403 (6GK5998-3GS00-2AC2). The advisory says affected devices transmit sensitive information in cleartext, which could let a privileged local attacker retrieve that information. Siemens and CISA list no fix at the time of publication, so access controls are the primary defense.
- Vendor: Siemens
- Product: SCALANCE LPE9403 (6GK5998-3GS00-2AC2)
- CVSS: MEDIUM 4.4
- CISA KEV: Not listed in stored evidence
- Original CVE published: 2025-05-13
- Original CVE updated: 2025-05-13
- Advisory published: 2025-05-13
- Advisory updated: 2025-05-13
Who should care
OT and industrial control system operators using Siemens SCALANCE LPE9403, especially environments where privileged local access is shared, loosely controlled, or difficult to audit.
Technical summary
The advisory describes cleartext transmission of sensitive information on the affected device. The stated impact is limited to confidentiality: a privileged local attacker may retrieve sensitive information, while integrity and availability are not listed as impacted. The supplied CVSS vector is CVSS:3.1/AV:L/AC:L/PR:H/UI:N/S:U/C:H/I:N/A:N, which aligns with a local attack requiring high privileges.
Defensive priority
Medium priority. The exposure is confidentiality-only and requires privileged local access, but no vendor fix is currently available, so treat it as important wherever local administrative access to the device is not tightly restricted.
Recommended defensive actions
- Restrict device access to authorized and trusted personnel only, as recommended by the advisory.
- Review and tighten privileged local access controls on systems that can reach the SCALANCE LPE9403.
- Limit physical and administrative access to the device and its management environment.
- Follow Siemens and CISA advisory updates for any future remediation or firmware guidance.
- Apply CISA industrial control systems recommended-practices guidance for defense in depth and access control.
Evidence notes
Based on the Siemens/CISA advisory for ICSA-25-135-18, the affected product is Siemens SCALANCE LPE9403 (6GK5998-3GS00-2AC2). The advisory text states that affected devices transmit sensitive information in cleartext and that a privileged local attacker could retrieve it. The remediation section states that no fix is currently available and recommends restricting access to authorized and trusted personnel. Publication date used here is 2025-05-13, matching the supplied CVE and source advisory dates.
Official resources
- CVE-2025-40583 CVE record (CVE.org)
- CVE-2025-40583 NVD detail (NVD)
- Source item URL (cisa_csaf)
- Source reference (Reference)
Publicly disclosed on 2025-05-13 via Siemens advisory SSA-327438 and CISA ICS Advisory ICSA-25-135-18.