PatchSiren cyber security CVE debrief
CVE-2025-40585 Siemens CVE debrief
CVE-2025-40585 is a critical Siemens Energy Services issue affecting solutions using G5DFR. According to the CISA CSAF advisory, default credentials are present in affected solutions, which could allow an attacker to gain control of the G5DFR component and tamper with outputs from the device. Siemens’ remediation directs administrators to change the default usernames, passwords, and permission levels through the G5DFR web interface and to contact customer support for help.
- Vendor
- Siemens
- Product
- Energy Services
- CVSS
- CRITICAL 9.9
- CISA KEV
- Not listed in stored evidence
- Original CVE published
- 2025-06-10
- Original CVE updated
- 2025-06-10
- Advisory published
- 2025-06-10
- Advisory updated
- 2025-06-10
Who should care
OT/ICS operators, engineers, and administrators responsible for Siemens Energy Services deployments that use the G5DFR component, especially any environment where the device interface may still use factory-default credentials or weak access controls.
Technical summary
The advisory describes a credential-security weakness rather than a software flaw in code logic: affected solutions using G5DFR contain default credentials. With network access and no user interaction required, an attacker could gain control of the component and alter device outputs. The supplied CVSS vector (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:L/I:H/A:L) reflects network reachability, low attack complexity, no privileges, and high integrity impact.
Defensive priority
Immediate. The published severity is critical (CVSS 9.9), and the issue directly affects control integrity in an industrial context. Prioritize credential replacement and access review before normal maintenance work.
Recommended defensive actions
- Use the G5DFR web interface to change all default usernames, passwords, and permission levels as directed by Siemens.
- Verify that no affected G5DFR instance remains reachable with factory-default credentials.
- Restrict network access to the G5DFR management interface to only authorized administrative hosts.
- Review device outputs and configuration history for signs of unauthorized tampering.
- Contact Siemens customer support if you need assistance applying the remediation or confirming affected product scope.
- Apply ICS defense-in-depth and recommended-practices guidance from CISA for layered protection of industrial systems.
Evidence notes
All substantive claims come from the supplied CISA CSAF source item and its referenced Siemens advisory. The source states: 'Affected solutions using G5DFR contain default credentials. This could allow an attacker to gain control of G5DFR component and tamper with outputs from the device.' The remediation in the same source says to change default usernames, passwords, and permission levels via the G5DFR web interface and contact customer support for assistance. Published and modified dates are both 2025-06-10 in the provided corpus.
Official resources
-
CVE-2025-40585 CVE record
CVE.org
-
CVE-2025-40585 NVD detail
NVD
-
Source item URL
cisa_csaf
-
Source reference
Reference
-
Source reference
Reference
-
Source reference
Reference
-
Source reference
Reference
-
Source reference
Reference
-
Source reference
Reference
-
Source reference
Reference
Published by CISA and Siemens on 2025-06-10; the supplied record shows no later modification date in the source corpus.