PatchSiren

PatchSiren cyber security CVE debrief

CVE-2025-40594 Siemens CVE debrief

A privilege escalation vulnerability in Siemens SINAMICS industrial drives allows unauthorized factory reset execution and configuration manipulation due to improper privilege management and leaked session privileges. The flaw affects SINAMICS G220 V6.4, S200 V6.4, and S210 V6.4 drive systems commonly deployed in manufacturing and critical infrastructure environments. An attacker with local access can exploit missing authorization checks to trigger factory resets without proper credentials and manipulate device configuration data using residual privileges from previous sessions. The vulnerability carries a CVSS 3.1 score of 6.3 (Medium severity) with a vector of AV:L/AC:H/PR:N/UI:R/S:C/C:N/I:H/A:L, indicating local attack vector, high attack complexity, no privileges required, user interaction needed, scope change, no confidentiality impact, high integrity impact, and low availability impact. Siemens released hotfixes in February and March 2026, with final remediation requiring updates to V6.4 HF2 or later for G220 and S210 models, and V6.4 HF7 or later for S200 models. CISA published initial guidance on September 9, 2025, with multiple republications through March 12, 2026 as fix versions became available. Organizations should prioritize patching during maintenance windows and implement network segmentation for affected drive systems pending remediation.

Vendor
Siemens
Product
SINAMICS G220 V6.4
CVSS
MEDIUM 6.3
CISA KEV
Not listed in stored evidence
Original CVE published
2025-09-09
Original CVE updated
2026-03-12
Advisory published
2025-09-09
Advisory updated
2026-03-12

Who should care

Industrial control system operators, manufacturing security teams, critical infrastructure asset owners, OT security engineers, and Siemens SINAMICS drive administrators in sectors including automotive manufacturing, material handling, packaging machinery, and process industries where these drives are deployed for motion control applications.

Technical summary

The vulnerability stems from two related weaknesses in SINAMICS drive firmware: improper privilege management that permits factory reset operations without proper authorization checks, and insufficient session privilege cleanup that allows manipulation of configuration data using leaked privileges from previous sessions. The attack requires local network access to the device management interface and user interaction, with high complexity due to the need to exploit residual session state. Successful exploitation enables an unauthorized attacker to escalate privileges by resetting the device to factory defaults (potentially gaining administrative access) or modifying critical drive configuration parameters that could affect industrial process safety and reliability. The scope change (S:C) in the CVSS vector indicates the vulnerable component impacts resources beyond its security scope, reflecting potential downstream effects on connected industrial processes.

Defensive priority

medium

Recommended defensive actions

  • Apply vendor patches: Update SINAMICS G220 V6.4 and S210 V6.4 to V6.4 HF2 or later; update SINAMICS S200 V6.4 to V6.4 HF7 or later
  • Implement network segmentation to restrict access to SINAMICS drive management interfaces
  • Monitor for unauthorized factory reset attempts and configuration changes in device logs
  • Review and enforce principle of least privilege for all user accounts with drive system access
  • Review session timeout settings to minimize the window in which leaked session privileges could be exploited

Evidence notes

Vulnerability description and affected products confirmed through CISA CSAF advisory ICSA-25-254-03. CVSS vector and remediation details sourced from Siemens ProductCERT advisory SSA-027652. Timeline of republications and fix version availability documented in CISA revision history.

Official resources

2025-09-09