PatchSiren

CVE-2025-40736 Siemens CVE debrief

CVE-2025-40736 is a critical vulnerability in Siemens SINEC NMS where an exposed endpoint can be used to modify administrative credentials without authorization. According to the advisory, an unauthenticated attacker could reset the superadmin password and gain full control of the application. Siemens advises updating to V4.0 or later.

Vendor: Siemens
Product: SINEC NMS
CVSS: CRITICAL 9.8
CISA KEV: Not listed in stored evidence
Original CVE published: 2025-07-08
Original CVE updated: 2025-07-08
Advisory published: 2025-07-08
Advisory updated: 2025-07-08

Who should care

Organizations running Siemens SINEC NMS, especially OT/industrial operations teams, platform administrators, and security teams responsible for externally reachable management interfaces or privileged account protection.

Technical summary

The advisory describes a network-reachable issue with no authentication required (CVSS: AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H). The affected application exposes an endpoint that permits unauthorized modification of administrative credentials, enabling password reset of the superadmin account and resulting in full administrative compromise if abused.

Defensive priority

Immediate / urgent. This is a critical, remotely reachable, unauthenticated administrative takeover issue with high confidentiality, integrity, and availability impact.

Recommended defensive actions

  • Update Siemens SINEC NMS to V4.0 or later as directed by Siemens.
  • Restrict network exposure of SINEC NMS management interfaces to trusted administrative networks only.
  • Review privileged account activity for unexpected password changes, logins, or configuration changes.
  • If compromise is suspected, rotate administrative credentials and assess for unauthorized changes across the application and connected systems.
  • Follow CISA and Siemens industrial control system hardening guidance for defense-in-depth and access control.

Evidence notes

The supplied CISA CSAF advisory for ICSA-25-191-01 states that the affected application exposes an endpoint allowing unauthorized modification of administrative credentials and that this could let an unauthenticated attacker reset the superadmin password and gain full control of the application. The provided CVSS vector (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H) supports remote, no-auth, high-impact risk. The only remediation explicitly provided in the source corpus is to update to V4.0 or later.

Official resources

Publicly disclosed on 2025-07-08 via CISA ICS Advisory ICSA-25-191-01 and the Siemens advisory referenced in the supplied source corpus.