PatchSiren cyber security CVE debrief
CVE-2025-40759 Siemens CVE debrief
CVE-2025-40759 is a high-severity vulnerability in Siemens TIA Portal ecosystem products, published 2025-08-12 and last modified 2025-12-09. The flaw stems from improper sanitization of stored security properties when parsing project files, enabling type confusion and arbitrary code execution within the affected application context. The attack vector is local, requiring user interaction to open a malicious project file. The vulnerability affects 33 Siemens products across multiple TIA Portal versions (V17-V20), including SIMATIC STEP 7, WinCC, S7-PLCSIM, and various engineering software components. Siemens has released patches for several products, with fixes available for STEP 7 and WinCC V17, V19, and V20, as well as SIMOTION SCOUT TIA V5.6 and TIA Portal Cloud V19-V20. However, SIMATIC S7-PLCSIM V17 has no fix planned, and 23 other products currently have no fix available. CISA and Siemens recommend opening projects only from trusted sources as a mitigation measure.
- Vendor: Siemens
- Product: SIMATIC S7-PLCSIM V17
- CVSS: HIGH 7.8
- CISA KEV: Not listed in stored evidence
- Original CVE published: 2025-08-12
- Original CVE updated: 2025-12-09
- Advisory published: 2025-08-12
- Advisory updated: 2025-12-09
Who should care
Industrial control system engineers, OT security teams, manufacturing organizations using Siemens automation equipment, asset owners with TIA Portal-based engineering environments, and critical infrastructure operators relying on Siemens SIMATIC systems for process control.
Technical summary
The vulnerability exists in the project file parsing logic of Siemens TIA Portal ecosystem products. When parsing stored security properties within project files, affected applications fail to properly sanitize input data, leading to type confusion. This memory safety issue can be exploited to achieve arbitrary code execution within the context of the affected application. The attack requires local access and user interaction, specifically opening a crafted malicious project file. The CVSS 3.1 score of 7.8 reflects high impacts to confidentiality, integrity, and availability, combined with low attack complexity and no required privileges. The broad product scope (33 affected products) indicates this is a shared component vulnerability likely residing in core TIA Portal libraries used across the engineering software suite.
Defensive priority
HIGH
Recommended defensive actions
- Apply vendor patches for supported product versions: STEP 7 and WinCC V17 Update 9+, V19 Update 4+, V20 Update 4+; SIMOTION SCOUT TIA V5.6 SP1 HF7+; TIA Portal Cloud V5.2.1.1+ (V19) or V5.2.2.2+ (V20)
- For products without available fixes, implement strict project file source validation and open only projects from trusted sources
- Review and update asset inventories to identify affected Siemens TIA Portal installations across engineering workstations
- Implement network segmentation for engineering workstations to limit lateral movement if compromise occurs
- Monitor for anomalous process execution or unexpected behavior when opening TIA Portal project files
- Establish change control procedures for project file transfers and version management
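One way to turn the patch levels and inventory review above into a repeatable check, as an added example that is not Siemens or CISA tooling. The shortened product keys, the CSV layout, and the sample hosts are assumptions made for illustration; the fix levels are the ones listed in this debrief.

```python
import csv, io, re

# Fix levels as stated in this debrief; product keys are shortened names (assumption).
UPDATE_FIXES = {(p, v): u for p in ("STEP 7", "WinCC")
                for v, u in (("V17", 9), ("V19", 4), ("V20", 4))}
CLOUD_FIXES = {"V19": (5, 2, 1, 1), "V20": (5, 2, 2, 2)}   # TIA Portal Cloud
SCOUT_FIX = {"V5.6": (1, 7)}                               # SIMOTION SCOUT TIA: SP1 HF7
NO_FIX_PLANNED = {("S7-PLCSIM", "V17")}

def triage(product, line, installed):
    """Classify one install: patched, update, no-fix-planned, no-fix-listed, review."""
    if (product, line) in NO_FIX_PLANNED:
        return "no-fix-planned"
    if (product, line) in UPDATE_FIXES:
        m = re.fullmatch(r"Update\s+(\d+)", installed.strip())
        have, need = (int(m.group(1)) if m else None), UPDATE_FIXES[(product, line)]
    elif product == "TIA Portal Cloud" and line in CLOUD_FIXES:
        m = re.fullmatch(r"V?(\d+(?:\.\d+)+)", installed.strip())
        have = tuple(map(int, m.group(1).split("."))) if m else None
        need = CLOUD_FIXES[line]
    elif product == "SIMOTION SCOUT TIA" and line in SCOUT_FIX:
        m = re.fullmatch(r"SP(\d+)(?:\s+HF(\d+))?", installed.strip())
        have = (int(m.group(1)), int(m.group(2) or 0)) if m else None
        need = SCOUT_FIX[line]
    else:
        return "no-fix-listed"      # no fixed version stated on this page
    if have is None:
        return "review"             # unparsable version: never assume patched
    return "patched" if have >= need else "update"

# Constructed sample inventory (hosts and installed levels are made up).
SAMPLE = """host,product,line,installed
ENG-WS-01,STEP 7,V19,Update 3
ENG-WS-02,WinCC,V17,Update 9
ENG-WS-03,S7-PLCSIM,V17,Update 9
ENG-WS-04,TIA Portal Cloud,V20,V5.2.2.1
ENG-WS-05,SIMOTION SCOUT TIA,V5.6,SP1 HF7
ENG-WS-06,STEP 7,V18,Update 5
ENG-WS-07,WinCC,V20,unknown
"""

def triage_inventory(text):
    """Map each host in the CSV text to its triage status."""
    return {r["host"]: triage(r["product"], r["line"], r["installed"])
            for r in csv.DictReader(io.StringIO(text))}

if __name__ == "__main__":
    for host, status in triage_inventory(SAMPLE).items():
        print(f"{host}: {status}")
```

Hosts reported as no-fix-planned or no-fix-listed fall under the trusted-source restriction above, and review entries need a manual version check before being counted as patched.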
Evidence notes
Vulnerability disclosed via CISA ICS advisory ICSA-25-226-11 on 2025-08-12. Advisory revised 2025-10-14 to add TIA Portal V20 fix, and 2025-12-09 to add TIA Portal V17 fix. CVSS 3.1 vector AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H confirms local attack vector with user interaction required.
Official resources
- CVE-2025-40759 CVE record (CVE.org)
- CVE-2025-40759 NVD detail (NVD)
- Source item URL (cisa_csaf)