PatchSiren cyber security CVE debrief
CVE-2025-40773 Siemens CVE debrief
CVE-2025-40773 affects Siemens SiPass integrated server applications and stems from insufficient server-side authorization checks. In the supplied advisory material, successful abuse could allow an attacker to execute specific API requests and manipulate data belonging to other users. The issue was published by CISA on 2025-10-14 and later republished on 2026-02-12 based on Siemens ProductCERT SSA-599451; the CVE publication date remains the correct timing reference.
- Vendor: Siemens
- Product: SiPass integrated
- CVSS: LOW 3.5
- CISA KEV: Not listed in stored evidence
- Original CVE published: 2025-10-14
- Original CVE updated: 2026-02-12
- Advisory published: 2025-10-14
- Advisory updated: 2026-02-12
Who should care
Siemens SiPass integrated administrators, OT/security teams, and anyone operating the product in shared or reachable server environments should review access controls and update plans. This is most relevant where authenticated users or adjacent-network actors can reach the application.
Technical summary
The advisory describes a broken access control condition in affected server applications. Authorization checks on the server side are insufficient, allowing an attacker with the ability to reach specific APIs to perform actions that should be restricted, including manipulation of other users’ data. The supplied CVSS vector is CVSS:3.1/AV:A/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:N, which aligns with limited integrity impact and no confidentiality or availability impact in the scoring.
Defensive priority
Medium for exposed or shared deployments; lower for tightly isolated environments. The CVSS score is low, but the flaw can still permit unauthorized data changes, so it merits prompt review of access boundaries and patch planning.
Recommended defensive actions
- Update Siemens SiPass integrated to V3.0 or later, per the vendor remediation guidance.
- Restrict access to authorized and trusted personnel only, especially for any server/API entry points.
- Audit server-side authorization for every affected API path and verify that object-level access checks are enforced on the server.
- Review exposure of the product in shared or adjacent-network segments and reduce reachability where possible.
- Use the official Siemens and CISA advisory links to confirm affected versions and remediation scope before making changes.
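Added example, not Siemens or SiPass code: a hypothetical profile-update API handler written two ways, authentication-only versus server-side object-level authorization, plus an audit helper of the kind the third action above calls for, which exercises every caller/target pair and reports which cross-user writes succeed. Session, PROFILES and the update_profile_* functions are constructed names for illustration.

```python
import copy
from collections import namedtuple

# Hypothetical session object: who is calling and which roles they hold.
Session = namedtuple("Session", "user_id roles", defaults=(frozenset(),))

class AuthorizationError(Exception):
    """Raised when the caller may not act on the requested object."""

# Constructed sample store (not SiPass data): user_id -> profile record.
PROFILES = {"alice": {"display_name": "Alice"}, "bob": {"display_name": "Bob"}}

def update_profile_insecure(session, target_user, changes, store):
    """Authentication-only check: any logged-in caller can write any record
    named in the request, the missing-server-side-authorization shape."""
    if session is None:
        raise AuthorizationError("login required")
    store[target_user].update(changes)
    return store[target_user]

def update_profile_secure(session, target_user, changes, store):
    """Object-level check enforced on the server: the caller must own the
    record or hold the admin role; the client-supplied target id is not trusted."""
    if session is None:
        raise AuthorizationError("login required")
    if session.user_id != target_user and "admin" not in session.roles:
        raise AuthorizationError(f"{session.user_id} may not modify {target_user}")
    store[target_user].update(changes)
    return store[target_user]

def audit_cross_user_writes(handler):
    """Call handler for every ordered pair of distinct non-admin users on a fresh
    copy of PROFILES and return the pairs where the other user's record changed,
    i.e. where the server-side check is missing. Empty list means the check holds."""
    leaks = []
    for caller in PROFILES:
        for target in PROFILES:
            if caller == target:
                continue
            store = copy.deepcopy(PROFILES)
            try:
                handler(Session(caller), target, {"display_name": "changed"}, store)
            except AuthorizationError:
                continue
            if store[target]["display_name"] == "changed":
                leaks.append((caller, target))
    return leaks
```

Running the audit against each handler of a real API path, with the real session and store types substituted in, gives a concrete pass/fail list per endpoint rather than a code-reading judgement.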
Evidence notes
Primary facts come from the CISA CSAF advisory ICSA-25-289-06 for Siemens SiPass integrated, with initial publication on 2025-10-14 and CISA republication on 2026-02-12. The advisory text states that affected server applications contain broken access control due to insufficient server-side authorization checks, enabling specific API requests and potential manipulation of other users’ data. Remediation guidance in the supplied source set includes restricting access to authorized/trusted personnel and updating to V3.0 or later.
Official resources
- CVE-2025-40773 CVE record (CVE.org)
- CVE-2025-40773 NVD detail (NVD)
- Source item URL (CISA CSAF)
Publicly disclosed by CISA on 2025-10-14 as ICSA-25-289-06; later republished on 2026-02-12 after Siemens ProductCERT SSA-599451 updates. This debrief uses the CVE publication date, not the later republication date, for issue timing.