PatchSiren cyber security CVE debrief

CVE-2025-40774 Siemens CVE debrief

CVE-2025-40774 affects Siemens SiPass integrated server applications. According to CISA and Siemens advisories, user passwords are stored in encrypted form in the database, but the decryption keys are accessible to users with administrative privileges. That design lets an administrator recover valid passwords, which can enable unauthorized account access, data exposure, and broader compromise if those credentials are reused elsewhere. CISA published the advisory on 2025-10-14 and later republished it on 2026-02-12 after Siemens ProductCERT updates.

Vendor: Siemens
Product: SiPass integrated
CVSS: MEDIUM 4.4
CISA KEV: Not listed in stored evidence
Original CVE published: 2025-10-14
Original CVE updated: 2026-02-12
Advisory published: 2025-10-14
Advisory updated: 2026-02-12

Who should care

Organizations running Siemens SiPass integrated, especially teams that administer the application, manage its databases, or rely on stored credentials for access control and identity workflows. Security teams should also care because the issue can expose valid user passwords to privileged insiders or attackers who obtain administrative access.

Technical summary

The issue is a credential-protection weakness rather than a code-execution flaw. The affected server applications keep passwords encrypted in the database, but the keys needed to decrypt them are available to administrative users. With admin-level access, an attacker can recover user passwords and use them as valid credentials. The advisory lists CVSS 3.1 AV:L/AC:L/PR:H/UI:N/S:U/C:H/I:N/A:N, reflecting that exploitation requires high privileges and primarily impacts confidentiality.

Defensive priority

Medium. The exploitability is limited by the need for administrative privileges, but the consequence is serious because recovered passwords can be reused for unauthorized access and downstream compromise.

Recommended defensive actions

  • Update Siemens SiPass integrated to V3.0 or later, as directed in the vendor remediation.
  • Restrict administrative access to authorized and trusted personnel only.
  • Review whether any administrative accounts or database operators should have access to password decryption material.
  • Audit privileged access paths and remove unnecessary admin permissions.
  • Consider credential rotation for accounts whose passwords may have been exposed or recoverable.
  • Use CISA's industrial control systems recommended practices to reinforce least-privilege and defense-in-depth controls.

Evidence notes

The source advisory states that affected server applications store user passwords encrypted in their databases and that decryption keys are accessible to users with administrative privileges, enabling password recovery. The CISA CSAF source item identifies Siemens SiPass integrated as the affected product and lists a vendor fix to V3.0 or later. The advisory was first published on 2025-10-14 and later republished on 2026-02-12 based on Siemens ProductCERT SSA-599451.

Official resources

Publicly disclosed by CISA on 2025-10-14 in ICSA-25-289-06, with a later CISA republication on 2026-02-12 tied to Siemens ProductCERT SSA-599451 updates.