PatchSiren cyber security CVE debrief

CVE-2025-40807 Siemens CVE debrief

A capture-replay vulnerability in Siemens Gridscale X Prepay allows an authenticated but locked-out user to re-establish valid sessions by replaying previously captured authentication tokens. The flaw stems from insufficient token invalidation upon account lockout, enabling session resurrection without fresh authentication. With a CVSS score of 6.3 (Medium), this poses moderate risk in operational technology environments where prepayment systems manage critical utility infrastructure. The attack requires network access and prior valid credentials, but no user interaction. Organizations should contact Siemens representatives for remediation guidance and implement network segmentation to limit token exposure.

Vendor: Siemens
Product: Gridscale X Prepay
CVSS: MEDIUM 6.3
CISA KEV: Not listed in stored evidence
Original CVE published: 2025-12-09
Original CVE updated: 2025-12-09
Advisory published: 2025-12-09
Advisory updated: 2025-12-09

Who should care

Organizations operating Siemens Gridscale X Prepay systems for utility prepayment management, particularly in critical infrastructure sectors. Security teams responsible for OT/ICS authentication and session management controls. Compliance officers tracking CVE remediation for industrial control system environments.

Technical summary

The Gridscale X Prepay application fails to properly invalidate authentication tokens when a user account is locked out. An attacker with prior network access can capture valid tokens and replay them to establish new sessions even after the legitimate user has been administratively locked out. The vulnerability is network-exploitable with low attack complexity, requiring low privileges but no user interaction. Impact on confidentiality, integrity, and availability is rated low for each, because the attack requires prior authentication.

Defensive priority

medium

Recommended defensive actions

  • Contact your local Siemens representative to obtain vendor fix information for Gridscale X Prepay
  • Implement network segmentation to limit exposure of authentication tokens in transit
  • Review and strengthen session management controls to ensure tokens are invalidated upon account lockout
  • Monitor for anomalous session establishment patterns from previously locked-out accounts
  • Apply CISA ICS recommended practices for defense-in-depth in industrial control environments
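The two session-management items above (invalidate tokens at lockout; monitor for sessions resumed by previously locked-out accounts) are illustrated by the following added example. It is not Siemens code and says nothing about how Gridscale X Prepay is implemented: the session store, the `hardened` flag, the `k=v` log format and the sample log lines are all constructed for this example. The vulnerable mode reproduces the flaw class the advisory describes (a token captured before lockout still resumes a session afterwards); the hardened mode revokes live sessions at lockout and additionally rejects any token issued before the lockout timestamp. The detector then applies the same "issued before lockout" rule to audit logs.

```python
from __future__ import annotations

import secrets
from dataclasses import dataclass
from datetime import datetime, timezone
from typing import Optional


@dataclass
class Session:
    user: str
    issued_at: datetime


class SessionStore:
    """Server-side session table (constructed example, not the product's code).

    hardened=False: tokens survive account lockout, so a captured token replays.
    hardened=True:  lockout revokes the account's sessions and any token issued
                    before the lockout timestamp is refused on presentation.
    """

    def __init__(self, hardened: bool) -> None:
        self.hardened = hardened
        self.sessions: dict[str, Session] = {}
        self.locked_at: dict[str, datetime] = {}

    def login(self, user: str, now: datetime) -> Optional[str]:
        if user in self.locked_at:
            return None  # fresh authentication is refused for a locked account
        token = secrets.token_urlsafe(32)
        self.sessions[token] = Session(user, now)
        return token

    def lock_out(self, user: str, now: datetime) -> None:
        self.locked_at[user] = now
        if self.hardened:
            # Revoke every live session the account holds so a captured token is useless.
            for token in [t for t, s in self.sessions.items() if s.user == user]:
                del self.sessions[token]

    def resume(self, token: str) -> Optional[str]:
        """Present a token (possibly a replayed capture); returns the user on success."""
        session = self.sessions.get(token)
        if session is None:
            return None
        if self.hardened:
            # Second line of defence: even if revocation at lock time was skipped,
            # a token issued at or before the lockout is rejected.
            locked = self.locked_at.get(session.user)
            if locked is not None and session.issued_at <= locked:
                return None
        return session.user


def demo_replay(hardened: bool) -> bool:
    """Capture a token before lockout and replay it afterwards; True if the replay worked."""
    t_login = datetime(2025, 1, 15, 9, 50, tzinfo=timezone.utc)
    t_lock = datetime(2025, 1, 15, 10, 0, tzinfo=timezone.utc)
    store = SessionStore(hardened=hardened)
    captured = store.login("alice", t_login)
    store.lock_out("alice", t_lock)
    return store.resume(captured) == "alice"


# Constructed audit log in a simple "timestamp k=v k=v" form (not a real product format).
SAMPLE_LOG = [
    "2025-01-15T09:50:00+00:00 event=login user=alice src=10.0.0.5",
    "2025-01-15T10:00:00+00:00 event=lockout user=alice src=admin-console",
    "2025-01-15T10:05:00+00:00 event=session_resume user=alice token_issued=2025-01-15T09:50:00+00:00 src=10.0.0.77",
    "2025-01-15T10:06:00+00:00 event=session_resume user=bob token_issued=2025-01-15T10:01:00+00:00 src=10.0.0.8",
]


def parse(line: str) -> dict[str, str]:
    """Split one constructed log line into a dict; the first field is the timestamp."""
    ts, *pairs = line.split()
    rec = {"ts": ts}
    for pair in pairs:
        key, _, value = pair.partition("=")
        rec[key] = value
    return rec


def find_replayed_sessions(log_lines: list[str]) -> list[tuple[str, str, str]]:
    """Return (user, src, ts) for session resumptions that used a token issued
    at or before that user's lockout: the signature of a replayed capture."""
    locked_at: dict[str, datetime] = {}
    findings = []
    for line in log_lines:
        rec = parse(line)
        if rec["event"] == "lockout":
            locked_at[rec["user"]] = datetime.fromisoformat(rec["ts"])
        elif rec["event"] == "session_resume":
            lock_ts = locked_at.get(rec["user"])
            issued = datetime.fromisoformat(rec["token_issued"])
            if lock_ts is not None and issued <= lock_ts:
                findings.append((rec["user"], rec["src"], rec["ts"]))
    return findings


if __name__ == "__main__":
    print("vulnerable store accepts replay:", demo_replay(hardened=False))
    print("hardened store accepts replay:  ", demo_replay(hardened=True))
    for user, src, ts in find_replayed_sessions(SAMPLE_LOG):
        print(f"ALERT {ts}: locked-out account {user} resumed a session from {src}")
```

The detector keys on the token's issue time rather than on the user's current lock state alone, so it still fires if the account was later unlocked; the trade-off is that the log must record when each presented token was issued, which is the field worth confirming exists before deploying such a rule.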

Evidence notes

CISA ICS advisory ICSA-25-345-09 confirms the vulnerability description and vendor attribution. Siemens product security advisory SSA-356310 provides authoritative vendor remediation guidance. CVSS vector AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:L sourced from CISA CSAF data.

Official resources

2025-12-09