PatchSiren cyber security CVE debrief
CVE-2025-40830 Siemens CVE debrief
CVE-2025-40830 affects Siemens SINEC Security Monitor and stems from missing authorization checks in the ssmctl-client file_transfer feature. According to the advisory text, an authenticated local attacker could read or write arbitrary files on the server or sensor. Siemens recommends updating to V4.10.0 or later.
- Vendor: Siemens
- Product: SINEC Security Monitor
- CVSS: MEDIUM 6.7
- CISA KEV: Not listed in stored evidence
- Original CVE published: 2025-12-09
- Original CVE updated: 2026-01-14
- Advisory published: 2025-12-09
- Advisory updated: 2026-01-14
Who should care
Siemens SINEC Security Monitor administrators, OT/ICS operators, and teams responsible for servers or sensors that expose ssmctl-client functionality or allow local authenticated access.
Technical summary
The source advisory describes improper authorization checks in the file_transfer feature of the ssmctl-client command. The impact is arbitrary file read/write on the server or sensor. The provided CVSS vector is CVSS:3.1/AV:L/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H, in which PR:H means high privileges are required, while the narrative description characterizes the attacker as authenticated, local, and low-privileged. Both are reported here as the source gives them; the difference is not reconciled.
Defensive priority
Medium, but treat as time-sensitive on any exposed or production SINEC Security Monitor deployment because file read/write access can affect confidentiality, integrity, and availability.
Recommended defensive actions
- Upgrade Siemens SINEC Security Monitor to V4.10.0 or later as recommended by the vendor.
- Inventory affected server and sensor deployments and confirm which systems use the ssmctl-client file_transfer feature.
- Review local accounts and privilege boundaries on affected hosts; limit access to only trusted administrators.
- Monitor for unexpected file changes or access on servers and sensors, especially where sensitive configurations or data are stored.
- After patching, validate backups, configuration integrity, and operational behavior on the affected systems.
Evidence notes
Source item: CISA CSAF advisory ICSA-26-015-06 republished Siemens ProductCERT advisory SSA-882673, with initial publication on 2025-12-09 and republication on 2026-01-14. The advisory text states that the application lacks proper authorization checks for the file_transfer feature in ssmctl-client and that this could allow an authenticated, lowly privileged local attacker to read or write any file on the server or sensor. The supplied CVSS vector is CVSS:3.1/AV:L/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H, which differs from the prose description on privilege level and should be interpreted carefully.
Official resources
- CVE-2025-40830 CVE record (CVE.org)
- CVE-2025-40830 NVD detail (NVD)
- Source item URL (cisa_csaf)
- Source reference (Reference)
Published by CISA on 2025-12-09 and republished on 2026-01-14 based on Siemens ProductCERT SSA-882673. The supplied enrichment marks this CVE as not listed in CISA KEV.