PatchSiren cyber security CVE debrief
CVE-2025-40939 Siemens CVE debrief
CVE-2025-40939 affects Siemens SIMATIC CN 4100 devices with an exposed USB port that accepts unauthenticated connections. According to the advisory, an attacker with physical access could trigger a reboot and cause a denial-of-service condition. The issue is rated CVSS 4.6 (Medium), and Siemens provides a fixed release: V4.0.1 or later.
- Vendor
- Siemens
- Product
- SIMATIC CN 4100
- CVSS
- MEDIUM 4.6
- CISA KEV
- Not listed in stored evidence
- Original CVE published
- 2025-12-09
- Original CVE updated
- 2025-12-09
- Advisory published
- 2025-12-09
- Advisory updated
- 2025-12-09
Who should care
Industrial control system operators, plant engineers, site reliability teams, and asset owners responsible for Siemens SIMATIC CN 4100 deployments—especially where devices may be physically reachable by visitors, contractors, or other non-trusted personnel.
Technical summary
The vulnerability is described as a physical-access issue: the device’s USB port allows unauthenticated connections, and that interaction can be used to trigger a reboot. The supplied CVSS vector is AV:P/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H, indicating a locally physical attack path with high availability impact and no indicated confidentiality or integrity impact. Siemens lists V4.0.1 or later as the remediation target.
Defensive priority
Medium. Prioritize faster in environments where the SIMATIC CN 4100 is installed in accessible locations or where unexpected reboots would materially affect operations. The issue does not indicate remote exploitation, but it can still disrupt availability if physical access is not tightly controlled.
Recommended defensive actions
- Upgrade affected Siemens SIMATIC CN 4100 devices to V4.0.1 or later.
- Restrict and monitor physical access to devices, especially USB interfaces.
- Review whether USB ports can be disabled, blocked, or otherwise controlled in your deployment.
- Incorporate the advisory into maintenance and change-management planning so upgrades are deployed consistently.
- Validate device availability and recovery procedures so a reboot does not create an operational outage.
Evidence notes
The debrief is based on the supplied CISA CSAF advisory for CVE-2025-40939 and its Siemens references. The source text states that the affected device contains a USB port allowing unauthenticated connections and that a physically present attacker could trigger a reboot causing denial of service. The remediation field lists update to V4.0.1 or later. The supplied enrichment marks this as not in CISA KEV and does not indicate ransomware campaign use.
Official resources
-
CVE-2025-40939 CVE record
CVE.org
-
CVE-2025-40939 NVD detail
NVD
-
Source item URL
cisa_csaf
-
Source reference
Reference
-
Source reference
Reference
-
Source reference
Reference
-
Source reference
Reference
-
Source reference
Reference
-
Source reference
Reference
-
Source reference
Reference
Publicly disclosed in the supplied advisory on 2025-12-09. The supplied timeline shows the advisory and CVE publication and modification dates are the same on that date.