CVE-2025-40942 Siemens CVE debrief

Who should care

Organizations that deploy or administer Siemens TeleControl Server Basic, especially in industrial control system or OT environments, should prioritize this issue because successful exploitation could elevate a local attacker to privileged code execution.

Technical summary

The published advisory characterizes the flaw as a local privilege escalation with CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H. That means exploitation requires local access and some privileges, but can lead to elevated code execution and broad confidentiality, integrity, and availability impact. The vendor remediation is to upgrade TeleControl Server Basic to version V3.1.2.4 or later.

Defensive priority

High. Even though exploitation is local, the combination of privilege escalation and arbitrary code execution with elevated privileges makes this a serious risk for systems where an attacker can obtain a foothold.

Recommended defensive actions

• Upgrade Siemens TeleControl Server Basic to V3.1.2.4 or later.
• Verify which hosts run TeleControl Server Basic and confirm their current version against the vendor advisory.
• Restrict local access and administrative privileges on affected systems to reduce escalation opportunity.
• Monitor affected hosts for unexpected privileged process creation or configuration changes.
• Apply standard industrial control system hardening and defense-in-depth practices referenced by CISA.

Evidence notes

This debrief is based on the CISA CSAF advisory ICSA-26-015-03 for Siemens TeleControl Server Basic and the linked Siemens ProductCERT advisory SSA-192617. The source states the issue is a local privilege escalation that can allow arbitrary code execution with elevated privileges, assigns CVSS v3.1 8.8/High, and recommends updating to V3.1.2.4 or later. Timing context uses the advisory publication date of 2026-01-13 and the republication/update date of 2026-01-14 from the source record.

Official resources