PatchSiren cyber security CVE debrief
CVE-2025-40943 Siemens CVE debrief
CVE-2025-40943 is a critical improper-sanitization flaw in trace-file import affecting multiple Siemens SIMATIC controller families. According to CISA’s advisory, an attacker who socially engineers an authorized user holding the "Read diagnostics" function right into importing a specially crafted trace file may achieve code execution in that user’s browser session and, through the controller’s webserver, trigger PLC operations the victim is already permitted to perform.
- Vendor: Siemens
- Product: SIMATIC Drive Controller CPU 1504D TF (6ES7615-4DF10-0AB0)
- CVSS: CRITICAL 9.6
- CISA KEV: Not listed in stored evidence
- Original CVE published: 2026-03-10
- Original CVE updated: 2026-05-14
- Advisory published: 2026-03-10
- Advisory updated: 2026-05-14
Who should care
OT and ICS defenders responsible for Siemens SIMATIC Drive Controller, ET 200SP, Open Controller, and S7-1500 deployments should treat this as urgent, especially where the webserver is enabled or where users hold the "Read diagnostics" function right. Organizations with HTTP/HTTPS management interfaces reachable from outside the control network, or with broadly granted operator permissions, should review first.
Technical summary
The flaw is insufficient sanitization of trace file contents. According to the advisory, exploitation depends on social engineering a legitimate user who can read diagnostics into importing a malicious trace file. Impact can include code execution in the victim’s browser session and unauthorized PLC operations issued through the webserver with the victim’s existing privileges. The advisory maps the issue to CWE-95 and reports a CVSS v3.1 vector of AV:N/AC:L/PR:N/UI:R/S:C/C:H/I:H/A:H: the attacker needs no account on the controller (PR:N) but does need the victim to act (UI:R), and the scope change (S:C) reflects that a payload running in the browser session reaches the PLC through the webserver rather than staying confined to the imported file.
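The following is an added illustration of the flaw class described above, not Siemens code and not a description of the real SIMATIC trace file format (which this page does not document). It assumes a constructed line-oriented trace export with "signal;value;comment" records, a hypothetical PLC API path used only in the constructed payload, and shows a vulnerable renderer that places file fields straight into markup beside a hardened one that escapes every untrusted field first:

```javascript
// Added illustration (not Siemens code): why unsanitized trace-file content
// becomes script execution in an operator's browser session, and the fix.
// The trace format below is constructed for this example; the real
// SIMATIC trace file format is not described on this page.

// Minimal HTML escaping of the characters that matter in text and
// attribute contexts.
function escapeHtml(s) {
  return String(s).replace(/[&<>"']/g, (c) => ({
    "&": "&amp;", "<": "&lt;", ">": "&gt;", '"': "&quot;", "'": "&#39;",
  })[c]);
}

// Parse the constructed, line-oriented trace export: "signal;value;comment".
function parseTrace(text) {
  return text.split("\n").filter((l) => l.trim()).map((line) => {
    const [signal, value, comment = ""] = line.split(";");
    return { signal, value, comment };
  });
}

// Vulnerable rendering: fields go straight into markup. A crafted comment
// such as <img src=x onerror=...> runs in the victim's session and can
// call whatever the webserver already lets that user do.
function renderRowUnsafe(row) {
  return `<tr><td>${row.signal}</td><td>${row.value}</td><td>${row.comment}</td></tr>`;
}

// Hardened rendering: every untrusted field is escaped before it touches markup.
function renderRowSafe(row) {
  return `<tr><td>${escapeHtml(row.signal)}</td><td>${escapeHtml(row.value)}</td><td>${escapeHtml(row.comment)}</td></tr>`;
}

// Crude detector used only to show the difference: does the rendered HTML
// contain a tag that came from the file rather than from the <tr>/<td> template?
function containsInjectedTag(html) {
  return /<(?!\/?t[dr]>)[a-z]/i.test(html);
}

// Constructed malicious trace file: the comment column carries the payload.
// "/api/plc/stop" is a hypothetical endpoint, not a real SIMATIC path.
const CRAFTED_TRACE =
  "Motor1.Speed;1500;nominal\n" +
  "Motor1.Torque;42;<img src=x onerror=\"fetch('/api/plc/stop')\">";

// Render the same file both ways and report whether the payload survived.
function demo() {
  const rows = parseTrace(CRAFTED_TRACE);
  const unsafe = rows.map(renderRowUnsafe).join("");
  const safe = rows.map(renderRowSafe).join("");
  return {
    unsafeInjected: containsInjectedTag(unsafe),
    safeInjected: containsInjectedTag(safe),
    safeHtml: safe,
  };
}
```

Output escaping is the minimum; a real import path should also validate the file's structure on upload (numeric values where numbers are expected, a bounded comment length) and the web UI should carry a Content Security Policy so that an escaping miss in one view does not become session-level code execution.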
Defensive priority
Urgent. The combination of remote reachability, user interaction, and potential PLC impact justifies immediate mitigation planning and firmware review, particularly for systems exposing the webserver.
Recommended defensive actions
- Apply Siemens firmware updates where available: V3.1.6 or later, V2.9.9 or later, or V4.1.2 or later depending on the affected product line.
- Disable the webserver if it is not required on affected systems.
- Restrict access to TCP ports 80 and 443 to trusted IP addresses only.
- Only upload trace files that are trusted and verified by your operational process.
- Review and limit which users have the "Read diagnostics" right.
- For affected product lines with no fix available in the advisory, rely on the documented mitigations and compensating controls.
- Validate that the advisory revision applicable to your product matches the latest CISA/Siemens republication before maintenance planning.
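As an added example (not from the advisory or from Siemens), the triage below runs a constructed PLC inventory against the three fix versions this page lists. It assumes that each fix version applies to the firmware branch sharing its major number (V2.x needs V2.9.9, V3.x needs V3.1.6, V4.x needs V4.1.2), which must be confirmed per product against SSA-452276 before acting on the output; the inventory rows and the fixAvailable/webserverEnabled fields are constructed for the example:

```javascript
// Added example (not from the advisory): triage a constructed PLC inventory
// against the fix versions this page lists (V3.1.6, V2.9.9, V4.1.2).
// ASSUMPTION: each fix version applies to the firmware branch that shares its
// major number. Confirm the per-product mapping against SSA-452276.
const FIXED_BY_BRANCH = { 2: "V2.9.9", 3: "V3.1.6", 4: "V4.1.2" };

// "V3.1.4" -> [3, 1, 4]; tolerates a missing "V" and missing components.
function parseVersion(v) {
  const m = /^v?(\d+)(?:\.(\d+))?(?:\.(\d+))?/i.exec(v.trim());
  if (!m) throw new Error(`unparseable firmware version: ${v}`);
  return [Number(m[1]), Number(m[2] || 0), Number(m[3] || 0)];
}

// Numeric comparison so that V3.1.10 sorts after V3.1.9.
function compareVersions(a, b) {
  const pa = parseVersion(a), pb = parseVersion(b);
  for (let i = 0; i < 3; i++) if (pa[i] !== pb[i]) return pa[i] < pb[i] ? -1 : 1;
  return 0;
}

// Classify one device. fixAvailable is false for product lines the advisory
// lists as "Currently no fix is available"; those get mitigations only.
function triage(device) {
  const branch = parseVersion(device.firmware)[0];
  const fixed = FIXED_BY_BRANCH[branch];
  let status;
  if (!device.fixAvailable) status = "MITIGATE_ONLY";
  else if (!fixed) status = "UNKNOWN_BRANCH";
  else if (compareVersions(device.firmware, fixed) < 0) status = "UPDATE_REQUIRED";
  else status = "PATCHED";
  // An enabled webserver on a device that is not patched is the exposure
  // the advisory's mitigations (disable webserver, restrict 80/443) target.
  const exposed = device.webserverEnabled && status !== "PATCHED";
  return { name: device.name, status, target: fixed || null, exposed };
}

// Exposed devices first so the maintenance queue starts with them.
function triageAll(devices) {
  return devices.map(triage).sort((a, b) => Number(b.exposed) - Number(a.exposed));
}

// Constructed inventory for the example; not real site data.
const INVENTORY = [
  { name: "plc-line1",  firmware: "V3.1.4", webserverEnabled: true,  fixAvailable: true },
  { name: "plc-line2",  firmware: "V3.1.6", webserverEnabled: true,  fixAvailable: true },
  { name: "plc-pack",   firmware: "V2.9.7", webserverEnabled: false, fixAvailable: true },
  { name: "plc-legacy", firmware: "V4.0.3", webserverEnabled: true,  fixAvailable: false },
];

// Usage: node triage.js prints one line per device, exposed ones first.
for (const r of triageAll(INVENTORY)) {
  console.log(`${r.name}\t${r.status}\ttarget=${r.target ?? "n/a"}\texposed=${r.exposed}`);
}
```

Devices reported as MITIGATE_ONLY are the ones where the list above, rather than a firmware update, is the whole response: disable the webserver where it is not needed, restrict TCP 80/443 to trusted addresses, and trim the "Read diagnostics" right.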
Evidence notes
Primary evidence comes from the CISA CSAF republication of Siemens ProductCERT advisory SSA-452276 (ICSA-26-071-04), published 2026-03-10 and updated through 2026-05-14. The revision history shows later corrections to affected product coverage and fix versions, including updates on 2026-05-12 and 2026-05-14. The supplied corpus states that some product groups have vendor fixes while others list "Currently no fix is available"; check which group your product falls into before planning maintenance.
Official resources
- CVE-2025-40943 CVE record (CVE.org)
- CVE-2025-40943 NVD detail (NVD)
- Source item URL (cisa_csaf)
Publicly disclosed by CISA on 2026-03-10 as ICSA-26-071-04, republished from Siemens ProductCERT advisory SSA-452276, with subsequent updates through 2026-05-14.