Severity
Medium
Analysis Summary
CVE-2025-40804 CVSS:9.1
Siemens SIMATIC Virtualization could allow a remote attacker to bypass security restrictions, caused by exposing a network share without authentication. By sending a specially crafted request, an attacker could exploit this vulnerability to access or alter sensitive data without proper authorization.
CVE-2025-40803 CVSS:3.1
Siemens RUGGEDCOM RST2428P could allow a remote attacker to obtain sensitive information, caused by exposing certain non-critical information from the device.
CVE-2025-40802 CVSS:3.1
Siemens RUGGEDCOM RST2428P is vulnerable to a denial of service, caused by uncontrolled resource exhaustion. By sending a specially crafted request, a remote attacker could exploit this vulnerability to cause a denial of service.
CVE-2025-40798 CVSS:7.5
Siemens SIMATIC PCS neo and UMC are vulnerable to a denial of service, caused by an out-of-bounds read in the integrated UMC component. By sending a specially crafted request, a remote attacker could exploit this vulnerability to cause a denial of service.
CVE-2025-40757 CVSS:5.3
Siemens APOGEE PXC could allow a remote attacker to obtain sensitive information, caused by unrestricted access to sensitive files, such as an encrypted .db file containing passwords.
Impact
- Denial of Service
- Security Bypass
- Information Disclosure
Indicators of Compromise
CVE
CVE-2025-40804
CVE-2025-40803
CVE-2025-40802
CVE-2025-40798
CVE-2025-40757
Affected Vendors
- Siemens
Affected Products
- Siemens SIMATIC PCS neo V4.1
- Siemens SIMATIC PCS neo V5.0
- Siemens RUGGEDCOM RST2428P
- Siemens SIMATIC Virtualization as a Service (SIVaaS)
- Siemens User Management Component (UMC) 2.15.1.2
- Siemens APOGEE PXC Series (BACnet)
- Siemens APOGEE PXC Series (P2 Ethernet)
- Siemens TALON TC Series (BACnet)
Remediation
Refer to the Siemens Security Advisory for patch, upgrade, or suggested workaround information.