CVE-2025-27395 in SCALANCE LPE9403

Summary

by MITRE • 03/11/2025

A vulnerability has been identified in SCALANCE LPE9403 (6GK5998-3GS00-2AC2) (All versions < V4.0). Affected devices do not properly limit the scope of files accessible through and the privileges of the SFTP functionality. This could allow an authenticated highly-privileged remote attacker to read and write arbitrary files.

Analysis

by VulDB Data Team • 08/22/2025

The vulnerability identified in SCALANCE LPE9403 model 6GK5998-3GS00-2AC2 represents a critical access control flaw that undermines the security posture of industrial network infrastructure. This device, which serves as a crucial component in industrial automation and control systems, fails to properly enforce file system boundaries within its SFTP implementation. The issue affects all firmware versions prior to V4.0, indicating a long-standing weakness that has persisted through multiple releases without adequate remediation. The vulnerability stems from insufficient input validation and privilege separation mechanisms within the Secure File Transfer Protocol functionality, creating an attack surface that can be exploited by authenticated adversaries with elevated privileges.

The technical flaw manifests as a lack of proper file scope limitation within the SFTP service implementation, allowing authenticated users to bypass normal file access controls and manipulate system files beyond their intended permissions. This weakness enables an attacker who has already gained authentication credentials to perform arbitrary read and write operations across the device's file system. The vulnerability directly relates to CWE-22, which describes improper limitation of a pathname to a restricted directory, commonly known as path traversal. The SFTP functionality should enforce strict boundaries on file access but instead permits unauthorized file system navigation and modification.

Operational impact of this vulnerability extends beyond simple data compromise to potentially disrupt critical industrial processes. An authenticated attacker with highly-privileged access could modify system configuration files, replace firmware components, or access sensitive operational data that could lead to system instability or unauthorized control of industrial processes. The remote nature of the attack means that adversaries do not require physical access to the device, and the highly-privileged requirement suggests that this vulnerability could be exploited after initial compromise through other attack vectors. This weakness creates opportunities for attackers to escalate privileges further or establish persistent access within industrial environments where these devices typically operate with elevated system permissions.

Mitigation strategies should focus on immediate firmware upgrades to version 4.0 or later, where the vulnerability has been addressed. Organizations must conduct comprehensive inventory assessments to identify all affected SCALANCE LPE9403 devices within their industrial control networks and prioritize remediation efforts. Network segmentation and access control measures should be implemented to limit the blast radius of potential exploitation, while monitoring systems should be configured to detect unusual SFTP activity patterns. The vulnerability aligns with ATT&CK technique T1078, which covers valid accounts, and T1566, which covers credential harvesting, suggesting that attackers may leverage compromised credentials to exploit this weakness. Regular security assessments and vulnerability management programs should be strengthened to identify similar weaknesses in industrial network infrastructure components, particularly those implementing network services with elevated privileges.
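One way to implement the SFTP monitoring recommended above, as an added example that is not part of the original entry or of any Siemens tooling: it flags logged file operations that resolve outside the directory SFTP users are expected to stay in. The `/upload` root, the sample log lines, and the assumption that the device's SFTP service logs in the format OpenSSH's `sftp-server` writes at INFO level are all constructed for illustration.

```python
import posixpath
import re

ALLOWED_ROOT = "/upload"  # assumption: the only directory SFTP users should touch

# Line formats written by OpenSSH sftp-server at INFO log level.
SESSION_RE = re.compile(
    r'sftp-server\[(?P<pid>\d+)\]: session opened for local user '
    r'(?P<user>\S+) from \[(?P<ip>[^\]]+)\]')
OP_RE = re.compile(
    r'sftp-server\[(?P<pid>\d+)\]: '
    r'(?P<op>opendir|open|remove name|mkdir name|rename old) '
    r'"(?P<path>[^"]*)"(?: flags (?P<flags>\S+))?')

# Constructed sample log, not captured from a real device.
SAMPLE_LOG = [
    'Mar 11 10:00:01 lpe sftp-server[411]: session opened for local user admin from [192.0.2.10]',
    'Mar 11 10:00:02 lpe sftp-server[411]: opendir "/upload"',
    'Mar 11 10:00:03 lpe sftp-server[411]: open "/upload/app.tar" flags WRITE,CREATE,TRUNCATE mode 0644',
    'Mar 11 10:00:09 lpe sftp-server[411]: open "/upload/../etc/hostname" flags READ mode 0666',
    'Mar 11 10:00:12 lpe sftp-server[411]: open "/etc/ssh/sshd_config" flags WRITE,TRUNCATE mode 0644',
    'Mar 11 10:00:15 lpe sftp-server[411]: remove name "/uploads-old/x"',
]

def normalize(path, root=ALLOWED_ROOT):
    """Resolve '.' and '..' lexically; relative paths start at root."""
    return posixpath.normpath(posixpath.join(root, path))

def outside_root(path, root=ALLOWED_ROOT):
    norm = normalize(path, root)
    # Compare on a path-component boundary so /uploads-old is not treated as /upload.
    return norm != root and not norm.startswith(root.rstrip("/") + "/")

def find_out_of_scope(lines, root=ALLOWED_ROOT):
    """Return (user, ip, 'read'|'write', normalized_path) per operation outside root."""
    sessions, findings = {}, []
    for line in lines:
        if m := SESSION_RE.search(line):
            sessions[m["pid"]] = (m["user"], m["ip"])
        elif (m := OP_RE.search(line)) and outside_root(m["path"], root):
            user, ip = sessions.get(m["pid"], ("unknown", "unknown"))
            writes = m["op"] not in ("open", "opendir") or "WRITE" in (m["flags"] or "")
            findings.append((user, ip, "write" if writes else "read",
                             normalize(m["path"], root)))
    return findings

if __name__ == "__main__":
    for finding in find_out_of_scope(SAMPLE_LOG):
        print(finding)
```

The normalization is lexical only, so access through a symlink located inside the allowed root is not visible to this check and needs file-integrity monitoring on the device side.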

Responsible: Siemens
Reservation: 02/24/2025
Disclosure: 03/11/2025
Moderation: accepted
CPE: ready
EPSS: 0.00383
KEV: no
Activities: very low
