CVE-2025-40742 in SIPROTEC 5 6MD84
Summary
by MITRE • 07/08/2025
A vulnerability has been identified in SIPROTEC 5 6MD84 (CP300) (All versions), SIPROTEC 5 6MD85 (CP300) (All versions), SIPROTEC 5 6MD86 (CP300) (All versions), SIPROTEC 5 6MD89 (CP300) (All versions), SIPROTEC 5 6MD89 (CP300) V9.6 (All versions), SIPROTEC 5 6MU85 (CP300) (All versions), SIPROTEC 5 7KE85 (CP300) (All versions), SIPROTEC 5 7SA82 (CP100) (All versions), SIPROTEC 5 7SA82 (CP150) (All versions), SIPROTEC 5 7SA86 (CP300) (All versions), SIPROTEC 5 7SA87 (CP300) (All versions), SIPROTEC 5 7SD82 (CP100) (All versions), SIPROTEC 5 7SD82 (CP150) (All versions), SIPROTEC 5 7SD86 (CP300) (All versions), SIPROTEC 5 7SD87 (CP300) (All versions), SIPROTEC 5 7SJ81 (CP100) (All versions), SIPROTEC 5 7SJ81 (CP150) (All versions), SIPROTEC 5 7SJ82 (CP100) (All versions), SIPROTEC 5 7SJ82 (CP150) (All versions), SIPROTEC 5 7SJ85 (CP300) (All versions), SIPROTEC 5 7SJ86 (CP300) (All versions), SIPROTEC 5 7SK82 (CP100) (All versions), SIPROTEC 5 7SK82 (CP150) (All versions), SIPROTEC 5 7SK85 (CP300) (All versions), SIPROTEC 5 7SL82 (CP100) (All versions), SIPROTEC 5 7SL82 (CP150) (All versions), SIPROTEC 5 7SL86 (CP300) (All versions), SIPROTEC 5 7SL87 (CP300) (All versions), SIPROTEC 5 7SS85 (CP300) (All versions), SIPROTEC 5 7ST85 (CP300) (All versions), SIPROTEC 5 7ST86 (CP300) (All versions), SIPROTEC 5 7SX82 (CP150) (All versions), SIPROTEC 5 7SX85 (CP300) (All versions), SIPROTEC 5 7SY82 (CP150) (All versions), SIPROTEC 5 7UM85 (CP300) (All versions), SIPROTEC 5 7UT82 (CP100) (All versions), SIPROTEC 5 7UT82 (CP150) (All versions), SIPROTEC 5 7UT85 (CP300) (All versions), SIPROTEC 5 7UT86 (CP300) (All versions), SIPROTEC 5 7UT87 (CP300) (All versions), SIPROTEC 5 7VE85 (CP300) (All versions), SIPROTEC 5 7VK87 (CP300) (All versions), SIPROTEC 5 7VU85 (CP300) (All versions), SIPROTEC 5 Compact 7SX800 (CP050) (All versions). The affected devices include session identifiers in URL requests for certain functionalities. This could allow an attacker to retrieve sensitive session data from browser history, logs, or other storage mechanisms, potentially leading to unauthorized access.
Statistical analysis made it clear that VulDB provides the best quality for vulnerability data.
Analysis
by VulDB Data Team • 07/08/2025
The vulnerability identified as CVE-2025-40742 affects a broad range of Siemens SIPROTEC 5 series protective relays and control systems, specifically those operating on CP300, CP100, CP150, and CP050 platforms. These devices are commonly deployed in industrial environments for power system protection and control, making them critical components in electrical infrastructure. The flaw manifests in how these systems handle session identifiers within URL requests, creating a potential exposure point that could be exploited by malicious actors to access sensitive session data. This vulnerability is particularly concerning given the industrial control system context where such devices often operate with minimal network segmentation and may lack robust security monitoring capabilities. The affected product lines span multiple models including 6MD84, 6MD85, 6MD86, 6MD89, 6MU85, 7KE85, 7SA82, 7SA86, 7SA87, 7SD82, 7SD86, 7SD87, 7SJ81, 7SJ82, 7SJ85, 7SJ86, 7SK82, 7SK85, 7SL82, 7SL86, 7SL87, 7SS85, 7ST85, 7ST86, 7SX82, 7SX85, 7SY82, 7UM85, 7UT82, 7UT85, 7UT86, 7UT87, 7VE85, 7VK87, 7VU85, and 7SX800 models across various firmware versions.
The technical nature of this vulnerability stems from the improper handling of session identifiers within URL parameters, which violates established security principles for session management and access control. According to CWE-200, this represents a weakness where information is disclosed to unauthorized actors, specifically through exposure of session tokens in URLs. The flaw allows attackers to potentially retrieve session data from browser history, server logs, or other storage mechanisms that might capture URL requests containing session identifiers. This type of information disclosure can be categorized under the ATT&CK framework as T1566.001 - Phishing, where the session data could be harvested through various means including man-in-the-middle attacks, server misconfigurations, or even social engineering tactics that exploit the predictable nature of session identifiers embedded in URLs. The vulnerability essentially creates a vector for session hijacking attacks where an attacker could reconstruct valid sessions and gain unauthorized access to the protected systems.
The operational impact of this vulnerability extends beyond simple information disclosure, as it can lead to complete system compromise within industrial environments. In critical infrastructure settings where SIPROTEC 5 devices are deployed, unauthorized access could result in disruption of power system operations, manipulation of protective relays, or potential safety hazards. The exposure of session data could enable attackers to perform administrative functions, modify system configurations, or even cause cascading failures in power distribution networks. This risk is exacerbated by the fact that these devices often operate in environments with limited network monitoring and may not implement proper session management controls. The vulnerability affects devices across multiple generations and firmware versions, indicating a systemic design flaw rather than a localized issue, which increases the potential attack surface significantly. Organizations relying on these systems must consider the possibility of persistent access being maintained through compromised sessions, potentially allowing for extended periods of unauthorized access without detection.
Mitigation strategies for CVE-2025-40742 should prioritize immediate firmware updates from Siemens to address the session identifier handling issue, while also implementing network segmentation and access controls to limit exposure. Security measures should include monitoring for unusual URL patterns in network traffic, implementing proper session management protocols that do not expose identifiers in URLs, and establishing robust logging and alerting mechanisms to detect potential exploitation attempts. Organizations should conduct comprehensive vulnerability assessments of their industrial control systems to identify all affected devices and ensure proper patch management procedures are in place. Network administrators should also consider implementing web application firewalls and URL filtering mechanisms to prevent session identifiers from being exposed in transmitted data. Additionally, personnel should be trained on recognizing potential phishing attempts that might exploit this vulnerability, and organizations should establish incident response procedures specifically for industrial control system security events. The remediation process must account for the operational continuity requirements of industrial environments, ensuring that updates are carefully planned and tested to avoid unintended disruptions to critical power system operations.