Siemens SINEC Security Monitor Vulnerabilities Advisory (CVE-2025-40830/31)

Critical Vulnerability Information Vulnerability Overview Vulnerability ID: SSA-882673 Description: Multiple vulnerabilities exist in SINEC Security Monitor versions prior to V4.10.0. Release Date: 2025-12-09 Current Version: V1.0 CVSS Score: - v3.1: 6.7 - v4.0: 8.4 Affected Products and Remediation Affected Products and Versions: SINEC Security Monitor (all versions < V4.10.0) Remediation: Upgrade to V4.10.0 or later. Link Vulnerability Details Vulnerability CVE-2025-40830 Description: The application lacks proper authorization checks in the file transfer functionality of the smmctl-client command, allowing a low-privileged local attacker to read and write any file on the server or sensor. CVSS Score: - v3.1: 6.7 - v4.0: 8.4 CWE: CWE-285: Improper Authorization Vulnerability CVE-2025-40831 Description: The report generation feature lacks input validation for date parameters, enabling a low-privileged attacker to cause a denial-of-service condition in the reporting functionality. CVSS Score: - v3.1: 6.5 - v4.0: 7.1 CWE: CWE-20: Improper Input Validation Additional Information General Security Recommendations: Follow Siemens’ Industrial Security Operational Guidelines (link) and recommendations in product manuals. Contact Support: For more information on security vulnerabilities related to Siemens products and solutions, contact Siemens ProductCERT (link).

Goal Reached Thanks to every supporter — we hit 100%!

Siemens SINEC Security Monitor Vulnerabilities Advisory (CVE-2025-40830/31)