CVE-2025-40584
Unknown Unknown - Not Provided
BaseFortify

Publication date: 2025-08-12

Last updated on: 2025-10-14

Assigner: Siemens AG

Description
A vulnerability has been identified in SIMOTION SCOUT TIA V5.4 (All versions), SIMOTION SCOUT TIA V5.5 (All versions), SIMOTION SCOUT TIA V5.6 (All versions < V5.6 SP1 HF7), SIMOTION SCOUT TIA V5.7 (All versions < V5.7 SP1 HF1), SIMOTION SCOUT V5.4 (All versions), SIMOTION SCOUT V5.5 (All versions), SIMOTION SCOUT V5.6 (All versions < V5.6 SP1 HF7), SIMOTION SCOUT V5.7 (All versions < V5.7 SP1 HF1), SINAMICS STARTER V5.5 (All versions), SINAMICS STARTER V5.6 (All versions), SINAMICS STARTER V5.7 (All versions < V5.7 HF2). The affected application contains a XML External Entity Injection (XXE) vulnerability while parsing specially crafted XML files. This could allow an attacker to read arbitrary files in the system.
CVSS Scores
EPSS Scores
Probability:
Percentile:
Meta Information
Published
2025-08-12
Last Modified
2025-10-14
Generated
2026-05-07
AI Q&A
2025-08-12
EPSS Evaluated
2026-05-05
NVD
CVE-2025-40584
EUVD
EUVD-2025-24246
Affected Vendors & Products
Showing 11 associated CPEs
Vendor Product Version / Range
siemens sinamics_starter 5.7
siemens sinamics_starter 5.6
siemens simotion_scout_tia 5.5
siemens simotion_scout_tia 5.6
siemens simotion_scout 5.4
siemens simotion_scout_tia 5.7
siemens simotion_scout 5.6
siemens simotion_scout 5.5
siemens sinamics_starter 5.5
siemens simotion_scout_tia 5.4
siemens simotion_scout 5.7
Helpful Resources
Exploitability
CWE
CWE Icon
KEV
KEV Icon
CWE ID Description
CWE-611 The product processes an XML document that can contain XML entities with URIs that resolve to documents outside of the intended sphere of control, causing the product to embed incorrect documents into its output.
Attack-Flow Graph
AI Powered Q&A
Can you explain this vulnerability to me?

This vulnerability is an XML External Entity (XXE) Injection found in certain Siemens products (SIMOTION SCOUT, SIMOTION SCOUT TIA, and SINAMICS STARTER). It occurs when the affected applications improperly handle specially crafted XML files, allowing an attacker to exploit this flaw to read arbitrary files on the system without authorization. [1]


How can this vulnerability impact me? :

The vulnerability can allow an attacker to read arbitrary files on the affected system, potentially exposing sensitive information stored on the device. This unauthorized file access could lead to information disclosure and compromise the confidentiality of data within the affected environment. [1]


What immediate steps should I take to mitigate this vulnerability?

Immediate mitigation steps include avoiding opening untrusted XML files in the affected applications, updating affected products to the latest fixed versions where available (e.g., SIMOTION SCOUT V5.6 SP1 HF7 or later, V5.7 SP1 HF1 or later), and applying recommended workarounds for products without available fixes. Additionally, protect network access to devices and configure environments according to Siemens' operational guidelines for Industrial Security. Consult Siemens' general security recommendations and product manuals for further protective measures. [1]


Ask Our AI Assistant
Need more information? Ask your question to get an AI reply (Powered by our expertise)
0/70
EPSS Chart