CVE-2025-40746
BaseFortify
Publication date: 2025-08-12
Last updated on: 2025-08-20
Assigner: Siemens AG
Description
Description
CVSS Scores
EPSS Scores
| Probability: | |
| Percentile: |
Meta Information
Affected Vendors & Products
| Vendor | Product | Version / Range |
|---|---|---|
| siemens | simatic_rtls_locating_manager | to 3.2 (exc) |
Helpful Resources
Exploitability
| CWE ID | Description |
|---|---|
| CWE-20 | The product receives input or data, but it does not validate or incorrectly validates that the input has the properties that are required to process the data safely and correctly. |
| CWE-NVD-CWE-noinfo |
Attack-Flow Graph
AI Powered Q&A
Can you explain this vulnerability to me?
This vulnerability exists in SIMATIC RTLS Locating Manager versions prior to 3.2 due to improper input validation in a backup script. An authenticated remote attacker with high privileges in the application can exploit this flaw to execute arbitrary code with 'NT Authority/SYSTEM' privileges, effectively gaining full control over the affected system. [1]
How can this vulnerability impact me? :
If exploited, this vulnerability allows an attacker with high privileges to execute arbitrary code with system-level privileges ('NT Authority/SYSTEM'), which can lead to full control over the affected system. This can result in unauthorized actions, data compromise, disruption of services, or further attacks within the network. [1]
What immediate steps should I take to mitigate this vulnerability?
To mitigate this vulnerability, Siemens recommends updating all affected versions of SIMATIC RTLS Locating Manager to version 3.2 or later. Additionally, follow Siemens' general security recommendations such as protecting network access to devices with appropriate security mechanisms and configuring the operational environment according to Siemens' Industrial Security operational guidelines. [1]