Session Management Flaw in SIMATIC PCS neo Products by Siemens
CVE-2025-40566

8.7HIGH

Key Information:

Vendor: Siemens
Status: Simatic Pcs Neo V4.1; Simatic Pcs Neo V5.0
Vendor: CVE Published:; 13 May 2025

What is CVE-2025-40566?

A session management flaw has been discovered in SIMATIC PCS neo products, specifically in versions prior to V4.1 Update 3 and V5.0 Update 1. This vulnerability arises from improper invalidation of user sessions upon user logout. Consequently, an attacker with access to a legitimate session token can potentially exploit this flaw to re-establish a user's session, undermining the security of user data and access. It is crucial for users to ensure they are running the latest updates to mitigate potential risks.

Affected Version(s)

SIMATIC PCS neo V4.1 0

SIMATIC PCS neo V5.0 0

References

https://cert-portal.siemens.com/productcert/html/ssa-3390...

CVSS V4

Score:

8.7

Severity:

HIGH

Confidentiality:

High

Integrity:

High

Availability:

High

Attack Vector:

Network

Attack Complexity:

Low

Attack Required:

None

Privileges Required:

Undefined

User Interaction:

Unknown

Timeline

Vulnerability published
May 13, 2025
Vulnerability Reserved
Apr 16, 2025