Full Report
SIMOTION SCOUT, SIMOTION SCOUT TIA and SINAMICS STARTER are affected by an XXE injection vulnerability that could allow an attacker to access arbitrary application files. Siemens has released new versions for several affected products and recommends updating to the latest versions. Siemens is preparing further fix versions and recommends specific countermeasures for products where fixes are not, or not yet, available.
Analysis Summary
# Vulnerability: XML External Entity (XXE) Injection in Siemens Engineering Tools
## CVE Details
- CVE ID: CVE-2025-40584
- CVSS Score: 5.5 (CVSS v3.1, Medium) / 6.8 (CVSS v4.0, Medium)
- CWE: CWE-611: Improper Restriction of XML External Entity Reference
## Affected Systems
- Products: SIMOTION SCOUT, SIMOTION SCOUT TIA, SINAMICS STARTER, Totally Integrated Automation Portal (TIA Portal) component SIMOTION SCOUT TIA.
- Versions:
  - **SIMOTION SCOUT V5.4**: All versions affected. (No fix planned)
  - **SIMOTION SCOUT V5.5**: All versions affected. (No fix planned)
  - **SIMOTION SCOUT V5.6**: Versions prior to V5.6 SP1 HF7.
  - **SIMOTION SCOUT V5.7**: Versions prior to V5.7 SP1 HF1.
  - **SINAMICS STARTER V5.5**: All versions affected. (No fix planned)
  - **SINAMICS STARTER V5.6**: All versions affected. (No fix planned)
  - **SINAMICS STARTER V5.7**: Versions prior to V5.7 HF2.
  - **SIMOTION SCOUT TIA V5.4 (within TIA Portal)**: All versions affected. (No fix available)
  - **SIMOTION SCOUT TIA V5.5 (within TIA Portal)**: Not explicitly detailed, but implied affected if not patched.
- Configurations: The vulnerability is triggered when these applications parse specially crafted XML files.
## Vulnerability Description
The affected applications suffer from an XML External Entity Injection (XXE) vulnerability during the parsing of XML files. A remote attacker who can place or submit a crafted XML file to the application could exploit this flaw to read arbitrary files accessible by the application on the underlying system.
## Exploitation
- Status: Not explicitly stated as exploited in the wild, but PoC documentation implies capability.
- Complexity: Low (CVSS v3.1 Attack Complexity: Low (AC:L))
- Attack Vector: Local (AV:L) according to the CVSS vector provided, suggesting the attacker must have some level of local access or ability to interact directly with a file-handling component of the application.
## Impact
- Confidentiality: High (C:H) - Potential access to arbitrary application files.
- Integrity: No Impact (I:N)
- Availability: No Impact (A:N)
## Remediation
### Patches
Siemens has released patches for several versions; users must update to the versions specified or later:
- **SIMOTION SCOUT V5.6**: Update to **V5.6 SP1 HF7** or later.
- **SIMOTION SCOUT V5.7**: Update to **V5.7 SP1 HF1** or later.
- **SINAMICS STARTER V5.7**: Update to **V5.7 HF2** or later.
*Note: For SIMOTION SCOUT V5.4, V5.5, SINAMICS STARTER V5.5, V5.6, and SIMOTION SCOUT TIA V5.4, Siemens currently has no fix planned.*
### Workarounds
For products where fixes are not available or not yet implemented:
1. **Restrict Network Access:** Siemens strongly recommends protecting network access to the affected devices using appropriate security mechanisms.
2. **Refer to Guidelines:** Configure the operational environment according to Siemens' operational guidelines for Industrial Security.
## Detection
- Detection methods are not explicitly detailed in the summary provided, but general XXE detection principles apply: monitoring for internal file system requests initiated by XML parsers or unusual data egress following file processing events.
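The following is an added example and not code from Siemens or from the advisory: the affected engineering tools are not modelled here. It shows, in Python's standard library, the generic CWE-611 defence behind the Vulnerability Description above and a pre-parse check of the kind the Detection section alludes to: untrusted XML is inspected for DOCTYPE and entity declarations before any parser is allowed to expand it, and rejected if any appear. Both sample documents are constructed; the `file:///PLACEHOLDER/...` path in the unsafe sample is a placeholder, not a real target.

```python
"""Reject untrusted XML that carries a DTD or entity declarations (CWE-611).

Added example, not Siemens code. Uses only the standard library: expat is
driven with parameter-entity parsing disabled, so the scan itself never
fetches an external DTD subset, and ElementTree is only called on documents
the scan found clean.
"""
import xml.parsers.expat
from xml.etree import ElementTree as ET


class UnsafeXMLError(ValueError):
    """Raised when untrusted XML declares a DTD or any entity."""


def scan_xml(data: bytes) -> list[str]:
    """Return findings describing DTD/entity constructs present in `data`.

    An empty list means the document has no DOCTYPE and no entity
    declarations, so a parser has nothing to expand beyond the five
    predefined XML entities.
    """
    findings: list[str] = []
    parser = xml.parsers.expat.ParserCreate()

    def on_doctype(name, system_id, public_id, has_internal_subset):
        # Machine-generated project files should not carry a DOCTYPE at all.
        findings.append(f"doctype declaration: {name}")

    def on_entity_decl(name, is_parameter, value, base, system_id, public_id, notation):
        # External entities (SYSTEM/PUBLIC identifiers) are the XXE primitive;
        # internal ones are flagged too because they enable entity expansion.
        if system_id or public_id:
            findings.append(f"external entity declaration: {name} -> {system_id or public_id}")
        else:
            findings.append(f"internal entity declaration: {name}")

    parser.StartDoctypeDeclHandler = on_doctype
    parser.EntityDeclHandler = on_entity_decl
    # Never resolve parameter entities, i.e. never fetch an external DTD subset.
    parser.SetParamEntityParsing(xml.parsers.expat.XML_PARAM_ENTITY_PARSING_NEVER)
    parser.Parse(data, True)
    return findings


def parse_untrusted(data: bytes) -> ET.Element:
    """Parse `data` only if the pre-scan finds no DTD/entity constructs."""
    findings = scan_xml(data)
    if findings:
        raise UnsafeXMLError("; ".join(findings))
    return ET.fromstring(data)


def is_safe(data: bytes) -> bool:
    """True if `data` parses cleanly under the policy above, False otherwise."""
    try:
        parse_untrusted(data)
    except (UnsafeXMLError, xml.parsers.expat.ExpatError, ET.ParseError):
        return False
    return True


# Constructed sample documents (not real project files).
SAFE_DOC = b'<?xml version="1.0"?><project><name>demo</name></project>'
UNSAFE_DOC = (
    b'<?xml version="1.0"?>'
    b'<!DOCTYPE project [<!ENTITY cfg SYSTEM "file:///PLACEHOLDER/path">]>'
    b'<project><name>&cfg;</name></project>'
)

if __name__ == "__main__":
    for label, doc in (("safe", SAFE_DOC), ("unsafe", UNSAFE_DOC)):
        print(label, "->", scan_xml(doc) or "no findings", "| accepted:", is_safe(doc))
```

In a monitoring context the `scan_xml` findings are what you would log: a DOCTYPE or an external entity declaration inside a project file handed to an engineering tool is a concrete, low-noise indicator, whereas watching the parser's file reads after the fact only tells you the exfiltration already happened.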
## References
- Siemens Security Advisory: SSA-186293
- Siemens Industrial Security Center: hXXps://www.siemens.com/industrialsecurity
- Operational Guidelines: hXXps://www.siemens.com/cert/operational-guidelines-industrial-security