Full Report
Siemens License Server before V4.3 contains various vulnerabilities that could allow a low-privileged local user to escalate privileges or perform arbitrary code execution. Siemens has released a new version of Siemens License Server (SLS) and recommends updating to the latest version.
Analysis Summary
# Vulnerability: Privilege Escalation in Siemens License Server (SLS)
## CVE Details
- **CVE ID:** CVE-2025-29999, CVE-2025-30000
- **CVSS Score:** 6.7 (Medium) - CVSS v3.1 / 5.4 (Medium) - CVSS v4.0
- **CWE:**
  - CWE-269: Improper Privilege Management (CVE-2025-29999)
  - CWE-295: Improper Certificate Validation (CVE-2025-30000)
## Affected Systems
- **Products:** Siemens License Server (SLS)
- **Versions:** All versions prior to V4.3
- **Configurations:** Systems utilizing SLS to support Siemens Advanced Licensing Technology (SALT), commonly used with EDA and PLM products.
## Vulnerability Description
Siemens License Server (SLS) is susceptible to two primary flaws that facilitate privilege escalation:
1. **Unvalidated Executable Paths (CVE-2025-29999):** The application searches for executable files within its application folder without proper path validation. A local attacker can place a malicious executable in that directory, leading the service to execute it with administrative privileges.
2. **Improper Permission Management (CVE-2025-30000):** The application fails to properly restrict user permissions or validate certificates (per CWE-295 mapping), which could allow a low-privileged local user to escalate their current privilege level.
## Exploitation
- **Status:** Not exploited (No known public PoC at time of reporting)
- **Complexity:** High (Requires specific local placement of files or exploitation of privilege management timing)
- **Attack Vector:** Local
## Impact
- **Confidentiality:** High (Full access to system data if privileges are escalated)
- **Integrity:** High (Ability to modify system files and application logic)
- **Availability:** High (Potential for service disruption or system-wide lockout)
## Remediation
### Patches
- **Update to SLS V4.3 or later:** This version addresses both vulnerabilities. The update can be acquired via the Siemens Support Center: hxxps[://]support[.]sw[.]siemens[.]com/product/1586485382/
### Workarounds
- **Strict Directory Permissions:** Restrict write access to the Siemens License Server application folder to administrative accounts only to prevent the placement of malicious executables.
- **Endpoint Least Privilege:** Ensure users log in with the minimum privileges necessary to reduce the risk of local escalation.
- **General Hardening:** Follow Siemens' operational guidelines for Industrial Security.
## Detection
- **Indicators of Compromise:** Presence of unknown/unauthorized executable files in the SLS application directory.
- **Detection Methods:**
  - Monitor for unexpected child processes spawned by the Siemens License Server (saltd or lmgrd).
  - Audit file system integrity for the SLS installation path.
  - Review system logs for unauthorized privilege changes or credential elevations tied to the SLS service account.
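
The file-integrity audit listed above, as an added example that is not part of the Siemens advisory: it records a SHA-256 baseline of executable-like files under the SLS installation directory and reports unknown, modified or missing files on later runs. The installation path and baseline file are supplied as arguments, and the extension list is an assumption to adjust per platform.

```python
import hashlib
import json
import sys
from pathlib import Path

# Assumption: extensions treated as executable content; "" covers
# extensionless binaries on Linux hosts. Adjust for the platform in use.
EXEC_SUFFIXES = {".exe", ".dll", ".bat", ".cmd", ".ps1", ".so", ".sh", ""}

def snapshot(root):
    """Map relative path -> SHA-256 for executable-like files under root."""
    root = Path(root)
    result = {}
    for path in sorted(root.rglob("*")):
        if path.is_file() and path.suffix.lower() in EXEC_SUFFIXES:
            digest = hashlib.sha256(path.read_bytes()).hexdigest()
            result[path.relative_to(root).as_posix()] = digest
    return result

def compare(baseline, current):
    """Return files that are new, changed or missing relative to the baseline."""
    return {
        "unknown": sorted(set(current) - set(baseline)),
        "modified": sorted(p for p in current
                           if p in baseline and current[p] != baseline[p]),
        "missing": sorted(set(baseline) - set(current)),
    }

def main(argv):
    if len(argv) != 4 or argv[1] not in ("baseline", "check"):
        print("usage: sls_audit.py baseline|check <SLS_INSTALL_DIR> <baseline.json>")
        return 2
    mode, root, baseline_file = argv[1:4]
    if mode == "baseline":
        # Take the baseline from a known-good install, e.g. right after updating.
        Path(baseline_file).write_text(json.dumps(snapshot(root), indent=2))
        return 0
    report = compare(json.loads(Path(baseline_file).read_text()), snapshot(root))
    print(json.dumps(report, indent=2))
    # Non-zero exit lets a scheduler or monitoring agent raise an alert.
    return 1 if any(report.values()) else 0

if __name__ == "__main__":
    sys.exit(main(sys.argv))
```

Store the baseline file outside the audited directory and make it writable only by administrators, so a local user who can write to the application folder cannot also rewrite the baseline.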
## References
- **Siemens Security Advisory:** hxxps[://]cert-portal[.]siemens[.]com/productcert/pdf/ssa-525431[.]pdf
- **Siemens Industrial Security Home:** hxxps[://]www[.]siemens[.]com/industrialsecurity
- **Contact:** hxxps[://]www[.]siemens[.]com/cert/advisories