
Siemens has issued a security advisory warning of multiple vulnerabilities in SiPass integrated access control systems. The vulnerabilities could allow attackers to execute commands on the devices with root privileges and access sensitive data.
The affected products are SiPass integrated AC5102 (ACC-G2) and ACC-AP. Siemens has released new versions for the affected products and recommends that customers update to the latest versions.
The vulnerabilities have been assigned the following CVSS v3.1 base scores:
- CVE-2024-52285: 5.3
- CVE-2025-27493: 8.2
- CVE-2025-27494: 9.1
The most serious vulnerability, CVE-2025-27494, could allow an authenticated remote attacker to escalate privileges by injecting arbitrary commands that are executed with root privileges.
Siemens has identified the following specific workarounds and mitigations that customers can apply to reduce the risk:
- CVE-2025-27493, CVE-2025-27494: Set an individual strong password for the administrator account (“SIEMENS”)
As a general security measure, Siemens strongly recommends protecting network access to affected products with appropriate mechanisms. It is also advised to follow recommended security practices in order to run the devices in a protected IT environment.
Customers are urged to update their SiPass integrated access control systems to the latest versions as soon as possible.