CVE-2025-40804: Critical Flaw in Siemens SIVaaS Exposes Network Share Without Authentication

Siemens has disclosed a critical security vulnerability (CVE-2025-40804) in its SIMATIC Virtualization as a Service (SIVaaS) platform. The flaw, rated CVSS 9.1, exposes a network share without authentication, potentially allowing attackers to access or alter sensitive data.

According to Siemens, “SIMATIC Virtualization as a Service (SIVaaS) is affected by a vulnerability which exposes a network share without any authentication. This could allow an attacker to access or alter sensitive data without proper authorization.”

The vulnerability, tracked as CVE-2025-40804, is classified under CWE-732: Incorrect Permission Assignment for Critical Resource. With a network attack vector and no privileges or user interaction required, the flaw could be exploited remotely by an unauthenticated attacker.

The advisory confirms: “SIMATIC Virtualization as a Service (SIVaaS) — all versions affected by CVE-2025-40804.”

Additionally, Siemens lists specific affected MLFBs, including:

• 9LA1110-6SV40-5DA3
• 9LA1110-6SV40-5FA3
• 9LA1110-6SV40-5FB3
• 9LA1110-6SV40-5FC3
• 9LA1110-6SV40-5JA2
• 9LA1110-6SV40-5XA2
• 9LA1110-6SV40-5XA3

SIVaaS is widely used for centralized virtualization of automation systems, enabling OT/IT integration and standardized monitoring across industrial environments. A vulnerability in this layer could expose critical industrial data or allow adversaries to tamper with automation configurations.

Given its CVSS v3.1 score of 9.1 and CVSS v4.0 score of 9.3, Siemens has classified this as a critical security issue.

Siemens urges affected customers to take immediate action. The advisory states: “Siemens recommends to contact technical support to fix the vulnerability.”

In addition, Siemens emphasizes its general industrial security guidelines:

• Protect network access to devices with appropriate mechanisms.
• Operate devices within a protected IT environment.
• Follow Siemens’ operational guidelines for industrial security.

Related Posts:

• CVE-2025-7972: Rockwell Automation Patches Critical Security Bypass in FactoryTalk Linx
• VMware Sues Siemens: Unlicensed Software Use Alleged
• Siemens Industrial Edge: Critical Authentication Flaw (CVE-2024-54092)
• Siemens Fixes 66 SQL Injection Flaws in TeleControl Server Basic
• Unauthenticated Attack: Siemens SiPass Vulnerability Risks DoS