
CVE-2025-40566: CWE-613: Insufficient Session Expiration in Siemens SIMATIC PCS neo V4.1

Severity: High
Tags: Vulnerability, CVE-2025-40566, CWE-613
Published: Tue May 13 2025 (05/13/2025, 09:38:52 UTC)
Source: CVE
Vendor/Project: Siemens
Product: SIMATIC PCS neo V4.1

Description

A vulnerability has been identified in SIMATIC PCS neo V4.1 (All versions < V4.1 Update 3), SIMATIC PCS neo V5.0 (All versions < V5.0 Update 1). Affected products do not correctly invalidate user sessions upon user logout. This could allow a remote unauthenticated attacker, who has obtained the session token by other means, to re-use a legitimate user's session even after logout.

AI-Powered Analysis

Last updated: 07/06/2025, 18:40:18 UTC

Technical Analysis

CVE-2025-40566 is a high-severity vulnerability affecting Siemens SIMATIC PCS neo versions prior to V4.1 Update 3 and V5.0 Update 1. The core issue is insufficient session expiration, categorized under CWE-613: the affected versions do not properly invalidate user sessions upon logout. This flaw allows a remote unauthenticated attacker who has obtained a valid session token through other means (e.g., token theft or network interception) to reuse that token even after the legitimate user has logged out. The vulnerability impacts confidentiality, integrity, and availability, since an attacker can impersonate a legitimate user and potentially gain unauthorized access to critical industrial control system (ICS) functions managed by SIMATIC PCS neo. The CVSS 3.1 base score of 8.8 reflects the ease of exploitation (network attack vector, no privileges required, low attack complexity), the requirement for user interaction (e.g., the victim must log out), and the high impact on confidentiality, integrity, and availability. Siemens SIMATIC PCS neo is a process control system widely used in industrial automation environments, including manufacturing, energy, and critical infrastructure sectors. The vulnerability could allow attackers to maintain persistent unauthorized access, manipulate process parameters, disrupt operations, or exfiltrate sensitive operational data. Although no known exploits are currently reported in the wild, the vulnerability's characteristics make it a significant risk, especially in environments where session tokens might be exposed or intercepted. The lack of proper session invalidation after logout is a fundamental flaw that undermines session management best practices and can facilitate lateral movement or privilege escalation within industrial networks.

Potential Impact

For European organizations, particularly those operating in critical infrastructure sectors such as energy, manufacturing, chemical processing, and utilities, this vulnerability poses a substantial risk. Siemens SIMATIC PCS neo is a widely deployed ICS platform in Europe, and unauthorized reuse of session tokens could lead to unauthorized control over industrial processes, causing operational disruptions, safety incidents, or data breaches. The potential impact includes loss of process integrity, unauthorized command execution, and operational downtime, which could have cascading effects on supply chains and public safety. Additionally, the ability to reuse sessions post-logout increases the risk of persistent unauthorized access, complicating incident detection and response. Given the strategic importance of industrial automation in European economies and the increasing targeting of ICS environments by threat actors, this vulnerability could be leveraged in targeted attacks against European critical infrastructure. The high CVSS score underscores the severity and the need for urgent remediation to prevent exploitation that could lead to significant economic and safety consequences.

Mitigation Recommendations

1. Immediate application of Siemens-provided updates: Organizations should prioritize upgrading SIMATIC PCS neo to V4.1 Update 3 or later, or V5.0 Update 1 or later, where the vulnerability is patched.
2. Implement network segmentation and strict access controls to limit exposure of SIMATIC PCS neo management interfaces to trusted networks and users only.
3. Deploy robust session management monitoring to detect anomalies such as session reuse or concurrent sessions from different IP addresses.
4. Use secure communication channels (e.g., VPNs, TLS) to protect session tokens from interception.
5. Enforce multi-factor authentication (MFA) where supported to reduce the risk of session token theft leading to unauthorized access.
6. Conduct regular security audits and penetration testing focused on session management and token handling.
7. Educate users and administrators about the risks of session token exposure and the importance of secure logout procedures.
8. Monitor Siemens advisories for any additional patches or mitigation guidance and apply them promptly.
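As an added illustration (not Siemens' code and not taken from the advisory), the following Python shows the CWE-613 logout pattern described in the technical analysis next to a hardened server-side revocation, plus the session-reuse detection called for in mitigation 3. The advisory does not state how PCS neo fails internally; the client-only logout here is a generic illustration of the weakness, the class, method and field names are hypothetical, and the audit lines are constructed.

```python
import secrets
from typing import Dict, List, Optional, Tuple

class SessionStore:
    """Server-side session table: opaque random token -> (user, expiry)."""

    def __init__(self, ttl_seconds: int = 900) -> None:
        self.ttl = ttl_seconds
        self._sessions: Dict[str, Tuple[str, float]] = {}

    def login(self, user: str, now: float) -> str:
        token = secrets.token_urlsafe(32)
        self._sessions[token] = (user, now + self.ttl)
        return token

    def logout_client_only(self, token: str) -> None:
        # CWE-613 pattern (illustrative): the browser drops its cookie, but the
        # server keeps the session until the idle timeout, so a copied token works.
        return None

    def logout(self, token: str) -> None:
        # Hardened logout: revoke server-side so every copy of the token is dead.
        self._sessions.pop(token, None)

    def validate(self, token: str, now: float) -> Optional[str]:
        entry = self._sessions.get(token)
        if entry is None or now >= entry[1]:
            return None
        return entry[0]

# Constructed audit lines for the detector below, not real PCS neo output.
SAMPLE_LOG = [
    "2025-05-13T09:00:00Z sid=s1 user=alice event=login src=10.0.0.5",
    "2025-05-13T09:05:00Z sid=s1 user=alice event=request src=10.0.0.5",
    "2025-05-13T09:10:00Z sid=s1 user=alice event=logout src=10.0.0.5",
    "2025-05-13T09:12:00Z sid=s1 user=alice event=request src=10.0.0.9",
    "2025-05-13T09:15:00Z sid=s2 user=bob event=request src=10.0.0.7",
]

def reuse_after_logout(log_lines: List[str]) -> List[Tuple[str, str]]:
    """Return (sid, src) for every request seen after that sid's logout."""
    logged_out, alerts = set(), []
    for line in log_lines:
        fields = dict(kv.split("=", 1) for kv in line.split()[1:])
        if fields["event"] == "logout":
            logged_out.add(fields["sid"])
        elif fields["event"] == "request" and fields["sid"] in logged_out:
            alerts.append((fields["sid"], fields["src"]))
    return alerts
```

A request accepted for a session id that has already emitted a logout event is exactly the condition the patch removes, so the detector's output is a direct indicator for unpatched systems.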


Technical Details

Data Version: 5.1
Assigner Short Name: siemens
Date Reserved: 2025-04-16T08:20:17.031Z
CISA Enriched: true
CVSS Version: 3.1
State: PUBLISHED

Threat ID: 682d9815c4522896dcbd5edb

Added to database: 5/21/2025, 9:08:37 AM

Last enriched: 7/6/2025, 6:40:18 PM

Last updated: 8/11/2025, 5:43:33 PM
