CVE-2025-40572 is a medium-severity vulnerability affecting Siemens SCALANCE LPE9403 industrial networking devices, specifically all versions prior to V4.0 HF0. The vulnerability is classified under CWE-732, which pertains to incorrect permission assignment for critical resources. In this case, the affected devices do not properly restrict access permissions to sensitive resources stored locally on the device. This misconfiguration allows a non-privileged local attacker—someone with limited access to the device's environment—to gain unauthorized access to sensitive information. The vulnerability does not require user interaction and can be exploited with low attack complexity, but it does require local access and some privileges (PR:L). The CVSS 3.1 base score is 5.5, reflecting a medium severity level, with a high impact on confidentiality but no impact on integrity or availability. No known exploits are currently reported in the wild, and Siemens has not yet published a patch. The vulnerability affects critical industrial communication infrastructure, potentially exposing sensitive configuration or operational data that could be leveraged for further attacks or espionage.

For European organizations, particularly those in industrial sectors such as manufacturing, energy, transportation, and utilities that rely on Siemens SCALANCE LPE9403 devices for secure industrial Ethernet communication, this vulnerability poses a significant risk to confidentiality. Unauthorized access to sensitive device information could lead to exposure of network configurations, credentials, or operational parameters, which adversaries could use to escalate privileges or disrupt industrial processes indirectly. While the vulnerability does not directly affect system integrity or availability, the confidentiality breach could undermine trust in operational technology (OT) environments and lead to compliance issues with data protection regulations like GDPR if sensitive personal or operational data is exposed. The requirement for local access limits remote exploitation but insider threats or attackers who gain initial footholds on OT networks could exploit this vulnerability to deepen their access.

Organizations should prioritize upgrading Siemens SCALANCE LPE9403 devices to version V4.0 HF0 or later once the patch is released by Siemens. Until then, strict network segmentation should be enforced to limit local access to these devices only to trusted personnel and systems. Implementing robust physical security controls to prevent unauthorized local access is critical. Monitoring and logging access to these devices should be enhanced to detect any anomalous or unauthorized attempts. Additionally, organizations should conduct regular audits of device permissions and configurations to ensure no inadvertent permission escalations exist. Employing endpoint detection and response (EDR) solutions in OT environments can help identify suspicious local activities. Finally, raising awareness among OT staff about the risks of local access exploitation can reduce insider threat risks.