
CVE-2025-40574: CWE-732: Incorrect Permission Assignment for Critical Resource in Siemens SCALANCE LPE9403

High
Tags: Vulnerability, CVE-2025-40574, CWE-732
Published: Tue May 13 2025 (05/13/2025, 09:38:58 UTC)
Source: CVE
Vendor/Project: Siemens
Product: SCALANCE LPE9403

Description

A vulnerability has been identified in SCALANCE LPE9403 (6GK5998-3GS00-2AC2) (All versions < V4.0 HF0). Affected devices do not properly assign permissions to critical resources. This could allow a non-privileged local attacker to interact with the backupmanager service.

AI-Powered Analysis

Last updated: 07/12/2025, 01:02:47 UTC

Technical Analysis

CVE-2025-40574 is a high-severity vulnerability in the Siemens SCALANCE LPE9403 (6GK5998-3GS00-2AC2), affecting all versions prior to V4.0 HF0. It is classified under CWE-732, Incorrect Permission Assignment for Critical Resource: the device assigns permissions to critical system resources, notably those belonging to the backupmanager service, more loosely than its privilege model intends. As a result, a non-privileged local attacker, that is, someone who already holds an unprivileged account or code execution on the device, can interact with the backupmanager service, which should be reachable only from a privileged context. The flaw is therefore not an initial-access vector; it turns an existing low-privilege foothold into influence over the device's backup handling.

The CVSS v3.1 base score of 7.8 (AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H) breaks down as follows. The attack vector is local (AV:L), attack complexity is low (AC:L), low privileges are required (PR:L) and no user interaction is needed (UI:N). Scope is unchanged (S:U): the vulnerable component and the impacted component fall under the same security authority, so the score does not account for effects beyond the device itself. Confidentiality, integrity and availability are all rated high (C:H/I:H/A:H). No in-the-wild exploitation was reported at the time of writing. An attacker who can drive the backup process could nevertheless read backup contents, corrupt or delete backups so that later restores fail, or deny the service outright. Given the role of SCALANCE LPE9403 devices in industrial and critical-infrastructure networks, exploitation could disrupt operational technology environments and the industrial control systems that depend on them.

Potential Impact

For European organizations, especially those in manufacturing, energy, transportation and utilities, this vulnerability poses a substantial risk. SCALANCE LPE9403 devices are commonly deployed in industrial network environments to provide secure and reliable communication. Exploitation could lead to unauthorized access to backup configurations and data, manipulation or deletion of backups, and disruption of network operations, resulting in operational downtime, loss of critical data and cascading effects on industrial processes. Confidentiality breaches could expose sensitive operational data; integrity violations could compromise system configurations and backups, undermining recovery efforts; availability impacts could cause outages or degraded performance on production lines or critical-infrastructure services. The local attack vector means an attacker first needs a foothold on the device itself, which could come from a compromised internal system, a stolen or shared maintenance account, or an insider. Given the increasing convergence of IT and OT networks in Europe, the risk of lateral movement onto these devices is non-trivial. The high severity rating underscores the need for prompt attention to mitigate potential disruptions and data breaches.

Mitigation Recommendations

To mitigate this vulnerability, organizations should prioritize upgrading SCALANCE LPE9403 devices to V4.0 HF0 or later, where the permission assignment issue is resolved. Where the update cannot be applied immediately, implement strict network segmentation to isolate SCALANCE devices from general IT networks and limit local access to the smallest set of accounts and hosts that genuinely need it. Enforce strong access controls and monitoring on the devices to detect unauthorized local interactions with critical services such as backupmanager. Network intrusion detection systems (NIDS) tailored for industrial protocols remain useful for spotting the lateral movement that precedes a local attack, but because the attack vector is local, the exploitation itself will not be visible on the wire; pair network monitoring with host-level review of local accounts, logins and changes to the service's files. Regularly audit device configurations and file and service permissions against security best practices, and apply strict physical security controls to prevent unauthorized local access. Develop and test incident response plans specific to industrial network devices so that potential exploitation can be handled quickly. Consult the Siemens ProductCERT advisory for this CVE for any interim mitigations or guidance. Finally, raising awareness among operational technology personnel about the risks and signs of exploitation helps with early detection and prevention.
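The permission audit recommended above is the kind of check that catches CWE-732 before an attacker does. The following added example (not from the advisory, from Siemens or from the aggregator) shows the pattern on a constructed mock of a backup service's resources: a control directory, a configuration file, a credential file and a binary. The paths, names and modes are invented for illustration; the advisory does not disclose the LPE9403's real file layout or which resource was mis-permissioned. The example assumes a Linux host with Python 3 and flags the two classic CWE-732 mistakes, group/world-writable resources and group/world-readable secrets, then hardens them and re-audits.

```python
"""Audit and fix CWE-732-style permission problems on a service's resources.

Added example. The mock layout below is constructed for illustration and is
not the SCALANCE LPE9403's real layout.
"""
import os
import stat
import tempfile

# Mode bits that must never be set on a resource only root should modify.
GROUP_OR_WORLD_WRITE = stat.S_IWGRP | stat.S_IWOTH
# Mode bits that must never be set on a secret (credentials, private keys).
GROUP_OR_WORLD_ACCESS = (stat.S_IRGRP | stat.S_IWGRP | stat.S_IXGRP
                         | stat.S_IROTH | stat.S_IWOTH | stat.S_IXOTH)


def audit_resource(path, secret=False, expected_uid=None):
    """Return a list of findings for one path; an empty list means clean."""
    st = os.lstat(path)
    mode = stat.S_IMODE(st.st_mode)
    findings = []
    if stat.S_ISLNK(st.st_mode):
        # A symlink's own bits are meaningless; audit the target instead.
        findings.append("symlink: audit the resolved target")
        return findings
    if expected_uid is not None and st.st_uid != expected_uid:
        findings.append(f"owned by uid {st.st_uid}, expected {expected_uid}")
    if mode & GROUP_OR_WORLD_WRITE:
        # Also fires on sticky-bit dirs (1777): a service control directory
        # should not be world-writable even with the sticky bit set.
        findings.append(f"writable by group/others (mode {mode:04o})")
    if secret and mode & (stat.S_IRGRP | stat.S_IROTH):
        findings.append(f"secret readable by group/others (mode {mode:04o})")
    return findings


def audit(resources, expected_uid=None):
    """resources: iterable of (path, is_secret). Returns {path: findings}."""
    report = {}
    for path, secret in resources:
        findings = audit_resource(path, secret, expected_uid)
        if findings:
            report[path] = findings
    return report


def harden(path, secret=False):
    """Strip group/world write (and all group/world access for secrets).
    Returns the new mode."""
    mode = stat.S_IMODE(os.stat(path).st_mode)
    new_mode = mode & ~GROUP_OR_WORLD_WRITE
    if secret:
        new_mode &= ~GROUP_OR_WORLD_ACCESS
    os.chmod(path, new_mode)
    return new_mode


def build_mock_service(root):
    """Create a constructed mock of a backup service with the loose permissions
    CWE-732 describes. Names are hypothetical. Returns [(path, is_secret)]."""
    control_dir = os.path.join(root, "run", "backupmgr")
    os.makedirs(control_dir)
    os.chmod(control_dir, 0o777)            # world-writable control dir (bad)
    config = os.path.join(root, "etc", "backupmgr.conf")
    os.makedirs(os.path.dirname(config))
    with open(config, "w") as f:
        f.write("target=/var/backups\n")
    os.chmod(config, 0o666)                 # world-writable config (bad)
    creds = os.path.join(root, "etc", "backupmgr.key")
    with open(creds, "w") as f:
        f.write("constructed-sample-secret\n")
    os.chmod(creds, 0o644)                  # world-readable secret (bad)
    binary = os.path.join(root, "usr", "sbin", "backupmgr")
    os.makedirs(os.path.dirname(binary))
    with open(binary, "w") as f:
        f.write("#!/bin/sh\nexit 0\n")
    os.chmod(binary, 0o755)                 # root-writable only (fine)
    return [(control_dir, False), (config, False), (creds, True), (binary, False)]


def demo():
    """Audit the mock, harden it, re-audit. Returns (findings_before, findings_after)."""
    with tempfile.TemporaryDirectory() as root:
        resources = build_mock_service(root)
        before = audit(resources)
        for path, secret in resources:
            harden(path, secret)
        after = audit(resources)
        return len(before), len(after)


if __name__ == "__main__":
    print(demo())
```

On a real device the resource list would come from the service's unit file, init script or package manifest rather than a mock, and the `expected_uid` check should be enabled so that a resource silently re-owned to an unprivileged account is flagged as well. The audit deliberately treats a symlink as a finding rather than following it, because a link an unprivileged user can repoint is itself a permission problem.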


Technical Details

Data Version: 5.1
Assigner Short Name: siemens
Date Reserved: 2025-04-16T08:20:17.032Z
CISA Enriched: true
CVSS Version: 3.1
State: PUBLISHED

Threat ID: 682d9815c4522896dcbd5f5b

Added to database: 5/21/2025, 9:08:37 AM

Last enriched: 7/12/2025, 1:02:47 AM

Last updated: 8/3/2025, 12:37:28 AM
