
CVE-2025-40584: CWE-611: Improper Restriction of XML External Entity Reference in Siemens SIMOTION SCOUT TIA V5.4

Severity: Medium
Published: Tue Aug 12 2025 (08/12/2025, 11:17:02 UTC)
Source: CVE Database V5
Vendor/Project: Siemens
Product: SIMOTION SCOUT TIA V5.4

Description

A vulnerability has been identified in SIMOTION SCOUT TIA V5.4 (All versions), SIMOTION SCOUT TIA V5.5 (All versions), SIMOTION SCOUT TIA V5.6 (All versions < V5.6 SP1 HF7), SIMOTION SCOUT TIA V5.7 (All versions < V5.7 SP1 HF1), SIMOTION SCOUT V5.4 (All versions), SIMOTION SCOUT V5.5 (All versions), SIMOTION SCOUT V5.6 (All versions < V5.6 SP1 HF7), SIMOTION SCOUT V5.7 (All versions < V5.7 SP1 HF1), SINAMICS STARTER V5.5 (All versions), SINAMICS STARTER V5.6 (All versions), SINAMICS STARTER V5.7 (All versions). The affected application contains an XML External Entity Injection (XXE) vulnerability while parsing specially crafted XML files. This could allow an attacker to read arbitrary files in the system.

AI-Powered Analysis

Last updated: 08/20/2025, 01:58:31 UTC

Technical Analysis

CVE-2025-40584 is an XML External Entity (XXE) injection vulnerability identified in multiple versions of Siemens SIMOTION SCOUT TIA software (versions 5.4 through 5.7, including certain sub-versions and related SINAMICS STARTER versions). The vulnerability arises from improper restriction of XML external entity references during the parsing of specially crafted XML files. An attacker who can supply malicious XML input to the affected application can exploit this flaw to read arbitrary files on the system where the software is running. This vulnerability is classified under CWE-611, which pertains to improper handling of XML external entities, leading to potential information disclosure.

The CVSS v3.1 base score is 5.5 (medium severity), with the vector indicating local attack vector (AV:L), low attack complexity (AC:L), no privileges required (PR:N), user interaction required (UI:R), unchanged scope (S:U), high confidentiality impact (C:H), no integrity impact (I:N), and no availability impact (A:N). The vulnerability does not require authentication but does require user interaction, such as opening or processing a malicious XML file. No known exploits are currently reported in the wild, and no patches have been linked yet.

Siemens SIMOTION SCOUT TIA is an engineering software suite used for configuring and programming motion control systems in industrial automation, making this vulnerability particularly relevant for industrial control system (ICS) environments. Exploitation could lead to unauthorized disclosure of sensitive configuration files or credentials, potentially aiding further attacks on industrial processes.

Potential Impact

For European organizations, especially those in manufacturing, energy, and critical infrastructure sectors relying on Siemens SIMOTION SCOUT TIA and SINAMICS STARTER software, this vulnerability poses a significant risk of information disclosure. Attackers could leverage the XXE flaw to access sensitive configuration files, intellectual property, or credentials stored on engineering workstations or servers. This could facilitate espionage, sabotage, or preparation for more destructive attacks on industrial control systems. Given the widespread use of Siemens automation products across Europe, the vulnerability could impact production continuity, safety, and regulatory compliance. Although the vulnerability does not directly affect system integrity or availability, the confidentiality breach could have cascading effects, including loss of competitive advantage, regulatory penalties under GDPR for data breaches, and increased risk of targeted attacks on critical infrastructure. The requirement for local access and user interaction somewhat limits remote exploitation but insider threats or phishing campaigns targeting engineers could still trigger the attack vector.

Mitigation Recommendations

European organizations should implement the following specific mitigations:

1) Restrict access to engineering workstations and servers running SIMOTION SCOUT TIA and SINAMICS STARTER software to trusted personnel only, enforcing strict access controls and network segmentation to limit exposure.
2) Educate users, especially engineers and operators, about the risks of opening untrusted XML files or project files, incorporating this into security awareness training.
3) Monitor and control the sources of XML files imported into the software, validating and sanitizing inputs where possible.
4) Apply Siemens-provided patches or updates promptly once available; in the absence of patches, consider temporary workarounds such as disabling XML external entity processing if configurable.
5) Employ endpoint detection and response (EDR) tools to detect anomalous file access patterns or suspicious process behavior related to the software.
6) Conduct regular audits of engineering systems for unauthorized files or configurations that could indicate exploitation attempts.
7) Collaborate with Siemens support and ICS cybersecurity experts to develop incident response plans tailored to this vulnerability.
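One way to implement the input check in recommendation 3, as an added example (not Siemens code and not part of the advisory): a pre-import scan that flags any XML file carrying a DOCTYPE or entity declaration, decoding UTF-16 first so the declaration cannot hide from a plain byte search. The sample documents, element names and path are constructed, and whether legitimate project files ever carry a DTD is an assumption to verify before blocking on a finding.

```python
import codecs
import re

# Byte-order marks and their codecs. A UTF-16 file hides "<!DOCTYPE" from a
# plain byte search, so decode before matching.
_BOMS = [(codecs.BOM_UTF8, "utf-8"),
         (codecs.BOM_UTF16_LE, "utf-16-le"),
         (codecs.BOM_UTF16_BE, "utf-16-be")]
_COMMENT = re.compile(r"<!--.*?-->", re.S)
_DOCTYPE = re.compile(r"<!DOCTYPE\b", re.I)
_ENTITY = re.compile(r"<!ENTITY\s+(%\s*)?([^\s>]+)\s+(SYSTEM|PUBLIC)?", re.I)

def decode_xml(raw: bytes) -> str:
    """Decode by BOM, then by the NUL pattern of BOM-less UTF-16, else UTF-8."""
    for bom, name in _BOMS:
        if raw.startswith(bom):
            return raw[len(bom):].decode(name, errors="replace")
    if raw[:4] == b"<\x00?\x00":
        return raw.decode("utf-16-le", errors="replace")
    if raw[:4] == b"\x00<\x00?":
        return raw.decode("utf-16-be", errors="replace")
    return raw.decode("utf-8", errors="replace")

def scan_xml(raw: bytes) -> list:
    """Return findings; an empty list means no DTD or entity declaration."""
    text = _COMMENT.sub("", decode_xml(raw))  # declarations in comments are inert
    findings = ["doctype"] if _DOCTYPE.search(text) else []
    for m in _ENTITY.finditer(text):
        kind = "parameter-entity" if m.group(1) else "entity"
        if m.group(3):  # SYSTEM/PUBLIC: resolved from outside the document
            kind = "external-" + kind
        findings.append(f"{kind}:{m.group(2)}")
    return findings

# Constructed samples; element names and the path are placeholders.
CLEAN = b'<?xml version="1.0"?>\n<project><axis name="A1"/></project>'
FLAGGED = (b'<?xml version="1.0"?>\n<!DOCTYPE project [\n'
           b'  <!ENTITY ext SYSTEM "file:///constructed/placeholder.txt">\n'
           b']>\n<project/>')
FLAGGED_UTF16 = FLAGGED.decode("ascii").encode("utf-16")  # BOM + UTF-16

if __name__ == "__main__":
    for label, doc in [("clean", CLEAN), ("utf-8", FLAGGED), ("utf-16", FLAGGED_UTF16)]:
        print(label, scan_xml(doc) or "no DTD content")
```

Files that return findings can be held for review instead of being opened in the engineering tool; the scan is deliberately conservative and does not parse the XML.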


Technical Details

Data Version: 5.1
Assigner Short Name: siemens
Date Reserved: 2025-04-16T08:20:17.033Z
CVSS Version: 3.1
State: PUBLISHED

Threat ID: 689b2662ad5a09ad003132d3

Added to database: 8/12/2025, 11:32:50 AM

Last enriched: 8/20/2025, 1:58:31 AM

Last updated: 8/22/2025, 2:26:59 PM
