CVE-2025-40584 is a medium-severity vulnerability classified under CWE-611 (Improper Restriction of XML External Entity Reference) found in Siemens SIMOTION SCOUT TIA versions 5.4 through 5.7 and SINAMICS STARTER versions 5.5 through 5.7 (with certain subversions excluded). The vulnerability stems from the software's XML parser improperly handling external entity references in specially crafted XML files. An attacker who can supply such malicious XML input can exploit this flaw to perform XML External Entity (XXE) injection attacks, enabling them to read arbitrary files on the host system. The attack vector is local (AV:L), requiring the attacker to have access to the system and to convince a user to interact with the malicious XML content (UI:R). No privileges are required (PR:N), and the vulnerability impacts confidentiality (C:H) but does not affect integrity or availability. The scope is unchanged (S:U), meaning the exploit affects only the vulnerable component. Siemens has not yet published patches for all affected versions, and no known exploits have been reported in the wild. This vulnerability poses a risk to industrial control systems and automation environments where these Siemens products are deployed, potentially exposing sensitive configuration or operational files to unauthorized disclosure.

For European organizations, particularly those in manufacturing, industrial automation, and critical infrastructure sectors that rely on Siemens SIMOTION SCOUT TIA and SINAMICS STARTER products, this vulnerability could lead to unauthorized disclosure of sensitive files. This may include configuration files, credentials, or operational data, which could facilitate further attacks or industrial espionage. The confidentiality breach could undermine operational security and intellectual property protection. Since exploitation requires local access and user interaction, the risk is somewhat mitigated but remains significant in environments where insider threats or compromised user accounts exist. The impact on availability and integrity is minimal, but the exposure of sensitive information could have cascading effects on operational trust and compliance with data protection regulations such as GDPR.

Organizations should prioritize applying Siemens patches and updates as soon as they become available for the affected SIMOTION SCOUT TIA and SINAMICS STARTER versions. Until patches are deployed, restrict access to systems running these applications to trusted personnel only, and enforce strict file system permissions to limit the impact of potential XXE exploitation. Validate and sanitize all XML inputs rigorously, employing XML parsers configured to disable external entity processing where possible. Implement network segmentation to isolate industrial control systems from general IT networks and external internet access. Conduct user training to raise awareness about the risks of opening untrusted XML files and enforce policies to prevent execution of unverified files. Regularly audit logs and monitor for unusual file access patterns that may indicate exploitation attempts.