
CVE-2025-40594: CWE-269: Improper Privilege Management in Siemens SINAMICS G220 V6.4

Medium
Tags: Vulnerability, CVE-2025-40594, CWE-269
Published: Tue Sep 09 2025 (09/09/2025, 08:47:57 UTC)
Source: CVE Database V5
Vendor/Project: Siemens
Product: SINAMICS G220 V6.4

Description

A vulnerability has been identified in SINAMICS G220 V6.4 (All versions < V6.4 HF2), SINAMICS S200 V6.4 (All versions), SINAMICS S210 V6.4 (All versions < V6.4 HF2). The affected devices allow a factory reset to be executed without the required privileges due to improper privilege management as well as manipulation of configuration data because of leaked privileges of previous sessions. This could allow an unauthorized attacker to escalate their privileges.

AI-Powered Analysis

Last updated: 09/09/2025, 09:00:17 UTC

Technical Analysis

CVE-2025-40594 is a vulnerability identified in Siemens SINAMICS G220 V6.4, as well as SINAMICS S200 V6.4 and SINAMICS S210 V6.4 devices. These products are industrial drive controllers widely used in manufacturing and automation environments. The vulnerability stems from improper privilege management (CWE-269): the devices allow a factory reset to be executed without requiring the appropriate privileges, and configuration data can be manipulated because privileges from previous sessions are leaked into later ones. An attacker with limited or no privileges on the device could therefore escalate their access rights, reset the device, or alter critical configuration settings. The CVSS v3.1 base score is 6.3 (medium severity); the vector indicates a local attack vector (AV:L), high attack complexity (AC:H), no privileges required (PR:N), user interaction required (UI:R), scope changed (S:C), no confidentiality impact (C:N), high integrity impact (I:H), and low availability impact (A:L). The vulnerability affects all versions prior to V6.4 HF2 for G220 and S210, and all versions of S200 V6.4. No known exploits are currently reported in the wild, and Siemens has not yet published patch links. Unauthorized resets to factory defaults or configuration changes on these drives could disrupt industrial processes or cause unsafe operating conditions.

Potential Impact

For European organizations, particularly those in manufacturing, energy, and critical infrastructure sectors that rely on Siemens SINAMICS drives, this vulnerability poses a significant risk. Unauthorized factory resets or configuration changes could lead to operational downtime, loss of production, or even physical damage to machinery. Integrity of control systems could be compromised, leading to unsafe states or process deviations. Since these devices are often integrated into larger industrial control systems (ICS) and supervisory control and data acquisition (SCADA) environments, exploitation could cascade, affecting broader operational technology (OT) networks. The medium CVSS score reflects the requirement for local access and user interaction, but the scope change and high integrity impact indicate that successful exploitation could have serious consequences. European industries with high automation levels, such as automotive manufacturing in Germany, chemical plants in the Netherlands, and energy utilities across Scandinavia, could be particularly vulnerable. The lack of confidentiality impact reduces risk of data leakage but does not diminish the threat to operational integrity and availability.

Mitigation Recommendations

Organizations should immediately verify the versions of SINAMICS G220, S200, and S210 drives deployed in their environments. For G220 and S210, prioritize upgrading to V6.4 HF2 or later, where the vulnerability is addressed; for S200 V6.4, where all versions are listed as affected and no fixed version is given here, follow Siemens' guidance. Until patches are applied, strict access controls must be enforced to limit local access to authorized personnel only. Network segmentation should isolate industrial devices from general IT networks to reduce the attack surface. Implement multi-factor authentication and session management controls (for example, terminating sessions and clearing their privileges on logout or timeout) to prevent privilege leakage between sessions. Regularly audit device configurations and logs for unauthorized resets or configuration changes. Employ physical security measures to prevent unauthorized local access. Additionally, Siemens customers should engage with Siemens support for any interim mitigations or firmware updates. Incident response plans should be updated to include detection and response procedures for potential exploitation attempts targeting these devices.


Technical Details

Data Version
5.1
Assigner Short Name
siemens
Date Reserved
2025-04-16T08:20:17.034Z
Cvss Version
3.1
State
PUBLISHED

Threat ID: 68bfec1952647a71632fbd99

Added to database: 9/9/2025, 8:58:01 AM

Last enriched: 9/9/2025, 9:00:17 AM

Last updated: 9/9/2025, 9:35:59 PM

