CVE-2025-40742: CWE-598: Use of GET Request Method With Sensitive Query Strings in Siemens SIPROTEC 5 6MD84 (CP300)
A vulnerability has been identified in SIPROTEC 5 6MD84 (CP300) (All versions), SIPROTEC 5 6MD85 (CP300) (All versions), SIPROTEC 5 6MD86 (CP300) (All versions), SIPROTEC 5 6MD89 (CP300) (All versions), SIPROTEC 5 6MD89 (CP300) V9.6 (All versions), SIPROTEC 5 6MU85 (CP300) (All versions), SIPROTEC 5 7KE85 (CP300) (All versions), SIPROTEC 5 7SA82 (CP100) (All versions), SIPROTEC 5 7SA82 (CP150) (All versions), SIPROTEC 5 7SA86 (CP300) (All versions), SIPROTEC 5 7SA87 (CP300) (All versions), SIPROTEC 5 7SD82 (CP100) (All versions), SIPROTEC 5 7SD82 (CP150) (All versions), SIPROTEC 5 7SD86 (CP300) (All versions), SIPROTEC 5 7SD87 (CP300) (All versions), SIPROTEC 5 7SJ81 (CP100) (All versions), SIPROTEC 5 7SJ81 (CP150) (All versions), SIPROTEC 5 7SJ82 (CP100) (All versions), SIPROTEC 5 7SJ82 (CP150) (All versions), SIPROTEC 5 7SJ85 (CP300) (All versions), SIPROTEC 5 7SJ86 (CP300) (All versions), SIPROTEC 5 7SK82 (CP100) (All versions), SIPROTEC 5 7SK82 (CP150) (All versions), SIPROTEC 5 7SK85 (CP300) (All versions), SIPROTEC 5 7SL82 (CP100) (All versions), SIPROTEC 5 7SL82 (CP150) (All versions), SIPROTEC 5 7SL86 (CP300) (All versions), SIPROTEC 5 7SL87 (CP300) (All versions), SIPROTEC 5 7SS85 (CP300) (All versions), SIPROTEC 5 7ST85 (CP300) (All versions), SIPROTEC 5 7ST86 (CP300) (All versions), SIPROTEC 5 7SX82 (CP150) (All versions), SIPROTEC 5 7SX85 (CP300) (All versions), SIPROTEC 5 7SY82 (CP150) (All versions), SIPROTEC 5 7UM85 (CP300) (All versions), SIPROTEC 5 7UT82 (CP100) (All versions), SIPROTEC 5 7UT82 (CP150) (All versions), SIPROTEC 5 7UT85 (CP300) (All versions), SIPROTEC 5 7UT86 (CP300) (All versions), SIPROTEC 5 7UT87 (CP300) (All versions), SIPROTEC 5 7VE85 (CP300) (All versions), SIPROTEC 5 7VK87 (CP300) (All versions), SIPROTEC 5 7VU85 (CP300) (All versions), SIPROTEC 5 Compact 7SX800 (CP050) (All versions). The affected devices include session identifiers in URL requests for certain functionalities. 
This could allow an attacker to retrieve sensitive session data from browser history, logs, or other storage mechanisms, potentially leading to unauthorized access.
AI Analysis
Technical Summary
CVE-2025-40742 is a medium-severity vulnerability affecting multiple versions of Siemens SIPROTEC 5 devices, including models 6MD84, 6MD85, 6MD86, 6MD89, 6MU85, 7KE85, 7SA82, 7SA86, 7SA87, 7SD82, 7SD86, 7SD87, 7SJ81, 7SJ82, 7SJ85, 7SJ86, 7SK82, 7SK85, 7SL82, 7SL86, 7SL87, 7SS85, 7ST85, 7ST86, 7SX82, 7SX85, 7SY82, 7UM85, 7UT82, 7UT85, 7UT86, 7UT87, 7VE85, 7VK87, 7VU85, and Compact 7SX800. The vulnerability arises from the use of HTTP GET request methods that include sensitive session identifiers within the URL query strings. This practice violates secure session management principles (CWE-598), as URLs containing session tokens can be inadvertently stored in browser history, server logs, or network monitoring tools, exposing sensitive session data to unauthorized parties. An attacker with access to these stored URLs could potentially hijack sessions or gain unauthorized access to device functionalities. The CVSS v3.1 score of 5.3 reflects a medium severity, with network attack vector, high attack complexity, no privileges required, and requiring user interaction. The vulnerability impacts confidentiality but not integrity or availability. No known exploits are currently reported in the wild, and no patches have been linked yet. Given the critical role of SIPROTEC devices in electrical grid protection and automation, exposure of session identifiers could lead to unauthorized control or information disclosure within critical infrastructure environments.
Potential Impact
For European organizations, especially those operating critical infrastructure such as electrical utilities and grid operators, this vulnerability poses a significant risk to the confidentiality of session data used to manage protective relays and automation devices. Unauthorized access could allow attackers to monitor or manipulate grid protection settings, potentially leading to operational disruptions or safety hazards. The exposure of session identifiers in URLs increases the risk of session hijacking, particularly in environments where network traffic or logs are accessible to insiders or external attackers. Given the widespread deployment of Siemens SIPROTEC devices across European power grids, exploitation could have cascading effects on energy distribution reliability and safety. Furthermore, compliance with EU regulations such as NIS2 Directive and GDPR mandates robust protection of critical infrastructure and sensitive data, making this vulnerability a compliance concern as well.
Mitigation Recommendations
Siemens and affected organizations should prioritize the following mitigations:
1) Siemens should release firmware or software updates that eliminate the use of session identifiers in GET request URLs, instead adopting secure session management practices such as storing session tokens in HTTP cookies with Secure and HttpOnly flags.
2) Organizations should audit network traffic and logs to identify exposure of session tokens and implement log management policies to avoid storing sensitive URL data.
3) Network segmentation and strict access controls should be enforced to limit exposure of SIPROTEC device management interfaces to trusted personnel and systems only.
4) Employ network monitoring and anomaly detection to identify unusual access patterns that may indicate session hijacking attempts.
5) Educate operators and administrators to avoid clicking on suspicious links or sharing URLs containing session information.
6) Where possible, implement multi-factor authentication and VPN access to management interfaces to reduce risk from stolen session tokens.
7) Regularly review and update incident response plans to address potential exploitation scenarios involving session hijacking.
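As an added example in the spirit of mitigation 2 (this is not code from the advisory or from Siemens), the scanner below walks web-server access log lines, flags request lines whose query string carries a session-like parameter (the CWE-598 pattern described above), and rewrites those lines so the token itself is not retained. The parameter-name heuristic and the sample log lines are constructed assumptions; the SIPROTEC 5 interface's real parameter names are not on the page.

```python
import re
from urllib.parse import urlsplit, urlunsplit, parse_qsl, urlencode

# Parameter names that commonly carry session identifiers. This is a generic
# assumption for the example, not the names the SIPROTEC 5 web UI uses.
SESSION_PARAM_RE = re.compile(r"(session|sess|sid|token|auth)", re.IGNORECASE)

# Common Log Format: host ident user [time] "METHOD target HTTP/x" status bytes
CLF_RE = re.compile(r'^(?P<host>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] '
                    r'"(?P<method>[A-Z]+) (?P<target>\S+) [^"]+" (?P<status>\d{3}) \S+$')

def find_session_params(target):
    """Return the names of query parameters in a request target that look like
    session identifiers, i.e. tokens exposed via the URL (CWE-598)."""
    query = urlsplit(target).query
    return [k for k, _ in parse_qsl(query, keep_blank_values=True)
            if SESSION_PARAM_RE.search(k)]

def redact_target(target):
    """Replace the value of every session-like parameter with REDACTED so the
    line can still be kept for audit without storing the token."""
    parts = urlsplit(target)
    pairs = [(k, "REDACTED" if SESSION_PARAM_RE.search(k) else v)
             for k, v in parse_qsl(parts.query, keep_blank_values=True)]
    return urlunsplit(parts._replace(query=urlencode(pairs)))

def scan_access_log(lines):
    """Scan CLF lines. Returns (findings, redacted_lines) where each finding is
    (client host, original target, leaked parameter names). The URL is logged
    whatever the method, so any method with a session token in the query is
    reported, not only GET."""
    findings, redacted = [], []
    for line in lines:
        m = CLF_RE.match(line)
        leaked = find_session_params(m["target"]) if m else []
        if leaked:
            findings.append((m["host"], m["target"], leaked))
            line = line.replace(m["target"], redact_target(m["target"]), 1)
        redacted.append(line)
    return findings, redacted

# Constructed sample log lines for the example (not captured from a device).
SAMPLE_LOG = [
    '10.0.0.5 - - [08/Jul/2025:10:39:32 +0000] "GET /status?view=events&sessionid=a1b2c3d4e5f6 HTTP/1.1" 200 512',
    '10.0.0.5 - - [08/Jul/2025:10:39:40 +0000] "GET /status?view=events HTTP/1.1" 200 512',
    '10.0.0.9 - - [08/Jul/2025:10:41:02 +0000] "POST /login HTTP/1.1" 302 0',
]

if __name__ == "__main__":
    hits, cleaned = scan_access_log(SAMPLE_LOG)
    print(f"{len(hits)} request(s) expose a session-like token in the URL")
    for host, target, names in hits:
        print(f"  {host}: {target}  -> parameters {names}")
```

Feed the same scanner the device-side or proxy-side access logs before they are archived; a hit means the token was written to disk and the log retention policy from mitigation 2 applies.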
Affected Countries
Germany, France, Italy, Spain, United Kingdom, Poland, Netherlands, Belgium, Sweden, Norway
Technical Details
- Data Version: 5.1
- Assigner Short Name: siemens
- Date Reserved: 2025-04-16T08:39:30.029Z
- CVSS Version: 3.1
- State: PUBLISHED
Threat ID: 686cf5646f40f0eb72f3f621
Added to database: 7/8/2025, 10:39:32 AM
Last enriched: 7/8/2025, 10:57:03 AM
Last updated: 7/8/2025, 10:57:03 AM