CVE-2025-40742: CWE-598: Use of GET Request Method With Sensitive Query Strings in Siemens SIPROTEC 5 6MD84 (CP300)
A vulnerability has been identified in SIPROTEC 5 6MD84 (CP300) (All versions), SIPROTEC 5 6MD85 (CP300) (All versions), SIPROTEC 5 6MD86 (CP300) (All versions), SIPROTEC 5 6MD89 (CP300) (All versions), SIPROTEC 5 6MD89 (CP300) V9.6 (All versions), SIPROTEC 5 6MU85 (CP300) (All versions), SIPROTEC 5 7KE85 (CP300) (All versions), SIPROTEC 5 7SA82 (CP100) (All versions), SIPROTEC 5 7SA82 (CP150) (All versions), SIPROTEC 5 7SA86 (CP300) (All versions), SIPROTEC 5 7SA87 (CP300) (All versions), SIPROTEC 5 7SD82 (CP100) (All versions), SIPROTEC 5 7SD82 (CP150) (All versions), SIPROTEC 5 7SD86 (CP300) (All versions), SIPROTEC 5 7SD87 (CP300) (All versions), SIPROTEC 5 7SJ81 (CP100) (All versions), SIPROTEC 5 7SJ81 (CP150) (All versions), SIPROTEC 5 7SJ82 (CP100) (All versions), SIPROTEC 5 7SJ82 (CP150) (All versions), SIPROTEC 5 7SJ85 (CP300) (All versions), SIPROTEC 5 7SJ86 (CP300) (All versions), SIPROTEC 5 7SK82 (CP100) (All versions), SIPROTEC 5 7SK82 (CP150) (All versions), SIPROTEC 5 7SK85 (CP300) (All versions), SIPROTEC 5 7SL82 (CP100) (All versions), SIPROTEC 5 7SL82 (CP150) (All versions), SIPROTEC 5 7SL86 (CP300) (All versions), SIPROTEC 5 7SL87 (CP300) (All versions), SIPROTEC 5 7SS85 (CP300) (All versions), SIPROTEC 5 7ST85 (CP300) (All versions), SIPROTEC 5 7ST86 (CP300) (All versions), SIPROTEC 5 7SX82 (CP150) (All versions), SIPROTEC 5 7SX85 (CP300) (All versions), SIPROTEC 5 7SY82 (CP150) (All versions), SIPROTEC 5 7UM85 (CP300) (All versions), SIPROTEC 5 7UT82 (CP100) (All versions), SIPROTEC 5 7UT82 (CP150) (All versions), SIPROTEC 5 7UT85 (CP300) (All versions), SIPROTEC 5 7UT86 (CP300) (All versions), SIPROTEC 5 7UT87 (CP300) (All versions), SIPROTEC 5 7VE85 (CP300) (All versions), SIPROTEC 5 7VK87 (CP300) (All versions), SIPROTEC 5 7VU85 (CP300) (All versions), SIPROTEC 5 Compact 7SX800 (CP050) (All versions). The affected devices include session identifiers in URL requests for certain functionalities. 
This could allow an attacker to retrieve sensitive session data from browser history, logs, or other storage mechanisms, potentially leading to unauthorized access.
AI Analysis
Technical Summary
CVE-2025-40742 is a medium-severity vulnerability affecting multiple versions of Siemens SIPROTEC 5 devices, specifically models including but not limited to 6MD84 (CP300), 6MD85, 7SA82, 7SD82, 7SJ81, 7SK82, 7SL82, 7ST85, 7SX82, 7UT82, 7VE85, and Compact 7SX800 (CP050). These devices are widely used in electrical power protection and automation systems. The vulnerability arises from the use of the HTTP GET request method to transmit sensitive session identifiers within URL query strings. This practice is classified under CWE-598, which highlights the risk of sensitive data exposure through URL parameters. Because URLs can be logged in browser history, server logs, proxy logs, and other monitoring tools, session identifiers embedded in URLs can be inadvertently exposed to unauthorized parties. An attacker who gains access to these logs or browser histories could extract session tokens and potentially hijack active sessions, leading to unauthorized access to the device's management interfaces or control functions. The CVSS v3.1 base score of 5.3 reflects a medium severity, with network attack vector (AV:N), high attack complexity (AC:H), no privileges required (PR:N), and user interaction required (UI:R). The impact is primarily on confidentiality (C:H), with no direct impact on integrity or availability. No known exploits are currently reported in the wild, and no patches have been linked yet. The vulnerability affects all versions of the listed devices, indicating a systemic design issue in how session management is handled in the affected Siemens SIPROTEC 5 products. Given the critical role of these devices in power grid protection and automation, unauthorized access could have serious operational consequences if exploited.
Potential Impact
For European organizations, especially those operating critical infrastructure such as electrical utilities and grid operators, this vulnerability poses a significant confidentiality risk. Unauthorized access to SIPROTEC 5 devices could allow attackers to monitor or manipulate protection settings, potentially leading to misoperation or failure to respond correctly to grid faults. Although the vulnerability does not directly affect integrity or availability, session hijacking could be a stepping stone for more advanced attacks or lateral movement within industrial control networks. The exposure of session identifiers in URLs increases the risk of credential leakage through routine network monitoring, browser history, or log file access. European power utilities are often subject to strict regulatory requirements for cybersecurity under frameworks like NIS2 and the EU Cybersecurity Act, making mitigation of such vulnerabilities critical to maintaining compliance and operational security. The medium severity score suggests that while exploitation requires user interaction and has high complexity, the potential impact on confidentiality and the critical nature of the affected systems warrant prompt attention.
Mitigation Recommendations
1. Siemens and affected organizations should prioritize the development and deployment of patches or firmware updates that eliminate the use of GET requests for transmitting session identifiers, switching instead to more secure methods such as HTTP POST or using secure cookies with appropriate flags (HttpOnly, Secure).
2. Network segmentation should be enforced to isolate SIPROTEC devices from general IT networks and limit access to trusted administrators only.
3. Implement strict access controls and multi-factor authentication (MFA) for device management interfaces to reduce the risk of unauthorized access even if session tokens are compromised.
4. Regularly audit and sanitize logs and browser histories to minimize the retention of sensitive URL data.
5. Employ network monitoring and anomaly detection to identify unusual access patterns or session hijacking attempts.
6. Educate operators and administrators on the risks of session token exposure and safe browsing practices when accessing device management portals.
7. Where possible, use VPNs or encrypted tunnels for remote access to SIPROTEC devices to protect session data in transit.
8. Review and update incident response plans to include scenarios involving session hijacking or unauthorized access to industrial control systems.
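Recommendations 4 and 5 above (sanitize retained logs; monitor for exposed session material) can be partly automated on the proxy or web-server side. The following is an added example, not Siemens code and not tied to any real SIPROTEC endpoint: it scans combined-format access-log lines for query parameters whose names suggest a session identifier (the `SENSITIVE_PARAMS` list and the sample log lines are constructed assumptions), reports which lines carry one, and returns a copy of the log with those values redacted so the identifier is not retained.

```python
"""Find and redact session identifiers carried in URL query strings (CWE-598).

Added example for log hygiene; not part of the advisory or any vendor code.
Parameter names and the sample log lines are constructed for illustration.
"""
import re
from urllib.parse import parse_qsl, urlencode, urlsplit, urlunsplit

# Assumed (hypothetical) parameter names that commonly carry session material.
SENSITIVE_PARAMS = {"sessionid", "session_id", "sid", "jsessionid", "phpsessid", "token"}

# Combined-log style: client ident user [timestamp] "METHOD target protocol" status bytes
LOG_RE = re.compile(
    r'^(?P<prefix>\S+ \S+ \S+ \[[^\]]+\] ")(?P<method>[A-Z]+) (?P<target>\S+) (?P<rest>.*)$'
)


def find_sensitive_params(target):
    """Return the sorted names of query parameters in `target` that look like session ids."""
    query = urlsplit(target).query
    return sorted({name for name, _ in parse_qsl(query, keep_blank_values=True)
                   if name.lower() in SENSITIVE_PARAMS})


def redact_target(target):
    """Return `target` with the values of sensitive query parameters replaced by a marker."""
    parts = urlsplit(target)
    pairs = [(name, "REDACTED" if name.lower() in SENSITIVE_PARAMS else value)
             for name, value in parse_qsl(parts.query, keep_blank_values=True)]
    return urlunsplit(parts._replace(query=urlencode(pairs)))


def scan_log_line(line):
    """Return (sanitized line, flagged parameter names) for one access-log line.

    Lines that do not match the expected format are passed through unchanged.
    """
    m = LOG_RE.match(line)
    if not m:
        return line, []
    flagged = find_sensitive_params(m.group("target"))
    if not flagged:
        return line, []
    sanitized = (f'{m.group("prefix")}{m.group("method")} '
                 f'{redact_target(m.group("target"))} {m.group("rest")}')
    return sanitized, flagged


def scan_log(lines):
    """Scan a sequence of log lines; return (sanitized lines, [(line number, flagged names)])."""
    sanitized, findings = [], []
    for number, line in enumerate(lines, 1):
        new_line, flagged = scan_log_line(line)
        sanitized.append(new_line)
        if flagged:
            findings.append((number, flagged))
    return sanitized, findings


# Constructed sample lines; not real device traffic.
SAMPLE_LOG = [
    '10.0.0.5 - - [08/Jul/2025:10:39:32 +0000] "GET /status?view=events HTTP/1.1" 200 512',
    '10.0.0.5 - - [08/Jul/2025:10:39:40 +0000] "GET /settings?sessionid=3f9a1c&page=2 HTTP/1.1" 200 2048',
    '10.0.0.7 - - [08/Jul/2025:10:40:01 +0000] "POST /login HTTP/1.1" 302 0',
]

if __name__ == "__main__":
    clean, hits = scan_log(SAMPLE_LOG)
    for number, names in hits:
        print(f"line {number}: session material in query string: {', '.join(names)}")
    print("\n".join(clean))
```

Run against a real log export, the `findings` list tells you which requests carried a session identifier in the URL (and therefore how far the exposure reaches: every proxy, browser and log collector on that path), while the sanitized copy is what should be retained. The parameter-name list is a heuristic; extend it to match the names the affected product actually uses once those are known from packet captures or vendor documentation.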
Affected Countries
Germany, France, United Kingdom, Italy, Spain, Poland, Netherlands, Belgium, Sweden, Czech Republic
Technical Details
- Data Version: 5.1
- Assigner Short Name: siemens
- Date Reserved: 2025-04-16T08:39:30.029Z
- CVSS Version: 3.1
- State: PUBLISHED
Threat ID: 686cf5646f40f0eb72f3f621
Added to database: 7/8/2025, 10:39:32 AM
Last enriched: 7/15/2025, 10:01:22 PM
Last updated: 8/20/2025, 6:51:13 PM