
CVE-2025-40751: CWE-522: Insufficiently Protected Credentials in Siemens SIMATIC RTLS Locating Manager

Medium
Tags: Vulnerability, CVE-2025-40751, cve, cve-2025-40751, cwe-522
Published: Tue Aug 12 2025 (08/12/2025, 11:17:06 UTC)
Source: CVE Database V5
Vendor/Project: Siemens
Product: SIMATIC RTLS Locating Manager

Description

A vulnerability has been identified in SIMATIC RTLS Locating Manager (All versions < V3.3). Affected SIMATIC RTLS Locating Manager Report Clients do not properly protect credentials that are used to authenticate to the server. This could allow an authenticated local attacker to extract the credentials and use them to escalate their access rights from the Manager to the Systemadministrator role.

AI-Powered Analysis

Last updated: 08/20/2025, 01:59:20 UTC

Technical Analysis

CVE-2025-40751 is a medium-severity vulnerability affecting Siemens SIMATIC RTLS Locating Manager in all versions prior to V3.3. It is classified as CWE-522 (Insufficiently Protected Credentials): the SIMATIC RTLS Locating Manager Report Clients do not adequately protect the credentials they use to authenticate to the server. An attacker who already has local, authenticated access to a host running the Report Client can extract those credentials and use them to escalate from the Manager role to the Systemadministrator role, gaining full administrative rights over the system.

The CVSS v3.1 metrics reflect this: the attack vector is local (AV:L), attack complexity is low (AC:L), the attacker needs only low privileges (PR:L), and no user interaction is required (UI:N). The scope is changed (S:C) because credentials stolen from the client grant access to the server, a component outside the one initially compromised. Confidentiality, integrity and availability impacts are each rated low (C:L/I:L/A:L), but the resulting administrative access can lead to a broader compromise than those individual ratings suggest. No exploits are known to be in the wild and no patch link has been recorded in this entry; Siemens reserved the CVE in April 2025 and published it in August 2025. The practical significance of the flaw is that it breaks the trust boundary between user roles: anyone holding a Manager-level account with local access to a Report Client can obtain Systemadministrator control.

Potential Impact

For European organizations using Siemens SIMATIC RTLS Locating Manager, this vulnerability poses a significant risk to operational technology (OT) environments, particularly in industrial automation and manufacturing, where Siemens products are widely deployed. A local, authenticated attacker who escalates to Systemadministrator gains administrative control over the RTLS (Real-Time Locating System) infrastructure and could disrupt asset tracking, production workflows and safety monitoring that depend on it. Confidentiality of operational data could be compromised, and the integrity of location data could be manipulated, leading to erroneous operational decisions. Availability could also be affected if administrative privileges are used to disrupt or disable the system. Given Siemens' strong market presence in Europe, especially in Germany, France, Italy and the UK, the flaw could affect critical infrastructure and manufacturing plants, raising the risk of industrial espionage, sabotage or safety incidents. The requirement for local access with an existing account rules out direct remote exploitation, but insiders, or attackers who have already compromised an internal account or workstation, could exploit it effectively.

Mitigation Recommendations

To mitigate this vulnerability, European organizations should:

1) Identify and inventory all SIMATIC RTLS Locating Manager deployments, verify their versions, and prioritize upgrading to V3.3 or later, the first version Siemens lists as unaffected.
2) Implement strict access controls and monitoring on hosts running the Report Clients to prevent unauthorized local access.
3) Enforce least privilege for all user accounts, and limit Report Client access to trusted personnel who need it.
4) Deploy endpoint security controls that detect and block credential-extraction techniques on those hosts.
5) Segment the RTLS infrastructure from the broader corporate network to reduce the risk of lateral movement.
6) Monitor logs for unusual privilege-escalation attempts or access patterns involving the RTLS Manager, in particular Manager accounts that suddenly perform Systemadministrator actions.
7) Engage Siemens support for any interim patches or workarounds and apply them promptly.
8) Conduct regular security awareness training on credential theft and insider threats.


Technical Details

Data Version
5.1
Assigner Short Name
siemens
Date Reserved
2025-04-16T08:39:30.031Z
Cvss Version
3.1
State
PUBLISHED

Threat ID: 689b2662ad5a09ad003132dc

Added to database: 8/12/2025, 11:32:50 AM

Last enriched: 8/20/2025, 1:59:20 AM

Last updated: 8/21/2025, 4:38:34 PM

