
CVE-2025-40752: CWE-312: Cleartext Storage of Sensitive Information in Siemens POWER METER SICAM Q100

Medium
Tags: Vulnerability, CVE-2025-40752, CWE-312
Published: Tue Aug 12 2025 (08/12/2025, 11:17:07 UTC)
Source: CVE Database V5
Vendor/Project: Siemens
Product: POWER METER SICAM Q100

Description

A vulnerability has been identified in POWER METER SICAM Q100 (7KG9501-0AA01-0AA1) (All versions >= V2.60 < V2.62), POWER METER SICAM Q100 (7KG9501-0AA01-2AA1) (All versions >= V2.60 < V2.62), POWER METER SICAM Q100 (7KG9501-0AA31-0AA1) (All versions >= V2.60 < V2.62), POWER METER SICAM Q100 (7KG9501-0AA31-2AA1) (All versions >= V2.60 < V2.62), POWER METER SICAM Q200 family (All versions >= V2.70 < V2.80). Affected devices store the password for the SMTP account as plain text. This could allow an authenticated local attacker to extract it and use the configured SMTP service for arbitrary purposes.

AI-Powered Analysis

Last updated: 08/20/2025, 01:59:33 UTC

Technical Analysis

CVE-2025-40752 is a medium-severity vulnerability affecting Siemens POWER METER SICAM Q100 and Q200 family devices, specifically versions from V2.60 up to but not including V2.62 for the Q100 models and versions from V2.70 up to but not including V2.80 for the Q200 family. The vulnerability arises from the cleartext storage of the SMTP account password in the device's firmware or configuration, which corresponds to CWE-312 (Cleartext Storage of Sensitive Information). An authenticated local attacker, that is, someone who already has access to the device's local interface, can read the stored SMTP password in plaintext. With that password, the attacker can use the SMTP service configured on the device for arbitrary purposes, such as sending unauthorized email, which could enable phishing campaigns, spam distribution, or further social engineering. The CVSS v3.1 base score is 6.2, a medium severity level. The vector indicates that the attack requires local access (AV:L), low attack complexity (AC:L), no privileges (PR:N) and no user interaction (UI:N), and that the impact is limited to confidentiality (C:H) with no integrity or availability impact. No exploits in the wild have been reported, and no patches are currently linked, so mitigation may depend on vendor intervention or manual configuration changes. Siemens POWER METER SICAM devices are used in industrial and utility environments for power metering and monitoring, which makes protecting stored credentials critical to preventing misuse or lateral movement within operational technology (OT) networks.

Potential Impact

For European organizations, especially those in the energy, utilities, and industrial sectors, this vulnerability poses a significant risk to operational security. Siemens SICAM devices are widely deployed across Europe for power metering and grid management. If an attacker with local access extracts SMTP credentials, they could leverage the mail service to send malicious emails internally or externally, potentially leading to phishing attacks or spreading malware. This could undermine trust in operational communications and facilitate further attacks on critical infrastructure. Although the vulnerability does not directly affect system integrity or availability, the compromise of SMTP credentials can be a stepping stone for broader attacks, including social engineering or lateral movement within OT and IT networks. Given the strategic importance of energy infrastructure in Europe, exploitation could have cascading effects on service reliability and regulatory compliance, especially under frameworks like NIS2. The requirement for local access somewhat limits the attack surface but does not eliminate risk, as insider threats or attackers who have breached perimeter defenses could exploit this vulnerability.

Mitigation Recommendations

European organizations should take the following specific actions:

1) Immediately audit Siemens SICAM Q100 and Q200 devices to identify affected firmware versions (V2.60 to <V2.62 for Q100, V2.70 to <V2.80 for Q200).
2) Restrict local access to these devices strictly, employing network segmentation and strong access controls to prevent unauthorized physical or network-level access.
3) Where possible, change SMTP account passwords and verify whether the device allows storing credentials in encrypted form or supports alternative authentication mechanisms.
4) Monitor SMTP traffic originating from these devices for unusual patterns or unauthorized email sending.
5) Engage with Siemens support to obtain firmware updates or patches that address this vulnerability once available.
6) Implement strict logging and alerting on device access and configuration changes to detect potential exploitation attempts.
7) Train operational staff on the risks of local credential exposure and enforce policies to minimize insider threat risks.
8) Consider deploying compensating controls such as network-level SMTP filtering or outbound mail restrictions to limit the impact of compromised credentials.
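For step 1, an inventory check that applies the advisory's version ranges and Q100 article numbers, added here as an illustration and not taken from Siemens or the advisory. The CSV inventory, its column names and all hostnames are constructed; the advisory lists no Q200 article numbers, so those are left blank.

```python
import csv
import io

# Affected ranges from the advisory: family -> (min inclusive, max exclusive).
AFFECTED = {
    "SICAM Q100": ((2, 60), (2, 62)),
    "SICAM Q200": ((2, 70), (2, 80)),
}
# Article numbers the advisory lists for the affected Q100 models.
Q100_ARTICLES = {"7KG9501-0AA01-0AA1", "7KG9501-0AA01-2AA1",
                 "7KG9501-0AA31-0AA1", "7KG9501-0AA31-2AA1"}


def parse_version(text: str) -> tuple:
    """'V2.60' -> (2, 60). Siemens uses a two-digit minor, so '2.6' is padded to 60."""
    major, minor = text.strip().upper().lstrip("V").split(".", 1)
    return int(major), int(minor.ljust(2, "0")[:2])


def is_affected(family: str, version: str) -> bool:
    """True when the firmware version falls inside the family's affected range."""
    rng = AFFECTED.get(family)
    if rng is None:
        return False
    lo, hi = rng
    return lo <= parse_version(version) < hi


def audit(inventory_csv: str) -> list:
    """Return (hostname, family, article, firmware) for every device in an affected range."""
    hits = []
    for row in csv.DictReader(io.StringIO(inventory_csv)):
        family = row["family"]
        # A listed Q100 article number pins the family regardless of what the inventory says.
        if row["article"] in Q100_ARTICLES:
            family = "SICAM Q100"
        if is_affected(family, row["firmware"]):
            hits.append((row["hostname"], family, row["article"], row["firmware"]))
    return hits


# Constructed sample inventory (hostnames, assignments and versions are made up).
SAMPLE_INVENTORY = """hostname,family,article,firmware
pm-substation-01,SICAM Q100,7KG9501-0AA01-0AA1,V2.60
pm-substation-02,SICAM Q100,7KG9501-0AA31-2AA1,V2.62
pm-feeder-07,SICAM Q200,,V2.71
pm-feeder-08,SICAM Q200,,V2.80
pm-legacy-03,SICAM Q100,7KG9501-0AA01-2AA1,V2.50
"""

if __name__ == "__main__":
    for hit in audit(SAMPLE_INVENTORY):
        print("affected:", *hit)
```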


Technical Details

Data Version
5.1
Assigner Short Name
siemens
Date Reserved
2025-04-16T08:39:30.031Z
Cvss Version
3.1
State
PUBLISHED

Threat ID: 689b2662ad5a09ad003132df

Added to database: 8/12/2025, 11:32:50 AM

Last enriched: 8/20/2025, 1:59:33 AM

Last updated: 8/20/2025, 1:59:33 AM
