CVE-2025-40753: CWE-312: Cleartext Storage of Sensitive Information in Siemens POWER METER SICAM Q100
A vulnerability has been identified in POWER METER SICAM Q100 (7KG9501-0AA01-0AA1) (All versions >= V2.60 < V2.62), POWER METER SICAM Q100 (7KG9501-0AA01-2AA1) (All versions >= V2.60 < V2.62), POWER METER SICAM Q100 (7KG9501-0AA31-0AA1) (All versions >= V2.60 < V2.62), POWER METER SICAM Q100 (7KG9501-0AA31-2AA1) (All versions >= V2.60 < V2.62), POWER METER SICAM Q200 family (All versions >= V2.70 < V2.80). Affected devices export the password for the SMTP account as plain text in the Configuration File. This could allow an authenticated local attacker to extract it and use the configured SMTP service for arbitrary purposes.
AI Analysis
Technical Summary
CVE-2025-40753 is a medium-severity vulnerability affecting Siemens POWER METER SICAM Q100 and Q200 series devices, specifically versions from V2.60 up to but not including V2.62 for Q100 models and V2.70 up to but not including V2.80 for Q200 models. The vulnerability arises from the cleartext storage of sensitive information, namely the SMTP account password, within the device's configuration file. This flaw corresponds to CWE-312 (Cleartext Storage of Sensitive Information). An authenticated local attacker—meaning someone with access to the device's local interface or network with sufficient privileges—can extract the SMTP password from the configuration file. With this password, the attacker could misuse the SMTP service configured on the device for arbitrary purposes, such as sending unauthorized emails, potentially facilitating phishing, spam campaigns, or further social engineering attacks. The CVSS v3.1 base score is 6.2, indicating a medium severity level. The vector string CVSS:3.1/AV:L/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N indicates that the attack requires local access (AV:L), low attack complexity (AC:L), no privileges required (PR:N), no user interaction (UI:N), unchanged scope (S:U), high confidentiality impact (C:H), but no impact on integrity (I:N) or availability (A:N). This suggests that while the attacker does not need elevated privileges, they must have local network or device access to exploit the vulnerability. No known exploits are currently reported in the wild, and no patches are linked yet, indicating that mitigation may rely on configuration changes or vendor updates once available.
Potential Impact
For European organizations, especially those in critical infrastructure sectors such as energy and utilities, this vulnerability poses a significant risk. Siemens POWER METER SICAM devices are commonly deployed in electrical grid monitoring and management. Unauthorized access to SMTP credentials could allow attackers to send fraudulent emails from trusted devices, potentially leading to phishing attacks targeting internal staff or partners, spreading malware, or disrupting communication channels. While the vulnerability does not directly compromise device integrity or availability, the confidentiality breach could facilitate lateral movement or social engineering attacks within the organization. Given the strategic importance of energy infrastructure in Europe and the increasing targeting of industrial control systems by threat actors, exploitation of this vulnerability could undermine operational security and trust. Additionally, compliance with GDPR and other data protection regulations may be impacted if sensitive information is leaked or used maliciously. The requirement for local access somewhat limits the attack surface but does not eliminate risk, especially in environments where network segmentation or access controls are insufficient.
Mitigation Recommendations
Organizations should immediately audit their Siemens POWER METER SICAM Q100 and Q200 devices to identify affected versions (Q100 versions >= V2.60 and < V2.62; Q200 versions >= V2.70 and < V2.80). Until Siemens releases official patches, the following specific mitigations are recommended:
1) Restrict local network access to these devices strictly to authorized personnel and systems using network segmentation and firewall rules.
2) Change SMTP account passwords regularly and avoid reusing credentials across devices or services.
3) Monitor SMTP traffic originating from these devices for unusual patterns or unauthorized email sending.
4) Encrypt configuration files if possible or store sensitive credentials in secure vaults rather than plaintext configuration files.
5) Implement multi-factor authentication and strong access controls on device management interfaces to prevent unauthorized local access.
6) Engage with Siemens support channels to obtain updates or patches as soon as they become available and plan for timely deployment.
7) Conduct employee awareness training to recognize phishing attempts that may leverage compromised SMTP credentials.
These steps go beyond generic advice by focusing on access control, credential management, and monitoring specific to the affected Siemens devices and the nature of the vulnerability.
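One way to run the version audit described above against an asset inventory, as an added example that is not part of the original advisory or of any Siemens tool. The CSV column names, host names and sample rows are constructed for illustration; the order numbers and version ranges are the ones listed in the description, and version components are assumed to compare numerically.

```python
import csv
import io
import re

# Order numbers and half-open version ranges [low, high) from the advisory text.
Q100_MLFBS = {"7KG9501-0AA01-0AA1", "7KG9501-0AA01-2AA1",
              "7KG9501-0AA31-0AA1", "7KG9501-0AA31-2AA1"}
AFFECTED = {"Q100": ((2, 60), (2, 62)), "Q200": ((2, 70), (2, 80))}

# Constructed sample inventory; hosts and column names are hypothetical.
SAMPLE_INVENTORY = """host,model,mlfb,firmware
meter-01,SICAM Q100,7KG9501-0AA01-0AA1,V2.60
meter-02,SICAM Q100,7KG9501-0AA31-2AA1,V2.62
meter-03,SICAM Q200,,V2.71.3
meter-04,SICAM Q200,,V2.80
meter-05,SICAM Q100,7KG9501-0AA01-2AA1,not recorded
meter-06,SICAM Q100,7KG9501-0AA01-0AA1,V2.50
meter-07,OTHER-METER,,V2.61
"""

def parse_version(text):
    """'V2.61.1' -> (2, 61, 1); None when the string is not a version."""
    match = re.fullmatch(r"[Vv]?(\d+(?:\.\d+)+)", text.strip())
    return tuple(int(p) for p in match.group(1).split(".")) if match else None

def family_of(row):
    """Map an inventory row to an advisory product family, or None."""
    if row["mlfb"].strip().upper() in Q100_MLFBS:
        return "Q100"
    if "Q200" in row["model"].upper():
        return "Q200"
    return None

def classify(row):
    family = family_of(row)
    if family is None:
        return "not-listed"
    version = parse_version(row["firmware"])
    if version is None:
        return "unknown-version"  # needs a manual check, never assumed safe
    low, high = AFFECTED[family]
    return "affected" if low <= version < high else "not-affected"

def audit(csv_text):
    """Return {host: status} for every row of the inventory CSV."""
    reader = csv.DictReader(io.StringIO(csv_text))
    return {row["host"]: classify(row) for row in reader}
```

Devices reported as `unknown-version` should be checked by hand and, like the affected ones, have their SMTP account password rotated once the firmware state is known.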
Affected Countries
Germany, France, Italy, Spain, United Kingdom, Netherlands, Belgium, Poland, Sweden, Finland
Technical Details
- Data Version: 5.1
- Assigner Short Name: siemens
- Date Reserved: 2025-04-16T08:39:30.031Z
- CVSS Version: 3.1
- State: PUBLISHED
Threat ID: 689b2662ad5a09ad003132e2
Added to database: 8/12/2025, 11:32:50 AM
Last enriched: 8/20/2025, 1:59:45 AM
Last updated: 10/7/2025, 1:50:02 PM