
CVE-2025-40753: CWE-312: Cleartext Storage of Sensitive Information in Siemens POWER METER SICAM Q100

Severity: Medium
Type: Vulnerability
Tags: CVE-2025-40753, cve, cve-2025-40753, cwe-312
Published: Tue Aug 12 2025 (08/12/2025, 11:17:09 UTC)
Source: CVE Database V5
Vendor/Project: Siemens
Product: POWER METER SICAM Q100

Description

A vulnerability has been identified in POWER METER SICAM Q100 (7KG9501-0AA01-0AA1) (All versions >= V2.60 < V2.62), POWER METER SICAM Q100 (7KG9501-0AA01-2AA1) (All versions >= V2.60 < V2.62), POWER METER SICAM Q100 (7KG9501-0AA31-0AA1) (All versions >= V2.60 < V2.62), POWER METER SICAM Q100 (7KG9501-0AA31-2AA1) (All versions >= V2.60 < V2.62), POWER METER SICAM Q200 family (All versions >= V2.70 < V2.80). Affected devices export the password for the SMTP account as plain text in the Configuration File. This could allow an authenticated local attacker to extract it and use the configured SMTP service for arbitrary purposes.

AI-Powered Analysis

Last updated: 08/20/2025, 01:59:45 UTC

Technical Analysis

CVE-2025-40753 is a medium-severity vulnerability affecting Siemens POWER METER SICAM Q100 and Q200 series devices, specifically versions from V2.60 up to but not including V2.62 for Q100 models and V2.70 up to but not including V2.80 for Q200 models. The vulnerability arises from the cleartext storage of sensitive information, namely the SMTP account password, which is exported in the device's configuration file. This flaw corresponds to CWE-312 (Cleartext Storage of Sensitive Information).

An authenticated local attacker (someone with access to the device's local interface or network with sufficient privileges) can extract the SMTP password from the configuration file. With this password, the attacker could misuse the SMTP service configured on the device for arbitrary purposes, such as sending unauthorized emails, potentially facilitating phishing, spam campaigns, or further social engineering attacks.

The CVSS v3.1 base score is 6.2, indicating a medium severity level. The vector string CVSS:3.1/AV:L/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N indicates that the attack requires local access (AV:L), low attack complexity (AC:L), no privileges required (PR:N), no user interaction (UI:N), unchanged scope (S:U), high confidentiality impact (C:H), but no impact on integrity (I:N) or availability (A:N). This suggests that while the attacker does not need elevated privileges, they must have local network or device access to exploit the vulnerability. Note that the vector scores PR:N although the description refers to an authenticated attacker.

No known exploits are currently reported in the wild, and no patches are linked yet, indicating that mitigation may rely on configuration changes or vendor updates once available.

Potential Impact

For European organizations, especially those in critical infrastructure sectors such as energy and utilities, this vulnerability poses a significant risk. Siemens POWER METER SICAM devices are commonly deployed in electrical grid monitoring and management. Unauthorized access to SMTP credentials could allow attackers to send fraudulent emails from trusted devices, potentially leading to phishing attacks targeting internal staff or partners, spreading malware, or disrupting communication channels. While the vulnerability does not directly compromise device integrity or availability, the confidentiality breach could facilitate lateral movement or social engineering attacks within the organization. Given the strategic importance of energy infrastructure in Europe and the increasing targeting of industrial control systems by threat actors, exploitation of this vulnerability could undermine operational security and trust. Additionally, compliance with GDPR and other data protection regulations may be impacted if sensitive information is leaked or used maliciously. The requirement for local access somewhat limits the attack surface but does not eliminate risk, especially in environments where network segmentation or access controls are insufficient.

Mitigation Recommendations

Organizations should immediately audit their Siemens POWER METER SICAM Q100 and Q200 devices to identify affected versions (Q100 versions >= V2.60 and < V2.62; Q200 versions >= V2.70 and < V2.80). Until Siemens releases official patches, the following specific mitigations are recommended:

1) Restrict local network access to these devices strictly to authorized personnel and systems using network segmentation and firewall rules.
2) Change SMTP account passwords regularly and avoid reusing credentials across devices or services.
3) Monitor SMTP traffic originating from these devices for unusual patterns or unauthorized email sending.
4) Encrypt configuration files if possible or store sensitive credentials in secure vaults rather than plaintext configuration files.
5) Implement multi-factor authentication and strong access controls on device management interfaces to prevent unauthorized local access.
6) Engage with Siemens support channels to obtain updates or patches as soon as they become available and plan for timely deployment.
7) Conduct employee awareness training to recognize phishing attempts that may leverage compromised SMTP credentials.

These steps go beyond generic advice by focusing on access control, credential management, and monitoring specific to the affected Siemens devices and the nature of the vulnerability.
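The audit step above can be scripted against an asset inventory. The following Python is an added example, not part of the advisory or of any Siemens tooling; it applies the affected ranges and Q100 order numbers listed in the description. The CSV layout, the host names and the `SICAM Q200` product string are assumptions.

```python
import csv
import io
import re

# Q100 order numbers and affected ranges [low, high) as stated in the advisory.
Q100_ORDER_NUMBERS = {
    "7KG9501-0AA01-0AA1", "7KG9501-0AA01-2AA1",
    "7KG9501-0AA31-0AA1", "7KG9501-0AA31-2AA1",
}
AFFECTED = {"Q100": ((2, 60), (2, 62)), "Q200": ((2, 70), (2, 80))}

def parse_version(text):
    """'V2.61' or '2.61.03' -> (2, 61); None if the string is unparseable."""
    m = re.fullmatch(r"\s*[Vv]?(\d+)\.(\d+)(?:\.\d+)*\s*", text or "")
    return (int(m.group(1)), int(m.group(2))) if m else None

def product_line(product):
    """Map an inventory product string to 'Q100', 'Q200' or None."""
    p = product.strip().upper()
    if p in Q100_ORDER_NUMBERS:
        return "Q100"
    if "Q200" in p:  # assumption: Q200 family rows carry 'Q200' in the name
        return "Q200"
    return None

def classify(product, firmware):
    line = product_line(product)
    if line is None:
        return "not-in-scope"
    version = parse_version(firmware)
    if version is None:
        return "unknown-version"  # needs a manual check; never assume safe
    low, high = AFFECTED[line]
    return "affected" if low <= version < high else "not-affected"

def audit(csv_text):
    """Return {host: status} for every row of the inventory CSV."""
    rows = csv.DictReader(io.StringIO(csv_text))
    return {r["host"]: classify(r["product"], r["firmware"]) for r in rows}

# Constructed sample inventory (host names and layout are hypothetical).
SAMPLE = """host,product,firmware
meter-a,7KG9501-0AA01-0AA1,V2.60
meter-b,7KG9501-0AA31-2AA1,V2.62
meter-c,SICAM Q200,2.75.01
meter-d,SICAM Q200,V2.80
meter-e,7KG9501-0AA01-2AA1,unknown
meter-f,7KG9501-0AA01-0AA1,V2.50
"""

if __name__ == "__main__":
    for host, status in audit(SAMPLE).items():
        print(f"{host}: {status}")
```

Rows reported as `unknown-version` should be resolved by reading the firmware version from the device itself before they are treated as unaffected.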


Technical Details

Data Version: 5.1
Assigner Short Name: siemens
Date Reserved: 2025-04-16T08:39:30.031Z
CVSS Version: 3.1
State: PUBLISHED

Threat ID: 689b2662ad5a09ad003132e2

Added to database: 8/12/2025, 11:32:50 AM

Last enriched: 8/20/2025, 1:59:45 AM

Last updated: 8/20/2025, 1:59:45 AM
