
CVE-2025-40759: CWE-502: Deserialization of Untrusted Data in Siemens SIMATIC S7-PLCSIM V17

Severity: High
Tags: Vulnerability, CVE-2025-40759, CWE-502
Published: Tue Aug 12 2025 (08/12/2025, 11:17:10 UTC)
Source: CVE Database V5
Vendor/Project: Siemens
Product: SIMATIC S7-PLCSIM V17

Description

CVE-2025-40759 is a high-severity deserialization vulnerability affecting multiple Siemens industrial automation software products, including SIMATIC S7-PLCSIM V17 and various versions of SIMATIC STEP 7, WinCC, SIMOCODE ES, SIMOTION SCOUT TIA, SINAMICS Startdrive, SIRIUS Safety ES, SIRIUS Soft Starter ES, and TIA Portal Cloud. The flaw arises from improper sanitization of stored security properties when project files are parsed; the resulting type confusion allows arbitrary code execution within the affected application. Exploitation requires local access and user interaction but no privileges, so the risk is greatest in environments where project files can be manipulated or are imported from untrusted sources. The vulnerability affects the confidentiality, integrity, and availability of critical industrial control systems. No exploits are currently reported in the wild. European organizations running Siemens automation software in manufacturing, energy, and infrastructure are particularly exposed. Mitigation consists of applying Siemens updates when they become available, restricting the sources from which project files are accepted, and enforcing strict access controls on engineering workstations. Countries with strong industrial bases and high Siemens market penetration, such as Germany, France, Italy, and the UK, are the most likely to be affected.

AI-Powered Analysis

AI analysis last updated: 12/16/2025, 11:46:05 UTC

Technical Analysis

CVE-2025-40759 is a deserialization vulnerability classified under CWE-502 that is present in a broad range of Siemens industrial automation software products, notably SIMATIC S7-PLCSIM V17 and multiple versions of SIMATIC STEP 7, WinCC, SIMOCODE ES, SIMOTION SCOUT TIA, SINAMICS Startdrive, SIRIUS Safety ES, SIRIUS Soft Starter ES, and TIA Portal Cloud. The root cause is improper sanitization of stored security properties during the parsing of project files, which leads to type confusion. An attacker who controls a project file can turn that type confusion into arbitrary code execution in the context of the affected application. The vulnerability has a CVSS v3.1 base score of 7.8 (high severity): attack vector local (AV:L), low attack complexity (AC:L), no privileges required (PR:N), user interaction required (UI:R), scope unchanged (S:U), and high impact on confidentiality, integrity, and availability (C:H/I:H/A:H). Exploitation therefore depends on a user opening or importing a maliciously crafted project file, which could be delivered through social engineering or by an insider. The affected products are widely used in industrial control systems (ICS) and manufacturing execution systems (MES), which are central to operational technology (OT) environments. No public exploits or active exploitation have been reported yet, but given the nature of the affected software the potential for severe operational disruption and data compromise is significant. Siemens has not yet published patches for all affected versions, which makes interim mitigations important.

Potential Impact

The vulnerability poses a substantial risk to European organizations relying on Siemens industrial automation software, particularly in manufacturing, energy, utilities, transportation, and critical infrastructure. Successful exploitation could lead to arbitrary code execution, which would allow an attacker to manipulate control logic, disrupt industrial processes, exfiltrate sensitive operational data, or cause denial-of-service conditions. The consequences could include production downtime, safety incidents, financial losses, and reputational damage. The requirement for local access and user interaction limits remote exploitation but does not eliminate the risk, especially where engineering workstations are shared or routinely receive files from untrusted sources. Given Siemens' strong market presence in Europe, the vulnerability could affect a large number of industrial sites, raising the potential for widespread operational impact and cascading effects on supply chains and critical services.

Mitigation Recommendations

Organizations should immediately implement strict controls on the handling and transfer of project files, ensuring that only trusted and verified files are opened in the affected Siemens software. Engineering workstations should be isolated from untrusted networks and run with limited user privileges to reduce the impact of exploitation. Siemens updates and patches should be applied promptly once available, and Siemens security advisories should be monitored for new releases. Network segmentation between IT and OT environments should be enforced to limit lateral movement. Application whitelisting and endpoint detection and response (EDR) tooling on engineering systems can detect anomalous behavior indicative of exploitation. Regular backups of project files and system configurations should be maintained to enable recovery. User training on the risks of opening untrusted files reduces the likelihood of a successful social engineering attack. Finally, consider using virtualized or sandboxed environments for testing and importing project files so that any malicious activity is contained.


Technical Details

Data Version: 5.1
Assigner Short Name: siemens
Date Reserved: 2025-04-16T08:39:30.031Z
CVSS Version: 3.1
State: PUBLISHED

Threat ID: 689b2662ad5a09ad003132f3

Added to database: 8/12/2025, 11:32:50 AM

Last enriched: 12/16/2025, 11:46:05 AM

Last updated: 1/20/2026, 6:29:02 PM

