CVE-2025-40759: CWE-502: Deserialization of Untrusted Data in Siemens SIMATIC S7-PLCSIM V17
A vulnerability has been identified in SIMATIC S7-PLCSIM V17 (All versions), SIMATIC STEP 7 V17 (All versions), SIMATIC STEP 7 V18 (All versions), SIMATIC STEP 7 V19 (All versions < V19 Update 4), SIMATIC STEP 7 V20 (All versions < V20 Update 4), SIMATIC WinCC V17 (All versions), SIMATIC WinCC V18 (All versions), SIMATIC WinCC V19 (All versions < V19 Update 4), SIMATIC WinCC V20 (All versions < V20 Update 4), SIMOCODE ES V17 (All versions), SIMOCODE ES V18 (All versions), SIMOCODE ES V19 (All versions), SIMOCODE ES V20 (All versions), SIMOTION SCOUT TIA V5.4 (All versions), SIMOTION SCOUT TIA V5.5 (All versions), SIMOTION SCOUT TIA V5.6 (All versions < V5.6 SP1 HF7), SIMOTION SCOUT TIA V5.7 (All versions), SINAMICS Startdrive V17 (All versions), SINAMICS Startdrive V18 (All versions), SINAMICS Startdrive V19 (All versions), SINAMICS Startdrive V20 (All versions), SIRIUS Safety ES V17 (TIA Portal) (All versions), SIRIUS Safety ES V18 (TIA Portal) (All versions), SIRIUS Safety ES V19 (TIA Portal) (All versions), SIRIUS Safety ES V20 (TIA Portal) (All versions), SIRIUS Soft Starter ES V17 (TIA Portal) (All versions), SIRIUS Soft Starter ES V18 (TIA Portal) (All versions), SIRIUS Soft Starter ES V19 (TIA Portal) (All versions), SIRIUS Soft Starter ES V20 (TIA Portal) (All versions), TIA Portal Cloud V17 (All versions), TIA Portal Cloud V18 (All versions), TIA Portal Cloud V19 (All versions < V5.2.1.1), TIA Portal Cloud V20 (All versions < V5.2.2.2). Affected products do not properly sanitize stored security properties when parsing project files. This could allow an attacker to cause a type confusion and execute arbitrary code within the affected application.
AI Analysis
Technical Summary
CVE-2025-40759 is a deserialization vulnerability categorized under CWE-502 that impacts a broad range of Siemens industrial automation software products including SIMATIC S7-PLCSIM V17, SIMATIC STEP 7 (versions 17 through 20 with some update exceptions), SIMATIC WinCC (versions 17 through 20 with some update exceptions), SIMOCODE ES (versions 17 through 20), SIMOTION SCOUT TIA (versions 5.4 through 5.7), SINAMICS Startdrive (versions 17 through 20), SIRIUS Safety ES and Soft Starter ES (versions 17 through 20), and TIA Portal Cloud (versions 17 through 20 with some update exceptions). The vulnerability stems from improper sanitization of stored security properties during the parsing of project files, which can lead to type confusion. This type confusion can be exploited by an attacker to execute arbitrary code within the context of the affected application. The vulnerability requires local access and user interaction but does not require any privileges, making it easier to exploit in environments where users have access to project files. The CVSS 3.1 base score is 7.8, indicating a high severity with impacts on confidentiality, integrity, and availability. The flaw could allow attackers to manipulate industrial control system configurations, potentially disrupting operations or causing unsafe conditions. No public exploits have been reported yet, but the wide range of affected products and versions increases the attack surface. Siemens has not yet published patches at the time of this report, so mitigation currently relies on access controls and monitoring.
Potential Impact
The impact on European organizations is significant given the widespread use of Siemens industrial automation software in manufacturing, energy, utilities, and critical infrastructure sectors. Successful exploitation could lead to arbitrary code execution, allowing attackers to alter control logic, disrupt manufacturing processes, or cause unsafe operational states. This threatens operational continuity, safety, and data confidentiality. The vulnerability affects both legacy and recent versions, increasing exposure. Industrial environments in Europe often rely heavily on Siemens products, so the risk of operational disruption and potential safety incidents is high. Additionally, the ability to execute arbitrary code could facilitate further lateral movement or persistence within industrial networks. The requirement for local access and user interaction somewhat limits remote exploitation but insider threats or compromised user accounts could still leverage this vulnerability. The lack of known exploits currently provides a window for proactive mitigation, but the high severity score underscores the urgency for European organizations to address this vulnerability.
Mitigation Recommendations
1. Apply Siemens vendor patches immediately once they become available for all affected products and versions.
2. Restrict access to project files and configuration data to only trusted and authorized personnel using strict file permissions and network segmentation.
3. Implement robust endpoint protection and application whitelisting on systems running affected Siemens software to detect and block unauthorized code execution.
4. Monitor logs and network traffic for unusual activity related to project file parsing or unexpected process behavior within Siemens applications.
5. Educate users about the risks of opening untrusted project files and enforce policies to prevent execution of files from unverified sources.
6. Use network segmentation to isolate industrial control systems from general IT networks to limit the potential for lateral movement.
7. Regularly back up project files and configurations to enable recovery in case of compromise.
8. Conduct vulnerability assessments and penetration testing focused on industrial control systems to identify and remediate exposure.
9. Collaborate with Siemens support and security advisories to stay informed about updates and emerging threats related to this vulnerability.
Affected Countries
Germany, France, Italy, United Kingdom, Netherlands, Belgium, Sweden, Poland, Spain, Czech Republic
Technical Details
- Data Version: 5.1
- Assigner Short Name: siemens
- Date Reserved: 2025-04-16T08:39:30.031Z
- CVSS Version: 3.1
- State: PUBLISHED
Threat ID: 689b2662ad5a09ad003132f3
Added to database: 8/12/2025, 11:32:50 AM
Last enriched: 10/14/2025, 9:44:29 AM
Last updated: 10/16/2025, 7:32:19 PM