CVE-2025-40772 is a stored Cross-Site Scripting (XSS) vulnerability identified in Siemens SiPass integrated, a widely used access control management system. The vulnerability affects all versions prior to 3.0 and stems from improper neutralization of user-supplied input during web page generation (CWE-79). An attacker with low privileges and requiring user interaction can inject malicious JavaScript code into the application’s web interface. When other users access the compromised page, the injected script executes in their browsers, enabling the attacker to impersonate users, steal session cookies, and potentially escalate privileges within the system. The CVSS 3.1 base score is 7.4, reflecting high impact on confidentiality, integrity, and availability, with attack vector being adjacent network (AV:A), low attack complexity (AC:L), requiring privileges (PR:L), and user interaction (UI:R). Although no exploits are known in the wild yet, the vulnerability poses a significant risk due to the sensitive nature of access control systems and the potential for lateral movement within enterprise environments. The lack of available patches at the time of reporting necessitates immediate risk mitigation through compensating controls.

For European organizations, this vulnerability could lead to unauthorized access to physical security systems managed by SiPass integrated, potentially allowing attackers to bypass access controls or manipulate security settings. The ability to impersonate users and hijack sessions threatens the confidentiality and integrity of user accounts and system configurations. This could result in unauthorized entry to secure facilities, disruption of operations, or data breaches involving sensitive personnel information. Given Siemens’ strong market presence in Europe, especially in critical infrastructure sectors such as manufacturing, transportation, and energy, the impact could be substantial. Organizations with large user bases or those integrating SiPass with other enterprise systems face increased risk of cascading effects. The requirement for user interaction and some privileges limits the attack surface but does not eliminate the threat, especially in environments with many users and potential insider threats.

1. Monitor Siemens’ official channels for the release of patches addressing CVE-2025-40772 and apply them promptly once available. 2. Implement strict input validation and output encoding on all user-supplied data within the SiPass integrated environment to prevent script injection. 3. Restrict user privileges to the minimum necessary to reduce the risk of exploitation by low-privilege users. 4. Employ web application firewalls (WAFs) with custom rules to detect and block malicious payloads targeting stored XSS vectors. 5. Conduct regular security awareness training to reduce the likelihood of users interacting with malicious content. 6. Audit logs and monitor for unusual session activity or access patterns that may indicate exploitation attempts. 7. Consider network segmentation to isolate the SiPass integrated system from less trusted networks, limiting attack vectors. 8. Review and harden browser security settings and consider Content Security Policy (CSP) deployment to mitigate impact of injected scripts.