
CVE-2025-40774: CWE-257: Storing Passwords in a Recoverable Format in Siemens SiPass integrated

Severity: Medium
Type: Vulnerability
Tags: CVE-2025-40774, cve, cve-2025-40774, cwe-257
Published: Tue Oct 14 2025 (10/14/2025, 09:15:21 UTC)
Source: CVE Database V5
Vendor/Project: Siemens
Product: SiPass integrated

Description

A vulnerability has been identified in SiPass integrated (All versions < V3.0). Affected server applications store user passwords encrypted in its database. Decryption keys are accessible to users with administrative privileges, allowing them to recover passwords. Successful exploitation of this vulnerability allows an attacker to obtain and use valid user passwords. This can lead to unauthorized access to user accounts, data breaches, and potential system compromise.

AI-Powered Analysis

Last updated: 10/21/2025, 11:52:51 UTC

Technical Analysis

CVE-2025-40774 identifies a security weakness in Siemens SiPass integrated, a widely used access control management system. The vulnerability arises from the product's method of storing user passwords encrypted in its database but with decryption keys accessible to users holding administrative privileges. This design flaw corresponds to CWE-257, which concerns storing passwords in a recoverable format rather than using one-way hashing. Because administrators can retrieve the decryption keys, they can decrypt stored passwords and obtain valid user credentials. The vulnerability affects all versions prior to V3.0. Exploitation requires the attacker to already have administrative privileges on the SiPass integrated server, but no additional user interaction is needed. The CVSS 3.1 base score is 4.4 (medium), reflecting local attack vector, low complexity, high privileges required, no user interaction, unchanged scope, and high confidentiality impact but no impact on integrity or availability. The main risk is that an insider or attacker who gains admin rights can escalate privileges or move laterally by using recovered passwords, potentially compromising other systems or sensitive data. No public exploits are known at this time, but the vulnerability highlights poor credential storage practices that Siemens plans to address in version 3.0 and later. Organizations relying on SiPass integrated for physical and logical access control should be aware of this risk and prepare to update or mitigate accordingly.

Potential Impact

For European organizations, the vulnerability poses a significant insider threat and credential compromise risk. Since administrative users can decrypt passwords, any compromise or misuse of admin accounts can lead to unauthorized access to user accounts and sensitive access control data. This can result in data breaches, unauthorized physical access, and potential disruption of critical infrastructure protected by SiPass integrated. The confidentiality of user credentials is directly impacted, increasing the risk of lateral movement within networks and escalation of privileges. Although the vulnerability does not affect system integrity or availability directly, the indirect consequences of credential theft can be severe, including regulatory non-compliance under GDPR if personal data is exposed. Organizations in sectors such as manufacturing, energy, transportation, and government that use Siemens SiPass integrated for access control are particularly at risk. The medium CVSS score reflects the requirement for administrative privileges, limiting the threat to insiders or attackers who have already compromised admin accounts.

Mitigation Recommendations

To mitigate this vulnerability, European organizations should implement the following specific measures:

1) Restrict and tightly control administrative access to SiPass integrated servers using the principle of least privilege and multi-factor authentication to reduce the risk of credential compromise.
2) Monitor and audit all administrative activities and access to decryption keys or password databases to detect suspicious behavior promptly.
3) Segregate duties so that no single administrator has unrestricted access to both the password database and decryption keys.
4) Encrypt backups and logs containing sensitive credential information to prevent leakage.
5) Prepare for and prioritize upgrading to Siemens SiPass integrated version 3.0 or later once available, where this vulnerability is addressed.
6) Consider implementing additional compensating controls such as network segmentation and endpoint protection to limit lateral movement if credentials are compromised.
7) Conduct regular security awareness training for administrators emphasizing the risks of credential misuse.

These targeted actions go beyond generic patching advice and focus on reducing the risk posed by the recoverable password storage design until a patch is deployed.


Technical Details

Data Version: 5.1
Assigner Short Name: siemens
Date Reserved: 2025-04-16T08:39:30.033Z
CVSS Version: 3.1
State: PUBLISHED

Threat ID: 68ee16327eab8b438c025d93

Added to database: 10/14/2025, 9:21:54 AM

Last enriched: 10/21/2025, 11:52:51 AM

Last updated: 12/2/2025, 3:59:22 PM

