SSA-599451

Siemens Security Advisory by Siemens ProductCERT

SSA-599451: Multiple Vulnerabilities in SiPass integrated Before V3.0

Publication Date:	2025-10-14
Last Update:	2025-10-14
Current Version:	V1.0
CVSS v3.1 Base Score:	8.8
CVSS v4.0 Base Score:	8.6

SUMMARY

SiPass integrated before V3.0 contains multiple vulnerabilities that could allow an unauthenticated remote attacker to exploit user accounts, manipulate data, impersonate users, or achieve arbitrary code execution on the SiPass integrated server.

Siemens has released a new version for SiPass integrated and recommends to update to the latest version.

KNOWN AFFECTED PRODUCTS

Un-/Collapse All

Affected Product and Versions	Remediation
SiPass integrated All versions < V3.0 affected by all CVEs CVE-2023-35002 CVE-2025-40772 CVE-2025-40773 CVE-2025-40774	Update to V3.0 or later version https://support.industry.siemens.com/cs/ww/en/view/109995331/ See further recommendations from section Workarounds and Mitigations

WORKAROUNDS AND MITIGATIONS

Siemens has identified the following specific workarounds and mitigations that customers can apply to reduce the risk:

CVE-2023-35002, CVE-2025-40772, CVE-2025-40773, CVE-2025-40774: Restrict access to authorized and trusted personal only
CVE-2023-35002: Avoid uploading untrusted image files in affected applications

Product-specific remediations or mitigations can be found in the section Known Affected Products.
Please follow the General Security Recommendations.

GENERAL SECURITY RECOMMENDATIONS

As a general security measure Siemens strongly recommends to protect network access to affected products with appropriate mechanisms. It is advised to follow recommended security practices in order to run the devices in a protected IT environment.

PRODUCT DESCRIPTION

SiPass integrated is a powerful and extremely flexible access control system.

VULNERABILITY DESCRIPTION

Un-/Collapse All

This chapter describes all vulnerabilities (CVE-IDs) addressed in this security advisory. Wherever applicable, it also documents the product-specific impact of the individual vulnerabilities.

Vulnerability CVE-2023-35002

A heap-based buffer overflow vulnerability exists in the pictwread functionality of Accusoft ImageGear 20.1. A specially crafted malformed file can lead to arbitrary code execution. An attacker can provide a malicious file to trigger this vulnerability.

CVSS v3.1 Base Score	8.8
CVSS v3.1 Vector	CVSS:3.1/AV:A/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
CVSS v4.0 Base Score	8.6
CVSS v4.0 Vector	CVSS:4.0/AV:A/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N
CWE	CWE-119: Improper Restriction of Operations within the Bounds of a Memory Buffer

Vulnerability CVE-2025-40772

Affected server applications are vulnerable to stored Cross-Site Scripting (XSS), allowing an attacker to inject malicious code that can be executed by other users when they visit the affected page.

Successful exploitation allows an attacker to impersonate other users within the application and steal their session data. This could enable unauthorized access to accounts and potentially lead to privilege escalation.

CVSS v3.1 Base Score	7.4
CVSS v3.1 Vector	CVSS:3.1/AV:A/AC:L/PR:L/UI:R/S:U/C:H/I:H/A:H
CVSS v4.0 Base Score	7.0
CVSS v4.0 Vector	CVSS:4.0/AV:A/AC:L/AT:N/PR:L/UI:A/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N
CWE	CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')

Vulnerability CVE-2025-40773

Affected server applications contains a broken access control vulnerability. The authorization mechanism lacks sufficient server-side checks, allowing an attacker to execute a specific API request.

Successful exploitation allows an attacker to potentially manipulate data belonging to other users.

CVSS v3.1 Base Score	3.5
CVSS v3.1 Vector	CVSS:3.1/AV:A/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:N
CVSS v4.0 Base Score	5.1
CVSS v4.0 Vector	CVSS:4.0/AV:A/AC:L/AT:N/PR:L/UI:N/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N
CWE	CWE-639: Authorization Bypass Through User-Controlled Key

Vulnerability CVE-2025-40774

Affected server applications store user passwords encrypted in its database. Decryption keys are accessible to users with administrative privileges, allowing them to recover passwords.

Successful exploitation of this vulnerability allows an attacker to obtain and use valid user passwords. This can lead to unauthorized access to user accounts, data breaches, and potential system compromise.

CVSS v3.1 Base Score	4.4
CVSS v3.1 Vector	CVSS:3.1/AV:L/AC:L/PR:H/UI:N/S:U/C:H/I:N/A:N
CVSS v4.0 Base Score	6.7
CVSS v4.0 Vector	CVSS:4.0/AV:L/AC:L/AT:N/PR:H/UI:N/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N
CWE	CWE-257: Storing Passwords in a Recoverable Format

ACKNOWLEDGMENTS

Siemens thanks the following party for its efforts:

Thomas Wache and Yann Breut from Airbus Defence and Space - Cyber Program for reporting CVE-2025-40774

ADDITIONAL INFORMATION

For further inquiries on security vulnerabilities in Siemens products and solutions, please contact the Siemens ProductCERT: https://www.siemens.com/cert/advisories

HISTORY DATA

V1.0 (2025-10-14):

Publication Date

The use of Siemens Security Advisories is subject to the terms and conditions listed on: https://www.siemens.com/productcert/terms-of-use.