What is the Siemens SIVaaS CVE-2025-40804 vulnerability?

CVE-2025-40804 is a critical security vulnerability with a CVSS score of 9.3 affecting Siemens SIMATIC Virtualization as a Service (SIVaaS). The vulnerability enables access to network shares without authentication, caused by incorrect permission assignments that allow remote attackers to access or modify critical data stored on exposed network shares.

How severe is the SIVaaS CVE-2025-40804 vulnerability?

CVE-2025-40804 is rated as critical with a CVSS score of 9.3, indicating maximum severity. The vulnerability allows unauthorized access to network shares containing sensitive industrial automation data without requiring any authentication.

What sensitive information could be exposed through CVE-2025-40804?

The exposed network shares potentially contain VM images, configuration files, credentials, operational scripts, and industrial recipes. This represents a complete compromise of critical industrial automation data and intellectual property.

What causes the SIVaaS authentication bypass vulnerability?

The vulnerability is caused by incorrect permission assignments within the SIVaaS system, which allows remote attackers to access network shares without proper authentication mechanisms in place.

Which versions of SIVaaS are affected by CVE-2025-40804?

The vulnerability affects all versions of SIMATIC Virtualization as a Service (SIVaaS), indicating a fundamental design or configuration issue that spans the entire product line.

Should SIVaaS systems be connected to the internet?

No, given the critical nature of this vulnerability and the lack of available patches, SIVaaS systems should be operated within protected IT environments with strict network access controls and should never be directly exposed to the internet.

What immediate actions should SIVaaS users take?

Users should immediately contact Siemens Technical Support for remediation assistance, implement strict network access controls around SIVaaS systems, monitor for unauthorized access to network shares, and ensure systems are operated within protected IT environments.

Why is this SIVaaS vulnerability particularly dangerous for industrial environments?

This vulnerability is particularly dangerous because SIVaaS hosts critical automation workloads including controllers and HMIs. Compromise could lead to theft of industrial recipes, operational disruption, safety system interference, and exposure of sensitive automation configurations that could enable targeted attacks on industrial processes.

What type of fix is expected for the SIVaaS vulnerability?

The fix may require configuration changes or manual interventions instead of automated software updates, suggesting the vulnerability is related to system configuration or deployment practices rather than code that can be patched through standard update mechanisms.

How can organizations protect SIVaaS systems while waiting for a fix?

Organizations should implement network segmentation to isolate SIVaaS systems, restrict access to authorized personnel only, monitor network traffic for unauthorized access attempts, implement additional authentication layers where possible, and follow Siemens' operational guidelines for industrial security.

Advisory

Critical vulnerability reported in Siemens SIMATIC Virtualization Service

Q: What is Siemens SIMATIC Virtualization as a Service (SIVaaS)?

SIVaaS (SIMATIC Virtualization as a Service) is a Siemens platform for hosting controller virtual machines, human-machine interfaces (HMIs), and other critical automation workloads in industrial environments. It provides virtualized infrastructure for running essential industrial automation systems.

Q: Is there a software patch available for the SIVaaS vulnerability?

No, Siemens has not released a software patch for this vulnerability. Instead, the company recommends that affected customers contact Technical Support directly for remediation assistance, which may require configuration changes or manual interventions.

Q: How can organizations get help with the SIVaaS security vulnerability?

Affected customers should contact Siemens Technical Support directly for remediation assistance. The fix may require configuration changes or manual interventions rather than automated updates, making direct support contact essential.

Q: What can attackers do if they exploit the SIVaaS vulnerability?

Remote attackers can access or modify critical data stored on exposed network shares, including VM images, configuration files, credentials, operational scripts, and industrial recipes. This could lead to industrial espionage, operational disruption, or complete compromise of automation systems.

Q: What security recommendations has Siemens provided for SIVaaS?

Siemens emphasizes the need to protect network access to devices with appropriate mechanisms and operate devices within protected IT environments according to Siemens' operational guidelines for industrial security. This includes network segmentation and access controls.

published: Sept. 11, 2025

Take action: If you have Siemens SIMATIC Virtualization as a Service (SIVaaS) systems, make sure they are isolated from any untrusted networks because they're exposing critical data on network shares. Then contact Siemens Technical Support since there's no software patch - they need to provide manual configuration fixes.

Learn More

Siemens is reporting a critical security vulnerability affecting its SIMATIC Virtualization as a Service (SIVaaS) that enables access to network shares without authentication.

SIVaaS is hosting controller virtual machines, human-machine interfaces (HMIs), and other critical automation workloads. The exposed network shares potentially contain VM images, configuration files, credentials, operational scripts, and industrial recipes.

The vulnerability is tracked as CVE-2025-40804 (CVSS score 9.3) is caused by incorrect permission assignments and allows remote attackers to access or modify critical data stored on exposed network shares.

The vulnerability affects all versions of SIMATIC Virtualization as a Service (SIVaaS).

Siemens has not released a software patch for this vulnerability. Instead, the company recommends that affected customers contact Technical Support directly for remediation assistance. The fix may require configuration changes or manual interventions instead of automated updates. The company has also reiterated its general industrial security recommendations, emphasizing the need to protect network access to devices with appropriate mechanisms and operate devices within protected IT environments according to Siemens' operational guidelines for industrial security.

Critical vulnerability reported in Siemens SIMATIC Virtualization Service

Read More
Critical authentication bypass flaw in Burk Technology ARC …
CISA and Ilevia Report Multiple Critical Vulnerabilities in …
Siemens Issues Fix for Maximum Severit flaw in …
Rockwell Automation reports multiple flaws in DataMosaix Private …
Critical File System Vulnerability Patched in iba Systems …