Advisory

Siemens Patches Critical Authentication Bypass in Industrial Edge Device Kit

Take action: If you are using the Siemens Industrial Edge Device Kit, this is urgent and important. Make sure all Industrial Edge Device Kit systems are isolated from the internet and reachable from trusted networks only. Then plan a very quick update: this vulnerability carries a perfect 10.0 CVSS score. Even with full isolation there may still be a way in, so patch anyway.


Learn More

Siemens and CISA report a critical security flaw in Siemens's Industrial Edge Device Kit, a software suite used to manage edge computing in factory environments.

The flaw is tracked as CVE-2025-40805 (CVSS score 10.0) and stems from how the system handles API requests: the software fails to check permissions on certain endpoints, so an attacker who knows a valid username can obtain full access without supplying a password.
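To make the class of bug concrete, here is a hypothetical API handler that trusts a client-supplied username without verifying a credential, beside a hardened version that authenticates, then authorizes, then serves. This is example code added to this advisory; it is not Siemens code, does not reproduce the real endpoints or the real flaw's mechanics, and the user store, routes and function names are constructed for illustration.

```python
"""
Missing-authentication pattern versus a hardened handler.
Hypothetical example for this advisory; not vendor code.
"""
import hashlib
import hmac
import secrets
from dataclasses import dataclass, field


def _hash(password: str, salt: bytes) -> bytes:
    # PBKDF2-HMAC-SHA256; iteration count kept modest so the example runs quickly.
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)


# Constructed sample user store: username -> salt, password hash, role.
_SALT = secrets.token_bytes(16)
USERS = {
    "operator": {"salt": _SALT, "pw_hash": _hash("correct horse", _SALT), "role": "admin"},
    "viewer":   {"salt": _SALT, "pw_hash": _hash("battery staple", _SALT), "role": "viewer"},
}


@dataclass
class Request:
    path: str
    body: dict = field(default_factory=dict)


@dataclass
class Response:
    status: int
    body: dict


# --- Vulnerable pattern: a username that exists is treated as proof of identity ---
def vulnerable_device_config(req: Request) -> Response:
    username = req.body.get("username")
    if username in USERS:  # existence check only; no credential is verified
        return Response(200, {"config": "full device configuration", "as": username})
    return Response(404, {"error": "unknown user"})  # also leaks which usernames exist


# --- Hardened pattern: authenticate, authorize, then serve ---
def authenticate(req: Request):
    """Return the principal on success, None otherwise (same answer for every failure)."""
    username = req.body.get("username")
    password = req.body.get("password")
    user = USERS.get(username)
    if user is None or not isinstance(password, str):
        return None
    candidate = _hash(password, user["salt"])
    if not hmac.compare_digest(candidate, user["pw_hash"]):
        return None
    return {"name": username, "role": user["role"]}


def hardened_device_config(req: Request) -> Response:
    principal = authenticate(req)
    if principal is None:
        # 401 for unknown user, missing password and wrong password alike.
        return Response(401, {"error": "authentication required"})
    if principal["role"] != "admin":
        return Response(403, {"error": "forbidden"})
    return Response(200, {"config": "full device configuration", "as": principal["name"]})


if __name__ == "__main__":
    probe = Request("/api/device/config", body={"username": "operator"})
    print("vulnerable:", vulnerable_device_config(probe).status)  # 200 with only a username
    print("hardened:  ", hardened_device_config(probe).status)    # 401 without a credential
```

The two things to take from the hardened handler: identity is established from a verified credential, never from a name the client asserts, and every failure path returns the same status so the endpoint does not confirm which usernames are valid.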

This vulnerability affects the following versions of the Siemens Industrial Edge Device Kit:

  • Industrial Edge Device Kit - arm64 (V1.5 through V1.25)
  • Industrial Edge Device Kit - x86-64 (V1.5 through V1.25)

Users on V1.24 should move to V1.24.2 or later. Those on V1.25 should install V1.25.1 or later. For older versions where a patch is not yet available, Siemens advises users to lock down their networks and limit access to trusted parties only.
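For triaging an inventory against the version ranges above, here is an added example (not from the advisory or from Siemens) that parses Industrial Edge Device Kit version strings and classifies each one using only the ranges stated on this page: V1.5 through V1.25 affected, V1.24.2+ and V1.25.1+ fixed. The function names and the sample inventory are constructed; versions outside the listed range are reported as not listed rather than assumed safe, and the result should be confirmed against the vendor advisory.

```python
"""
Classify Industrial Edge Device Kit versions against the ranges in this advisory.
Example code added to this page; ranges from the advisory text, names are ours.
"""
import re

VERSION_RE = re.compile(r"^V?(\d+)\.(\d+)(?:\.(\d+))?$")

# Ranges as stated in the advisory (arm64 and x86-64 share the same ranges).
AFFECTED_LOW = (1, 5)
AFFECTED_HIGH = (1, 25)
FIXED_IN = {(1, 24): (1, 24, 2), (1, 25): (1, 25, 1)}


def parse_version(text: str) -> tuple:
    """'V1.24.2' -> (1, 24, 2); a missing patch component is treated as 0."""
    m = VERSION_RE.match(text.strip())
    if not m:
        raise ValueError(f"unrecognised Industrial Edge Device Kit version: {text!r}")
    major, minor, patch = m.groups()
    return (int(major), int(minor), int(patch or 0))


def assess(version: str) -> str:
    """
    One of:
      'fixed'                    - on V1.24.2+ or V1.25.1+
      'affected-patch-available' - on the V1.24 or V1.25 branch below the fix level
      'affected-no-patch'        - V1.5 .. V1.23: isolate and restrict access
      'not-listed'               - outside the advisory's stated range
    """
    v = parse_version(version)
    branch = v[:2]
    if not (AFFECTED_LOW <= branch <= AFFECTED_HIGH):
        return "not-listed"
    fixed = FIXED_IN.get(branch)
    if fixed is None:
        return "affected-no-patch"
    return "fixed" if v >= fixed else "affected-patch-available"


def triage(inventory: dict) -> dict:
    """Map host -> assessment for a {host: version} inventory."""
    return {host: assess(version) for host, version in inventory.items()}


if __name__ == "__main__":
    # Constructed sample inventory.
    sample = {
        "edge-line1": "V1.24",
        "edge-line2": "V1.24.2",
        "edge-line3": "V1.25.1",
        "edge-lab":   "V1.10.3",
    }
    for host, verdict in triage(sample).items():
        print(f"{host:12} {verdict}")
```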

CISA recommends keeping all industrial controllers off the open internet to prevent remote attacks. Administrators should use firewalls to separate industrial infrastructure from office computers. If remote access is required, use a VPN to create a secure tunnel.
