CVE-2025-40566 — Insufficient Session Expiration in Siemens Simatic PCS NEO V4.1

CWE-613 — Insufficient Session Expiration3 documents3 sources

Severity

8.7HIGHNVD

EPSS

0.2%

top 57.08%

CISA KEV

Not in KEV

Exploit

No known exploits

Affected products

Siemens Simatic PCS NEO V4.1 Siemens Simatic PCS NEO V5.0 Siemens Simatic PCS NEO

Timeline

PublishedMay 13

Description

A vulnerability has been identified in SIMATIC PCS neo V4.1 (All versions < V4.1 Update 3), SIMATIC PCS neo V5.0 (All versions < V5.0 Update 1). Affected products do not correctly invalidate user sessions upon user logout. This could allow a remote unauthenticated attacker, who has obtained the session token by other means, to re-use a legitimate user's session even after logout.

CVSS vector

CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:P/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N

Affected Packages3 packages

▶NVDsiemens/simatic_pcs_neo< 4.1+3

▶CVEListV5siemens/simatic_pcs_neo_v4.1< V4.1 Update 3

▶CVEListV5siemens/simatic_pcs_neo_v5.0< V5.0 Update 1

🔴Vulnerability Details

CVEList

CVE-2025-40566: A vulnerability has been identified in SIMATIC PCS neo V4↗2025-05-13

▶

GHSA

GHSA-wmm5-59wm-x34p: A vulnerability has been identified in SIMATIC PCS neo V4↗2025-05-13

▶