CVE-2025-40594
published 2025-09-09


Priority: P263
Severity: critical, CVSS 3.1 base score 9.8 (AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H)
EPSS: 0.20% (10.1th percentile)
A vulnerability has been identified in SINAMICS G220 V6.4 (All versions < V6.4 HF2), SINAMICS S200 V6.4 (All versions < V6.4 HF7), SINAMICS S210 V6.4 (All versions < V6.4 HF2). The affected devices allow a factory reset to be executed without the required privileges due to improper privilege management as well as manipulation of configuration data because of leaked privileges of previous sessions. This could allow an unauthorized attacker to escalate their privileges.

Affected (6 ranges)

Vendor   Product                  Version range   Fixed in
siemens  sinamics_g220_firmware
siemens  sinamics_g220_v6.4       < V6.4 HF2      V6.4 HF2
siemens  sinamics_s200_firmware
siemens  sinamics_s200_v6.4       < V6.4 HF7      V6.4 HF7
siemens  sinamics_s210_firmware
siemens  sinamics_s210_v6.4       < V6.4 HF2      V6.4 HF2

Detection & IOCs (extracted from sources)

  • The vulnerability allows factory reset execution without required privileges due to improper privilege management and leaked privileges from previous sessions — monitor for unauthorized factory reset commands issued to SINAMICS devices on local network segments.
  • Attack vector is local network (AV:L) with no required privileges (PR:N) and user interaction (UI:R/UI:A), high attack complexity, and requires specific conditions (AT:P) — focus detection on anomalous session privilege escalation events on SINAMICS G220, S200, and S210 V6.4 devices.
  • Exploitation is not remotely possible and requires local network access — restrict and monitor local network access to SINAMICS drives, particularly any configuration data modification or factory reset operations.
  • SINAMICS S200 V6.4 currently has no fix available; all versions remain vulnerable.
  • Privilege leakage stems from previous sessions — session management and privilege isolation between sessions is a key architectural weakness to account for in detection logic.

CVSS provenance

Source: NVD, CVSS v3.1: 9.8 CRITICAL
  CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
Source: NVD, CVSS v4.0: 6.9 MEDIUM
  CVSS:4.0/AV:L/AC:H/AT:P/PR:N/UI:A/VC:N/VI:H/VA:L/SC:N/SI:H/SA:L/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X