Siemens has disclosed a privilege‑escalation vulnerability in its widely‑deployed SINAMICS drive family that allows an attacker with local network access to trigger factory resets and alter configuration data without proper authorization — and for one affected series, the SINAMICS S200, no patch exists yet. The flaw, tracked as CVE-2025-40594, was detailed in Siemens security advisory SSA-027652 and republished by the U.S. Cybersecurity and Infrastructure Security Agency (CISA) as ICSA-25-254-03 on September 11, 2025, to raise awareness among industrial operators.
With SINAMICS drives embedded in critical manufacturing, process control, and infrastructure worldwide, the vulnerability strikes at the heart of operational technology (OT) environments where safety, production continuity, and equipment integrity are paramount. While Siemens has delivered firmware updates for the G220 and S210 lines, the S200 remains unpatched, forcing asset owners to rely on compensating controls until a fix materializes.
The Vulnerability at a Glance
CVE-2025-40594 is classified as CWE-269: Improper Privilege Management. Siemens assigned it a CVSS v3.1 base score of 6.3 and a CVSS v4 score of 6.9, indicating a medium‑severity local flaw with high attack complexity.
Affected products:
- SINAMICS G220 V6.4: all versions prior to V6.4 HF2
- SINAMICS S210 V6.4: all versions prior to V6.4 HF2
- SINAMICS S200 V6.4: all versions (no fix available)
Key facts:
- Exploitation requires local network access; it is not remotely exploitable over the internet.
- Attack complexity is high, meaning specific preconditions must be met.
- No public exploitation has been reported to date.
- The vulnerability enables unauthorized factory reset and manipulation of configuration data due to two interacting defects: missing privilege checks on sensitive operations and leakage of privileged session state.
Technical Analysis: How CVE-2025-40594 Works
At its core, the flaw stems from a failure to properly enforce privilege boundaries within the drive's firmware. Two separate yet related conditions create the exposure:
- Unauthorized factory reset and configuration write: Certain execution paths that trigger a factory reset or modify configuration parameters do not verify that the requesting user holds administrative rights. An attacker with local network access can invoke these operations without any credentials, effectively reverting a drive to defaults or altering its behaviour.
- Privilege leakage across sessions: The system does not adequately clear elevated privileges after a session ends. Residual administrative tokens or state remain in memory, allowing a subsequent unprivileged session to inherit capabilities it should not have. This class of error is particularly insidious in embedded systems where session management is often less rigorous than in enterprise IT.
CWE-269 precisely captures this category of flaw: the product assigns or manages privileges incorrectly, violating the principle of least privilege. Because drives are traditionally trusted devices within an OT network, the compromise of even a single unit can cascade.
Why Drives Matter: Operational and Safety Implications
SINAMICS drives control motors, pumps, conveyors, and other moving parts in factories, power plants, and critical infrastructure. They sit on the OT control plane, directly influencing physical processes. Unauthorized factory resets can:
- Halt production lines instantly, causing revenue losses measured in millions per hour.
- Induce unsafe mechanical behaviour, risking worker injury or equipment destruction.
- Erase parameter sets that took engineers weeks to tune, delaying restart.
- Serve as a foothold for lateral movement: a reset drive could be reconfigured to weaken safety interlocks, or its privileged credentials (if stored) could be extracted to compromise engineering workstations or other controllers.
CISA explicitly warns that “successful exploitation could allow users to escalate their privileges,” and because the attack vector is local, an attacker must already be inside the OT network or reach it through a compromised remote maintenance tunnel. Nevertheless, the impact in a targeted scenario is high.
Patch Status and the S200 Problem
Siemens has released firmware version V6.4 HF2 for the G220 and S210 series, which eliminates the vulnerability. Operators should test and deploy these updates during scheduled maintenance windows.
For the SINAMICS S200, however, Siemens currently lists no fix available. This is an explicit remediation gap that shifts the burden entirely onto defensive architectures. Asset owners must assume that every S200 on their network is exploitable until further notice and treat it accordingly.
CISA’s Role and Policy Shift
CISA’s republication of the advisory is noteworthy for an important operational detail: since January 10, 2023, the agency no longer provides ongoing updates for Siemens product advisories beyond the initial notification. The canonical source for real‑time remediation status, subsequent patches, and workarounds is now Siemens ProductCERT. This policy change requires organizations to formalize vendor‑feed monitoring and integrate ProductCERT advisories into their patch management workflows. Relying on CISA alone will miss late‑breaking fixes.
Mitigation Strategies from Siemens and CISA
Both entities emphasize a layered approach:
- Apply vendor updates where available: Upgrade G220 and S210 to V6.4 HF2 or later immediately after validation.
- Isolate unpatchable devices: For S200, restrict network access using firewalls, ACLs, and dedicated management subnets. Ensure these drives are not reachable from the internet or business networks.
- Harden remote access: VPNs and remote maintenance tunnels should be treated as untrusted — they must be fully patched, monitored, and protected with multi‑factor authentication. Prefer out‑of‑band connectivity through hardened jump hosts.
- Follow Siemens’ operational guidelines: Configure all drives according to Siemens’ industrial security recommendations and product‑specific hardening guides.
- Monitor and alert: Implement logging for drive management events, especially factory reset attempts and configuration changes. Integrate these alerts into the SOC or OT monitoring platform.
CISA further recommends conducting proper impact analysis and risk assessments before deploying any defensive measures, a reminder that cybersecurity changes in OT environments can have unintended consequences.
A Practical Remediation Plan
Operators should adopt a structured, auditable workflow. Here is a step‑by‑step priority list:
- Inventory all affected units: Enumerate every G220, S210, and S200 instance, recording firmware versions and network adjacency. Tag assets by criticality (safety‑related, high‑value production, etc.).
- Prioritize by risk: Put S200 drives at the top of the list for compensating controls because they cannot be patched. Next, prioritize G220 and S210 drives that control safety functions or critical processes.
- Test and deploy patches: For G220 and S210, stage the V6.4 HF2 update in a lab or non‑production environment. Verify that all motion profiles, safety interlocks, and control sequences operate correctly. Then schedule production updates, ensuring rollback plans are in place.
- Apply compensating controls to S200:
  - Move S200 management interfaces to dedicated VLANs with strict access lists.
  - Disable unused protocols and services on the drives themselves.
  - Require multi‑factor authentication and session recording for any maintenance access, using jump hosts that are themselves hardened.
  - Establish network‑based alerting for any factory reset or unauthorized config change events.
- Harden operator workstations and remote paths: These are the most likely entry points for a local attack. Enforce least privilege, session timeouts, and regular reviews of user accounts.
- Engage Siemens ProductCERT: Open support tickets for S200 units to obtain timelines and any potential workarounds. Subscribe to Siemens’ advisory feed for updates on SSA‑027652.
- Document everything: Maintain a log of all mitigations, testing results, and change control approvals. This is essential for audits and incident response.
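The inventory and prioritization steps above can be made auditable with a small triage script. The following is an added example, not code from Siemens, CISA or the advisory; it encodes only the affected-version rules listed on this page (G220 and S210 V6.4 fixed in V6.4 HF2, S200 V6.4 with no fix) and assumes a constructed CSV inventory and a site-specific criticality tagging scheme.

```python
import csv
import re

# Affected-version rules as published in SSA-027652: G220/S210 V6.4 fixed in V6.4 HF2, S200 V6.4 no fix.
FIXED_IN = {"G220": (6, 4, 2), "S210": (6, 4, 2)}
NO_FIX = {"S200"}
PRIORITY = {"no_fix": 0, "vulnerable": 1, "unknown": 2, "not_listed": 3, "fixed": 4, "not_affected": 5}
CRITICALITY = {"safety": 0, "critical": 1, "standard": 2}   # assumed site tagging scheme
VERSION_RE = re.compile(r"^V(\d+)\.(\d+)(?:\s*HF(\d+))?$", re.IGNORECASE)

def parse_version(text):
    """'V6.4 HF2' -> (6, 4, 2); a bare 'V6.4' is hotfix 0; None if empty or unparseable."""
    m = VERSION_RE.match(text.strip())
    if not m:
        return None
    major, minor, hotfix = m.groups()
    return (int(major), int(minor), int(hotfix or 0))

def classify(series, firmware):
    """Map one drive to a remediation status using only the advisory's affected list."""
    if series in NO_FIX:
        return "no_fix"                 # every S200 V6.4 build is affected; nothing to install yet
    if series not in FIXED_IN:
        return "not_affected"           # series not named in the advisory
    version = parse_version(firmware)
    if version is None:
        return "unknown"                # inventory gap: treat as vulnerable until verified
    if version[:2] != (6, 4):
        return "not_listed"             # outside the V6.4 line the advisory covers
    return "fixed" if version >= FIXED_IN[series] else "vulnerable"

def triage(inventory_csv):
    """Classify every row of the CSV inventory and order it by remediation priority, then criticality."""
    rows = [dict(r, status=classify(r["series"], r["firmware"]))
            for r in csv.DictReader(inventory_csv.splitlines())]
    rows.sort(key=lambda r: (PRIORITY[r["status"]], CRITICALITY.get(r["criticality"], 9), r["asset"]))
    return rows

# Constructed sample inventory; asset names, subnets and tags are placeholders.
INVENTORY = """asset,series,firmware,criticality,subnet
DRV-01,S200,V6.4,safety,10.10.1.0/24
DRV-02,S210,V6.4 HF1,critical,10.10.2.0/24
DRV-03,G220,V6.4 HF2,standard,10.10.2.0/24
DRV-04,G220,V6.4,safety,10.10.3.0/24
DRV-05,S210,V6.4 HF3,critical,10.10.2.0/24
DRV-06,G220,,standard,10.10.3.0/24
"""
if __name__ == "__main__":
    for r in triage(INVENTORY):
        print(f"{r['asset']:7}{r['series']:6}{r['firmware'] or '?':9}{r['criticality']:9}-> {r['status']}")
```

Drives with a blank or unparseable firmware field surface as "unknown" near the top of the list, so an inventory gap is never silently treated as patched.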
Detection and Monitoring
Because exploitation requires local network access, OT‑specific monitoring is the most effective near‑term detection method. Watch for:
- Unscheduled or unexpected factory reset events in drive logs.
- Configuration drift — parameter sets changing outside of approved maintenance windows.
- Repeated failed or successful privilege‑escalation attempts from operator workstations.
- Sudden reboots or resets coincident with remote maintenance sessions.
- Network scanning targeting drive management ports (e.g., Modbus, PROFINET, HTTP/HTTPS management interfaces) from unusual internal hosts.
Instrument jump hosts and engineering workstations with endpoint detection agents (where feasible) to catch lateral movement before it reaches the drives. CISA’s defense‑in‑depth guidance remains the gold standard for designing such detection layers.
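The first four indicators above reduce to a handful of correlation rules over drive management events. The following is an added example, not Siemens, CISA or SINAMICS code: it runs those rules over a constructed, syslog-like event format (real drive logs will differ and need their own parser) and assumes a site policy of approved maintenance windows and an approved jump host.

```python
import re
from datetime import datetime, timedelta

# Constructed event format: "<ISO timestamp> <drive> event=<NAME> src=<ip> [param=<name>]".
LINE_RE = re.compile(r"^(\S+) (\S+) event=(\S+) src=(\S+)(?: param=(\S+))?$")

# Assumed site policy: approved maintenance windows (UTC) and the hardened jump host.
MAINT_WINDOWS = [(datetime(2025, 9, 13, 6, 0), datetime(2025, 9, 13, 10, 0))]
APPROVED_HOSTS = {"10.10.9.10"}
REMOTE_CORRELATION = timedelta(minutes=15)   # reset this soon after a remote session start is suspicious

def in_window(ts):
    return any(start <= ts <= end for start, end in MAINT_WINDOWS)

def detect(lines):
    """Return (timestamp, drive, rule) alerts for unscheduled resets, drift and remote-session resets."""
    alerts = []
    last_remote = {}                          # drive -> time of the last remote maintenance session start
    for line in lines:
        m = LINE_RE.match(line.strip())
        if not m:
            continue                          # unknown line shape: ignore rather than guess
        ts, drive, event, src, param = m.groups()
        ts = datetime.fromisoformat(ts)
        if event == "REMOTE_SESSION_START":
            last_remote[drive] = ts
        elif event == "FACTORY_RESET":
            if not in_window(ts) or src not in APPROVED_HOSTS:
                alerts.append((ts, drive, "unscheduled factory reset"))
            if drive in last_remote and ts - last_remote[drive] <= REMOTE_CORRELATION:
                alerts.append((ts, drive, "reset during remote maintenance session"))
        elif event == "PARAM_WRITE" and not in_window(ts):
            alerts.append((ts, drive, f"configuration drift outside window ({param})"))
    return alerts

# Constructed sample events; hosts, drive names and parameter names are placeholders.
LOG = """\
2025-09-13T07:10:00 DRV-03 event=PARAM_WRITE src=10.10.9.10 param=PARAM_A
2025-09-13T07:30:00 DRV-03 event=FACTORY_RESET src=10.10.9.10
2025-09-13T22:41:12 DRV-04 event=PARAM_WRITE src=10.10.3.55 param=PARAM_B
2025-09-13T23:02:00 DRV-01 event=REMOTE_SESSION_START src=192.0.2.40
2025-09-13T23:09:30 DRV-01 event=FACTORY_RESET src=192.0.2.40
""".splitlines()

if __name__ == "__main__":
    for ts, drive, rule in detect(LOG):
        print(f"{ts.isoformat()} {drive}: {rule}")
```

The in-window reset from the approved jump host produces no alert, while the late-night parameter write and the reset following a remote session do; the same rules can feed an OT monitoring platform once the parser is swapped for the real log format.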
Broader Context: A Pattern of Siemens ICS Advisories
CVE-2025-40594 is part of a steady stream of vulnerabilities disclosed across Siemens’ industrial product lines in 2024–2025, spanning SINUMERIK CNC systems, RUGGEDCOM networking gear, and various engineering platforms. Many share common themes — authentication bypass, improper privilege management, and DLL hijacking — that underscore the security debt often found in deeply embedded systems.
For asset owners, this creates three operational pressures:
- Vendor feed monitoring is no longer optional. With CISA stepping back, organizations must track Siemens ProductCERT directly or risk missing patches.
- Heterogeneous patch availability demands risk acceptance. Some devices will remain unpatched for months, requiring durable compensating controls that must be reviewed and tested regularly.
- The safety‑cybersecurity tension is real. Every firmware update requires regression testing against functional safety requirements, eating into already scarce maintenance windows.
Risk Assessment
- Likelihood: Moderate for targeted attackers who already have a foothold on the OT network; low for opportunistic attacks given the local requirement and high complexity.
- Impact: High for drives controlling critical processes or safety interlocks. Administrative‑level control over a drive can lead to physical damage, production loss, and safety hazards.
- Mitigation urgency: G220 and S210 can be quickly hardened with a firmware update. S200 drives must be treated as high‑risk assets and segmented immediately; compensating controls, however effective, are not a substitute for a patch.
Final Recommendations
- Patch what you can. Move G220 and S210 to V6.4 HF2 after thorough testing. Do not let the perfect be the enemy of the good — a tested update in a maintenance window is better than a perpetually vulnerable drive.
- Segment unpatchable S200 drives. Use VLANs, firewalls, and strict access controls to limit who and what can communicate with them. Assume compromise and build containment layers.
- Monitor for factory resets and configuration changes. Even with segmentation, active detection is your last line of defense. Set up real‑time alerts and have an incident response plan that includes drive forensics.
- Subscribe to Siemens ProductCERT. Bookmark the SSA-027652 advisory page and set up automated alerts. The next HF release or workaround for S200 could appear at any time, and you will not learn about it from CISA.
- Treat remote access paths as entry vectors. Harden VPNs, enforce MFA, and log all remote maintenance activity. These are the most likely routes for an adjacent‑network attacker to reach your drives.
Siemens’ disclosure and CISA’s republication offer clear technical detail and actionable guidance. Yet the ultimate responsibility for securing these systems lies with the asset owners. For now, the message is unequivocal: patch G220 and S210, and ring‑fence every S200 until a fix lands. CVE‑2025‑40594 is a substantive flaw that demands immediate, coordinated action — and a reminder that in OT security, patching is necessary but never sufficient.