SIMATIC STEP 7 and WinCC CVE-2025-40759: Brief Summary of a Deserialization Vulnerability

A brief summary of CVE-2025-40759, a deserialization vulnerability in Siemens SIMATIC STEP 7, WinCC, and related industrial automation products. This post details affected versions, technical root cause, and vendor security history, with references to official advisories and the NVD entry.
CVE Analysis

8 min read

ZeroPath CVE Analysis

2025-08-12

Experimental AI-Generated Content

This CVE analysis is an experimental publication that is completely AI-generated. The content may contain errors or inaccuracies and is subject to change as more information becomes available. We are continuously refining our process.

If you have feedback, questions, or notice any errors, please reach out to us.

Introduction

Industrial automation environments that rely on Siemens SIMATIC STEP 7, WinCC, and related engineering platforms face elevated risk from a recently disclosed vulnerability that could enable arbitrary code execution through malicious project files. The potential for attackers to compromise engineering workstations or automation controllers makes this issue highly relevant for organizations in manufacturing and critical infrastructure sectors.

About Siemens and Its Industrial Automation Portfolio: Siemens is a global leader in industrial automation and digitalization, with a broad product portfolio spanning programmable logic controllers, HMI systems, engineering tools, and cloud-based industrial platforms. Siemens products are widely deployed in critical infrastructure, manufacturing, energy, and transportation sectors, making the security of their software platforms a matter of international significance.

Technical Information

CVE-2025-40759 is categorized as CWE-502 (Deserialization of Untrusted Data). The vulnerability arises because affected Siemens products do not properly sanitize stored security properties during the parsing of project files. When a crafted project file containing malicious serialized objects is loaded by a vulnerable application, the deserialization process can result in type confusion. This allows an attacker to instantiate objects of unexpected types, which may lead to arbitrary code execution within the application's process context.

The attack vector is the import or opening of a malicious project file. This could occur through removable media, network shares, or other file transfer mechanisms commonly used in industrial environments. The vulnerability affects both on-premises and cloud-based deployments, and is particularly concerning in environments where project files are regularly exchanged between systems or imported from external sources. No public exploit code or vulnerable code snippets are available at this time.
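To illustrate the CWE-502 pattern described above, here is an added example that is not Siemens code and does not reflect the real project-file format: a constructed Python stand-in in which a loader trusts whatever type a serialized "security properties" record names, beside a hardened loader that allowlists the single expected type and refuses anything else. The class names, the pickle-based format and the sample files are all assumptions made for the example.

```python
import io
import pickle
from dataclasses import dataclass

# Constructed stand-in for the "stored security properties" a project file carries.
@dataclass
class SecurityProperties:
    protection_level: int
    know_how_protected: bool

# Any other class reachable by the deserializer stands in for an "unexpected type".
class UnexpectedType:
    def __init__(self, payload: str = "") -> None:
        self.payload = payload

def load_project_unsafe(blob: bytes) -> object:
    """Vulnerable pattern: instantiates whatever type the file names (CWE-502)."""
    return pickle.loads(blob)

class RestrictedUnpickler(pickle.Unpickler):
    """Only the expected type may be instantiated; every other class is refused."""
    ALLOWED = {(__name__, "SecurityProperties")}

    def find_class(self, module: str, name: str):
        if (module, name) in self.ALLOWED:
            return super().find_class(module, name)
        raise pickle.UnpicklingError(f"refused type {module}.{name}")

def load_project_safe(blob: bytes) -> SecurityProperties:
    """Hardened pattern: type allowlist during parsing plus a post-load type check."""
    obj = RestrictedUnpickler(io.BytesIO(blob)).load()
    if not isinstance(obj, SecurityProperties):
        raise pickle.UnpicklingError("security properties have the wrong type")
    return obj

def classify(blob: bytes) -> str:
    """Returns 'accepted' or 'rejected' for a project file under the hardened loader."""
    try:
        load_project_safe(blob)
        return "accepted"
    except pickle.UnpicklingError:
        return "rejected"

# Constructed sample files: one benign record, one naming a type the loader never expects.
BENIGN_FILE = pickle.dumps(SecurityProperties(protection_level=3, know_how_protected=True))
CRAFTED_FILE = pickle.dumps(UnexpectedType("constructed sample"))
```

The unsafe loader hands back an `UnexpectedType` instance from the crafted file, which is the type confusion the advisory describes; the restricted loader rejects it at the point where the type name is resolved, before any constructor runs.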

Affected Systems and Versions

The following Siemens products and versions are affected by CVE-2025-40759:

  • SIMATIC S7-PLCSIM V17 (all versions)
  • SIMATIC STEP 7 V17 (all versions)
  • SIMATIC STEP 7 V18 (all versions)
  • SIMATIC STEP 7 V19 (all versions prior to V19 Update 4)
  • SIMATIC STEP 7 V20 (all versions)
  • SIMATIC WinCC V17 (all versions)
  • SIMATIC WinCC V18 (all versions)
  • SIMATIC WinCC V19 (all versions prior to V19 Update 4)
  • SIMATIC WinCC V20 (all versions)
  • SIMOCODE ES V17 (all versions)
  • SIMOCODE ES V18 (all versions)
  • SIMOCODE ES V19 (all versions)
  • SIMOCODE ES V20 (all versions)
  • SIMOTION SCOUT TIA V5.4 (all versions)
  • SIMOTION SCOUT TIA V5.5 (all versions)
  • SIMOTION SCOUT TIA V5.6 (all versions prior to V5.6 SP1 HF7)
  • SIMOTION SCOUT TIA V5.7 (all versions)
  • SINAMICS Startdrive V17 (all versions)
  • SINAMICS Startdrive V18 (all versions)
  • SINAMICS Startdrive V19 (all versions)
  • SINAMICS Startdrive V20 (all versions)
  • SIRIUS Safety ES V17 (TIA Portal) (all versions)
  • SIRIUS Safety ES V18 (TIA Portal) (all versions)
  • SIRIUS Safety ES V19 (TIA Portal) (all versions)
  • SIRIUS Safety ES V20 (TIA Portal) (all versions)
  • SIRIUS Soft Starter ES V17 (TIA Portal) (all versions)
  • SIRIUS Soft Starter ES V18 (TIA Portal) (all versions)
  • SIRIUS Soft Starter ES V19 (TIA Portal) (all versions)
  • SIRIUS Soft Starter ES V20 (TIA Portal) (all versions)
  • TIA Portal Cloud V17 (all versions)
  • TIA Portal Cloud V18 (all versions)
  • TIA Portal Cloud V19 (all versions prior to V5.2.1.1)
  • TIA Portal Cloud V20 (all versions)

Vendor Security History

Siemens has previously addressed similar deserialization vulnerabilities in its engineering software. For example, CVE-2022-45147 affected SIMATIC STEP 7 and related products, allowing type confusion and arbitrary code execution via crafted project files. Siemens typically issues detailed advisories and mitigation guidance but has shifted some responsibility for ongoing monitoring and patching to end users, especially for legacy systems. The recurrence of deserialization and type confusion vulnerabilities indicates ongoing challenges in secure development and validation processes for their industrial software portfolio.
