Introduction
Remote attackers can retrieve or modify configuration data from critical industrial communication processors without any authentication. This flaw affects Siemens SIMATIC CP 1542SP-1, CP 1542SP-1 IRC, CP 1543SP-1, and SIPLUS ET 200SP variants, which are widely deployed in manufacturing and critical infrastructure environments for industrial automation and process control.
About the involved products: Siemens is a global leader in industrial automation, with its SIMATIC and SIPLUS product families forming the backbone of control and communication in factories, utilities, and infrastructure worldwide. These products are integral to the operation of thousands of industrial sites, making any security issue in their communication processors highly impactful.
Technical Information
CVE-2025-40771 is caused by missing authentication for configuration connections in the following Siemens communication processors:
- SIMATIC CP 1542SP-1 (6GK7542-6UX00-0XE0)
- SIMATIC CP 1542SP-1 IRC (6GK7542-6VX00-0XE0)
- SIMATIC CP 1543SP-1 (6GK7543-6WX00-0XE0)
- SIPLUS ET 200SP CP 1542SP-1 IRC TX RAIL (6AG2542-6VX00-4XE0)
- SIPLUS ET 200SP CP 1543SP-1 ISEC (6AG1543-6WX00-7XE0)
- SIPLUS ET 200SP CP 1543SP-1 ISEC TX RAIL (6AG2543-6WX00-4XE0)
All firmware versions prior to V2.4.24 are affected.
The vulnerability is classified as CWE-306 (Missing Authentication for Critical Function). Specifically, the affected devices do not enforce any authentication when a remote user attempts to establish a configuration session. This means that any unauthenticated user with network access to the device's configuration interface can access or modify configuration data. The flaw is limited to the configuration interface and does not affect operational communication channels.
No public code snippets are available for this vulnerability. The root cause is the absence of authentication logic in the configuration connection handling code path for affected firmware versions.
Affected Systems and Versions
The following Siemens products and versions are vulnerable:
- SIMATIC CP 1542SP-1 (6GK7542-6UX00-0XE0) — All versions prior to V2.4.24
- SIMATIC CP 1542SP-1 IRC (6GK7542-6VX00-0XE0) — All versions prior to V2.4.24
- SIMATIC CP 1543SP-1 (6GK7543-6WX00-0XE0) — All versions prior to V2.4.24
- SIPLUS ET 200SP CP 1542SP-1 IRC TX RAIL (6AG2542-6VX00-4XE0) — All versions prior to V2.4.24
- SIPLUS ET 200SP CP 1543SP-1 ISEC (6AG1543-6WX00-7XE0) — All versions prior to V2.4.24
- SIPLUS ET 200SP CP 1543SP-1 ISEC TX RAIL (6AG2543-6WX00-4XE0) — All versions prior to V2.4.24
Any deployment of these processors running firmware below V2.4.24 is vulnerable.
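An inventory check for the affected set above, written here as an added example (not part of the advisory and not Siemens code): it matches each asset's article number against the listed MLFBs and compares its firmware numerically against V2.4.24, which avoids the classic mistake of comparing version strings lexically (where "V2.4.9" would wrongly sort above "V2.4.24"). Hostnames, firmware values and the non-affected article number in the sample are constructed.

```python
"""Flag inventory records that fall into the CVE-2025-40771 affected set:
one of the advisory's article numbers running firmware older than V2.4.24."""
import re

FIXED_VERSION = (2, 4, 24)  # first fixed firmware, from the advisory

# Article numbers (MLFB) taken from the advisory's affected-product list.
AFFECTED_MLFB = {
    "6GK7542-6UX00-0XE0": "SIMATIC CP 1542SP-1",
    "6GK7542-6VX00-0XE0": "SIMATIC CP 1542SP-1 IRC",
    "6GK7543-6WX00-0XE0": "SIMATIC CP 1543SP-1",
    "6AG2542-6VX00-4XE0": "SIPLUS ET 200SP CP 1542SP-1 IRC TX RAIL",
    "6AG1543-6WX00-7XE0": "SIPLUS ET 200SP CP 1543SP-1 ISEC",
    "6AG2543-6WX00-4XE0": "SIPLUS ET 200SP CP 1543SP-1 ISEC TX RAIL",
}


def parse_version(text):
    """Turn 'V2.4.24', 'v2.4.9' or '2.4' into a tuple of ints so that
    comparison is numeric per component; missing components count as 0."""
    m = re.fullmatch(r"[Vv]?(\d+)(?:\.(\d+))?(?:\.(\d+))?", text.strip())
    if not m:
        raise ValueError(f"unrecognised firmware version: {text!r}")
    return tuple(int(g) if g is not None else 0 for g in m.groups())


def is_affected(mlfb, firmware):
    """True when the article number is in the advisory list and the
    firmware is older than the fixed version V2.4.24."""
    if mlfb.strip().upper() not in AFFECTED_MLFB:
        return False
    return parse_version(firmware) < FIXED_VERSION


def triage(inventory):
    """Return the (name, mlfb, firmware) records that still need the update."""
    return [rec for rec in inventory if is_affected(rec[1], rec[2])]


# Constructed sample inventory; the last article number is a placeholder
# that is deliberately not in the affected list.
SAMPLE_INVENTORY = [
    ("cp-line1", "6GK7542-6UX00-0XE0", "V2.3.5"),   # affected
    ("cp-line2", "6GK7543-6WX00-0XE0", "V2.4.24"),  # already fixed
    ("cp-rail7", "6AG2542-6VX00-4XE0", "V2.4.9"),   # affected (9 < 24)
    ("cp-other", "6XX0000-0XX00-0XX0", "V1.0.0"),   # not a listed product
]

if __name__ == "__main__":
    for name, mlfb, fw in triage(SAMPLE_INVENTORY):
        print(f"{name}: {AFFECTED_MLFB[mlfb]} ({mlfb}) firmware {fw} < V2.4.24")
```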
Vendor Security History
Siemens has previously addressed authentication and access control issues in its SIMATIC and SIPLUS product lines. Past advisories (see references) have documented similar flaws, including missing or weak authentication for critical functions. Siemens typically provides timely patches for supported products and maintains a dedicated ProductCERT team for vulnerability management. The recurrence of authentication-related issues highlights ongoing challenges in secure-by-design implementation for industrial communication devices.