VYPR
Unrated severity · NVD Advisory · Published May 13, 2025 · Updated May 13, 2025

CVE-2025-40566

Description

A vulnerability has been identified in SIMATIC PCS neo V4.1 (All versions < V4.1 Update 3), SIMATIC PCS neo V5.0 (All versions < V5.0 Update 1). Affected products do not correctly invalidate user sessions upon user logout. This could allow a remote unauthenticated attacker, who has obtained the session token by other means, to re-use a legitimate user's session even after logout.

AI Insight

LLM-synthesized narrative grounded in this CVE's description and references.

SIMATIC PCS neo fails to invalidate sessions on logout, letting an attacker reuse a stolen token for unauthorized access.

Vulnerability

SIMATIC PCS neo V4.1 (all versions prior to V4.1 Update 3) and SIMATIC PCS neo V5.0 (all versions prior to V5.0 Update 1) do not correctly invalidate user sessions upon user logout [1]. This allows a previously valid session token to remain usable even after the legitimate user has ended their session [1].

Exploitation

An attacker must first obtain a valid session token through other means (e.g., network eavesdropping, cross-site scripting, or physical access). No authentication is required for the reuse step. The attacker can then present the captured token to the affected system, and the system will accept it as a valid authenticated session, bypassing the logout state [1].

Impact

A remote, unauthenticated attacker who successfully reuses a session token gains unauthorized access to the SIMATIC PCS neo web interface with the privileges of the victim user. This can lead to information disclosure, manipulation of control system data, or disruption of industrial processes, depending on the victim's permissions. The CVSS v3.1 base score is 8.8 (High) [1].

Mitigation

Siemens has released fixes in SIMATIC PCS neo V4.1 Update 3 and V5.0 Update 1 [1]. Users should update to the latest versions. As a general practice, Siemens recommends protecting network access with appropriate mechanisms and following operational guidelines for industrial security [1].
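The logout behaviour described above, reduced to a minimal server-side session table, as an added example that is not Siemens code. The advisory does not describe how the product stores sessions, so the `SessionStore` class, its method names, the cookie name and the user name are all assumptions made for illustration. It contrasts a logout that only clears the client cookie with one that deletes the server-side record, and includes a regression check that a token copied before logout no longer authenticates.

```python
import secrets
import time


class SessionStore:
    """Hypothetical server-side session table (illustration only, not the product's code)."""

    def __init__(self, ttl_seconds=900):
        self.ttl = ttl_seconds
        self._sessions = {}  # token -> (user, expiry on the monotonic clock)

    def login(self, user):
        token = secrets.token_urlsafe(32)
        self._sessions[token] = (user, time.monotonic() + self.ttl)
        return token

    def validate(self, token):
        """Return the user for a live session, or None if unknown or expired."""
        entry = self._sessions.get(token)
        if entry is None:
            return None
        user, expiry = entry
        if time.monotonic() >= expiry:
            del self._sessions[token]
            return None
        return user

    def logout_client_only(self, token):
        """Flawed pattern: the browser is told to drop the cookie, server state is untouched."""
        return {"Set-Cookie": "session=; Max-Age=0"}

    def logout(self, token):
        """Corrected pattern: the server-side record is deleted, so every copy of the token is dead."""
        self._sessions.pop(token, None)
        return {"Set-Cookie": "session=; Max-Age=0"}


def token_survives_logout(store, logout):
    """Regression check: does a token copied before logout still authenticate afterwards?"""
    token = store.login("operator1")  # constructed user name
    copied = token                    # stands in for a token obtained "by other means"
    logout(token)
    return store.validate(copied) is not None
```

A check of this shape, run against a test instance after applying the vendor update, confirms that logout invalidates the session on the server rather than only in the browser.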

References
  1. SSA-339086

AI Insight generated on May 25, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
