As of January 10, 2023, CISA will no longer be updating ICS security advisories for Siemens product vulnerabilities beyond the initial advisory. For the most up-to-date information on vulnerabilities in this advisory, please see Siemens’ ProductCERT Security Advisories (CERT Services | Services | Siemens Global).
1. EXECUTIVE SUMMARY
- CVSS v4 8.5
- ATTENTION: Low attack complexity
- Vendor: Siemens
- Equipment: Software Center and Solid Edge
- Vulnerability: Uncontrolled Search Path Element
2. RISK EVALUATION
Successful exploitation of this vulnerability could allow an attacker to execute arbitrary code by placing a crafted DLL file on the system.
3. TECHNICAL DETAILS
3.1 AFFECTED PRODUCTS
The following versions of Siemens Software Center and Solid Edge are affected:
- Siemens Software Center: All versions prior to 3.5
- Solid Edge SE2025: All versions prior to V225.0 Update 10
3.2 VULNERABILITY OVERVIEW
3.2.1 UNCONTROLLED SEARCH PATH ELEMENT CWE-427
The affected application is vulnerable to DLL hijacking. This could allow an attacker to execute arbitrary code by placing a crafted DLL file on the system.
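As an added example (not code from the CISA advisory or from Siemens), the following Python helper models the default Windows DLL search order behind CWE-427 and reports each directory that is searched before the legitimate DLL's directory and that an unprivileged user can write to; all directory names in the docstrings are constructed.

```python
"""Audit helper for CWE-427 / DLL hijacking on Windows.
Added example, not code from the CISA advisory or from Siemens. It models the
default Windows DLL search order (SafeDllSearchMode on) and reports every
directory searched before the legitimate DLL's directory that an unprivileged
user can write to. Directory names in the docstrings are constructed."""
import ntpath
import os

def _norm(path):
    # Windows paths are case-insensitive; compare in canonical form.
    return ntpath.normcase(ntpath.normpath(path))

def dll_search_order(app_dir, system_dirs, cwd, path_dirs):
    """Search order with SafeDllSearchMode enabled: application directory,
    system directories, current working directory, then each PATH entry.
    Duplicates keep only their first (earliest-searched) occurrence."""
    seen, order = set(), []
    for d in [app_dir, *system_dirs, cwd, *path_dirs]:
        if _norm(d) not in seen:
            seen.add(_norm(d))
            order.append(d)
    return order

def writable_from_set(dirs):
    """Build an is_writable predicate from a fixed set (offline use)."""
    known = {_norm(d) for d in dirs}
    return lambda d: _norm(d) in known

def live_writable(d):
    """Predicate for a real audit: run it as the unprivileged account the
    application would serve, since os.access reflects the current user."""
    return os.path.isdir(d) and os.access(d, os.W_OK)

def hijack_candidates(search_order, dll_dir, is_writable):
    """Writable directories searched before dll_dir. If dll_dir is absent from
    the order (the DLL is missing), every writable directory qualifies; that
    is the classic missing-DLL planting case."""
    target = _norm(dll_dir)
    found = []
    for d in search_order:
        if _norm(d) == target:
            break
        if is_writable(d):
            found.append(d)
    return found
```

For a live check on a Windows host, build the order from the application's install directory, `%SystemRoot%\System32`, the working directory and `os.environ["PATH"].split(os.pathsep)`, and pass `live_writable` as the predicate; any directory reported is one the application should not rely on for loading DLLs.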
CVE-2025-40827 has been assigned to this vulnerability. A CVSS v3.1 base score of 7.8 has been calculated; the CVSS vector string is (AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H).
A CVSS v4 score has also been calculated for CVE-2025-40827. A base score of 8.5 has been calculated; the CVSS vector string is (