CVE-2025-27395
Published: 11 March 2025
Description
Adversaries may insert, delete, or manipulate data at rest in order to influence external outcomes or hide activity, thus threatening the integrity of the data.
Security Summary
CVE-2025-27395 is a path traversal vulnerability (CWE-22) affecting Siemens SCALANCE LPE9403 devices (order number 6GK5998-3GS00-2AC2) in all versions prior to V4.0. The flaw arises because these devices fail to properly restrict the scope of files accessible via the SFTP functionality and do not enforce appropriate privilege limitations. This issue has a CVSS v3.1 base score of 7.2 (AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H) and was published on March 11, 2025.
An authenticated attacker with high privileges can exploit this vulnerability remotely over the network with low complexity and no user interaction required. Successful exploitation enables the attacker to read and write arbitrary files on the affected device, potentially leading to full compromise including high impacts on confidentiality, integrity, and availability.
The Siemens product CERT advisory (SSA-075201) at https://cert-portal.siemens.com/productcert/html/ssa-075201.html provides details on mitigation, which includes updating to version V4.0 or later where available. Security practitioners should consult the advisory for full patch instructions and any workarounds for systems unable to update immediately.
Details
- CWE(s)
Affected Products
MITRE ATT&CK Enterprise Techniques
Why these techniques?
Path traversal in SFTP directly enables arbitrary local file reads (T1005) and writes, facilitating tool ingress (T1105) and stored data manipulation (T1565.001) on the device.