CVE-2025-40585 PUBLISHED

Assigner: siemens
Reserved: 16.04.2025 Published: 10.06.2025 Updated: 10.06.2025

A vulnerability has been identified in Energy Services (All versions with G5DFR). Affected solutions using G5DFR contain default credentials. This could allow an attacker to gain control of G5DFR component and tamper with outputs from the device.

CVSS Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:L/I:H/A:L
CVSS Score: 9.9

Attack Vector	Network	Scope	Changed
Attack Complexity	Low	Confidentiality Impact	Low
Privileges Required	None	Integrity Impact	High
User Interaction	None	Availability Impact	Low

CVSS 3.1

CVSS Vector: CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:H/VI:H/VA:H/SC:L/SI:H/SA:L
CVSS Score: 9.5

Exploitability Metrics		Vulnerable System Impact Metrics		Subsequent System Impact Metrics
Attack Vector	Network	Confidentiality	High	Confidentiality	Low
Attack Complexity	Low	Integrity	High	Integrity	High
Attack Requirements	Present	Availability	High	Availability	Low
Privileges Required	None
User Interaction	None

CVSS 4.0

Product Status

Vendor	Siemens
Product	Energy Services
Versions	Default: unknown affected from 0 to * (excl.)

References

https://cert-portal.siemens.com/productcert/html/ssa-345750.html

Problem Types

CWE-276: Incorrect Default Permissions CWE