Siemens SIMATIC PCS
Plan Patch | CVSS 8.8 | ICS-CERT ICSA-25-135-12 | May 13, 2025
Siemens
Attack path
- Attack Vector: Network
- Auth Required: None
- Complexity: Low
- User Interaction: Required
Summary
SIMATIC PCS neo V4.1 (before Update 3) and V5.0 (before Update 1) do not correctly invalidate user sessions upon logout. An attacker who obtains a valid session token through other means could reuse it to access the system after the legitimate user has logged out, potentially issuing unauthorized commands or configuration changes to controlled processes.
What this means
What could happen
An attacker who obtains a legitimate user's session token could continue to use that token to access PCS neo after the user logs out, potentially allowing unauthorized configuration changes or operational disruption to your industrial processes.
Who's at risk
Engineering teams and operators at water utilities, electric utilities, and other industrial facilities using Siemens SIMATIC PCS neo for process control and HMI functions. Anyone with access to the PCS neo interface, including remote engineering support staff, could be affected if their session tokens are compromised.
How it could be exploited
An attacker must first obtain a valid session token from an authorized user (through phishing, network interception, or other means). Once obtained, even after the legitimate user logs out, the attacker can reuse that token to send commands to PCS neo as if they were the logged-in user.
Prerequisites
- Valid session token obtained by other means (e.g., phishing, network sniffing, compromised workstation)
- Network access to the PCS neo web interface or API
- Knowledge that a particular session token is valid
- Remotely exploitable
- No authentication required once session token is obtained
- Low complexity attack
- Affects critical operational systems
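An added example, not code from Siemens or from this advisory: a minimal Python model of the flaw class described above, where logout leaves a token valid on the server, next to a variant that revokes it, plus a regression check a defender could adapt. The token format, class names and user name are assumptions for illustration; the advisory does not describe how PCS neo implements sessions.

```python
import hashlib
import hmac
import secrets
import time

KEY = secrets.token_bytes(32)  # constructed signing key for this demo

class StatelessSessions:
    """Weak pattern: validity depends only on signature and expiry."""

    def login(self, user, ttl=3600):
        body = f"{user}|{secrets.token_hex(8)}|{int(time.time()) + ttl}"
        return f"{body}|{self._sign(body)}"

    def _sign(self, body):
        return hmac.new(KEY, body.encode(), hashlib.sha256).hexdigest()

    def validate(self, token):
        body, _, sig = token.rpartition("|")
        if not hmac.compare_digest(sig.encode(), self._sign(body).encode()):
            return None
        user, sid, exp = body.split("|")
        return None if int(exp) < time.time() or self._revoked(sid) else user

    def _revoked(self, sid):
        return False  # nothing is tracked server-side

    def logout(self, token):
        pass  # the client discards its copy; any other copy stays valid

class RevocableSessions(StatelessSessions):
    """Corrected pattern: logout records the session id as revoked."""

    def __init__(self):
        self._dead = set()

    def _revoked(self, sid):
        return sid in self._dead

    def logout(self, token):
        if self.validate(token):
            self._dead.add(token.split("|")[1])

def token_survives_logout(service):
    """Regression check: True means the token still works after logout."""
    token = service.login("operator1")  # constructed user name
    service.logout(token)
    return service.validate(token) is not None
```

In a real deployment the revocation set would live in shared storage and entries could be dropped once the token's own expiry has passed.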
Exploitability
Unlikely to be exploited — EPSS score 0.2%
Affected products (2)
2 with fix
| Product | Affected Versions | Fix Status |
| --- | --- | --- |
| SIMATIC PCS neo V4.1 | <V4.1 Update 3 | 4.1 Update 3 |
| SIMATIC PCS neo V5.0 | <V5.0 Update 1 | 5.0 Update 1 |
Remediation & Mitigation
Do now
WORKAROUND: Restrict network access to PCS neo management interfaces using firewalls or network segmentation; allow only trusted engineering workstations and administrative systems
Schedule — requires maintenance window
Patching may require device reboot — plan for process interruption
SIMATIC PCS neo V4.1
HOTFIX: Update SIMATIC PCS neo V4.1 to Update 3 or later
SIMATIC PCS neo V5.0
HOTFIX: Update SIMATIC PCS neo V5.0 to Update 1 or later
Long-term hardening
HARDENING: Educate users to avoid clicking links and opening attachments in unsolicited emails to reduce risk of session token theft via phishing
CVEs (1)