Siemens SiPass Integrated

Plan PatchCVSS 7.5ICS-CERT ICSA-25-148-02May 13, 2025

Siemens

Attack path

Attack VectorNetwork

Auth RequiredNone

ComplexityLow

User InteractionNone needed

Summary

SiPass integrated versions before V2.95.3.18 contain an out-of-bounds read vulnerability (CWE-125) that allows an unauthenticated remote attacker to cause a denial of service condition. The vulnerability does not provide confidentiality or integrity impact, only availability. Siemens has released version 2.95.3.18 as a fix.

What this means

What could happen

An unauthenticated attacker could send a crafted network request to crash the SiPass integrated access control system, disrupting physical security operations and potentially preventing legitimate users from entering or exiting facilities.

Who's at risk

Physical security and access control operators managing Siemens SiPass integrated badge/door control systems in facilities such as manufacturing plants, data centers, campuses, and municipal buildings. The vulnerability affects access control operations facility-wide if the system crashes.

How it could be exploited

An attacker with network connectivity to the SiPass integrated system sends a specially crafted request that triggers an out-of-bounds memory read. This causes the service to crash, resulting in denial of service. No authentication or user interaction is required.

Prerequisites

Network access to SiPass integrated device on the network
No credentials or special configuration required

remotely exploitableno authentication requiredlow complexitydenial of service impact on physical security operations

Exploitability

Unlikely to be exploited — EPSS score 0.4%

Affected products (1)

ProductAffected VersionsFix Status

SiPass integrated< V2.95.3.182.95.3.18

Remediation & Mitigation

0/3

Do now

0/1

WORKAROUNDRestrict network access to the SiPass integrated system using a firewall to allow only trusted administrative hosts and facilities requiring badge reader communication

Schedule — requires maintenance window

0/1

Patching may require device reboot — plan for process interruption

HOTFIXUpdate SiPass integrated to version 2.95.3.18 or later

Long-term hardening

0/1

HARDENINGIsolate the SiPass integrated system from the business network and the internet using network segmentation

CVEs (1)

CVE-2022-31812

View full CISA ICS-CERT advisory

↑↓ Navigate · Esc Close

API: /api/v1/advisories/c67269ed-279e-43e7-bfd1-9b4a945a1bea

Get OT security insights every Tuesday

Advisory breakdowns, a weekly summary, and incident analyses for the people actually defending OT environments. Free, no account required.