Siemens SiPass Integrated
Plan Patch7.5ICS-CERT ICSA-25-148-02May 13, 2025
Attack VectorNetwork
Auth RequiredNone
ComplexityLow
User InteractionNone needed
Summary
SiPass integrated versions before V2.95.3.18 contain an out-of-bounds read vulnerability (CWE-125) that allows an unauthenticated remote attacker to trigger a denial of service condition by sending a crafted network request to the application.
What this means
What could happen
An attacker could remotely crash the SiPass integrated access control system, disrupting physical access management to your facility. While this does not directly affect production OT systems, it could prevent security personnel from monitoring or controlling building access during the outage.
Who's at risk
Security teams and facilities managers who depend on Siemens SiPass integrated for physical access control and badge management. This affects any organization running vulnerable versions of SiPass integrated in their facility access systems.
How it could be exploited
An attacker on the network sends a malformed network message that triggers an out-of-bounds memory read, causing the SiPass service to crash. The attack requires only network reachability to SiPass integrated; no authentication or user interaction is needed.
Prerequisites
- Network reachability to SiPass integrated application port
- No authentication required
Remotely exploitableNo authentication requiredLow complexity attackDenial of service impactAccess control system disruption
Exploitability
Low exploit probability (EPSS 0.4%)
Affected products (1)
ProductAffected VersionsFix Status
SiPass integrated< V2.95.3.182.95.3.18
Remediation & Mitigation
0/3
Do now
0/1WORKAROUNDRestrict network access to SiPass integrated using firewall rules—only allow connections from authorized workstations and engineering networks
Schedule — requires maintenance window
0/1Patching may require device reboot — plan for process interruption
HOTFIXUpdate SiPass integrated to version 2.95.3.18 or later
Long-term hardening
0/1HARDENINGIsolate the SiPass integrated system from direct internet exposure and place it behind a firewall or network segmentation boundary
CVEs (1)
↑↓ Navigate · Esc Close
API:
/api/v1/advisories/c67269ed-279e-43e7-bfd1-9b4a945a1bea