Siemens SINUMERIK

Plan PatchCVSS 8.3ICS-CERT ICSA-25-226-19Aug 12, 2025

Siemens

Attack path

Attack VectorAdjacent

Auth RequiredNone

ComplexityLow

User InteractionNone needed

Summary

Siemens SINUMERIK Controllers contain an improper VNC password check vulnerability that allows an attacker to bypass authentication and gain unauthorized remote access to the machine control interface. Affected products include SINUMERIK 828D (PPU.4 and PPU.5), 840D sl, MC (versions 1.15 and 1.25), and ONE (versions 6.15 and 6.25). An attacker with network access to the VNC port can connect without providing valid credentials and obtain full remote control of the CNC machine operations.

What this means

What could happen

An attacker with network access to the VNC interface could bypass password authentication and gain remote control of the CNC machine, potentially altering tool paths, spindle speeds, or stopping production without valid credentials.

Who's at risk

Manufacturers and machine shops operating Siemens SINUMERIK CNC machine tools (including 828D, 840D sl, MC, and ONE series controllers) used in metalworking, automotive, aerospace, and precision manufacturing are affected. Any shop with VNC-enabled SINUMERIK controllers is at risk of unauthorized remote access.

How it could be exploited

An attacker on the same network segment (or with network access to port 5900 or equivalent VNC port) can connect to the VNC server and bypass the password check due to improper authentication validation. This allows unauthenticated access to the machine operator interface, granting full remote control.

Prerequisites

Network access to the SINUMERIK controller's VNC port (default port 5900)
SINUMERIK controller running an affected firmware version
VNC service enabled on the controller

remotely exploitableno authentication requiredlow complexityaffects production control systemsunauthenticated VNC access

Exploitability

Unlikely to be exploited — EPSS score 0.0%

Affected products (7)

7 with fix

ProductAffected VersionsFix Status

SINUMERIK 828D PPU.4<V4.95 SP54.95 SP5

SINUMERIK 828D PPU.5<V5.25 SP15.25 SP1

SINUMERIK 840D sl<V4.95 SP54.95 SP5

SINUMERIK MC<V1.25 SP11.25 SP1

SINUMERIK MC V1.15<V1.15 SP51.15 SP5

SINUMERIK ONE<V6.25 SP16.25 SP1

SINUMERIK ONE V6.15<V6.15 SP56.15 SP5

Remediation & Mitigation

0/9

Do now

0/2

WORKAROUNDRestrict network access to the SINUMERIK controller's VNC port to only authorized engineering workstations and personnel

HARDENINGDisable VNC remote access on SINUMERIK controllers if not required for operations

Schedule — requires maintenance window

0/7

Patching may require device reboot — plan for process interruption

SINUMERIK 828D PPU.4

HOTFIXUpdate SINUMERIK 828D PPU.4 to firmware version 4.95 SP5 or later

SINUMERIK 828D PPU.5

HOTFIXUpdate SINUMERIK 828D PPU.5 to firmware version 5.25 SP1 or later

SINUMERIK 840D sl

HOTFIXUpdate SINUMERIK 840D sl to firmware version 4.95 SP5 or later

SINUMERIK MC

HOTFIXUpdate SINUMERIK MC to firmware version 1.25 SP1 or later

HOTFIXUpdate SINUMERIK MC V1.15 to firmware version 1.15 SP5 or later

SINUMERIK ONE

HOTFIXUpdate SINUMERIK ONE to firmware version 6.25 SP1 or later

HOTFIXUpdate SINUMERIK ONE V6.15 to firmware version 6.15 SP5 or later

CVEs (1)

CVE-2025-40743

View full CISA ICS-CERT advisory

↑↓ Navigate · Esc Close

API: /api/v1/advisories/e9f8875d-5d35-444e-a221-256aa6211bfb

Get OT security insights every Tuesday

Advisory breakdowns, a weekly summary, and incident analyses for the people actually defending OT environments. Free, no account required.