Siemens SIMATIC Virtualization as a Service (SIVaaS)
Act Now | CVSS 9.1 | ICS-CERT ICSA-25-254-02 | Sep 9, 2025
Attack Vector: Network
Auth Required: None
Complexity: Low
User Interaction: None needed
Summary
SIMATIC Virtualization as a Service (SIVaaS) contains a vulnerability that exposes a network share without any authentication requirement. An attacker can access or modify sensitive data on the exposed share without providing valid credentials. The vulnerability affects all versions of SIVaaS and has no publicly available patch from Siemens.
What this means
What could happen
An attacker with network access to SIVaaS can read and modify sensitive data on exposed network shares without providing credentials, potentially compromising configuration, process data, or authentication information stored on the virtualization platform.
Who's at risk
Organizations running SIMATIC Virtualization as a Service (SIVaaS) for Siemens automation and control infrastructure are affected. This impacts utilities, manufacturers, and critical infrastructure operators who rely on SIVaaS for managing virtualized control system environments and process data.
How it could be exploited
An attacker scans the network for accessible SIVaaS instances, locates the unauthenticated network share, and connects to it using standard file-sharing protocols (SMB/CIFS) to browse, download, or modify files without needing valid credentials.
Prerequisites
- Network access to the SIVaaS host (TCP port 445 for SMB, or the port used by another file-sharing protocol)
- SIVaaS instance deployed and network share enabled
- No firewall rules blocking access to the share
Tags: remotely exploitable, no authentication required, low complexity, no patch available, high CVSS score (9.1)
Exploitability
Low exploit probability (EPSS 0.1%)
Affected products (1)
Product | Affected Versions | Fix Status
SIMATIC Virtualization as a Service (SIVaaS) | All versions | No fix (EOL)
Remediation & Mitigation
Do now
HOTFIX: Contact Siemens Technical Support to obtain a fix for the unauthenticated network share exposure
WORKAROUND: Restrict network access to SIVaaS hosts using firewall rules; block incoming connections to file-sharing ports (445, 139, etc.) except from authorized engineering workstations
WORKAROUND: Disable the exposed network share if it is not required for operations; re-enable it only when needed and with proper access controls
Mitigations - no patch available
SIMATIC Virtualization as a Service (SIVaaS) has reached End of Life. The vendor will not release a patch. Apply the following compensating controls:
HARDENING: Segment SIVaaS infrastructure on an isolated network separate from IT business systems and the internet
HARDENING: If remote access to SIVaaS is required, use a VPN with up-to-date security patches and multi-factor authentication
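The firewall workaround above only holds if connections to the file-sharing ports from outside the engineering-workstation allowlist are actually being blocked and noticed. The following is an added example, not code from the advisory or from Siemens, that audits netfilter-style firewall log lines for SMB/NetBIOS (445, 139) connections to SIVaaS hosts from non-allowlisted sources; the host inventory, allowlist range and log lines are all constructed for the example.

```python
import ipaddress
import re

# Ports named in the advisory's workaround (SMB and NetBIOS session service).
FILE_SHARING_PORTS = {445, 139}
# Constructed sample inventory for this example; substitute your own.
SIVAAS_HOSTS = {"192.0.2.10"}
ENGINEERING_ALLOWLIST = [ipaddress.ip_network("198.51.100.0/29")]
# Matches netfilter-style LOG lines; other log formats need their own pattern.
LOG_RE = re.compile(r"SRC=(?P<src>\S+) DST=(?P<dst>\S+) PROTO=TCP SPT=\d+ DPT=(?P<dpt>\d+)")

# Constructed firewall log lines, not captured from a real SIVaaS deployment.
SAMPLE_LOGS = """\
Sep  9 10:00:01 fw kernel: IN=eth0 OUT=eth1 SRC=198.51.100.5 DST=192.0.2.10 PROTO=TCP SPT=51000 DPT=445 SYN
Sep  9 10:00:07 fw kernel: IN=eth0 OUT=eth1 SRC=203.0.113.44 DST=192.0.2.10 PROTO=TCP SPT=40211 DPT=445 SYN
Sep  9 10:00:08 fw kernel: IN=eth0 OUT=eth1 SRC=203.0.113.44 DST=192.0.2.10 PROTO=TCP SPT=40212 DPT=139 SYN
Sep  9 10:00:09 fw kernel: IN=eth0 OUT=eth1 SRC=203.0.113.44 DST=192.0.2.10 PROTO=TCP SPT=40213 DPT=443 SYN
Sep  9 10:01:30 fw kernel: IN=eth0 OUT=eth1 SRC=198.51.100.9 DST=192.0.2.10 PROTO=TCP SPT=52000 DPT=445 SYN
Sep  9 10:02:00 fw kernel: IN=eth0 OUT=eth1 SRC=203.0.113.44 DST=192.0.2.99 PROTO=TCP SPT=40214 DPT=445 SYN
"""


def is_authorized_source(src):
    """True if src lies inside an engineering-workstation allowlist range."""
    try:
        ip = ipaddress.ip_address(src)
    except ValueError:
        return False  # an unparsable source address is never trusted
    return any(ip in net for net in ENGINEERING_ALLOWLIST)


def find_unauthorized_share_access(lines):
    """Return (src, dst, dport) for file-sharing connections to SIVaaS hosts
    whose source is outside the allowlist; all other traffic is ignored."""
    findings = []
    for line in lines:
        m = LOG_RE.search(line)
        if not m:
            continue
        src, dst, dport = m.group("src"), m.group("dst"), int(m.group("dpt"))
        if dst in SIVAAS_HOSTS and dport in FILE_SHARING_PORTS and not is_authorized_source(src):
            findings.append((src, dst, dport))
    return findings


if __name__ == "__main__":
    for src, dst, dport in find_unauthorized_share_access(SAMPLE_LOGS.splitlines()):
        print(f"ALERT: {src} -> {dst}:{dport} is outside the engineering allowlist")
```

On the constructed input this flags the two connections from 203.0.113.44 and the one from 198.51.100.9 (just outside the /29), while the HTTPS connection and the connection to a non-SIVaaS host are ignored.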
CVEs (1)