Siemens SIMATIC Virtualization as a Service (SIVaaS)

CVSS 9.1 | ICS-CERT ICSA-25-254-02 | Sep 9, 2025
Siemens
Attack path
  • Attack Vector: Network
  • Auth Required: None
  • Complexity: Low
  • User Interaction: None needed
Summary

SIMATIC Virtualization as a Service (SIVaaS) exposes a network share without authentication, allowing an attacker with network access to read or modify sensitive data including engineering configurations and credentials. Siemens has no patch planned and recommends contacting technical support.

What this means
What could happen
An attacker without credentials could access or modify sensitive data on the SIVaaS network share, potentially exposing engineering configurations, credentials, or process data critical to your virtualized automation environment.
Who's at risk
Water and power utilities operating Siemens SIMATIC virtualization environments for automation control. Affects organizations using SIVaaS to host virtual PLCs, HMIs, or engineering workstations, particularly those exposed to less-trusted network segments or with internet-facing access.
How it could be exploited
An attacker with network access to SIVaaS can connect to an unauthenticated network share and read or write files directly. No credentials, user interaction, or engineering tools are required—the attacker simply maps the network share and accesses its contents.
Prerequisites
  • Network access (Layer 3) to the SIVaaS appliance or its network share
  • SIVaaS must be accessible from the attacker's network segment
Tags: remotely exploitable, no authentication required, low complexity, no patch available, affects cloud/virtualization control platform
Exploitability
Unlikely to be exploited — EPSS score 0.1%
Affected products (1)
  • Product: SIMATIC Virtualization as a Service (SIVaaS)
  • Affected Versions: All versions
  • Fix Status: No fix (EOL)
Remediation & Mitigation
Do now
HARDENING: Restrict network access to SIVaaS to only authorized IT and engineering networks using firewall rules; block all unnecessary inbound connections
Schedule — requires maintenance window

Patching may require device reboot — plan for process interruption

HARDENING: Segment SIVaaS from general business networks and isolate it behind a firewall with explicit allow policies
WORKAROUND: Contact Siemens Technical Support to discuss remediation options since no vendor patch is planned
HARDENING: If remote access to SIVaaS is required, require use of a VPN with strong authentication and keep the VPN appliance fully patched
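Because no patch is coming, the controls above reduce to one question: does anything outside the authorized IT and engineering networks ever reach the SIVaaS appliance? The following added example (not part of the advisory or any Siemens tooling) audits constructed key=value flow-log lines against such an allow-list; the appliance address, the authorized subnets and the log format are assumptions.

```python
import ipaddress
from dataclasses import dataclass
from typing import Optional

# Constructed values for this example (hypothetical; not from the advisory):
# the SIVaaS appliance address and the only networks allowed to reach it.
SIVAAS_HOST = ipaddress.ip_address("10.20.30.40")
AUTHORIZED_NETS = [
    ipaddress.ip_network("10.20.30.0/24"),  # engineering workstation VLAN
    ipaddress.ip_network("10.50.0.0/16"),   # IT management network
]

@dataclass
class Finding:
    src: str
    dport: int
    reason: str

def parse_line(line: str) -> dict:
    """Parse one constructed 'key=value' firewall/flow log line into a dict."""
    return dict(field.split("=", 1) for field in line.split())

def check_connection(rec: dict) -> Optional[Finding]:
    """Flag traffic to SIVaaS whose source is outside the allow-list."""
    if ipaddress.ip_address(rec["dst"]) != SIVAAS_HOST:
        return None
    src = ipaddress.ip_address(rec["src"])
    if any(src in net for net in AUTHORIZED_NETS):
        return None
    # An allowed connection from an unauthorized net is a policy gap (the
    # firewall restriction is not in place); a denied one is a blocked attempt.
    if rec.get("action") == "allow":
        reason = "policy gap: unauthorized network reached SIVaaS"
    else:
        reason = "blocked attempt from unauthorized network"
    return Finding(str(src), int(rec["dport"]), reason)

def audit(log_lines: list) -> list:
    """Return findings for every SIVaaS-bound record from outside the allow-list."""
    return [f for f in (check_connection(parse_line(l)) for l in log_lines) if f]

# Constructed sample flow records (not real traffic).
SAMPLE_LOG = [
    "src=10.20.30.15 dst=10.20.30.40 dport=445 action=allow",
    "src=10.50.7.9 dst=10.20.30.40 dport=445 action=allow",
    "src=192.168.88.12 dst=10.20.30.40 dport=445 action=allow",
    "src=203.0.113.7 dst=10.20.30.40 dport=2049 action=deny",
    "src=203.0.113.7 dst=10.20.30.41 dport=443 action=allow",
]

if __name__ == "__main__":
    for f in audit(SAMPLE_LOG):
        print(f"ALERT {f.src} -> SIVaaS:{f.dport}: {f.reason}")
```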
Siemens SIMATIC Virtualization as a Service (SIVaaS) | CVSS 9.1 - OTPulse