Siemens Gridscale X Prepay Monitor
Severity score: 6.3
ICS-CERT advisory: ICSA-25-345-09
Date: Dec 9, 2025
Attack Vector: Network
Auth Required: Low (valid low-privilege credentials)
Complexity: Low
User Interaction: None needed
Summary
Gridscale X Prepay (versions before 4.2.1) contains two vulnerabilities: CWE-204 (Observable Response Discrepancy: the application answers differently for a valid username than for an invalid one, so usernames can be enumerated) and CWE-294 (Authentication Bypass by Capture-replay), reported here as an authentication bypass in locked-out sessions. An attacker who already holds valid credentials can enumerate valid usernames and get around the session lockout that is meant to cap brute-force attempts.
What this means
What could happen
An attacker with valid login credentials could enumerate usernames on the Gridscale X Prepay billing system and keep using a session after the account has been locked out, so the lockout no longer limits credential guessing. Together the two flaws make targeted brute-force attacks against other accounts practical and could lead to unauthorized access to customer billing and meter data.
Who's at risk
Energy utilities that run Siemens Gridscale X Prepay for customer billing and meter management, in particular the teams responsible for protecting customer billing data and meter communications at municipal electric utilities and regional power authorities.
How it could be exploited
An attacker with network access to the Gridscale X Prepay system and one set of valid credentials could first submit login attempts for candidate usernames and use the differing responses to learn which accounts exist, then use the lockout bypass to keep a session working after the guessing has triggered an account lockout.
Prerequisites
- Network access to Gridscale X Prepay device
- Valid user credentials for at least one account
- A list of candidate usernames to test (the response discrepancy confirms which ones exist)
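To make the two weakness classes concrete, here is an added illustration in Python. It is not Siemens code and says nothing about how Gridscale X Prepay is actually implemented; the class names, messages, usernames and the lockout threshold are assumptions chosen for the demonstration. The vulnerable model answers a login with a message that depends on whether the username exists (CWE-204) and lets a session opened before an account lockout keep working, which is the "bypass session lockouts" behaviour described above. The hardened model returns one generic failure message, does the same hashing work for unknown and known names so that timing does not leak the same fact, revokes live sessions when it locks an account, and re-checks the lock state on every request.

```python
"""Model of the two weakness classes named in this advisory.

Added illustration, not Siemens code: the classes, messages and the
lockout threshold below are assumptions chosen for the demonstration.
"""
import hashlib
import hmac
import os
import secrets

MAX_FAILURES = 5          # assumed lockout threshold
_ITERATIONS = 50_000      # PBKDF2 work factor (kept low for the demo)


def _hash(password, salt):
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, _ITERATIONS)


class Account:
    def __init__(self, password):
        self.salt = os.urandom(16)
        self.pw_hash = _hash(password, self.salt)
        self.failures = 0
        self.locked = False


class VulnerableAuth:
    """CWE-204: the error text says whether the username exists.
    Lockout weakness: locking an account does not touch sessions opened
    before the lock, and requests never re-check the lock."""

    def __init__(self):
        self.accounts = {}   # username -> Account
        self.sessions = {}   # token -> username

    def add_user(self, user, password):
        self.accounts[user] = Account(password)

    def login(self, user, password):
        acct = self.accounts.get(user)
        if acct is None:
            return None, "unknown user"            # distinct message: name is invalid
        if acct.locked:
            return None, "account locked"          # distinct message: name is valid
        if not hmac.compare_digest(acct.pw_hash, _hash(password, acct.salt)):
            acct.failures += 1
            if acct.failures >= MAX_FAILURES:
                acct.locked = True
            return None, "wrong password"          # distinct message: name is valid
        acct.failures = 0
        token = secrets.token_urlsafe(32)
        self.sessions[token] = user
        return token, "ok"

    def request(self, token):
        """Authorise a request on an existing session; lock state is never consulted."""
        return self.sessions.get(token) is not None


class HardenedAuth(VulnerableAuth):
    GENERIC = "invalid username or password"
    _DUMMY_SALT = os.urandom(16)   # makes the unknown-user path cost the same

    def login(self, user, password):
        acct = self.accounts.get(user)
        salt = acct.salt if acct is not None else self._DUMMY_SALT
        candidate = _hash(password, salt)          # same work on every path
        ok = (acct is not None and not acct.locked
              and hmac.compare_digest(acct.pw_hash, candidate))
        if not ok:
            if acct is not None:
                acct.failures += 1
                if acct.failures >= MAX_FAILURES:
                    acct.locked = True
                    # Revoke every live session of the account being locked.
                    for t in [t for t, u in self.sessions.items() if u == user]:
                        del self.sessions[t]
            return None, self.GENERIC              # one message for every failure
        acct.failures = 0
        token = secrets.token_urlsafe(32)
        self.sessions[token] = user
        return token, "ok"

    def request(self, token):
        user = self.sessions.get(token)
        # Re-check the lock on every request, not only at login time.
        return user is not None and not self.accounts[user].locked


def demo(auth_cls):
    """Run the enumeration probe and the post-lockout probe against one model."""
    auth = auth_cls()
    auth.add_user("operator", "correct horse battery staple")
    token, _ = auth.login("operator", "correct horse battery staple")
    # Enumeration probe: compare the failure message for a bogus and a real name.
    unknown_msg = auth.login("nobody", "x")[1]
    known_msg = auth.login("operator", "x")[1]
    # Brute-force probe: trip the lockout, then reuse the pre-lockout session.
    for _ in range(MAX_FAILURES):
        auth.login("operator", "x")
    return {
        "messages_differ": unknown_msg != known_msg,
        "locked": auth.accounts["operator"].locked,
        "old_session_still_works": auth.request(token),
    }


if __name__ == "__main__":
    print("vulnerable:", demo(VulnerableAuth))
    print("hardened:  ", demo(HardenedAuth))
```

A generic message on its own is not enough: HTTP status codes, response sizes and latency have to match as well, which is why the hardened login runs the password hash on the unknown-user path too. Likewise a lockout that only blocks new logins is only half a control; the sessions that already exist must be revoked and the lock consulted on every request.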
Tags: remotely exploitable · requires valid credentials · affects customer data systems · low EPSS score
Exploitability
Low exploit probability (EPSS 0.1%). EPSS estimates the likelihood of exploitation in the wild over the next 30 days and says nothing about impact; an internet-reachable or poorly segmented installation should still be updated promptly.
Affected products (1)
Product               Affected Versions   Fix Status
Gridscale X Prepay    < 4.2.1             Fixed in 4.2.1
Remediation & Mitigation

Do now
- WORKAROUND: Contact Siemens for specific workarounds or interim mitigations while patching
- HARDENING: Restrict network access to Gridscale X Prepay with firewall rules; do not expose it to the internet

Schedule (requires maintenance window)
Patching may require a device reboot; plan for process interruption.
- HOTFIX: Update Gridscale X Prepay to version 4.2.1 or later

Long-term hardening
- HARDENING: Isolate Gridscale X Prepay from business networks behind a firewall
- HARDENING: Implement VPN for any required remote access to the device
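While the update is being scheduled, the two behaviours described under "How it could be exploited" leave recognisable traces in authentication logs. The following is an added Python example, not from the advisory or from Siemens; the key=value log format, the field names, the 60-second window and the five-distinct-usernames threshold are assumptions, and the sample log lines are constructed. It flags a source that fails logins against many distinct usernames in a short window (enumeration, as opposed to a brute-force against a single account, which does not match) and any request that is still served for an account after an account_locked event (the lockout being bypassed).

```python
"""Detection over authentication logs for the two behaviours in this advisory.

Added example, not part of the advisory or of Siemens software. The log
format, field names, threshold and window are assumptions; the log lines
are constructed for the demonstration.
"""
import re
from collections import defaultdict
from datetime import datetime, timedelta

ENUM_DISTINCT_USERS = 5            # assumed: distinct names failing from one source
ENUM_WINDOW = timedelta(seconds=60)

# Constructed sample log (key=value style, one event per line).
SAMPLE_LOG = """\
2025-12-10T08:00:01Z src=10.20.30.5 event=login_failed user=admin
2025-12-10T08:00:02Z src=10.20.30.5 event=login_failed user=operator
2025-12-10T08:00:02Z src=10.20.30.5 event=login_failed user=billing
2025-12-10T08:00:03Z src=10.20.30.5 event=login_failed user=meter_svc
2025-12-10T08:00:03Z src=10.20.30.5 event=login_failed user=root
2025-12-10T08:00:04Z src=10.20.30.5 event=login_failed user=siemens
2025-12-10T08:05:10Z src=10.20.30.7 event=login_failed user=operator
2025-12-10T08:05:12Z src=10.20.30.7 event=login_failed user=operator
2025-12-10T08:05:15Z src=10.20.30.7 event=login_failed user=operator
2025-12-10T08:05:17Z src=10.20.30.7 event=login_failed user=operator
2025-12-10T08:05:19Z src=10.20.30.7 event=login_failed user=operator
2025-12-10T08:05:19Z src=10.20.30.7 event=account_locked user=operator
2025-12-10T08:06:02Z src=10.20.30.7 event=request user=operator path=/billing/export status=200
2025-12-10T08:07:30Z src=10.20.30.9 event=login_ok user=auditor
2025-12-10T08:07:31Z src=10.20.30.9 event=request user=auditor path=/reports status=200
"""

_KV = re.compile(r"(\w+)=(\S+)")


def parse_line(line):
    """Split 'TIMESTAMP key=value ...' into a dict with a datetime under 'ts'."""
    ts_text, _, rest = line.partition(" ")
    fields = dict(_KV.findall(rest))
    fields["ts"] = datetime.strptime(ts_text, "%Y-%m-%dT%H:%M:%SZ")
    return fields


def detect(log_text):
    events = [parse_line(line) for line in log_text.splitlines() if line.strip()]
    events.sort(key=lambda e: e["ts"])
    findings = []

    # 1. Username enumeration: many distinct usernames failing from one source
    #    inside the window. Repeated failures on one name are a different signal.
    failures = defaultdict(list)
    for e in events:
        if e.get("event") == "login_failed":
            failures[e["src"]].append((e["ts"], e["user"]))
    for src, items in failures.items():
        best, start = 0, 0
        for end in range(len(items)):
            while items[end][0] - items[start][0] > ENUM_WINDOW:
                start += 1
            best = max(best, len({u for _, u in items[start:end + 1]}))
        if best >= ENUM_DISTINCT_USERS:
            findings.append({"type": "username_enumeration", "src": src,
                             "distinct_users": best})

    # 2. Post-lockout activity: a locked account is still being served, which is
    #    the lockout-bypass behaviour the advisory describes.
    locked_at = {}
    for e in events:
        kind, user = e.get("event"), e.get("user")
        if kind == "account_locked":
            locked_at[user] = e["ts"]
        elif kind == "account_unlocked":
            locked_at.pop(user, None)
        elif kind == "request" and user in locked_at and e.get("status") == "200":
            findings.append({"type": "post_lockout_activity", "user": user,
                             "src": e["src"], "path": e.get("path"),
                             "locked_at": locked_at[user].isoformat(),
                             "seen_at": e["ts"].isoformat()})
    return findings


if __name__ == "__main__":
    for finding in detect(SAMPLE_LOG):
        print(finding)
```

The second rule is the more specific one: on a correctly behaving system no request should succeed for an account between its account_locked and account_unlocked events, so any hit is worth investigating rather than tuning away.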
CVEs (2)
API:
/api/v1/advisories/a49f3475-efd5-4344-bf34-a7de4192739e