OTPulse

Multiple Vulnerabilities in SiPass integrated

Plan Patch | CVSS 8.8 | SSA-599451 | Oct 14, 2025
Attack Vector: Adjacent
Auth Required: None
Complexity: Low
User Interaction: None needed
Summary

SiPass integrated contains multiple vulnerabilities including buffer overflow (CWE-119), cross-site scripting (CWE-79), credential exposure (CWE-639), and weak password storage (CWE-257). These flaws allow unauthenticated remote attackers to exploit user accounts, manipulate access control data, impersonate users, or execute arbitrary code on the SiPass integrated server. The affected versions are V2.95 before 2.95.3.23 and V3.0 before the 3.0 patch release.

What this means
What could happen
An attacker could gain unauthorized access to user accounts, modify access control data, impersonate legitimate users, or execute arbitrary code on the SiPass integrated server that manages building access credentials and permissions.
Who's at risk
Physical access control system operators, facility managers, and security personnel relying on SiPass integrated for building access management and visitor credential tracking. This affects any organization using Siemens SiPass integrated for access control, including government buildings, corporate facilities, and critical infrastructure sites.
How it could be exploited
An unauthenticated attacker with network access to the SiPass integrated server could exploit one or more of the vulnerabilities (buffer overflow, cross-site scripting, credential exposure, or weak password storage) to gain access to user accounts, manipulate access control records, or execute commands on the server.
Prerequisites
  • Network access to SiPass integrated server
  • No authentication credentials required
  • Server must be exposed to attacker's network segment
Risk factors
  • Remotely exploitable
  • No authentication required
  • Low complexity
  • Affects access control systems
  • Multiple vulnerability types (code execution, data manipulation, authentication bypass)
Exploitability
Low exploit probability (EPSS 0.5%)
Affected products (2)
2 with fix
Product | Affected Versions | Fix Status
SiPass integrated V2.95 | < 2.95.3.23 | 2.95.3.23
SiPass integrated | < 3.0 | 3.0
Remediation & Mitigation
Schedule — requires maintenance window

Patching may require device reboot — plan for process interruption

SiPass integrated V2.95
  • HOTFIX: Update SiPass integrated V2.95 to version 2.95.3.23 or later
SiPass integrated
  • HOTFIX: Update SiPass integrated to version 3.0 or later
Multiple Vulnerabilities in SiPass integrated | CVSS 8.8 - OTPulse