Critical

Code Injection via Unsanitized Trace File Import in Siemens SIMATIC Devices

IdentifiersCVE-2025-40943CWE-74

CVE-2025-40943 affects multiple Siemens SIMATIC products, including SIMATIC Drive Controller CPU 1504D TF and 1507D TF, multiple SIMATIC ET 200SP CPU variants, SIMATIC ET 200SP Open Controller CPU 1515SP PC/PC2/PC3 variants, and SIMATIC S7-1500 devices. The vulnerability is caused by improper sanitization of the contents of trace files during import. A remote attacker can craft a malicious trace file containing injected code and, through social engineering, induce a legitimate user to import that file into an affected device or engineering environment. Successful exploitation results in code injection in the context of the trace file handling functionality.

For your environment

Are you exposed to this one?

Mallory correlates every CVE against your assets, your vendors, and active adversary campaigns. Know which vulnerabilities matter for you, not just which ones are loud.

Start free trial

ANALYST BRIEF

Impact, mitigation & remediation

What it means. What to do now. Patch path, mitigations, and the assume-compromise checklist.

Impact

What an attacker gets, and what they’ve been doing with it.

Successful exploitation allows an attacker to inject code by abusing the trace file import mechanism. Based on the provided information, this can compromise the integrity of the affected system or associated engineering workflow and may enable execution of attacker-controlled content in the context of the importing user or application. The attack requires user-assisted import of a specially crafted file rather than unauthenticated direct network exploitation.

Mitigation

If you can’t patch tonight, do this now.

Do not import trace files from untrusted or unauthenticated sources. Restrict who can provide trace files to operators and engineers, and validate file provenance before import. Reduce exposure to social engineering by training users who handle diagnostic or trace data. Where operationally feasible, perform trace file handling only on trusted workstations and within controlled administrative workflows until vendor fixes are applied.

Remediation

Patch, then assume compromise.

Apply the Siemens security updates referenced in the March 10, 2026 Siemens advisories, including SSA-452276, SSA-903736, and SSB-751527, as applicable to the affected product and version. The provided content indicates that some affected product lines are vulnerable in all versions, while others are affected only in versions prior to 4.1.2; upgrade to fixed versions identified by Siemens for each specific model.

PUBLIC EXPLOITS

Exploits

No public exploits tracked yet. Mallory keeps watching.

VALID 0 / 0 TOTALView more in app

No public exploit code observed for this vulnerability.

ACTIVITY FEED

Recent activity

4 sources tracked across advisories, community write-ups, and news. New activity surfaces here as Mallory finds it.

4 SOURCESView more in app

cert ssiNews

Mar 10, 2026

Multiples vulnérabilités dans les produits Siemens - CERT-FR

One of multiple Siemens product vulnerabilities referenced in the notice; described as potentially enabling remote arbitrary code execution, data integrity impact, and/or indirect remote code injection (XSS) depending on the affected product/component.

What this page doesn’t show

The version that knows your environment.

This page is what’s public. Mallory adds the parts that aren’t: which of your assets are affected, which adversaries are exploiting it right now, which detections to deploy, and what to do tonight.

Start free trial

Exposure mapping

Query your assets running an affected version, and investigate the blast radius.

Threat actor evidence

Every observed campaign linking this CVE to a named adversary.

Associated malware

Malware families riding this exploit, with evidence and IOCs.

Detection signatures

YARA, Sigma, Snort, and vendor rules, auto-deployed to your SIEM.

Vendor-by-vendor mapping

Cross-references every affected SKU, including bundled OEM variants.

Social activity3

Community discussion across Reddit, Mastodon, and other social sources.

EXTERNAL REFERENCES

MITRE CVE

cve.org · CVE-2025-40943

NVD

nvd.nist.gov/vuln/detail/CVE-2025-40943

MITRE CWE · CWE-74

cwe.mitre.org

cert-portal.siemens.com

cert-portal.siemens.com/productcert/html/ssa-452276.html