CVE-2025-40568 | THREATINT

Description

A vulnerability has been identified in RUGGEDCOM RST2428P (6GK6242-6PA00) (All versions < V3.2), SCALANCE XCH328 (6GK5328-4TS01-2EC2) (All versions < V3.2), SCALANCE XCM324 (6GK5324-8TS01-2AC2) (All versions < V3.2), SCALANCE XCM328 (6GK5328-4TS01-2AC2) (All versions < V3.2), SCALANCE XCM332 (6GK5332-0GA01-2AC2) (All versions < V3.2), SCALANCE XRH334 (24 V DC, 8xFO, CC) (6GK5334-2TS01-2ER3) (All versions < V3.2), SCALANCE XRM334 (230 V AC, 12xFO) (6GK5334-3TS01-3AR3) (All versions < V3.2), SCALANCE XRM334 (230 V AC, 8xFO) (6GK5334-2TS01-3AR3) (All versions < V3.2), SCALANCE XRM334 (230V AC, 2x10G, 24xSFP, 8xSFP+) (6GK5334-5TS01-3AR3) (All versions < V3.2), SCALANCE XRM334 (24 V DC, 12xFO) (6GK5334-3TS01-2AR3) (All versions < V3.2), SCALANCE XRM334 (24 V DC, 8xFO) (6GK5334-2TS01-2AR3) (All versions < V3.2), SCALANCE XRM334 (24V DC, 2x10G, 24xSFP, 8xSFP+) (6GK5334-5TS01-2AR3) (All versions < V3.2), SCALANCE XRM334 (2x230 V AC, 12xFO) (6GK5334-3TS01-4AR3) (All versions < V3.2), SCALANCE XRM334 (2x230 V AC, 8xFO) (6GK5334-2TS01-4AR3) (All versions < V3.2), SCALANCE XRM334 (2x230V AC, 2x10G, 24xSFP, 8xSFP+) (6GK5334-5TS01-4AR3) (All versions < V3.2). An internal session termination functionality in the web interface of affected products contains an incorrect authorization check vulnerability. This could allow an authenticated remote attacker with "guest" role to terminate legitimate users' sessions.

PUBLISHED Reserved 2025-04-16 | Published 2025-06-10 | Updated 2026-01-13 | Assigner siemens

MEDIUM: 4.3CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:L

MEDIUM: 5.3CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:N/VI:N/VA:L/SC:N/SI:N/SA:N

Problem types

CWE-863: Incorrect Authorization

Product status

Default status

unknown

Any version before V3.2

affected

Default status

unknown

Any version before V3.2

affected

Default status

unknown

Any version before V3.2

affected

Default status

unknown

Any version before V3.2

affected

Default status

unknown

Any version before V3.2

affected

Default status

unknown

Any version before V3.2

affected

Default status

unknown

Any version before V3.2

affected

Default status

unknown

Any version before V3.2

affected

Default status

unknown

Any version before V3.2

affected

Default status

unknown

Any version before V3.2

affected

Default status

unknown

Any version before V3.2

affected

Default status

unknown

Any version before V3.2

affected

Default status

unknown

Any version before V3.2

affected

Default status

unknown

Any version before V3.2

affected

Default status

unknown

Any version before V3.2

affected

References

cert-portal.siemens.com/productcert/html/ssa-693776.html

cve.org (CVE-2025-40568)

nvd.nist.gov (CVE-2025-40568)

Download JSON