Cyber Resilience

CVE-2025-27494

Critical

Published: 11 March 2025

Published
11 March 2025
Modified
22 August 2025
KEV Added
Patch
CVSS Score v4 9.4 CVSS:4.0/AV:N/AC:L/AT:N/PR:H/UI:N/VC:H/VI:H/VA:H/SC:H/SI:H/SA:H/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
EPSS Score 0.0024 48.0th percentile
Risk Priority 19 60% EPSS · 20% KEV · 20% CVSS

Summary

CVE-2025-27494 is a critical-severity Improper Input Validation (CWE-20) vulnerability in Siemens Sipass Integrated Ac5102 \(Acc-G2\) Firmware. Its CVSS base score is 9.4 (Critical).

Operationally, exploitation aligns with the MITRE ATT&CK technique Exploit Public-Facing Application (T1190); ranked at the 48.0th percentile by exploit likelihood (below the median); it is not currently listed in the CISA KEV catalog.

The strongest mitigations our analysis identified are NIST 800-53 SI-10 (Information Input Validation) and SI-2 (Flaw Remediation).

Deeper analysis

CVE-2025-27494 is a vulnerability in SiPass integrated AC5102 (ACC-G2) and SiPass integrated ACC-AP, affecting all versions prior to V6.4.9. The flaw involves improper input sanitization in the pubkey endpoint of the REST API, classified under CWE-20 (Improper Input Validation). It carries a CVSS v3.1 base score of 9.1 (AV:N/AC:L/PR:H/UI:N/S:C/C:H/I:H/A:H), indicating critical severity due to network accessibility, low attack complexity, and high-impact scope changes.

An authenticated remote administrator can exploit this vulnerability over the network with no user interaction required. By sending crafted input to the pubkey endpoint, the attacker injects arbitrary commands that execute with root privileges, enabling privilege escalation from administrator to root and full device compromise, including high confidentiality, integrity, and availability impacts.

Siemens security advisory SSA-515903 provides details on the vulnerability and mitigation. Affected devices should be upgraded to version V6.4.9 or later, which addresses the input sanitization issue. Additional guidance is available at https://cert-portal.siemens.com/productcert/html/ssa-515903.html.

EU & UK References

Vulnerability details

A vulnerability has been identified in SiPass integrated AC5102 (ACC-G2) (All versions < V6.4.9), SiPass integrated ACC-AP (All versions < V6.4.9). Affected devices improperly sanitize input for the pubkey endpoint of the REST API. This could allow an authenticated remote…

more

administrator to escalate privileges by injecting arbitrary commands that are executed with root privileges.

CWE(s)

Related Threats

MITRE ATT&CK Enterprise TechniquesAI

T1190 Exploit Public-Facing Application Initial Access
Adversaries may attempt to exploit a weakness in an Internet-facing host or system to initially access a network.
T1068 Exploitation for Privilege Escalation Privilege Escalation
Adversaries may exploit software vulnerabilities in an attempt to elevate privileges.
Why these techniques?

The vulnerability enables command injection via a public-facing REST API endpoint (pubkey), allowing an authenticated admin to execute arbitrary commands as root, directly mapping to exploitation of public-facing applications and privilege escalation.

Confidence: HIGH · MITRE ATT&CK Enterprise v19.0

CVEs Like This One

CVE-2025-27493Same product: Siemens Sipass Integrated Ac5102 \(Acc-G2\)
CVE-2025-40746Same vendor: Siemens
CVE-2025-40738Same vendor: Siemens
CVE-2025-40737Same vendor: Siemens
CVE-2026-2750Shared CWE-20
CVE-2025-59886Shared CWE-20
CVE-2025-40735Same vendor: Siemens
CVE-2025-40795Same vendor: Siemens
CVE-2025-30213Shared CWE-20
CVE-2025-40942Same vendor: Siemens

Affected Assets

siemens
sipass integrated ac5102 \(acc-g2\) firmware
≤ 6.4.9
siemens
sipass integrated acc-ap firmware
≤ 6.4.9

Mitigating Controls

Mitigating Controls (NIST 800-53 r5) AI

prevent

Directly addresses the improper input sanitization in the pubkey REST API endpoint by enforcing comprehensive input validation to block command injection.

prevent

Mandates timely flaw remediation, such as upgrading to V6.4.9 or later, to correct the specific input validation vulnerability.

prevent

Enforces least privilege to limit the scope of damage from privilege escalation even if command injection occurs.

References