CVE-2025-27494

Critical

Published: 11 March 2025

Published

11 March 2025

Modified

22 August 2025

KEV Added

—

Patch

—

CVSS Score 9.1 CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:C/C:H/I:H/A:H

EPSS Score 0.0024 47.7th percentile

Risk Priority 18 60% EPSS · 20% KEV · 20% CVSS

Summary

CVE-2025-27494 is a critical-severity Improper Input Validation (CWE-20) vulnerability in Siemens Sipass Integrated Ac5102 \(Acc-G2\) Firmware. Its CVSS base score is 9.1 (Critical).

Operationally, exploitation aligns with the MITRE ATT&CK technique Exploit Public-Facing Application (T1190); ranked at the 47.7th percentile by exploit likelihood (below the median); it is not currently listed in the CISA KEV catalog.

The strongest mitigations our analysis identified are NIST 800-53 SI-10 (Information Input Validation) and SI-2 (Flaw Remediation).

Threat & Defense at a Glance

What attackers do: exploitation maps to Exploit Public-Facing Application (T1190) and 1 other technique. What defenders deploy: see the NIST 800-53 controls recommended below.

Threat & Defense Details

Mitigating Controls (NIST 800-53 r5)AI

SI-10 Information Input Validation good match

prevent

Directly addresses the improper input sanitization in the pubkey REST API endpoint by enforcing comprehensive input validation to block command injection.

SI-2 Flaw Remediation good match

prevent

Mandates timely flaw remediation, such as upgrading to V6.4.9 or later, to correct the specific input validation vulnerability.

AC-6 Least Privilege partial match

prevent

Enforces least privilege to limit the scope of damage from privilege escalation even if command injection occurs.

MITRE ATT&CK Enterprise TechniquesAI

T1190 Exploit Public-Facing Application Initial Access

Adversaries may attempt to exploit a weakness in an Internet-facing host or system to initially access a network.

attack.mitre.org →

T1068 Exploitation for Privilege Escalation Privilege Escalation

Adversaries may exploit software vulnerabilities in an attempt to elevate privileges.

attack.mitre.org →

Why these techniques?

The vulnerability enables command injection via a public-facing REST API endpoint (pubkey), allowing an authenticated admin to execute arbitrary commands as root, directly mapping to exploitation of public-facing applications and privilege escalation.

Confidence: HIGH · MITRE ATT&CK Enterprise v19.0

NVD Description

A vulnerability has been identified in SiPass integrated AC5102 (ACC-G2) (All versions < V6.4.9), SiPass integrated ACC-AP (All versions < V6.4.9). Affected devices improperly sanitize input for the pubkey endpoint of the REST API. This could allow an authenticated remote…

administrator to escalate privileges by injecting arbitrary commands that are executed with root privileges.

Deeper analysisAI

CVE-2025-27494 is a vulnerability in SiPass integrated AC5102 (ACC-G2) and SiPass integrated ACC-AP, affecting all versions prior to V6.4.9. The flaw involves improper input sanitization in the pubkey endpoint of the REST API, classified under CWE-20 (Improper Input Validation). It carries a CVSS v3.1 base score of 9.1 (AV:N/AC:L/PR:H/UI:N/S:C/C:H/I:H/A:H), indicating critical severity due to network accessibility, low attack complexity, and high-impact scope changes.

An authenticated remote administrator can exploit this vulnerability over the network with no user interaction required. By sending crafted input to the pubkey endpoint, the attacker injects arbitrary commands that execute with root privileges, enabling privilege escalation from administrator to root and full device compromise, including high confidentiality, integrity, and availability impacts.

Siemens security advisory SSA-515903 provides details on the vulnerability and mitigation. Affected devices should be upgraded to version V6.4.9 or later, which addresses the input sanitization issue. Additional guidance is available at https://cert-portal.siemens.com/productcert/html/ssa-515903.html.