Cyber Resilience

CVE-2025-40942

Severity: High · Type: LPE (local privilege escalation)

Published: 13 January 2026

Modified: 22 January 2026
CVSS v4.0 score: 7.3 (vector CVSS:4.0/AV:L/AC:L/AT:P/PR:L/UI:P/VC:H/VI:H/VA:H/SC:H/SI:H/SA:H/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X)
EPSS score: 0.0014 (4.0th percentile)
Risk priority: 55 (floored blend · peak EPSS)

Summary

CVE-2025-40942 is a high-severity Execution with Unnecessary Privileges (CWE-250) vulnerability in Siemens TeleControl Server Basic. Its CVSS v4.0 base score is 7.3 (High).

Operationally, exploitation maps to the MITRE ATT&CK technique Exploitation for Privilege Escalation (T1068). Its EPSS score places it at the 4.0th percentile for exploit likelihood (well below the median), and it is not currently listed in the CISA KEV catalog.

The strongest mitigations our analysis identified are NIST 800-53 AC-6 (Least Privilege) and SI-2 (Flaw Remediation).

Deeper analysis

CVE-2025-40942 is a local privilege escalation vulnerability (CWE-250) affecting TeleControl Server Basic in all versions prior to V3.1.2.4. The flaw lies in the application itself and lets a local attacker execute arbitrary code with elevated privileges. It carries a CVSS v3.1 base score of 8.8 with vector AV:L/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H: high severity, with full impact on confidentiality, integrity and availability, and a scope change (S:C), meaning the compromise can extend beyond the security boundary of the vulnerable component itself.

Exploitation requires local access to the system and low privileges (PR:L), with low attack complexity (AC:L) and no user interaction (UI:N). A successful attack lets the adversary escalate privileges and run arbitrary code, potentially leading to full compromise of the host running the affected TeleControl Server Basic installation.

Mitigation details are provided in the Siemens Security Advisory SSA-192617, available at https://cert-portal.siemens.com/productcert/html/ssa-192617.html. Security practitioners should consult this advisory for patching instructions and additional recommendations.


Vulnerability details

A vulnerability has been identified in TeleControl Server Basic (all versions < V3.1.2.4). The affected application contains a local privilege escalation vulnerability that could allow an attacker to run arbitrary code with elevated privileges.

CWE(s): CWE-250 Execution with Unnecessary Privileges

Related Threats

MITRE ATT&CK Enterprise Techniques (AI-mapped)

T1068 Exploitation for Privilege Escalation (tactic: Privilege Escalation)
Adversaries may exploit software vulnerabilities in an attempt to elevate privileges.
Why these techniques?

Direct local privilege escalation via software vulnerability enabling arbitrary code execution as root/admin.

Confidence: HIGH · MITRE ATT&CK Enterprise v19.0

CVEs Like This One

CVE-2025-40765: same product (Siemens TeleControl Server Basic)
CVE-2025-40746: same vendor (Siemens)
CVE-2025-27396: same vendor (Siemens)
CVE-2024-21924: shared CWE-250
CVE-2026-1680: shared CWE-250
CVE-2025-36184: shared CWE-250
CVE-2025-22890: shared CWE-250
CVE-2025-27494: same vendor (Siemens)
CVE-2026-25570: same vendor (Siemens)
CVE-2025-13506: shared CWE-250

Affected Assets

Vendor: Siemens
Product: TeleControl Server Basic
Versions: ≤ 3.1.2.4 (the advisory text above gives the affected range as all versions < V3.1.2.4)

Mitigating Controls

Framework: NIST 800-53 r5 (AI-mapped)

Prevent · SI-2 (Flaw Remediation): directly mitigates the privilege escalation vulnerability by remediating the flaw through patching to TeleControl Server Basic V3.1.2.4 or later, as specified in the Siemens advisory.

Prevent · AC-6 (Least Privilege): enforces least privilege for users and processes, preventing low-privilege attackers from successfully escalating to elevated privileges via the vulnerability.

Prevent: enforces approved access control policies at the system level, limiting the ability of local low-privilege attackers to escalate privileges through the application's flaw.
