1. EXECUTIVE SUMMARY
- CVSS v4 8.7
- ATTENTION: Exploitable remotely/low attack complexity
- Vendor: Siemens
- Equipment: SCALANCE LPE9403
- Vulnerabilities: Improper Neutralization of Special Elements used in an OS Command (‘OS Command Injection’), Improper Limitation of a Pathname to a Restricted Directory (‘Path Traversal’), Improper Check for Dropped Privileges
2. RISK EVALUATION
The vulnerabilities identified in the Siemens SCALANCE LPE9403 pose significant risks to organizations utilizing this equipment. Successful exploitation of these vulnerabilities allows a remote attacker to execute arbitrary code, read and write arbitrary files, escalate privileges, or execute a limited set of binaries that are present on the filesystem. This could lead to unauthorized access to sensitive data, disruption of services, and potential control over critical infrastructure systems.
3. TECHNICAL DETAILS
3.1 AFFECTED PRODUCTS
Siemens reports that the following products are affected:
- SCALANCE LPE9403 (6GK5998-3GS00-2AC2): Versions prior to V4.0
3.2 VULNERABILITY OVERVIEW
3.2.1 IMPROPER NEUTRALIZATION OF SPECIAL ELEMENTS USED IN AN OS COMMAND (‘OS COMMAND INJECTION’) CWE-78
Affected devices do not properly sanitize user input when creating new VXLAN configurations. This vulnerability allows an authenticated highly-privileged remote attacker to execute arbitrary code on the device. The CVE-2025-27392 has been assigned to this vulnerability, with a CVSS v3 base score of 7.2 and a CVSS v4 score of 8.6.
3.2.2 IMPROPER NEUTRALIZATION OF SPECIAL ELEMENTS USED IN AN OS COMMAND (‘OS COMMAND INJECTION’) CWE-78
This vulnerability is similar to the previous one, where affected devices do not properly sanitize user input when creating new users. This could also allow an authenticated highly-privileged remote attacker to execute arbitrary code on the device. The CVE-2025-27393 has been assigned, with a CVSS v3 base score of 7.2 and a CVSS v4 score of 8.6.
3.2.3 IMPROPER NEUTRALIZATION OF SPECIAL ELEMENTS USED IN AN OS COMMAND (‘OS COMMAND INJECTION’) CWE-78
Similar to the previous vulnerabilities, this issue arises when creating new SNMP users, allowing an authenticated highly-privileged remote attacker to execute arbitrary code. The CVE-2025-27394 has been assigned, with a CVSS v3 base score of 7.2 and a CVSS v4 score of 8.6.
3.2.4 IMPROPER LIMITATION OF A PATHNAME TO A RESTRICTED DIRECTORY (‘PATH TRAVERSAL’) CWE-22
This vulnerability allows an authenticated highly-privileged remote attacker to read and write arbitrary files due to improper limitations on the SFTP functionality. The CVE-2025-27395 has been assigned, with a CVSS v3 base score of 7.2 and a CVSS v4 score of 8.6.
3.2.5 IMPROPER CHECK FOR DROPPED PRIVILEGES CWE-273
This vulnerability allows an authenticated lowly-privileged remote attacker to escalate their privileges due to improper checks for dropped privileges. The CVE-2025-27396 has been assigned, with a CVSS v3 base score of 8.8 and a CVSS v4 score of 8.7.
3.2.6 IMPROPER LIMITATION OF A PATHNAME TO A RESTRICTED DIRECTORY (‘PATH TRAVERSAL’) CWE-22
This vulnerability allows an authenticated highly-privileged remote attacker to read and write arbitrary files in the filesystem, specifically if the malicious path ends with ‘log’. The CVE-2025-27397 has been assigned, with a CVSS v3 base score of 3.8 and a CVSS v4 score of 5.1.
3.2.7 IMPROPER NEUTRALIZATION OF SPECIAL ELEMENTS USED IN AN OS COMMAND (‘OS COMMAND INJECTION’) CWE-78
This vulnerability allows an authenticated highly-privileged remote attacker to execute a limited set of binaries that are already present on the filesystem due to improper neutralization of special characters when interpreting user-controlled log paths. The CVE-2025-27398 has been assigned, with a CVSS v3 base score of 2.7 and a CVSS v4 score of 2.1.
3.3 BACKGROUND
- CRITICAL INFRASTRUCTURE SECTORS: Critical Manufacturing
- COUNTRIES/AREAS DEPLOYED: Worldwide
- COMPANY HEADQUARTERS LOCATION: Germany
3.4 RESEARCHER
Siemens reported these vulnerabilities to CISA.
4. MITIGATIONS
Siemens has identified specific workarounds and mitigations users can apply to reduce risk:
- SCALANCE LPE9403 (6GK5998-3GS00-2AC2): Update to




