SiPass Integrated: Urgent Patch to V3.0 for Four CVEs

Siemens has published a sweeping security advisory for SiPass integrated (all versions prior to V3.0) that catalogs four distinct vulnerabilities — including a high‑severity Accusoft ImageGear heap overflow and multiple web/application flaws — and urges immediate upgrades to V3.0 or later while confirming recommended operational mitigations for production environments.

Background / Overview

Siemens ProductCERT’s advisory (SSA‑599451) identifies four CVEs affecting SiPass integrated versions earlier than V3.0: CVE‑2023‑35002 (a heap‑based buffer overflow in Accusoft ImageGear), and three SiPass‑specific issues disclosed in 2025 (stored XSS, an authorization bypass through a user‑controlled key, and recoverable password storage). Siemens’ remediation recommendation is simple and decisive: update SiPass integrated to V3.0 or later.
These findings follow a prior, related advisory (SSA‑992434) that documented a dangerous path‑traversal vulnerability in the DotNetZip library used by earlier SiPass releases (CVE‑2024‑48510), which Siemens patched in February 2025 for V2.90 and V2.95 branches. The DotNetZip issue remains a textbook example of the risks posed by legacy third‑party libraries embedded in operational technology.
Industry commentary and forum analysis have repeatedly emphasized that organizations must treat ICS/OT advisories with the same urgency as enterprise IT bulletins because compromised access control systems can provide lateral entry into business networks. These community analyses also stress practical constraints: patch windows in ICS are limited, and updates must be validated in operational contexts before deployment.

Executive summary of the technical findings

  • Affected product: SiPass integrated — All versions prior to V3.0 are affected by the 2025 Siemens advisory.
  • High‑risk third‑party component: Accusoft ImageGear 20.1 (pictwread) — heap‑based buffer overflow (CVE‑2023‑35002). This can lead to arbitrary code execution if a specially crafted image is processed.
  • Web/application flaws in SiPass integrated (all < V3.0):
      • Stored Cross‑Site Scripting (XSS) — CVE‑2025‑40772. Allows injection of scripts that execute in other users’ browsers; risk includes session theft and impersonation.
      • Authorization bypass through user‑controlled key — CVE‑2025‑40773. Broken access control allows some API requests to be executed without proper server‑side enforcement.
      • Storing passwords in a recoverable format — CVE‑2025‑40774. Encrypted credentials can be decrypted by administrators who have access to the decryption keys, enabling password recovery and credential misuse.
  • Immediate remediation: Update to SiPass integrated V3.0 or later (Siemens). If an immediate update is impossible, implement access restrictions and operational mitigations as per Siemens and CISA guidance.

Deep technical breakdown

CVE‑2023‑35002 — Image processing heap overflow (Accusoft ImageGear)

CVE‑2023‑35002 is a heap‑based buffer overflow in the pictwread functionality of Accusoft ImageGear 20.1. A specially crafted image file can overflow internal buffers and enable arbitrary code execution when processed by a vulnerable library. The vulnerability is well documented in public vulnerability databases and third‑party research writeups; NVD and multiple vulnerability trackers show a high/critical severity for this issue.
Why it matters in SiPass: Image handling code paths are commonly used by access control systems for processing ID photos, scanned documents, or uploaded graphic assets. If SiPass integrated accepts or processes untrusted images — for example, during import or as part of a backup/restore workflow — the underlying ImageGear flaw becomes an execution vector. Siemens’ advisory therefore lists CVE‑2023‑35002 among the reasons to move to V3.0.
Technical mitigation (immediate):
  • Block ingestion of untrusted image files into administrative consoles and service endpoints.
  • Where feasible, disable or sandbox image processing functionality until systems are patched.
  • Use network‑level controls to restrict which sources can upload files to the SiPass server.
These mitigations are practical stopgaps but not substitutes for applying the vendor patch. Multiple independent trackers (NVD, Positive Technologies / Talos references) corroborate the exploitability and severity of this CVE.

CVE‑2025‑40772 — Stored Cross‑Site Scripting (XSS)

Stored XSS in server applications allows an attacker to persist malicious JavaScript (or other executable code) inside application data; subsequent users who view the affected page execute the payload in their browsers. Siemens classifies this as a high‑impact issue that can enable session theft, impersonation, and potential lateral privilege escalation inside the SiPass web interface. The CVSS v3.1 base score published by Siemens is 7.4, while Siemens’ CVSS v4 assessment places it around 7.0. Vendor and public CVE aggregators list similar severity observations.
Operational impact:
  • Browser‑based admin/monitoring consoles are common attack targets because admin sessions often have elevated privileges.
  • Stored XSS can be weaponized to inject administrative commands, harvest tokens, or deliver follow‑on payloads.
Practical mitigations:
  • Patch to V3.0 immediately to remove the vulnerability.
  • Enforce strict web application firewall (WAF) rules and input validation on any reverse proxies fronting SiPass.
  • Harden browser usage for admin consoles (use isolated admin workstations; enable strict Content Security Policy where possible).

CVE‑2025‑40773 — Broken access control (authorization bypass)

Siemens reports a broken access control issue where server‑side authorization checks are insufficient; certain API endpoints can be invoked based on attacker‑controlled keys or parameters. The computed CVSS v3.1 score for this is relatively low (3.5) but still meaningful, because improper authorization can lead to manipulation of data belonging to other users or to privilege abuse. Siemens’ advisory explains that the vulnerability allows execution of specific API requests without the expected server‑side enforcement.
Why a low CVSS score still matters:
  • The real risk depends on the privileged actions reachable through the flawed endpoints and how exposure maps to an attacker’s network position.
  • In ICS/OT contexts, even seemingly minor operations can have outsized operational consequences.
Short‑term controls:
  • Apply least‑privilege principles for API credentials and tokens.
  • Limit access to API endpoints by network controls and segmentation until the patch is applied.
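The authorization‑bypass class described above, as an added example (not SiPass code, and the roles, record fields and in‑memory data are constructed assumptions): an API handler that acts on a record chosen by a caller‑supplied key with no server‑side check, beside the enforced form, which also records denials for the API‑misuse monitoring recommended later in this analysis.

```python
from dataclasses import dataclass

# Added example, not SiPass code. The authorization-bypass class behind
# CVE-2025-40773 (an API acting on a record chosen by a caller-supplied key
# without a server-side check) beside the enforced form. Roles, record
# fields and the in-memory data are constructed assumptions.

@dataclass(frozen=True)
class Principal:
    user_id: str
    role: str            # "operator" or "admin"

@dataclass
class Cardholder:
    cardholder_id: str
    owner_id: str        # operator responsible for this record
    access_level: str

CARDHOLDERS = {   # constructed sample records, not real data
    "ch-1001": Cardholder("ch-1001", "op-alice", "lobby"),
    "ch-1002": Cardholder("ch-1002", "op-bob", "server-room"),
}
AUDIT: list[dict] = []   # denied requests, for log review

def set_access_level_unchecked(caller: Principal, params: dict) -> str:
    """Vulnerable shape: the only 'authorization' is holding a valid session;
    the record to change comes straight from the request."""
    rec = CARDHOLDERS[params["cardholder_id"]]
    rec.access_level = params["access_level"]
    return "ok"

def set_access_level_checked(caller: Principal, params: dict) -> str:
    """Hardened shape: the decision is made from server-side state (record
    ownership or admin role); unknown and forbidden ids get the same answer,
    and every denial is written to the audit trail."""
    target = params.get("cardholder_id")
    rec = CARDHOLDERS.get(target)
    allowed = rec is not None and (
        caller.role == "admin" or rec.owner_id == caller.user_id)
    if not allowed:
        AUDIT.append({"user": caller.user_id, "action": "set_access_level",
                      "target": target, "result": "denied"})
        return "denied"
    rec.access_level = params["access_level"]
    return "ok"
```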

CVE‑2025‑40774 — Recoverable passwords (sensitive credential storage)

Siemens found that some server applications store passwords in an encrypted (but recoverable) format and that the decryption keys are reachable by users with administrative privileges. This effectively turns administrative accounts into a single point of access for recovering plain‑text credentials, increasing both insider risk and post‑compromise lateral‑movement risk. Siemens rates this issue at moderate severity under CVSS v3.1 (4.4), but the CVSS v4 assessment is higher (6.7), reflecting the different aspects of the threat that each scoring model captures.
Recommended response:
  • Upgrade to V3.0 (where Siemens states the storage model is corrected).
  • Rotate all stored credentials that were recoverable and force password resets for privileged accounts after remediation.
  • Adopt hardware‑backed key management for encryption keys (HSMs or similar), and limit key access to a minimal service account that can’t be used as an interactive admin account.
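One‑way salted hashing as the replacement for the recoverable storage pattern discussed in this section, as an added example that is not Siemens’ code: nothing in the stored record yields the password back, even to someone holding every key on the server, and legacy records are flagged so they can be rotated after remediation. The record format, iteration count and function names are assumptions.

```python
import hashlib
import hmac
import os

# Added example, not SiPass code. One-way salted hashing as the replacement
# for the recoverable storage behind CVE-2025-40774. Record format, iteration
# count and function names are assumptions.

ALGO = "pbkdf2_sha256"
DEFAULT_ITERATIONS = 600_000   # tune to the server's CPU budget

def hash_password(password: str, iterations: int = DEFAULT_ITERATIONS) -> str:
    """Derive a one-way, per-user-salted verifier: algo$iterations$salt$digest."""
    salt = os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt,
                                 iterations)
    return f"{ALGO}${iterations}${salt.hex()}${digest.hex()}"

def verify_password(password: str, record: str) -> bool:
    """Recompute with the stored salt and compare in constant time."""
    try:
        algo, iters, salt_hex, digest_hex = record.split("$")
    except ValueError:
        return False
    if algo != ALGO or not iters.isdigit():
        return False
    candidate = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"),
                                    bytes.fromhex(salt_hex), int(iters))
    # Constant-time comparison avoids leaking how many bytes matched.
    return hmac.compare_digest(candidate, bytes.fromhex(digest_hex))

def needs_rehash(record: str, min_iterations: int = DEFAULT_ITERATIONS) -> bool:
    """True for records that are not one-way (any legacy recoverable format)
    or that use too few iterations; such accounts get a forced reset."""
    parts = record.split("$")
    if len(parts) != 4 or parts[0] != ALGO or not parts[1].isdigit():
        return True
    return int(parts[1]) < min_iterations
```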

Context: the DotNetZip path traversal (CVE‑2024‑48510) — a related history lesson

Earlier in 2025, Siemens published SSA‑992434 documenting a directory traversal issue in DotNetZip (CVE‑2024‑48510) used by certain SiPass versions. That vulnerability could be exploited during a backup restore operation if a specially crafted backup set was used; Siemens patched affected V2.90 and V2.95 branches and strongly recommended update procedures and stricter restore controls. This incident illustrates two enduring lessons: (1) third‑party, legacy libraries embedded inside OT software are high‑value targets, and (2) backup/restore workflows are a surprisingly common and dangerous attack surface in OT systems.
Community and forum reporting reinforces this view: multiple WindowsForum posts and security analyses have urged organizations to treat backup file integrity and restore permissions with the highest priority when dealing with ICS devices.
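The stricter restore controls this section argues for, as an added example that is not Siemens’ or DotNetZip’s code: a backup set is checked against a SHA‑256 digest recorded out of band, and any archive entry that would land outside the restore directory (the directory‑traversal class behind CVE‑2024‑48510) causes the whole set to be refused rather than silently sanitised. The function names and sample archive contents are assumptions.

```python
import hashlib
import hmac
import io
import ntpath
import os
import posixpath
import zipfile

# Added example; not Siemens or DotNetZip code. Two gates a restore tool can
# apply before unpacking a backup set: integrity against a SHA-256 recorded
# out of band, then refusal of any entry that would escape the restore
# directory (the traversal class behind CVE-2024-48510). Names are assumptions.

def sha256_hex(archive: bytes) -> str:
    return hashlib.sha256(archive).hexdigest()

def verify_backup_digest(archive: bytes, expected_sha256: str) -> bool:
    return hmac.compare_digest(sha256_hex(archive), expected_sha256.lower())

def unsafe_entries(archive: bytes, dest: str) -> list[str]:
    """Entry names that would escape `dest` (absolute paths, drive letters or
    UNC prefixes, '..' components), found without extracting anything."""
    dest_abs = os.path.realpath(dest)
    bad = []
    with zipfile.ZipFile(io.BytesIO(archive)) as zf:
        for name in zf.namelist():
            cand = name.replace("\\", "/")   # treat as a Windows host would
            if posixpath.isabs(cand) or ntpath.splitdrive(cand)[0]:
                bad.append(name)
                continue
            target = os.path.realpath(os.path.join(dest_abs, cand))
            if os.path.commonpath([dest_abs, target]) != dest_abs:
                bad.append(name)
    return bad

def check_backup(archive: bytes, expected_sha256: str, dest: str) -> list[str]:
    """Reasons to refuse the restore; an empty list means both gates passed.
    A tampered or traversing archive is rejected whole, not silently fixed up."""
    reasons = []
    if not verify_backup_digest(archive, expected_sha256):
        reasons.append("digest mismatch")
    reasons += [f"traversal entry: {n}" for n in unsafe_entries(archive, dest)]
    return reasons

def build_sample_backup(entries: dict) -> bytes:
    """Constructed sample archive for the demonstration (not real backup data)."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        for name, data in entries.items():
            zf.writestr(name, data)
    return buf.getvalue()
```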

Risk evaluation — what this means for operators and defenders

Successful exploitation across these issues could allow unauthenticated or low‑privilege attackers to:
  • Gain administrative or impersonated sessions via stored XSS or credential recovery.
  • Execute arbitrary code on the SiPass application server by exploiting vulnerable image processing (CVE‑2023‑35002) or by leveraging previously patched third‑party components (CVE‑2024‑48510).
  • Manipulate or exfiltrate access control data, potentially compromising physical security and enabling further lateral movement inside corporate networks.
From an ICS/OT risk perspective, the consequences are non‑linear: access control compromise can trigger physical access problems, enable sabotage, or allow attackers to bypass entry systems in facilities that serve critical functions. Forum analysts and incident response practitioners emphasize defense‑in‑depth because patching schedules in OT are often staggered and operationally constrained.
Caveat on exploitation: While Siemens and U.S. federal guidance have highlighted the issues and published mitigations, public reports of active exploitation for these specific CVEs were not widespread at the time of the advisories. Even so, the combination of low attack complexity for some issues and the prevalence of legacy components means defenders should assume active reconnaissance and exploit attempts are possible. Treat the lack of public exploit reports as a temporary state, not assurance of safety.

Recommended prioritized remediation plan (step‑by‑step)

  • Immediate action — patching (highest priority)
      • Update all SiPass integrated instances to V3.0 or later as soon as a validated maintenance window is available. Siemens explicitly lists this action as the primary remediation.
      • For V2.90 and V2.95 users who cannot immediately move to V3.0, ensure the February 2025 DotNetZip patch versions (V2.90.3.19 or V2.95.3.15) are applied where relevant.
  • Short‑term compensating controls (if patching is delayed)
      • Restrict restore operations to a small number of trusted administrators and log/monitor all restore actions.
      • Block or sanitize uploads of image files and other binary content through front‑end proxies.
      • Deploy WAF rules to detect and block typical stored XSS payload patterns and tighten cookie/session protections for admin interfaces.
  • Hardening and prevention (medium term)
      • Enforce network segmentation: isolate SiPass servers in a dedicated OT DMZ with strict firewall ACLs and no direct internet exposure.
      • Implement strong key management for stored credentials; rotate keys and secrets after remediation.
      • Enable multifactor authentication for all admin accounts and use dedicated, hardened admin workstations for management tasks.
  • Detection and monitoring (ongoing)
      • Add specific IDS/IPS signatures and host‑based monitoring for suspicious image processing behavior and unexpected child processes on SiPass servers.
      • Capture and analyze web server logs for anomalous POSTs and input patterns indicative of stored XSS or API misuse.
  • Incident response and recovery
      • If compromise is suspected, assume credential exfiltration and rotate all affected passwords, certificates, and tokens.
      • Maintain offline, verified backups and a tested restore plan that only uses trusted backup media; validate backups cryptographically before use.

Operational and governance recommendations

  • Treat ICS advisories like enterprise high‑priority patches: build an OT patch governance process that includes impact analysis, staged testing, and rapid deployment plans. Forum discussions highlight the difficulty of balancing uptime and security, and emphasize scheduled maintenance with rigorous validation.
  • Inventory and third‑party‑component tracking: maintain an accurate software bill of materials (SBOM) for OT systems. The DotNetZip and ImageGear issues show why knowing embedded dependencies is crucial.
  • Backup integrity: implement cryptographic signing and access control for backup sets and enforce strict provenance checks before any restore operation. In OT environments, a malicious or tampered backup is a realistic and damaging attack vector.
  • Least privilege and role separation: limit the number of users with decryption key access or restore privileges. For credentials storage specifically, eliminate recoverable storage patterns in favor of one‑way salted hashing (where appropriate) and centralized secret management with strict auditing.

Strengths in Siemens’ response — and residual risks

What Siemens did well:
  • Siemens released a consolidated ProductCERT advisory (SSA‑599451) and provided a single remediation target: upgrade to V3.0 or later. Having a single, definitive upgrade path reduces ambiguity for operators.
  • Siemens previously addressed a related DotNetZip issue (SSA‑992434) and provided concrete patch versions for affected branches, showing a consistent patching cadence and follow‑through on third‑party component fixes.
Remaining concerns and operational risks:
  • OT patch windows and validation requirements mean that some operators will be unable to immediately deploy V3.0; that gap creates a period of elevated risk during which compensating controls must be effective. Forum analyses underscore this operational friction.
  • The presence of recoverable passwords indicates a broader design shortcoming in credential management that requires more than a quick patch; it calls for architectural remediation and stronger key management practices.
  • Legacy third‑party libraries (e.g., DotNetZip and ImageGear) embedded in OT products remain an ongoing supply‑chain exposure. Organizations must track and remediate these transitive risks continuously.

Final assessment and recommended posture

This advisory is a serious, multi‑vector security event for SiPass integrated users. The combination of a high‑severity image‑processing overflow, stored XSS that targets administrative sessions, authorization bypass possibilities, and recoverable password storage amounts to a broad attack surface that can be exploited for both cyber and physical effects in access control environments. The vendor‑recommended remediation (update to V3.0) is clear and authoritative; organizations should prioritize testing and deployment of that update as their first and highest priority.
At the same time, defenders must implement layered compensating controls — restore restrictions, network segmentation, upload sanitization, WAF and IDS signatures, strict key management, and aggressive monitoring — to reduce risk during the inevitable patch window. Treat the advisory as both a technical fix and a governance exercise: inventory your OT SBOMs, secure backup processes, and review credential handling practices to prevent similar risks in future product lifecycles. Community guidance and incident post‑mortems reinforce that a mix of immediate patching and operational hardening is the correct defensive posture.

Quick checklist for SiPass integrated operators (actionable)

  • Update: Schedule and validate update to SiPass integrated V3.0 or later now.
  • Backup hygiene: Only restore from cryptographically signed, verified backup images and restrict restore permissions to a minimal admin set.
  • Block risky inputs: Prevent or sanitize image uploads until the ImageGear vector is mitigated.
  • Harden access: Enforce MFA for admin users, use dedicated admin workstations, and isolate admin interfaces behind a VPN or jump host with strict logging.
  • Rotate secrets: After patching, rotate any stored or recoverable credentials and rekey services where feasible.
  • Monitor: Add logging/IDS rules for suspicious restore activity, unexpected image parsing failures, and anomalous web inputs.

Siemens’ advisory should be treated as an urgent operational priority: patch quickly where possible, harden environments immediately where patching must wait, and use this incident to close broader governance gaps around third‑party libraries, backup integrity, and credential management. The combined evidence from Siemens’ ProductCERT advisory and independent vulnerability trackers underscores both the technical severity and the practical mitigations — follow the vendor guidance, assume adversaries will probe these vectors, and harden until the entire environment is reconciled to a secure posture.

Source: CISA advisory, Siemens SiPass Integrated