CVE-2025-25266

A vulnerability has been identified in Tecnomatix Plant Simulation V2302 (All versions < V2302.0021), Tecnomatix Plant Simulation V2404 (All versions < V2404.0010). The affected application does not properly restrict access to the file deletion functionality. This could allow an unauthorized attacker to delete files even when access to the system should be prohibited, resulting in potential data loss or unauthorized modification of system files.

CVSS v3 6.8 MEDIUM

6.8^/10

CVSS v3 : MEDIUM

Vector :

Exploitability : 2.5 / Impact : 4.2

Attack Vector LOCAL

Attack Complexity LOW

Privileges Required NONE

User Interaction NONE

Confidentiality Impact NONE

Integrity Impact HIGH

Availability Impact LOW

Scope UNCHANGED

References

Link	Resource
https://cert-portal.siemens.com/productcert/html/ssa-507653.html	Vendor Advisory

Configurations

Configuration 1 (hide)

OR	cpe:2.3:a:siemens:tecnomatix_plant_simulation::::::::
	cpe:2.3:a:siemens:tecnomatix_plant_simulation::::::::

History

23 Sep 2025, 15:28

Type	Values Removed	Values Added
First Time		Siemens Siemens tecnomatix Plant Simulation
Summary		(es) Se ha identificado una vulnerabilidad en Tecnomatix Plant Simulation V2302 (todas las versiones anteriores a V2302.0021) y Tecnomatix Plant Simulation V2404 (todas las versiones anteriores a V2404.0010). La aplicación afectada no restringe adecuadamente el acceso a la función de eliminación de archivos. Esto podría permitir que un atacante no autorizado elimine archivos incluso cuando el acceso al sistema debería estar prohibido, lo que podría provocar una posible pérdida de datos o una modificación no autorizada de los archivos del sistema.
CPE		cpe:2.3:a:siemens:tecnomatix_plant_simulation::::::::
References	~~() https://cert-portal.siemens.com/productcert/html/ssa-507653.html -~~	() https://cert-portal.siemens.com/productcert/html/ssa-507653.html - Vendor Advisory

11 Mar 2025, 10:15

Type	Values Removed	Values Added
New CVE

Information

Published : 2025-03-11 10:15

Updated : 2025-09-23 15:28

NVD link : CVE-2025-25266

Mitre link : CVE-2025-25266

CVE.ORG link : CVE-2025-25266

JSON object : View

Products Affected

siemens

tecnomatix_plant_simulation

CWE

CWE-552

Files or Directories Accessible to External Parties

{"id": "CVE-2025-25266", "cveTags": [], "metrics": {"cvssMetricV31": [{"type": "Secondary", "source": "productcert@siemens.com", "cvssData": {"scope": "UNCHANGED", "version": "3.1", "baseScore": 6.8, "attackVector": "LOCAL", "baseSeverity": "MEDIUM", "vectorString": "CVSS:3.1/AV:L/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:L", "integrityImpact": "HIGH", "userInteraction": "NONE", "attackComplexity": "LOW", "availabilityImpact": "LOW", "privilegesRequired": "NONE", "confidentialityImpact": "NONE"}, "impactScore": 4.2, "exploitabilityScore": 2.5}, {"type": "Primary", "source": "nvd@nist.gov", "cvssData": {"scope": "UNCHANGED", "version": "3.1", "baseScore": 6.1, "attackVector": "LOCAL", "baseSeverity": "MEDIUM", "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:H/A:L", "integrityImpact": "HIGH", "userInteraction": "NONE", "attackComplexity": "LOW", "availabilityImpact": "LOW", "privilegesRequired": "LOW", "confidentialityImpact": "NONE"}, "impactScore": 4.2, "exploitabilityScore": 1.8}], "cvssMetricV40": [{"type": "Secondary", "source": "productcert@siemens.com", "cvssData": {"Safety": "NOT_DEFINED", "version": "4.0", "Recovery": "NOT_DEFINED", "baseScore": 7.0, "Automatable": "NOT_DEFINED", "attackVector": "LOCAL", "baseSeverity": "HIGH", "valueDensity": "NOT_DEFINED", "vectorString": "CVSS:4.0/AV:L/AC:L/AT:N/PR:N/UI:N/VC:N/VI:H/VA:L/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X", "exploitMaturity": "NOT_DEFINED", "providerUrgency": "NOT_DEFINED", "userInteraction": "NONE", "attackComplexity": "LOW", "attackRequirements": "NONE", "privilegesRequired": "NONE", "subIntegrityImpact": "NONE", "vulnIntegrityImpact": "HIGH", "integrityRequirement": "NOT_DEFINED", "modifiedAttackVector": "NOT_DEFINED", "subAvailabilityImpact": "NONE", "vulnAvailabilityImpact": "LOW", "availabilityRequirement": "NOT_DEFINED", "modifiedUserInteraction": "NOT_DEFINED", "modifiedAttackComplexity": "NOT_DEFINED", "subConfidentialityImpact": "NONE", "vulnConfidentialityImpact": "NONE", "confidentialityRequirement": "NOT_DEFINED", "modifiedAttackRequirements": "NOT_DEFINED", "modifiedPrivilegesRequired": "NOT_DEFINED", "modifiedSubIntegrityImpact": "NOT_DEFINED", "modifiedVulnIntegrityImpact": "NOT_DEFINED", "vulnerabilityResponseEffort": "NOT_DEFINED", "modifiedSubAvailabilityImpact": "NOT_DEFINED", "modifiedVulnAvailabilityImpact": "NOT_DEFINED", "modifiedSubConfidentialityImpact": "NOT_DEFINED", "modifiedVulnConfidentialityImpact": "NOT_DEFINED"}}]}, "published": "2025-03-11T10:15:17.850", "references": [{"url": "https://cert-portal.siemens.com/productcert/html/ssa-507653.html", "tags": ["Vendor Advisory"], "source": "productcert@siemens.com"}], "vulnStatus": "Analyzed", "weaknesses": [{"type": "Primary", "source": "productcert@siemens.com", "description": [{"lang": "en", "value": "CWE-552"}]}], "descriptions": [{"lang": "en", "value": "A vulnerability has been identified in Tecnomatix Plant Simulation V2302 (All versions < V2302.0021), Tecnomatix Plant Simulation V2404 (All versions < V2404.0010). The affected application does not properly restrict access to the file deletion functionality.\r\nThis could allow an unauthorized attacker to delete files even when access to the system should be prohibited, resulting in potential data loss or unauthorized modification of system files."}, {"lang": "es", "value": "Se ha identificado una vulnerabilidad en Tecnomatix Plant Simulation V2302 (todas las versiones anteriores a V2302.0021) y Tecnomatix Plant Simulation V2404 (todas las versiones anteriores a V2404.0010). La aplicaci\u00f3n afectada no restringe adecuadamente el acceso a la funci\u00f3n de eliminaci\u00f3n de archivos. Esto podr\u00eda permitir que un atacante no autorizado elimine archivos incluso cuando el acceso al sistema deber\u00eda estar prohibido, lo que podr\u00eda provocar una posible p\u00e9rdida de datos o una modificaci\u00f3n no autorizada de los archivos del sistema."}], "lastModified": "2025-09-23T15:28:18.417", "configurations": [{"nodes": [{"negate": false, "cpeMatch": [{"criteria": "cpe:2.3:a:siemens:tecnomatix_plant_simulation:*:*:*:*:*:*:*:*", "vulnerable": true, "matchCriteriaId": "1931FE09-570E-4D37-B732-1BF2D8893FEE", "versionEndExcluding": "2302.0021", "versionStartIncluding": "2302.0"}, {"criteria": "cpe:2.3:a:siemens:tecnomatix_plant_simulation:*:*:*:*:*:*:*:*", "vulnerable": true, "matchCriteriaId": "8FCD6BE6-B2E7-4D13-8928-9F9B5A4DEDD4", "versionEndExcluding": "2404.0010", "versionStartIncluding": "2404.0"}], "operator": "OR"}]}], "sourceIdentifier": "productcert@siemens.com"}