CVE-2025-25266: 
Siemens Tecnomatix Plant Simulation vulnerability analysis and mitigation

A vulnerability (CVE-2025-25266) has been identified in Siemens Tecnomatix Plant Simulation V2302 (versions before V2302.0021) and V2404 (versions before V2404.0010). The vulnerability was disclosed on March 11, 2025, and involves improper access control that affects the file deletion functionality of the application (Siemens Advisory, NVD).

The vulnerability is classified as CWE-552 (Files or Directories Accessible to External Parties). It has received a CVSS v3.1 base score of 6.8 (Medium) with the vector string CVSS:3.1/AV:L/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:L, and a CVSS v4.0 base score of 7.0 (High) with the vector string CVSS:4.0/AV:L/AC:L/AT:N/PR:N/UI:N/VC:N/VI:H/VA:L/SC:N/SI:N/SA:N (CISA, Siemens Advisory).

The vulnerability allows an unauthorized attacker to delete files even when access to the system should be prohibited, potentially resulting in data loss or unauthorized modification of system files. The attack requires local access to the system (Siemens Advisory).

Siemens has released updates to address this vulnerability. Users of Tecnomatix Plant Simulation V2302 should update to V2302.0021 or later, while users of V2404 should update to V2404.0010 or later. Additionally, Siemens recommends protecting network access to devices with appropriate mechanisms and configuring the environment according to Siemens' operational guidelines for Industrial Security (Siemens Advisory).