
CISA alerts on Siemens Gridscale X Prepay vulnerabilities

Siemens Gridscale X Prepay contains vulnerabilities that allow unauthenticated username enumeration and permit bypassing account lock controls, which can result in unauthorized or continued access to protected resources even after an account has been administratively locked.

The issues are tracked as CVE-2025-40806 and CVE-2025-40807 and affect Siemens Gridscale X Prepay versions 4.2.1 and below.

CVE-2025-40806 allows unauthenticated username enumeration: the application returns a response code that reveals whether a submitted username is valid before any authentication takes place, so an attacker can confirm which account names exist without holding credentials.

CVE-2025-40807 allows the account lock control to be bypassed by replaying or modifying previously captured valid responses. The flaw appears to stem from session tokens that remain valid after logout or after an administrative account lock. Because those tokens are not invalidated immediately, an attacker who holds previously captured network responses can keep accessing protected resources even though the account has been locked. This is particularly relevant to former employees, insiders, or anyone with prior authenticated access who may have retained captured network data or session artifacts.
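The two flaw classes above (a pre-authentication response that leaks username validity, and session tokens that outlive a logout or an administrative lock) are easiest to recognise side by side. The following is an added illustration written for this page, not Siemens code and not a description of Gridscale X Prepay's internals: the handler classes, the status codes 404/401/423, the in-memory `UserStore` and the `probe` driver are all hypothetical stand-ins. `VulnerableAuth` shows the weak pattern; `HardenedAuth` shows the same interface with a single failure code for every pre-authentication outcome, server-side revocation on logout, and the lock flag re-read on every request.

```python
# Constructed illustration, not Siemens code: the handlers, status codes and
# user store below are hypothetical stand-ins for the two flaw classes described.
import hashlib
import hmac
import secrets


def _pw_hash(password: str, salt: bytes) -> bytes:
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 50_000)


class UserStore:
    """Hypothetical in-memory user table with an administrative lock flag."""
    def __init__(self):
        self._users = {}

    def add(self, username, password):
        salt = secrets.token_bytes(16)
        self._users[username] = {"salt": salt, "hash": _pw_hash(password, salt), "locked": False}

    def lock(self, username):
        self._users[username]["locked"] = True

    def get(self, username):
        return self._users.get(username)


class VulnerableAuth:
    """Weak pattern: distinct pre-auth codes leak whether the username exists,
    and access() only asks whether a token was ever issued."""
    def __init__(self, store):
        self.store, self.sessions = store, {}  # sessions: token -> username, never pruned

    def login(self, username, password):
        user = self.store.get(username)
        if user is None:
            return 404, None  # tells the caller the username does not exist
        if not hmac.compare_digest(_pw_hash(password, user["salt"]), user["hash"]):
            return 401, None  # tells the caller the username does exist
        if user["locked"]:
            return 423, None
        token = secrets.token_urlsafe(32)
        self.sessions[token] = username
        return 200, token

    def logout(self, token):
        pass  # nothing revoked server-side; a captured token stays usable

    def access(self, token):
        return 200 if token in self.sessions else 401  # lock flag never re-read


# Dummy credential so an unknown username costs the same hashing work as a real one.
_DUMMY_SALT = secrets.token_bytes(16)
_DUMMY_HASH = _pw_hash(secrets.token_hex(8), _DUMMY_SALT)


class HardenedAuth:
    """One failure code for every pre-auth outcome, server-side revocation on
    logout, and the lock flag re-read on every request."""
    def __init__(self, store):
        self.store, self.sessions = store, {}

    def login(self, username, password):
        user = self.store.get(username)
        salt = user["salt"] if user else _DUMMY_SALT
        expected = user["hash"] if user else _DUMMY_HASH
        ok = hmac.compare_digest(_pw_hash(password, salt), expected)
        if user is None or not ok or user["locked"]:
            return 401, None  # unknown user, bad password and locked account look identical
        token = secrets.token_urlsafe(32)
        self.sessions[token] = username
        return 200, token

    def logout(self, token):
        self.sessions.pop(token, None)

    def access(self, token):
        username = self.sessions.get(token)
        user = self.store.get(username) if username else None
        if user is None or user["locked"]:
            self.sessions.pop(token, None)  # a locked account's sessions die here
            return 401
        return 200


def probe(auth_cls):
    """Drive one implementation through the advisory's scenarios and report
    what someone replaying captured tokens would observe."""
    store = UserStore()
    store.add("operator", "correct horse")
    auth = auth_cls(store)
    unknown_code, _ = auth.login("nobody", "x")
    badpw_code, _ = auth.login("operator", "x")
    _, t1 = auth.login("operator", "correct horse")
    _, t2 = auth.login("operator", "correct horse")
    auth.logout(t1)
    after_logout = auth.access(t1)  # replay of a token the user logged out
    store.lock("operator")
    after_lock = auth.access(t2)  # replay of a token captured before the admin lock
    return {"enumerable": unknown_code != badpw_code,
            "after_logout": after_logout, "after_lock": after_lock}


if __name__ == "__main__":
    print("vulnerable:", probe(VulnerableAuth))
    print("hardened:  ", probe(HardenedAuth))
```

Running `probe` against each class shows the vulnerable handler answering 404 and 401 to distinguish unknown from known usernames and still returning 200 for both replayed tokens, while the hardened handler answers 401 in every one of those cases. Short token lifetimes are a useful complement, but they do not address the advisory's point on their own: a lock has to take effect immediately, which only server-side session state (revocation on logout, lock status checked on every request) delivers.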

These vulnerabilities may permit unauthorized or prolonged access to protected resources, even after an account has been administratively locked. The complete impact of these vulnerabilities is not yet known.

Siemens has released a new version of Gridscale X Prepay. For version 4.2.1 and below, it recommends installing the provided security update using the tools and procedures supplied with the product. All updates should be validated before deployment and installed under the supervision of personnel with approved access to the target environment.

The vendor also advises protecting network access with controls such as firewalls, network segmentation, and VPNs, and configuring systems in accordance with Siemens' operational guidelines so the devices operate within a secure IT environment.