A single flawed backup script in Siemens' industrial location tracking software can hand an attacker full SYSTEM-level control of the underlying Windows server. That is the sobering reality of CVE-2025-40746, a critical improper input validation vulnerability disclosed on August 12, 2025, affecting SIMATIC RTLS Locating Manager versions prior to V3.2. Siemens and multiple vulnerability databases have assigned the flaw a CVSS v3.1 base score of 9.1 and a CVSS v4 base score of 9.4, underscoring the urgency for operators to patch and harden affected deployments immediately.

What is SIMATIC RTLS Locating Manager?

SIMATIC RTLS Locating Manager is the Windows-based server backbone of Siemens' real-time location system (RTLS) portfolio. It collects measurements from gateways stationed across a facility, computes the precise positions of tagged assets or personnel, and feeds that location data into warehouse management, manufacturing execution systems (MES), and analytics platforms. Deployed widely in critical manufacturing, logistics, and transportation environments, the software is a linchpin for operational visibility — and a high-value target for attackers.

The Vulnerability: CVE-2025-40746

At its core, CVE-2025-40746 is an improper input validation flaw (CWE-20) in an automated backup script used by the Locating Manager. According to Siemens' advisory and the NVD, the problematic script does not sufficiently sanitize input that an authenticated user with elevated application privileges can control. By crafting malicious input, an attacker can manipulate the backup process to execute arbitrary code in the security context of the Locating Manager's Windows service — specifically, as NT AUTHORITY\SYSTEM, the highest privilege level on a Windows machine.
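The advisory does not publish the affected script, so the following is an added illustration of the weakness class it names (CWE-20 in a backup routine), written for this page and not Siemens' code or the actual defect: a backup name that an authenticated application administrator controls is spliced into a command line, beside a hardened version that allowlists the name, confirms the destination stays under the backup root, and builds an argv list so no shell ever sees the input. The directories, the tool invoked and the function names are assumptions.

```python
"""Illustration of the CWE-20 pattern described in the advisory: an operator-
controlled backup name reaching a command line unvalidated. Hypothetical code,
not Siemens' script; paths and tool names are assumptions."""
import re
import subprocess
from pathlib import PureWindowsPath

# Assumed layout; the real product's directories are not known to this example.
DB_DIR = PureWindowsPath(r"D:\RTLS\db")
BACKUP_ROOT = PureWindowsPath(r"D:\RTLS\backups")


def build_backup_command_unsafe(backup_name: str) -> str:
    """Vulnerable pattern: the name an authenticated application admin supplies
    is spliced into a string that the original design hands to cmd.exe
    (subprocess.run(cmd, shell=True)). Quoting does not help: a name such as
        x" & whoami & "
    closes the quoted argument and runs whoami as the account hosting the
    backup job, which for a service like this is NT AUTHORITY\\SYSTEM."""
    return f'robocopy "{DB_DIR}" "{BACKUP_ROOT}\\{backup_name}" /MIR'


# Allowlist: letters, digits, underscore, hyphen; no separators, dots or quotes.
SAFE_NAME = re.compile(r"[A-Za-z0-9_-]{1,64}")


def validate_backup_name(backup_name: str) -> bool:
    """True only for names that pass the allowlist and stay under BACKUP_ROOT."""
    if not SAFE_NAME.fullmatch(backup_name):
        return False
    dest = BACKUP_ROOT / backup_name
    # Belt and braces: an absolute name (C:\x) replaces the root, and a
    # separator or '..' changes the parent, so the join must land directly
    # under BACKUP_ROOT with the name unchanged.
    return dest.parent == BACKUP_ROOT and dest.name == backup_name


def build_backup_command_safe(backup_name: str) -> list[str]:
    """Hardened version: reject anything outside the allowlist and return argv,
    never a shell string, so metacharacters in the name stay inert."""
    if not validate_backup_name(backup_name):
        raise ValueError(f"backup name rejected: {backup_name!r}")
    return ["robocopy", str(DB_DIR), str(BACKUP_ROOT / backup_name), "/MIR"]


def run_backup(backup_name: str) -> int:
    """Execute the hardened command without a shell; returns the tool's exit code."""
    argv = build_backup_command_safe(backup_name)
    return subprocess.run(argv, shell=False, check=False).returncode


if __name__ == "__main__":
    hostile = 'x" & whoami & "'
    print("unsafe:", build_backup_command_unsafe(hostile))
    for name in (hostile, r"..\..\Windows\Temp", "nightly-2025-08-12"):
        try:
            print("safe  :", build_backup_command_safe(name))
        except ValueError as err:
            print("safe  :", err)
```

The point of the hardened version is the combination: the allowlist removes every character a shell or path parser could interpret, the parent check catches anything the allowlist might later be loosened to admit, and passing a list with shell=False means that even a name that slipped through both would arrive at the backup tool as a single inert argument rather than as commands run as SYSTEM.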

This effectively turns a compromise of an application-level privileged account into a full host takeover. While remote code execution requires prior authentication with high privileges within the application, the attack vector is rated as network-accessible (AV:N), with low attack complexity (AC:L) and no user interaction needed (UI:N). The CVSS vectors reflect these conditions:

Metric                       CVSS v3.1       CVSS v4.0
Attack Vector (AV)           Network (N)     Network (N)
Attack Complexity (AC)       Low (L)         Low (L)
Privileges Required (PR)     High (H)        High (H)
User Interaction (UI)        None (N)        None (N)
Scope (S)                    Changed (C)     not a v4.0 metric; the cross-boundary effect that S:C encodes is carried by v4.0's subsequent-system impact metrics (SC/SI/SA)
Confidentiality Impact (C)   High (H)        High (H) (VC)
Integrity Impact (I)         High (H)        High (H) (VI)
Availability Impact (A)      High (H)        High (H) (VA)
Base Score                   9.1             9.4

How Bad Is It? CVSS Scores and Impact

The near-maximum CVSS scores signal that the vulnerability's impact on confidentiality, integrity, and availability is profound. A successful exploit allows an attacker to:

  • Disrupt location feeds and availability for dependent automation, AGVs, and logistics systems.
  • Modify or falsify positional data, potentially misdirecting forklifts, conveyor belts, or safety interlocks.
  • Harvest credentials and pivot laterally into integrated systems — MES, ERP, or identity stores — because RTLS admin accounts often carry broad integration privileges.

In short, a compromised Locating Manager can become a beachhead for a wider OT/IT breach.

Exploitation Prerequisites: Authentication Still Required

It is crucial to note that CVE-2025-40746 is not a zero-click, internet-wormable vulnerability. An attacker must already be authenticated to the Locating Manager application with high privileges. This prerequisite somewhat limits the attack surface, but in real-world deployments, those high-privilege accounts are often shared among multiple technicians, stored in scripts, or protected only by weak credential practices. The earlier forum analysis and Siemens' own notes on a related credential storage weakness (CVE-2025-40751) confirm that the ecosystem's historical handling of secrets creates pathways for privilege escalation that can make this authentication requirement less of a barrier.

Siemens republished a consolidated advisory in August 2025 (SSA-093430) that includes CVE-2025-40746 plus additional vulnerabilities:

  • CVE-2025-30034: A reachable assertion on a loopback listening port that can cause denial-of-service when triggered by a local process.
  • CVE-2025-40751: An insecure credential storage issue in Report Clients that can allow local credential extraction and privilege escalation to System administrator.

These flaws, while individually lower in severity, compound the risk. An attacker who first breaches an operator workstation could steal credentials using CVE-2025-40751 and then exploit CVE-2025-40746 to jump to SYSTEM on the central server. Siemens addressed the full set in version V3.3, though V3.2 remediates CVE-2025-40746 specifically. Operators should patch to the latest available release.

Siemens' Fix and Patching Guidance

Siemens has released updates that correct the input validation in the backup script. The official remediation for CVE-2025-40746 is upgrading to SIMATIC RTLS Locating Manager V3.2 or later. For complete coverage of all August 2025 disclosures, version V3.3 is recommended. The vendor advises testing patches in a staging environment before deploying to production due to the criticality of location services. No workarounds are provided that eliminate the vulnerability; network segmentation and strict access controls are compensatory measures only.

Administrators should note that CISA has archived the initial advisory (ICSA-25-226-13) and no longer provides continuous updates for Siemens products; Siemens ProductCERT remains the authoritative source for patches and guidance.

Mitigation for Those Who Can't Patch Immediately

For organizations bound by operational constraints that delay patching, immediate defensive measures are essential:

  • Remove any internet exposure: Locating Manager interfaces must never be reachable from the public internet. Place all RTLS hosts behind OT/DMZ firewalls with strict allowlisting.
  • Harden the Windows host: Enforce least privilege, disable unnecessary services, restrict interactive logons, and apply all OS security updates.
  • Rotate all credentials: Change passwords for RTLS application accounts, service accounts, and any stored credentials in Report Clients. Migrate to managed secrets vaults where possible.
  • Segment network access: Use VLANs and micro-segmentation to isolate RTLS servers from general IT workstations and less-trusted zones.
  • Implement monitoring and detection: Enable Windows process audit logging (including command-line arguments), object access auditing, and PowerShell logging. Forward logs to a SIEM and create alerts for anomalous activity around the Locating Manager service and backup scripts.

Detection Guidance: Signs of Compromise

Specific indicators can alert defenders to exploitation attempts or successful compromise:

  • Unexpected child processes spawned by the backup script binary or the main Locating Manager service.
  • Creation or modification of scheduled tasks that execute backup or maintenance commands.
  • Sudden restarts or crashes of the Locating Manager service — possibly due to exploitation of the loopback DoS (CVE-2025-30034).
  • Outbound network connections from the RTLS host to unknown or cloud storage endpoints, suggesting data exfiltration.
  • Access to privileged RTLS API endpoints from non-whitelisted workstations.

Collecting Windows Security Event Logs (event ID 4688 for process creation, which carries the command line only when "Include command line in process creation events" is enabled alongside Audit Process Creation; 5145 for detailed file share access; and so on), along with file integrity monitoring, allows for rapid anomaly detection.
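As an added example written for this page (not code from the original article or from Siemens), the Python below runs the first and last indicators above as SIEM-style logic over constructed 4688 export lines: it flags interpreters or unexpected binaries spawned by the Locating Manager service binary or its backup script, and raises severity when the child's command line carries encoded commands, download cradles, account manipulation or chained commands. Two caveats are built in. 4688 populates CommandLine only when "Include command line in process creation events" is enabled, and it records ParentProcessName but not the parent's command line, so a backup script hosted by cmd.exe or powershell.exe is attributable only where a source such as Sysmon event 1 supplies ParentCommandLine; the code uses that field when present. The service and script file names, the key="value" export format and the sample events are assumptions.

```python
"""Hunt for suspicious children of the Locating Manager service and its backup
job in Windows Security 4688 (process creation) exports. Constructed sample
data; file names are assumptions, not Siemens' real binaries."""
import re
from dataclasses import dataclass
from typing import Iterable, Optional

# Hypothetical service binary and backup script names.
WATCHED_PARENTS = {"locatingmanager.exe"}
BACKUP_SCRIPT = re.compile(r"rtlsbackup\.(cmd|bat|ps1)\b", re.IGNORECASE)
# Interpreters and LOLBins a backup job has no business launching.
INTERPRETERS = {"cmd.exe", "powershell.exe", "pwsh.exe", "wscript.exe", "cscript.exe",
                "mshta.exe", "rundll32.exe", "regsvr32.exe", "certutil.exe", "bitsadmin.exe"}
# Hypothetical allowlist of what the backup job legitimately spawns.
EXPECTED_CHILDREN = {"robocopy.exe", "7z.exe"}
# Argument patterns typical of injected or staged payloads.
SUSPICIOUS_ARGS = re.compile(
    r"(-enc(odedcommand)?\s|\biex\b|downloadstring|https?://|\bnet\s+user\b|\bwhoami\b|&&|\|\|)",
    re.IGNORECASE)

_FIELD = re.compile(r'(\w+)="([^"]*)"')


@dataclass(frozen=True)
class Alert:
    severity: str
    reason: str
    parent: str
    child: str
    command_line: str


def parse_event(line: str) -> Optional[dict]:
    """Parse one key="value" export line; returns None unless it is a 4688."""
    fields = dict(_FIELD.findall(line))
    return fields if fields.get("EventID") == "4688" else None


def _basename(path: str) -> str:
    return path.rsplit("\\", 1)[-1].lower()


def is_watched_parent(evt: dict) -> bool:
    """Service binary by image name; backup script by the parent's command line
    (only present in Sysmon-style records, since 4688 lacks ParentCommandLine)."""
    if _basename(evt.get("ParentProcessName", "")) in WATCHED_PARENTS:
        return True
    return bool(BACKUP_SCRIPT.search(evt.get("ParentCommandLine", "")))


def classify(evt: dict) -> Optional[Alert]:
    if not is_watched_parent(evt):
        return None
    parent = _basename(evt.get("ParentProcessName", ""))
    child = _basename(evt.get("NewProcessName", ""))
    cmdline = evt.get("CommandLine", "")
    flagged = bool(SUSPICIOUS_ARGS.search(cmdline))
    if child in INTERPRETERS:
        return Alert("high" if flagged else "medium",
                     "interpreter spawned by RTLS service/backup job", parent, child, cmdline)
    if child not in EXPECTED_CHILDREN:
        return Alert("medium", "unexpected child of RTLS service/backup job", parent, child, cmdline)
    if flagged:
        return Alert("high", "suspicious arguments to expected backup tool", parent, child, cmdline)
    return None


def scan(lines: Iterable[str]) -> list[Alert]:
    alerts = []
    for line in lines:
        evt = parse_event(line)
        if evt is not None:
            alert = classify(evt)
            if alert is not None:
                alerts.append(alert)
    return alerts


# Constructed sample export lines, not real telemetry.
SAMPLE_LINES = [
    r'EventID="4688" SubjectUserName="SYSTEM" ParentProcessName="C:\Program Files\RTLS\LocatingManager.exe" NewProcessName="C:\Windows\System32\Robocopy.exe" CommandLine="robocopy D:\RTLS\db D:\RTLS\backups\nightly /MIR"',
    r'EventID="4688" SubjectUserName="SYSTEM" ParentProcessName="C:\Program Files\RTLS\LocatingManager.exe" NewProcessName="C:\Windows\System32\cmd.exe" CommandLine="cmd.exe /c whoami && net user backdoor P@ss /add"',
    r'EventID="4688" SubjectUserName="SYSTEM" ParentProcessName="C:\Windows\System32\cmd.exe" ParentCommandLine="cmd.exe /c C:\RTLS\scripts\rtlsbackup.cmd nightly" NewProcessName="C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" CommandLine="powershell.exe -nop -w hidden -enc SQBFAFgA"',
    r'EventID="4688" SubjectUserName="ops" ParentProcessName="C:\Windows\explorer.exe" NewProcessName="C:\Windows\System32\cmd.exe" CommandLine="cmd.exe"',
    r'EventID="4624" SubjectUserName="ops" LogonType="10"',
]

if __name__ == "__main__":
    for a in scan(SAMPLE_LINES):
        print(f"[{a.severity}] {a.reason}: {a.parent} -> {a.child} :: {a.command_line}")
```

Of the five constructed records, only the two that match the advisory's scenario fire: the service binary launching cmd.exe with account manipulation, and the backup script's cmd.exe host launching an encoded PowerShell command. The legitimate robocopy run under the service, an operator's interactive cmd.exe under explorer.exe, and the logon event are all ignored. Tune EXPECTED_CHILDREN to what the real backup job spawns during a known-good run before deploying this, or the medium alerts will be noise.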

The Bigger Picture: OT/IT Convergence Risks

This vulnerability highlights a recurring tension in industrial environments: location systems that once ran on air-gapped, proprietary hardware are now Windows-based servers deeply integrated with enterprise IT. The SIMATIC RTLS Locating Manager exemplifies this convergence, and its compromise can ripple across both operational and informational domains. The forum analysis rightly points out that a single compromised host can falsify location data, halt AGV fleets, or serve as a pivot to MES databases. Security teams must treat RTLS infrastructure with the same rigor as domain controllers or SCADA HMIs.

Long-Term Recommendations

Beyond the immediate patch, owners of Siemens RTLS deployments should adopt a hardening stance that anticipates these classes of vulnerabilities:

  • Secrets management: Move away from file-based credential storage. Protect logon credentials in memory with Windows Credential Guard, keep application and integration secrets in an enterprise vault such as Azure Key Vault or an equivalent, rotate service account passwords frequently, and enforce least privilege for integration accounts.
  • Network architecture: Implement true micro-segmentation. Place Locating Manager in a dedicated, hardened VLAN with inbound and outbound traffic restricted to only necessary systems. Prohibit direct access from operator workstations unless strictly required and monitored.
  • Lifecycle management: Subscribe to Siemens ProductCERT alerts and integrate them into your patch management process. Maintain a software bill of materials (SBOM) for RTLS components to quickly scope new advisories.
  • Vendor accountability: Require secure defaults in procurement — encrypted communications, signed updates, and hardened installers. If a vendor ships components with local trust assumptions or insecure defaults, negotiate contractual requirements for timely remediation.

Immediate Action Checklist

  1. Inventory: List all RTLS hosts, report clients, and operator consoles; capture versions and SKUs.
  2. Patch: Test and deploy Siemens ProductCERT updates (V3.2 or later for CVE-2025-40746; ensure any follow-on advisories are applied).
  3. Isolate: Confirm no Locating Manager endpoints are reachable from the internet and restrict lateral movement with allowlists.
  4. Rotate secrets: Change and re-protect any credentials stored or used by Report Clients, operator consoles, and integration accounts.
  5. Monitor: Enable Windows process, event, and file integrity logging and centralize logs for detection.
  6. Test: Perform offline exploit simulation in an isolated lab to validate remediation and detections; ensure rollback plans are in place.

Conclusion

CVE-2025-40746 is a critical wake-up call for operators of Siemens' SIMATIC RTLS Locating Manager. A single input validation oversight in a backup script can hand an attacker the keys to the kingdom — SYSTEM access on a server that underpins physical operations. With patches available from V3.2 onward and a consolidated V3.3 that mops up companion flaws, the path to safety is clear: patch, isolate, rotate secrets, and monitor. The forum community's detailed analysis and the vendor's official advisory both converge on the same point: treat RTLS security as front-line defense, not an afterthought, because in a converged OT/IT world, a location server is a control server.