CVE-2025-40566: Session Token Replay in SIMATIC PCS neo v4.1/5.0
CVE-2025-40566 Published on May 13, 2025
A vulnerability has been identified in SIMATIC PCS neo V4.1 (All versions < V4.1 Update 3), SIMATIC PCS neo V5.0 (All versions < V5.0 Update 1). Affected products do not correctly invalidate user sessions upon user logout. This could allow a remote unauthenticated attacker, who has obtained the session token by other means, to re-use a legitimate user's session even after logout.
Weakness Type
Insufficient Session Expiration (CWE-613)
According to WASC, "Insufficient Session Expiration is when a web site permits an attacker to reuse old session credentials or session IDs for authorization."
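To make the failure mode concrete, here is a small added illustration (not code from SIMATIC PCS neo or Siemens; the product's real session handling is not described on this page). It models a server whose logout only tells the browser to drop its cookie while the server-side session record stays valid, next to one that destroys the record first, and a probe that replays a captured token after logout. The user table, credentials and token format are constructed for the example.

```python
"""Model of CWE-613 (insufficient session expiration): logout that does not
invalidate the server-side session. Illustrative code, not vendor code."""
import secrets
import time
from typing import Dict, Optional

# Constructed credential table for the example only.
_USERS = {"operator": "correct horse"}


class SessionStore:
    """In-memory session table keyed by an opaque random token."""

    def __init__(self, idle_timeout: float = 900.0) -> None:
        self._sessions: Dict[str, dict] = {}
        self._idle_timeout = idle_timeout

    def create(self, user: str) -> str:
        token = secrets.token_urlsafe(32)  # 256 bits of entropy
        self._sessions[token] = {"user": user, "last_seen": time.monotonic()}
        return token

    def lookup(self, token: str) -> Optional[str]:
        """Return the bound user, or None if the token is unknown or idle-expired."""
        rec = self._sessions.get(token)
        if rec is None:
            return None
        if time.monotonic() - rec["last_seen"] > self._idle_timeout:
            del self._sessions[token]
            return None
        rec["last_seen"] = time.monotonic()
        return rec["user"]

    def destroy(self, token: str) -> None:
        self._sessions.pop(token, None)


class VulnerableApp:
    """Logout only instructs the client to forget its cookie."""

    def __init__(self) -> None:
        self.store = SessionStore()

    def login(self, user: str, password: str) -> str:
        if _USERS.get(user) != password:
            raise PermissionError("bad credentials")
        return self.store.create(user)

    def logout(self, token: str) -> str:
        # Bug: the server-side record is never removed. Anyone who captured
        # the token (proxy log, XSS, shoulder-surfed URL) keeps the session.
        return "Set-Cookie: session=; Max-Age=0"

    def request(self, token: str) -> str:
        user = self.store.lookup(token)
        return f"200 hello {user}" if user else "401 unauthorized"


class FixedApp(VulnerableApp):
    """Logout destroys the server-side session before clearing the cookie."""

    def logout(self, token: str) -> str:
        self.store.destroy(token)
        return "Set-Cookie: session=; Max-Age=0"


def replay_after_logout(app: VulnerableApp) -> bool:
    """Probe: log in, capture the token, log out, replay the token.

    Returns True when the replayed token still authenticates (vulnerable).
    """
    token = app.login("operator", "correct horse")
    if not app.request(token).startswith("200"):
        raise RuntimeError("session should be valid before logout")
    app.logout(token)
    return app.request(token).startswith("200")


if __name__ == "__main__":
    print("vulnerable app replay works:", replay_after_logout(VulnerableApp()))
    print("fixed app replay works:     ", replay_after_logout(FixedApp()))
```

The same probe is the manual check a tester runs against a live system: log in, record the session cookie from an intercepting proxy, log out through the UI, then resend an authenticated request with the recorded cookie. A 200 rather than a redirect to the login page means logout is not invalidating the session server-side, which is exactly the condition the advisory describes.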
Products Associated with CVE-2025-40566
Affected Versions
- Siemens SIMATIC PCS neo V4.1: all versions before V4.1 Update 3 are affected.
- Siemens SIMATIC PCS neo V5.0: all versions before V5.0 Update 1 are affected.
Exploit Probability
EPSS (Exploit Prediction Scoring System) scores estimate the probability that a vulnerability will be exploited in the wild within the next 30 days. The percentile shows you how this score compares to all other vulnerabilities.