
CERT Coordination Center

Siemens Gridscale X Prepay username enumeration and account lock bypass vulnerability

Vulnerability Note VU#651499

Original Release Date: 2025-12-16 | Last Revised: 2025-12-16

Overview

Vulnerabilities have been identified in Siemens Gridscale X Prepay that allow unauthenticated username enumeration and enable an attacker to bypass account lock functionality. These issues may permit unauthorized access or prolonged access to protected resources, even after an account has been administratively locked.

Description

Siemens Gridscale X Prepay is a scalable energy management solution for utilities, integrating smart meters and customer payment options. The related vulnerabilities increase the risk of unauthorized actions, data exposure, or misuse of sensitive organizational resources.

CVE-2025-40806 Unauthenticated username enumeration. An attacker may determine whether a username is valid from the response code returned, before authentication occurs. This exposure can facilitate targeted attacks by allowing an adversary to identify valid accounts before attempting further compromise.

CVE-2025-40807 Account lock bypass. An attacker can bypass the intended account lock protection by replaying or modifying previously captured valid responses. The issue appears related to session tokens that remain valid after logout or after an administrative account lock. Because these tokens do not expire immediately, an attacker with access to previously captured network responses can continue to access the system despite the account being locked. This scenario is particularly concerning when the attacker is a former employee, insider, or anyone with prior authenticated access who may have retained captured network data or session artifacts.
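The failure mode described for CVE-2025-40807, shown as an added defensive example that is not code from Siemens or from the product: a validator that trusts only a token's signature and expiry, beside one that also checks server-side lock and logout state on every request. The token format, function names and in-memory stores are assumptions, since this note does not describe how Gridscale X Prepay implements sessions.

```python
import hashlib, hmac, secrets, time

SECRET = secrets.token_bytes(32)   # constructed signing key for this example
TOKEN_TTL = 3600                   # assumed token lifetime in seconds
locked_accounts = set()            # populated by an administrative lock
revoked_sessions = set()           # populated on logout

def _mac(body):
    return hmac.new(SECRET, body.encode(), hashlib.sha256).hexdigest()

def issue_token(user, now=None):
    """Return a signed token of the form user|session_id|expiry|mac."""
    now = time.time() if now is None else now
    body = f"{user}|{secrets.token_hex(8)}|{int(now) + TOKEN_TTL}"
    return f"{body}|{_mac(body)}"

def _parse(token, now):
    """Check signature and expiry; return (user, session_id) or None."""
    try:
        user, sid, expiry, mac = token.split("|")
        good = _mac(f"{user}|{sid}|{expiry}")
        if not hmac.compare_digest(mac.encode(), good.encode()):
            return None
        if int(expiry) < now:
            return None
    except ValueError:             # wrong field count or non-numeric expiry
        return None
    return user, sid

def validate_stateless(token, now=None):
    """Weak form: signature and expiry only, so a captured token keeps
    working after logout or an administrative account lock."""
    return _parse(token, time.time() if now is None else now) is not None

def validate_with_state(token, now=None):
    """Hardened form: every request also consults lock and revocation state."""
    parsed = _parse(token, time.time() if now is None else now)
    if parsed is None:
        return False
    user, sid = parsed
    return user not in locked_accounts and sid not in revoked_sessions

def logout(token):
    parsed = _parse(token, 0)      # now=0 so expired tokens can still be revoked
    if parsed:
        revoked_sessions.add(parsed[1])

def lock_account(user):
    locked_accounts.add(user)
```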

Impact

The complete impact of this vulnerability is not yet known.

Solution

Siemens has released a new version of Gridscale X Prepay. For version 4.2.1 and below, it is recommended to install the provided security update using the appropriate tools and procedures supplied with the product. Before deployment, all updates should be validated, and they should be installed under the supervision of personnel with approved access within the target environment. As a general security practice, Siemens also advises protecting network access with suitable controls such as firewalls, network segmentation, and VPNs. Systems should be configured in accordance with Siemens' operational guidelines to ensure that the devices operate within a secure IT environment.

Acknowledgements

Thank you to the reporter, Kira The Raven Security. This document was written by Michael Bragg.

Vendor Information


Siemens Affected

Notified: 2025-06-12 Updated: 2025-12-16

Statement Date: November 21, 2025

CVE-2025-40806 Affected
CVE-2025-40807 Affected

Vendor Statement

We have not received a statement from the vendor.


Other Information

CVE IDs: CVE-2025-40806 CVE-2025-40807
API URL: VINCE JSON | CSAF
Date Public: 2025-12-16
Date First Published: 2025-12-16
Date Last Updated: 2025-12-16 18:46 UTC
Document Revision: 1

Sponsored by CISA.