CVE-2025-40800
BaseFortify
Publication date: 2025-12-09
Last updated on: 2026-03-10
Assigner: Siemens AG
Description
Description
CVSS Scores
EPSS Scores
| Probability: | |
| Percentile: |
Meta Information
Affected Vendors & Products
| Vendor | Product | Version / Range |
|---|---|---|
| siemens | simcenter_3d | * |
| siemens | solid_edge | se2026 |
| siemens | simcenter_femap | * |
| siemens | nx | 2412 |
| siemens | solid_edge | se2025 |
| siemens | nx | 2506 |
| siemens | comos | 10.6 |
Helpful Resources
Exploitability
| CWE ID | Description |
|---|---|
| CWE-295 | The product does not validate, or incorrectly validates, a certificate. |
Attack-Flow Graph
AI Powered Q&A
How does this vulnerability affect compliance with common standards and regulations (like GDPR, HIPAA)?:
The provided resources do not explicitly discuss the impact of CVE-2025-40800 on compliance with common standards and regulations such as GDPR or HIPAA. However, since the vulnerability allows man-in-the-middle attacks that could compromise confidentiality and integrity of communications, it may pose risks to data protection and privacy requirements under such regulations. Siemens recommends applying updates and security measures to mitigate these risks, which is important for maintaining compliance. No direct statements about compliance impact are given. [1, 2]
Can you explain this vulnerability to me?
This vulnerability exists in several Siemens products where the IAM client does not validate the server certificate when establishing TLS connections to the authorization server. This lack of validation can allow an attacker to perform a man-in-the-middle (MITM) attack, intercepting or altering communications between the client and server.
How can this vulnerability impact me? :
The vulnerability can allow an attacker to intercept or manipulate sensitive data exchanged between the client and the authorization server through a man-in-the-middle attack. This could lead to unauthorized access, data breaches, or compromise of authentication processes in the affected Siemens products.
What immediate steps should I take to mitigate this vulnerability?
To mitigate CVE-2025-40800, immediately update affected Siemens products to the latest available versions where fixes exist (e.g., NX V2412.8700 or later, NX V2506.6000 or later, Simcenter 3D V2506.6000 or later, Simcenter Femap V2506.0002 or later, Solid Edge SE2025 V225.0 Update 10 or later, Solid Edge SE2026 V226.0 Update 1 or later). For COMOS V10.6, no fix is currently available, so apply general security measures such as restricting network access to affected devices and configuring operational environments according to Siemens' Industrial Security guidelines. Refer to Siemensβ product manuals and security advisories for detailed configuration and mitigation steps, and contact Siemens ProductCERT for further assistance. [1, 2]