CVE-2025-40800
Unknown Unknown - Not Provided
BaseFortify

Publication date: 2025-12-09

Last updated on: 2026-03-10

Assigner: Siemens AG

Description
A vulnerability has been identified in COMOS V10.6 (All versions < V10.6.1), COMOS V10.6 (All versions < V10.6.1), NX V2412 (All versions < V2412.8700), NX V2506 (All versions < V2506.6000), Simcenter 3D (All versions < V2506.6000), Simcenter Femap (All versions < V2506.0002), Solid Edge SE2025 (All versions < V225.0 Update 10), Solid Edge SE2026 (All versions < V226.0 Update 1). The IAM client in affected products is missing server certificate validation while establishing TLS connections to the authorization server. This could allow an attacker to perform a man-in-the-middle attack.
CVSS Scores
EPSS Scores
Probability:
Percentile:
Meta Information
Published
2025-12-09
Last Modified
2026-03-10
Generated
2026-06-10
AI Q&A
2025-12-09
EPSS Evaluated
2026-06-09
NVD
CVE-2025-40800
EUVD
EUVD-2025-201929
Affected Vendors & Products
Showing 7 associated CPEs
Vendor Product Version / Range
siemens simcenter_3d *
siemens solid_edge se2026
siemens simcenter_femap *
siemens nx 2412
siemens solid_edge se2025
siemens nx 2506
siemens comos 10.6
Helpful Resources
Exploitability
CWE
CWE Icon
KEV
KEV Icon
CWE ID Description
CWE-295 The product does not validate, or incorrectly validates, a certificate.
Attack-Flow Graph
AI Quick Actions
Instant insights powered by AI
Executive Summary

This vulnerability exists in several Siemens products where the IAM client does not validate the server certificate when establishing TLS connections to the authorization server. This lack of validation can allow an attacker to perform a man-in-the-middle (MITM) attack, intercepting or altering communications between the client and server.

Impact Analysis

The vulnerability can allow an attacker to intercept or manipulate sensitive data exchanged between the client and the authorization server through a man-in-the-middle attack. This could lead to unauthorized access, data breaches, or compromise of authentication processes in the affected Siemens products.

Compliance Impact

The provided resources do not explicitly discuss the impact of CVE-2025-40800 on compliance with common standards and regulations such as GDPR or HIPAA. However, since the vulnerability allows man-in-the-middle attacks that could compromise confidentiality and integrity of communications, it may pose risks to data protection and privacy requirements under such regulations. Siemens recommends applying updates and security measures to mitigate these risks, which is important for maintaining compliance. No direct statements about compliance impact are given. [1, 2]

Mitigation Strategies

To mitigate CVE-2025-40800, immediately update affected Siemens products to the latest available versions where fixes exist (e.g., NX V2412.8700 or later, NX V2506.6000 or later, Simcenter 3D V2506.6000 or later, Simcenter Femap V2506.0002 or later, Solid Edge SE2025 V225.0 Update 10 or later, Solid Edge SE2026 V226.0 Update 1 or later). For COMOS V10.6, no fix is currently available, so apply general security measures such as restricting network access to affected devices and configuring operational environments according to Siemens' Industrial Security guidelines. Refer to Siemens’ product manuals and security advisories for detailed configuration and mitigation steps, and contact Siemens ProductCERT for further assistance. [1, 2]

Chat Assistant
Ask questions about this CVE
Hi! I’m here to help you understand CVE-2025-40800. Ask me anything about the vulnerability, its impact, or mitigation strategies.
0/70
EPSS Chart