CVE-2025-40937
BaseFortify
Publication date: 2025-12-09
Last updated on: 2025-12-10
Assigner: Siemens AG
Description
Description
CVSS Scores
EPSS Scores
| Probability: | |
| Percentile: |
Meta Information
Affected Vendors & Products
| Vendor | Product | Version / Range |
|---|---|---|
| siemens | simatic_cn_4100 | * |
| siemens | simatic_cn_4100_firmware | to 4.0.1 (inc) |
Helpful Resources
Exploitability
| CWE ID | Description |
|---|---|
| CWE-77 | The product constructs all or part of a command using externally-influenced input from an upstream component, but it does not neutralize or incorrectly neutralizes special elements that could modify the intended command when it is sent to a downstream component. |
Attack-Flow Graph
AI Powered Q&A
Can you explain this vulnerability to me?
This vulnerability exists in SIMATIC CN 4100 versions prior to V4.0.1, where the application does not properly validate input parameters in its REST API. This improper handling of unexpected arguments can allow an authenticated attacker to execute arbitrary code with limited privileges.
How can this vulnerability impact me? :
An authenticated attacker could exploit this vulnerability to execute arbitrary code on the affected system with limited privileges, potentially leading to unauthorized actions, data compromise, or disruption of services.
What immediate steps should I take to mitigate this vulnerability?
To mitigate this vulnerability, update SIMATIC CN 4100 to version V4.0.1 or later. Additionally, protect network access to the devices and follow Siemens' operational guidelines for Industrial Security. [1]