Full Report
Multiple Siemens products are affected by improper certificate validation in the Siemens Advanced Licensing (SALT) Toolkit. This could allow an unauthenticated remote attacker to perform man-in-the-middle attacks. Siemens has released new versions for several affected products and recommends updating to the latest versions. Siemens recommends countermeasures for products where fixes are not available or not yet available.
Analysis Summary
# Vulnerability: Missing Server Certificate Validation in Siemens Advanced Licensing (SALT) Toolkit
## CVE Details
- **CVE ID:** CVE-2025-40801
- **CVSS Score:** 9.2 (Critical) - CVSS v4.0 / 8.1 (High) - CVSS v3.1
- **CWE:** CWE-295: Improper Certificate Validation
## Affected Systems
- **Products & Versions:**
  - **NX V2412:** All versions < V2412.8900 (with Cloud Entitlement/NX X)
  - **NX V2506:** All versions < V2506.6000 (with Cloud Entitlement/NX X)
  - **Simcenter 3D:** All versions < V2506.6000 (with Simcenter X Mechanical)
  - **Simcenter Femap:** All versions < V2506.0002 (with Simcenter X Mechanical)
  - **Tecnomatix Plant Simulation:** All versions < V2504.0007
  - **COMOS V10.6:** All versions
  - **Simcenter Studio:** All versions
  - **Simcenter System Architect:** All versions
  - **JT Bi-Directional Translator for STEP:** All versions
- **Configurations:** The flaw is exercised when the SALT SDK establishes a TLS connection to the licensing authorization server; for NX, Simcenter 3D and Simcenter Femap the advisory scopes this to the Cloud Entitlement (NX X / Simcenter X Mechanical) configurations noted above.
## Vulnerability Description
The Siemens Advanced Licensing (SALT) SDK does not validate the server certificate when it establishes a TLS connection to the authorization server. The client therefore accepts any certificate the peer presents, including a self-signed certificate or one issued for a different name, so the TLS handshake gives no assurance about who is on the other end. An unauthenticated attacker who can place themselves between the client and the licensing server can terminate the TLS session with their own certificate, read and alter the licensing exchange, and relay it to the real server without the client noticing.
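To make the CWE-295 condition concrete, the following is an added illustration (not Siemens' SDK code, whose language and API the advisory does not disclose): the TLS-client configuration that accepts any certificate, next to the hardened configuration a licensing client should use, and the subjectAltName check that "issued for a different name" refers to. The host name, port and CA bundle path are placeholders, not real Siemens endpoints.

```python
"""Added example (not Siemens code): insecure vs. hardened TLS client
setup for a licensing client, plus the host-name check that certificate
validation must perform.  LICENSING_HOST/LICENSING_PORT and the ca_bundle
path are assumed placeholders."""
import socket
import ssl
from typing import Optional

LICENSING_HOST = "licensing.example.invalid"  # assumed placeholder, not a Siemens endpoint
LICENSING_PORT = 443


def insecure_client_context() -> ssl.SSLContext:
    """Vulnerable pattern: the chain is never checked against a trust store
    and the name on the certificate is never compared to the host, so a
    MitM can terminate the session with any certificate it likes."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    ctx.check_hostname = False
    ctx.verify_mode = ssl.CERT_NONE
    return ctx


def hardened_client_context(ca_bundle: Optional[str] = None) -> ssl.SSLContext:
    """Hardened pattern: require a chain to a trusted CA, require the name
    on the certificate to match the host we asked for, refuse TLS < 1.2.
    If ca_bundle (assumed path) is given, trust only that CA rather than
    every root in the system store."""
    if ca_bundle is not None:
        ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)  # starts with an empty trust store
        ctx.load_verify_locations(cafile=ca_bundle)
    else:
        ctx = ssl.create_default_context(purpose=ssl.Purpose.SERVER_AUTH)
    ctx.minimum_version = ssl.TLSVersion.TLSv1_2
    ctx.verify_mode = ssl.CERT_REQUIRED
    ctx.check_hostname = True
    return ctx


def context_is_hardened(ctx: ssl.SSLContext) -> bool:
    """Audit helper: True only if the context validates the chain, checks
    the host name and refuses TLS versions below 1.2."""
    return (ctx.verify_mode == ssl.CERT_REQUIRED
            and bool(ctx.check_hostname)
            and ctx.minimum_version >= ssl.TLSVersion.TLSv1_2)


def _label_matches(pattern: str, hostname: str) -> bool:
    """RFC 6125-style match of one dNSName pattern against a host name:
    case-insensitive; a '*' is accepted only as the entire leftmost label,
    matches exactly one label, and must leave at least two fixed labels
    (so '*.example.invalid' is fine, '*.invalid' is not)."""
    p = pattern.lower().rstrip(".").split(".")
    h = hostname.lower().rstrip(".").split(".")
    if len(p) != len(h) or "" in h:
        return False
    if p[0] == "*":
        return len(p) >= 3 and p[1:] == h[1:]
    return p == h


def hostname_matches(cert: dict, hostname: str) -> bool:
    """Check a certificate (dict form as returned by getpeercert()) against
    the host we connected to.  Only subjectAltName dNSName entries count;
    a certificate with no SAN is rejected even if its CN matches."""
    sans = [value for kind, value in cert.get("subjectAltName", ()) if kind == "DNS"]
    return any(_label_matches(san, hostname) for san in sans)


def fetch_peer_certificate(ctx: ssl.SSLContext, host: str = LICENSING_HOST,
                           port: int = LICENSING_PORT) -> dict:
    """Connect with the given context and return the peer certificate.
    With the insecure context the handshake succeeds against any server
    and getpeercert() returns {}: the client trusted a certificate it
    never even parsed for names.  (Needs network; not run by the tests.)"""
    with socket.create_connection((host, port), timeout=10) as raw:
        with ctx.wrap_socket(raw, server_hostname=host) as tls:
            return tls.getpeercert()


if __name__ == "__main__":
    wildcard = {"subjectAltName": (("DNS", "*.example.invalid"),)}
    print("insecure hardened?", context_is_hardened(insecure_client_context()))
    print("hardened hardened?", context_is_hardened(hardened_client_context()))
    print(hostname_matches(wildcard, "licensing.example.invalid"))   # True
    print(hostname_matches(wildcard, "a.b.example.invalid"))         # False
```

The audit helper is the part worth keeping: run it against every `SSLContext` a licensing client builds, because the vulnerable configuration is two attribute assignments away from the safe one and does not fail loudly.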
## Exploitation
- **Status:** Not currently reported as exploited in the wild; no public PoC listed in the advisory.
- **Complexity:** High in CVSS v3.1, because the attacker must first obtain a man-in-the-middle position between the client and the licensing server. CVSS v4.0 has no Medium attack-complexity value; it scores that precondition as an Attack Requirement instead.
- **Attack Vector:** Network
## Impact
- **Confidentiality:** High (the attacker reads the licensing traffic in plaintext, including any credentials it carries).
- **Integrity:** High (the attacker can modify requests and responses between the client and the server).
- **Availability:** High (the attacker can block or corrupt responses and so disrupt the licensing process).
## Remediation
### Patches
Siemens recommends updating to the following versions where available:
- **NX V2412:** Update to V2412.8900 or later.
- **NX V2506:** Update to V2506.6000 or later.
- **Simcenter 3D:** Update to V2506.6000 or later.
- **Simcenter Femap:** Update to V2506.0002 or later.
- **Tecnomatix Plant Simulation:** Update to V2504.0007 or later.
### Workarounds
For products where no fix is currently available (COMOS V10.6, Simcenter Studio, Simcenter System Architect, JT Bi-Directional Translator for STEP), Siemens advises:
- Protect network access to the affected systems with appropriate security mechanisms.
- Segment networks so that the systems operate in a protected IT environment.
- Follow Siemens' operational guidelines for Industrial Security.
These measures lower the chance that an attacker reaches a man-in-the-middle position; they do not make the client validate certificates, so any path the licensing traffic takes through a network the attacker can influence remains exposed until a fixed version is installed.
## Detection
- **Indicators of Compromise:** Because the vulnerable client accepts any certificate, it raises no error itself; evidence has to come from the network. Look for licensing or cloud-entitlement traffic from workstations being redirected to hosts other than the known licensing endpoints, and for intercepting proxies in that path.
- **Detection Methods:** Log or capture the TLS handshakes to the licensing endpoints and check the server certificate presented: an issuer outside the expected CA, a self-signed certificate, or a name that does not match the requested host indicates interposition. The check has to be done on the sensor side, since the client will not do it.
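The detection method above, as an added example that is not part of the advisory: a pass over TLS connection logs that flags licensing sessions whose server certificate the client should have rejected. The records are constructed here in a Zeek `ssl.log`-like JSON shape (real Zeek field names, made-up values); the licensing host names and the expected issuer are assumptions to replace with your own.

```python
"""Added example (not from the advisory): flag licensing-endpoint TLS
sessions whose server certificate looks interposed.  LICENSING_HOSTS and
EXPECTED_ISSUERS are assumed values; SAMPLE_LOG is constructed."""
import json
from typing import Iterable

# Assumed: the SNI names the licensing client connects to, and the DN(s)
# of the CA(s) their certificates are known to chain to.
LICENSING_HOSTS = {"licensing.example.invalid", "entitlement.example.invalid"}
EXPECTED_ISSUERS = {"CN=Example Issuing CA,O=Example Org,C=US"}

# Constructed sample records in Zeek ssl.log JSON form (one object per line).
SAMPLE_LOG = """\
{"ts":1700000000.1,"uid":"C1","id.orig_h":"10.1.2.10","id.resp_h":"198.51.100.5","server_name":"licensing.example.invalid","subject":"CN=licensing.example.invalid,O=Example Org,C=US","issuer":"CN=Example Issuing CA,O=Example Org,C=US","validation_status":"ok"}
{"ts":1700000001.2,"uid":"C2","id.orig_h":"10.1.2.11","id.resp_h":"10.1.2.250","server_name":"licensing.example.invalid","subject":"CN=licensing.example.invalid","issuer":"CN=licensing.example.invalid","validation_status":"self signed certificate"}
{"ts":1700000002.3,"uid":"C3","id.orig_h":"10.1.2.12","id.resp_h":"10.1.2.251","server_name":"entitlement.example.invalid","subject":"CN=entitlement.example.invalid,O=Example Org,C=US","issuer":"CN=Intercept Proxy CA,O=Vendor X","validation_status":"ok"}
{"ts":1700000003.4,"uid":"C4","id.orig_h":"10.1.2.13","id.resp_h":"203.0.113.9","server_name":"licensing.example.invalid","subject":"CN=other-host.example.invalid,O=Example Org,C=US","issuer":"CN=Example Issuing CA,O=Example Org,C=US","validation_status":"ok"}
{"ts":1700000004.5,"uid":"C5","id.orig_h":"10.1.2.14","id.resp_h":"93.184.216.34","server_name":"www.example.com","subject":"CN=www.example.com","issuer":"CN=Some Public CA","validation_status":"ok"}
"""


def cn_of(dn: str) -> str:
    """Return the lower-cased CN attribute of a comma-separated DN string
    ('' if absent).  Good enough for Zeek's subject/issuer fields."""
    for part in dn.split(","):
        key, _, value = part.strip().partition("=")
        if key.strip().upper() == "CN":
            return value.strip().lower()
    return ""


def check_record(rec: dict) -> list:
    """Reasons (possibly none) why one TLS record to a licensing endpoint
    looks like an interposed server.  Non-licensing traffic is ignored."""
    sni = rec.get("server_name", "").lower()
    if sni not in LICENSING_HOSTS:
        return []
    subject = rec.get("subject", "")
    issuer = rec.get("issuer", "")
    status = rec.get("validation_status", "")
    reasons = []
    if status != "ok":
        reasons.append(f"chain did not validate: {status}")
    if subject and subject == issuer:
        reasons.append("self-signed certificate")
    # An issuer the sensor trusts (e.g. a corporate interception CA) still
    # validates as "ok", so the issuer allow-list is the decisive check.
    if issuer not in EXPECTED_ISSUERS:
        reasons.append(f"unexpected issuer: {issuer}")
    # Zeek's subject field carries only the DN; SANs live in x509.log, so a
    # CN mismatch is a lead to confirm there rather than proof on its own.
    if cn_of(subject) != sni:
        reasons.append(f"name mismatch: SNI {sni} vs CN {cn_of(subject)}")
    return reasons


def scan(lines: Iterable[str]) -> dict:
    """Map uid -> reasons for every flagged record in the given log lines."""
    findings = {}
    for line in lines:
        line = line.strip()
        if not line:
            continue
        rec = json.loads(line)
        reasons = check_record(rec)
        if reasons:
            findings[rec["uid"]] = reasons
    return findings


if __name__ == "__main__":
    for uid, reasons in scan(SAMPLE_LOG.splitlines()).items():
        print(uid, "->", "; ".join(reasons))
```

Of the constructed records, C2 is the classic on-path attacker with a self-signed certificate, C3 is an interception proxy whose CA the sensor happens to trust (only the issuer allow-list catches it), and C4 is a certificate from the right CA but for the wrong host; C1 is clean and C5 is unrelated traffic that the scan skips.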
## References
- **Vendor Advisory:** [https://cert-portal.siemens.com/productcert/pdf/ssa-710408.pdf](https://cert-portal.siemens.com/productcert/pdf/ssa-710408.pdf)
- **Siemens Industrial Security Guidelines:** [https://www.siemens.com/cert/operational-guidelines-industrial-security](https://www.siemens.com/cert/operational-guidelines-industrial-security)