Full Report
Multiple Siemens products are affected by improper certificate validation in IAM Client. This could allow an unauthenticated remote attacker to perform man in the middle attacks. Siemens is preparing fix versions and recommends countermeasures for products where fixes are not, or not yet available.
Analysis Summary
# Vulnerability: Missing Server Certificate Validation in Siemens IAM Client
## CVE Details
- **CVE ID:** CVE-2025-40800
- **CVSS Score:**
- CVSS v4.0: **9.1 (Critical)**
- CVSS v3.1: **7.4 (High)**
- **CWE:** CWE-295: Improper Certificate Validation
## Affected Systems
- **Products:** Various Siemens engineering and design software products utilizing the IAM (Identity and Access Management) Client.
- **Versions:**
- **COMOS V10.6:** All versions
- **NX V2412:** All versions < V2412.8700
- **NX V2506:** All versions < V2506.6000
- **Simcenter 3D:** All versions < V2506.6000
- **Simcenter Femap:** All versions < V2506.0002
- **Solid Edge SE2025:** All versions < V225.0 Update 10
- **Solid Edge SE2026:** All versions < V226.0 Update 1
- **Configurations:** Systems where the IAM client establishes TLS connections to an authorization server for authentication/licensing.
## Vulnerability Description
The IAM client integrated into affected Siemens products fails to properly validate the server certificate during the establishment of TLS connections to the authorization server. Because the client does not verify the authenticity of the server's certificate, it cannot distinguish between the legitimate authorization server and a malicious entity.
## Exploitation
- **Status:** No reports of exploitation in the wild at this time; no public PoC currently listed.
- **Complexity:** Low (CVSS 4.0 Assessment) to High (CVSS 3.1 Assessment). The attacker must position themselves between the client and the server.
- **Attack Vector:** Network (Remote)
## Impact
- **Confidentiality:** High (Attacker can decrypt sensitive transmission data)
- **Integrity:** High (Attacker can modify data in transit)
- **Availability:** None/Low
## Remediation
### Patches
Siemens has released the following updates to address this vulnerability:
- **NX V2412:** Update to V2412.8700 or later
- **NX V2506:** Update to V2506.6000 or later
- **Simcenter 3D:** Update to V2506.6000 or later
- **Simcenter Femap:** Update to V2506.0002 or later
- **Solid Edge SE2025:** Update to V225.0 Update 10 or later
- **Solid Edge SE2026:** Update to V226.0 Update 1 or later
*Note: For COMOS V10.6, no fix is currently available; users should monitor for future updates.*
### Workarounds
- Protect network access to vulnerable devices with appropriate security mechanisms (e.g., VPNs, firewalls).
- Ensure the environment is configured according to Siemens’ operational guidelines for Industrial Security.
- Segregate the authorization traffic into a trusted network segment to minimize the risk of MitM positioning.
## Detection
- **Indicators of Compromise:** Unusual network traffic patterns between IAM clients and authorization servers; presence of self-signed or unexpected certificates in network logs.
- **Detection methods and tools:** Monitoring TLS handshakes via Network Intrusion Detection Systems (NIDS) to verify certificate validation failures or the use of untrusted certificates.
## References
- **Vendor Advisory:** [https://cert-portal.siemens.com/productcert/html/ssa-868571.html]
- **Siemens Operational Guidelines:** [https://www.siemens.com/cert/operational-guidelines-industrial-security]
- **Siemens ProductCERT Advisories:** [https://www.siemens.com/cert/advisories]