CVE-2025-40800

Summary

A vulnerability has been identified in COMOS V10.6 (All versions < V10.6.1), COMOS V10.6 (All versions < V10.6.1), NX V2412 (All versions < V2412.8700), NX V2506 (All versions < V2506.6000), Simcenter 3D (All versions < V2506.6000), Simcenter Femap (All versions < V2506.0002), Solid Edge SE2025 (All versions < V225.0 Update 10), Solid Edge SE2026 (All versions < V226.0 Update 1). The IAM client in affected products is missing server certificate validation while establishing TLS connections to the authorization server. This could allow an attacker to perform a man-in-the-middle attack.

Affected Software

VendorProductVersion RangeStatus
SiemensCOMOS V10.60 < V10.6.1affected
SiemensCOMOS V10.60 < V10.6.1affected
SiemensNX V24120 < V2412.8700affected
SiemensNX V25060 < V2506.6000affected
SiemensSimcenter 3D0 < V2506.6000affected
SiemensSimcenter Femap0 < V2506.0002affected
SiemensSolid Edge SE20250 < V225.0 Update 10affected
SiemensSolid Edge SE20260 < V226.0 Update 1affected

Weaknesses

  • CWE-295: CWE-295: Improper Certificate Validation

ADP Enrichment

CISA ADP Vulnrichment

  • SSVC:
  • Exploitation: none
    • Automatable: no
    • Technical Impact: total

References