Home

Description

A vulnerability has been identified in COMOS V10.6 (All versions), COMOS V10.6 (All versions), JT Bi-Directional Translator for STEP (All versions), NX V2412 (All versions < V2412.8900 with Cloud Entitlement (bundled as NX X)), NX V2506 (All versions < V2506.6000 with Cloud Entitlement (bundled as NX X)), Simcenter 3D (All versions < V2506.6000 with Cloud Entitlement (bundled as Simcenter X Mechanical)), Simcenter Femap (All versions < V2506.0002 with Cloud Entitlement (bundled as Simcenter X Mechanical)), Simcenter Studio (All versions), Simcenter System Architect (All versions), Tecnomatix Plant Simulation (All versions < V2504.0007). The SALT SDK is missing server certificate validation while establishing TLS connections to the authorization server. This could allow an attacker to perform a man-in-the-middle attack.

PUBLISHED Reserved 2025-04-16 | Published 2025-12-09 | Updated 2025-12-09 | Assigner siemens




HIGH: 8.1CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H
CRITICAL: 9.2CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N

Problem types

CWE-295: Improper Certificate Validation

Product status

Default status
unknown

Any version before *
affected

Default status
unknown

Any version before *
affected

Default status
unknown

Any version before *
affected

Default status
unknown

Any version before V2412.8900
affected

Default status
unknown

Any version before V2506.6000
affected

Default status
unknown

Any version before V2506.6000
affected

Default status
unknown

Any version before V2506.0002
affected

Default status
unknown

Any version before *
affected

Default status
unknown

Any version before *
affected

Default status
unknown

Any version before V2504.0007
affected

References

cert-portal.siemens.com/productcert/html/ssa-710408.html

cert-portal.siemens.com/productcert/html/ssa-212953.html

cve.org (CVE-2025-40801)

nvd.nist.gov (CVE-2025-40801)

Download JSON