CVE-2025-40587 is a stored cross-site scripting (XSS) vulnerability identified in Siemens Polarion versions prior to V2404.5 and V2410.2. The vulnerability arises from improper neutralization of input during web page generation (CWE-79), specifically allowing arbitrary JavaScript code injection into document titles. An authenticated remote attacker can craft malicious document titles containing JavaScript payloads that execute in the browsers of other users who view these documents. This stored XSS can lead to the theft of sensitive information such as session cookies, enabling session hijacking, or can be used to perform actions on behalf of the victim user within the application context. The vulnerability requires the attacker to have valid credentials and for the victim to interact by viewing the malicious document title, which limits the attack surface but still poses a significant risk in collaborative environments. The CVSS 3.1 base score of 7.6 reflects a high severity due to network attack vector, low attack complexity, required privileges, and user interaction, with high confidentiality impact and limited integrity impact. No public exploits are known yet, but the vulnerability is published and should be considered a priority for remediation. Siemens has not yet provided patch links, so organizations must monitor for updates or apply interim mitigations.

For European organizations, this vulnerability poses a considerable risk to confidentiality and user trust within collaborative engineering and product lifecycle management environments that use Siemens Polarion. Exploitation could lead to unauthorized disclosure of sensitive project data, session hijacking, and potential lateral movement within corporate networks. Given the collaborative nature of Polarion, malicious scripts could propagate among users, amplifying the impact. Industrial, manufacturing, and engineering firms relying on Siemens software are particularly at risk, as compromised project data could affect intellectual property and operational security. The requirement for authentication limits exposure to internal or partner users, but insider threats or compromised credentials could facilitate exploitation. The vulnerability does not affect availability but could undermine data integrity indirectly through session compromise. European organizations must consider the potential regulatory implications under GDPR if personal data is exposed via XSS attacks.

1. Apply official Siemens patches immediately once released for versions prior to V2404.5 and V2410.2. 2. Until patches are available, restrict user permissions to limit who can create or edit document titles, minimizing the risk of malicious input. 3. Implement strict input validation and sanitization on document titles to neutralize script injection vectors. 4. Deploy Content Security Policy (CSP) headers to restrict execution of inline scripts and reduce XSS impact. 5. Educate users to be cautious when viewing documents from less trusted collaborators. 6. Monitor logs for unusual activity related to document title changes or user sessions. 7. Consider network segmentation to limit access to Polarion environments. 8. Enforce strong authentication mechanisms and monitor for compromised credentials to reduce attacker foothold. 9. Regularly review and update security configurations of the Polarion platform.