
CVE-2025-40801: CWE-295: Improper Certificate Validation in Siemens COMOS V10.6

Severity: High
Type: Vulnerability
Tags: cve, cve-2025-40801, cwe-295
Published: Tue Dec 09 2025 (12/09/2025, 10:44:24 UTC)
Source: CVE Database V5
Vendor/Project: Siemens
Product: COMOS V10.6

Description

A vulnerability has been identified in COMOS V10.6 (All versions < V10.6.1), COMOS V10.6 (All versions < V10.6.1), JT Bi-Directional Translator for STEP (All versions), NX V2412 (All versions < V2412.8900 with Cloud Entitlement (bundled as NX X)), NX V2506 (All versions < V2506.6000 with Cloud Entitlement (bundled as NX X)), Simcenter 3D (All versions < V2506.6000 with Cloud Entitlement (bundled as Simcenter X Mechanical)), Simcenter Femap (All versions < V2506.0002 with Cloud Entitlement (bundled as Simcenter X Mechanical)), Simcenter Studio (All versions < V2506.0001), Simcenter System Architect (All versions < V2506.0001), Tecnomatix Plant Simulation (All versions < V2504.0007). The SALT SDK is missing server certificate validation while establishing TLS connections to the authorization server. This could allow an attacker to perform a man-in-the-middle attack.

AI-Powered Analysis

Machine-generated threat intelligence

Last updated: 03/10/2026, 19:00:48 UTC

Technical Analysis

CVE-2025-40801 is a vulnerability identified in Siemens COMOS V10.6 (all versions prior to 10.6.1) and several other Siemens products including JT Bi-Directional Translator for STEP, NX V2412 and V2506 with Cloud Entitlement, Simcenter 3D, Simcenter Femap, Simcenter Studio, Simcenter System Architect, and Tecnomatix Plant Simulation. The root cause is improper certificate validation (CWE-295) within the SALT SDK, which is used by these products to establish TLS connections to Siemens authorization servers. Specifically, the SALT SDK does not validate the server's TLS certificate, allowing an attacker positioned on the network path to intercept and manipulate communications via a man-in-the-middle attack. This can lead to exposure or modification of sensitive data, unauthorized commands, or disruption of service. The vulnerability has a CVSS v3.1 score of 8.1, reflecting high impact on confidentiality, integrity, and availability, with network attack vector, no privileges or user interaction required, but high attack complexity. Although no exploits are currently known in the wild, the vulnerability affects critical industrial and engineering software widely used in manufacturing, engineering design, and simulation environments. The lack of certificate validation undermines the fundamental security guarantees of TLS, making this a serious threat to organizations relying on these Siemens products for secure communications with cloud services or authorization servers.

Potential Impact

The vulnerability poses a significant risk to organizations using affected Siemens products, particularly those in industrial, manufacturing, and engineering sectors. Successful exploitation could allow attackers to intercept sensitive data such as design files, intellectual property, or authorization tokens. Attackers could also manipulate communications to inject malicious commands or disrupt normal operations, potentially leading to operational downtime or compromised product integrity. Given the critical nature of these engineering and simulation tools, such disruptions could have cascading effects on production lines, supply chains, and product development cycles. The high CVSS score indicates severe impact on confidentiality, integrity, and availability. Since no authentication or user interaction is required, and the attack can be conducted remotely over the network, the threat surface is broad. Organizations with remote or cloud-connected deployments are particularly vulnerable. The absence of known exploits currently provides a window for proactive mitigation, but the risk of future exploitation remains high.

Mitigation Recommendations

Organizations should immediately identify all instances of affected Siemens products, including COMOS V10.6 and related software with SALT SDK dependencies. The primary mitigation is to upgrade to the fixed versions: COMOS V10.6.1 or later, NX V2412.8900 or later, NX V2506.6000 or later, Simcenter 3D V2506.6000 or later, Simcenter Femap V2506.0002 or later, Simcenter Studio V2506.0001 or later, Simcenter System Architect V2506.0001 or later, and Tecnomatix Plant Simulation V2504.0007 or later. Until patches are applied, organizations should restrict network access to authorization servers to trusted networks only, implement network segmentation to isolate affected systems, and monitor network traffic for signs of man-in-the-middle activity such as unexpected TLS certificate anomalies or unusual traffic patterns. Employing network-level TLS interception detection tools and anomaly-based intrusion detection systems can help identify exploitation attempts. Additionally, organizations should review and harden their TLS configurations and consider deploying endpoint security solutions capable of detecting suspicious network behaviors. Coordination with Siemens support for guidance and updates is recommended. Finally, educating users about the risks of connecting to untrusted networks can reduce exposure.
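
The certificate-anomaly monitoring recommended above can be done as a baseline comparison over observed TLS handshakes to the authorization server. This is an added example, not code from Siemens or from this page; the hostname, record fields, issuers and fingerprints are constructed placeholders.

```python
"""Flag TLS certificate anomalies on connections to an authorization server."""
from dataclasses import dataclass

# Assumption: placeholder hostname; substitute the authorization server
# endpoint that the affected products contact in your environment.
AUTH_SERVER = "auth.example.invalid"


@dataclass(frozen=True)
class Handshake:
    """One observed TLS handshake, e.g. exported from a network sensor."""
    ts: str
    client: str
    sni: str
    cert_sha256: str
    issuer: str


def find_anomalies(records, known_fingerprints, known_issuers):
    """Return (record, reasons) for auth-server handshakes that deviate
    from the baseline. A client that skips certificate validation accepts
    all of these silently, so the network is the place to observe them."""
    findings = []
    for r in records:
        if r.sni.lower() != AUTH_SERVER:
            continue  # only the authorization server is in scope
        reasons = []
        if r.cert_sha256.lower() not in known_fingerprints:
            reasons.append("unknown certificate fingerprint")
        if r.issuer not in known_issuers:
            reasons.append("unexpected issuer")
        if reasons:
            findings.append((r, reasons))
    return findings


# Constructed sample data (not real indicators).
BASELINE_FPS = {"aa" * 32}
BASELINE_ISSUERS = {"CN=Example Public CA"}
SAMPLE = [
    Handshake("2025-12-10T08:00:01Z", "10.0.5.21", AUTH_SERVER, "aa" * 32, "CN=Example Public CA"),
    Handshake("2025-12-10T08:03:17Z", "10.0.5.34", AUTH_SERVER, "bb" * 32, "CN=Example Public CA"),
    Handshake("2025-12-10T08:04:40Z", "10.0.5.34", AUTH_SERVER, "cc" * 32, "CN=proxy.local"),
    Handshake("2025-12-10T08:05:02Z", "10.0.5.21", "other.example.invalid", "dd" * 32, "CN=Other CA"),
]

if __name__ == "__main__":
    for rec, why in find_anomalies(SAMPLE, BASELINE_FPS, BASELINE_ISSUERS):
        print(f"{rec.ts} {rec.client} -> {rec.sni}: {', '.join(why)}")
```

A new fingerprint under a known issuer is often routine certificate rotation and needs only a baseline update after confirmation; a change of issuer on unpatched clients warrants immediate investigation.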


Technical Details

Data Version: 5.2
Assigner Short Name: siemens
Date Reserved: 2025-04-16T08:50:26.973Z
CVSS Version: 3.1
State: PUBLISHED

Threat ID: 6938009029016b16de45fea7

Added to database: 12/9/2025, 10:57:20 AM

Last enriched: 3/10/2026, 7:00:48 PM

Last updated: 3/25/2026, 2:09:01 PM
