CVE-2025-40800 PUBLISHED

Assigner: siemens
Reserved: 16.04.2025 Published: 09.12.2025 Updated: 09.12.2025

A vulnerability has been identified in COMOS V10.6 (All versions), COMOS V10.6 (All versions), NX V2412 (All versions < V2412.8700), NX V2506 (All versions < V2506.6000), Simcenter 3D (All versions < V2506.6000), Simcenter Femap (All versions < V2506.0002), Solid Edge SE2025 (All versions < V225.0 Update 10), Solid Edge SE2026 (All versions < V226.0 Update 1). The IAM client in affected products is missing server certificate validation while establishing TLS connections to the authorization server. This could allow an attacker to perform a man-in-the-middle attack.

Metrics

CVSS Vector: CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:H/VI:H/VA:N/SC:N/SI:N/SA:N
CVSS Score: 9.1

Product Status

Vendor Siemens
Product COMOS V10.6
Versions Default: unknown
  • affected from 0 to * (excl.)
Vendor Siemens
Product COMOS V10.6
Versions Default: unknown
  • affected from 0 to * (excl.)
Vendor Siemens
Product NX V2412
Versions Default: unknown
  • affected from 0 to V2412.8700 (excl.)
Vendor Siemens
Product NX V2506
Versions Default: unknown
  • affected from 0 to V2506.6000 (excl.)
Vendor Siemens
Product Simcenter 3D
Versions Default: unknown
  • affected from 0 to V2506.6000 (excl.)
Vendor Siemens
Product Simcenter Femap
Versions Default: unknown
  • affected from 0 to V2506.0002 (excl.)
Vendor Siemens
Product Solid Edge SE2025
Versions Default: unknown
  • affected from 0 to V225.0 Update 10 (excl.)
Vendor Siemens
Product Solid Edge SE2026
Versions Default: unknown
  • affected from 0 to V226.0 Update 1 (excl.)

References

Problem Types

  • CWE-295: Improper Certificate Validation CWE