Man-in-the-Middle Vulnerability in Siemens COMOS and NX Products
CVE-2025-40800

9.1CRITICAL

Key Information:

Vendor: Siemens
Status: Comos V10.6; Nx V2412; Nx V2506; Simcenter 3d
Vendor: CVE Published:; 9 December 2025

What is CVE-2025-40800?

A significant security flaw has been detected in several Siemens products, where the IAM client fails to validate server certificates during TLS connections to the authorization server. This lack of validation can potentially allow attackers to intercept and manipulate communication between the client and server, making it vulnerable to man-in-the-middle attacks. Users of affected versions must take immediate action to mitigate potential risks associated with this vulnerability.

Affected Version(s)

COMOS V10.6 0

NX V2412 0

References

https://cert-portal.siemens.com/productcert/html/ssa-8685...

https://cert-portal.siemens.com/productcert/html/ssa-2129...

CVSS V4

Score:

9.1

Severity:

CRITICAL

Confidentiality:

High

Integrity:

High

Availability:

None

Attack Vector:

Network

Attack Complexity:

Low

Attack Required:

Physical

Privileges Required:

Undefined

User Interaction:

None

Download the Critical Vulnerability Management Cheat Sheet

Timeline

Vulnerability published
Dec 9, 2025
Vulnerability Reserved
Apr 16, 2025

JSON