Security Vulnerability Report
CVE-2025-40939 CVSS 4.6 MEDIUM

Published: 2025-12-09 16:17:48
Last Modified: 2025-12-16 17:30:28

Description

A vulnerability has been identified in SIMATIC CN 4100 (All versions < V4.0.1). The affected device contains a USB port which allows unauthenticated connections. This could allow an attacker with physical access to the device to trigger a reboot that could cause a denial-of-service condition.

CVSS Details

CVSS Score: 4.6
Severity: MEDIUM
CVSS Vector: CVSS:3.1/AV:P/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H

Configurations (Affected Products)

cpe:2.3:o:siemens:simatic_cn_4100_firmware:*:*:*:*:*:*:*:* - VULNERABLE
cpe:2.3:h:siemens:simatic_cn_4100:-:*:*:*:*:*:*:* - NOT VULNERABLE
SIMATIC CN 4100 < V4.0.1

PoC / Exploit Code

⚠ For Security Research Only
The following code is for security research and authorized testing only.
bash
#!/bin/bash
# CVE-2025-40939 PoC - SIMATIC CN 4100 USB DoS Trigger
# Description: Physical access to USB port can trigger device reboot causing DoS
# Note: This PoC simulates the attack concept for educational purposes only

# Check if running on appropriate system with USB access
if [ ! -d "/dev/bus/usb" ]; then
    echo "[-] USB bus not accessible"
    exit 1
fi

# Target device identification
TARGET_VENDOR="Siemens"
TARGET_PRODUCT="SIMATIC CN 4100"

# USB device enumeration
USB_DEVICES=$(ls -la /dev/bus/usb/ 2>/dev/null)
echo "[*] Enumerating USB devices..."
echo "$USB_DEVICES"

# Note: Actual exploitation requires physical access to the device
# and specific knowledge of the USB protocol used by SIMATIC CN 4100

# Simulated attack sequence
echo "[*] CVE-2025-40939 Attack Simulation"
echo "[*] Target: $TARGET_PRODUCT"
echo "[*] Attack Vector: Physical USB Access"
echo "[*] Impact: Device Reboot -> Denial of Service"

# Attack would involve:
# 1. Physical connection to USB port
# 2. Sending malicious USB commands to trigger reboot
# 3. Device enters DoS state

echo "[!] This is a simulated PoC for CVE-2025-40939"
echo "[!] Physical access to target device is required"
echo "[!] Use only in authorized testing environments"

References

https://cert-portal.siemens.com/productcert/html/ssa-416652.html (Vendor Advisory)

Raw JSON Data

JSON
{"cve": {"id": "CVE-2025-40939", "sourceIdentifier": "[email protected]", "published": "2025-12-09T16:17:47.617", "lastModified": "2025-12-16T17:30:28.147", "vulnStatus": "Analyzed", "cveTags": [], "descriptions": [{"lang": "en", "value": "A vulnerability has been identified in SIMATIC CN 4100 (All versions < V4.0.1). The affected device contains a USB port which allows unauthenticated connections. This could allow an attacker with physical access to the device to trigger reboot that could cause denial of service condition."}], "metrics": {"cvssMetricV40": [{"source": "[email protected]", "type": "Secondary", "cvssData": {"version": "4.0", "vectorString": "CVSS:4.0/AV:P/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X", "baseScore": 5.1, "baseSeverity": "MEDIUM", "attackVector": "PHYSICAL", "attackComplexity": "LOW", "attackRequirements": "NONE", "privilegesRequired": "NONE", "userInteraction": "NONE", "vulnConfidentialityImpact": "NONE", "vulnIntegrityImpact": "NONE", "vulnAvailabilityImpact": "HIGH", "subConfidentialityImpact": "NONE", "subIntegrityImpact": "NONE", "subAvailabilityImpact": "NONE", "exploitMaturity": "NOT_DEFINED", "confidentialityRequirement": "NOT_DEFINED", "integrityRequirement": "NOT_DEFINED", "availabilityRequirement": "NOT_DEFINED", "modifiedAttackVector": "NOT_DEFINED", "modifiedAttackComplexity": "NOT_DEFINED", "modifiedAttackRequirements": "NOT_DEFINED", "modifiedPrivilegesRequired": "NOT_DEFINED", "modifiedUserInteraction": "NOT_DEFINED", "modifiedVulnConfidentialityImpact": "NOT_DEFINED", "modifiedVulnIntegrityImpact": "NOT_DEFINED", "modifiedVulnAvailabilityImpact": "NOT_DEFINED", "modifiedSubConfidentialityImpact": "NOT_DEFINED", "modifiedSubIntegrityImpact": "NOT_DEFINED", "modifiedSubAvailabilityImpact": "NOT_DEFINED", "Safety": "NOT_DEFINED", "Automatable": "NOT_DEFINED", "Recovery": "NOT_DEFINED", "valueDensity": 
"NOT_DEFINED", "vulnerabilityResponseEffort": "NOT_DEFINED", "providerUrgency": "NOT_DEFINED"}}], "cvssMetricV31": [{"source": "[email protected]", "type": "Primary", "cvssData": {"version": "3.1", "vectorString": "CVSS:3.1/AV:P/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H", "baseScore": 4.6, "baseSeverity": "MEDIUM", "attackVector": "PHYSICAL", "attackComplexity": "LOW", "privilegesRequired": "NONE", "userInteraction": "NONE", "scope": "UNCHANGED", "confidentialityImpact": "NONE", "integrityImpact": "NONE", "availabilityImpact": "HIGH"}, "exploitabilityScore": 0.9, "impactScore": 3.6}]}, "weaknesses": [{"source": "[email protected]", "type": "Primary", "description": [{"lang": "en", "value": "CWE-284"}]}], "configurations": [{"operator": "AND", "nodes": [{"operator": "OR", "negate": false, "cpeMatch": [{"vulnerable": true, "criteria": "cpe:2.3:o:siemens:simatic_cn_4100_firmware:*:*:*:*:*:*:*:*", "versionEndExcluding": "4.0.1", "matchCriteriaId": "FF07D3DA-F412-4FBF-BB1B-3C889F74509E"}]}, {"operator": "OR", "negate": false, "cpeMatch": [{"vulnerable": false, "criteria": "cpe:2.3:h:siemens:simatic_cn_4100:-:*:*:*:*:*:*:*", "matchCriteriaId": "92619F5F-3679-4424-9455-3285FF1EF2F1"}]}]}], "references": [{"url": "https://cert-portal.siemens.com/productcert/html/ssa-416652.html", "source": "[email protected]", "tags": ["Vendor Advisory"]}]}}