CVE-2025-40800

HIGH

COMOS V10.6- Simcenter Femap - SSL/TLS Validation

Title source: llm

Description

A vulnerability has been identified in COMOS V10.6 (All versions < V10.6.1), COMOS V10.6 (All versions < V10.6.1), NX V2412 (All versions < V2412.8700), NX V2506 (All versions < V2506.6000), Simcenter 3D (All versions < V2506.6000), Simcenter Femap (All versions < V2506.0002), Solid Edge SE2025 (All versions < V225.0 Update 10), Solid Edge SE2026 (All versions < V226.0 Update 1). The IAM client in affected products is missing server certificate validation while establishing TLS connections to the authorization server. This could allow an attacker to perform a man-in-the-middle attack.

References (2)

[Vendor Advisory] https://cert-portal.siemens.com/productcert/html/ssa-212953.html

[Vendor Advisory] https://cert-portal.siemens.com/productcert/html/ssa-868571.html

Scores

CVSS v3 7.4

EPSS 0.0003

EPSS Percentile 7.4%

Attack Vector NETWORK

CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:N

CISA SSVC

Vulnrichment

Exploitation none

Automatable no

Technical Impact total

Details

CWE

CWE-295

Status published

Products (7)

Siemens/COMOS V10.6 < V10.6.1

Siemens/NX V2412 < V2412.8700

Siemens/NX V2506 < V2506.6000

Siemens/Simcenter 3D < V2506.6000

Siemens/Simcenter Femap < V2506.0002

Siemens/Solid Edge SE2025 < V225.0 Update 10

Siemens/Solid Edge SE2026 < V226.0 Update 1

Published Dec 09, 2025

Tracked Since Feb 18, 2026