Summary
Multiple Siemens applications are affected by improper certificate validation in Siemens Analytics Toolkit. This could allow an unauthenticated remote attacker to perform man-in-the-middle attacks. Siemens has released new versions for the affected products and recommends updating to the latest versions.
The following versions of Siemens Analytics Toolkit are affected:
- Siemens Software Center vers:intdot/<3.5.8.2 (CVE-2025-40745)
- Simcenter 3D vers:intdot/<2506.6000 (CVE-2025-40745)
- Simcenter Femap vers:intdot/<2506.0002 (CVE-2025-40745)
- Simcenter STAR-CCM+ vers:intdot/<2602 (CVE-2025-40745)
- Solid Edge SE2025
- Solid Edge SE2026
- Tecnomatix Plant Simulation vers:intdot/<2504.0008 (CVE-2025-40745)
| CVSS | Vendor | Equipment | Vulnerabilities |
|---|---|---|---|
| v3 3.7 | Siemens | Siemens Analytics Toolkit | Improper Certificate Validation |
Background
- Critical Infrastructure Sectors: Critical Manufacturing
- Countries/Areas Deployed: Worldwide
- Company Headquarters Location: Germany
Vulnerabilities
CVE-2025-40745
Affected applications do not properly validate client certificates when connecting to the Analytics Service endpoint. This could allow an unauthenticated remote attacker to perform man-in-the-middle attacks.
Affected Products
Siemens Analytics Toolkit
- Vendor: Siemens
- Products: Siemens Software Center, Simcenter 3D, Simcenter Femap, Simcenter STAR-CCM+, Solid Edge SE2025, Solid Edge SE2026, Tecnomatix Plant Simulation
- Product status: known_affected
Remediations
- Vendor fix: Update to V225.0 Update 13 or later version (https://support.sw.siemens.com/product/246738425/)
- Vendor fix: Update to V226.0 Update 04 or later version (https://support.sw.siemens.com/product/246738425/)
- Vendor fix: Update to V2504.0008 or later version (https://support.sw.siemens.com/product/297028302/)
- Vendor fix: Update to V2506.0002 or later version (https://support.sw.siemens.com/product/275652363/)
- Vendor fix: Update to V2506.6000 or later version (https://support.sw.siemens.com/product/289054037/)
- Vendor fix: Update to V2602 or later version (https://support.sw.siemens.com/product/226870983/)
- Vendor fix: Update to V3.5.8.2 or later version (https://www.sw.siemens.com/en-US/siemens-software-center/)
Relevant CWE: CWE-295 Improper Certificate Validation
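To find installations that still need these updates, the `vers:intdot/<...>` ranges from the affected-products list can be checked against a software inventory. The following is an added example, not code from Siemens or CISA; the function names, the status labels, the zero-padding rule for versions of different length, and the inventory entries are assumptions made for illustration.

```python
import re

# Affected entries copied from the advisory's list; None = no version range on the page.
AFFECTED = {
    "Siemens Software Center": "vers:intdot/<3.5.8.2",
    "Simcenter 3D": "vers:intdot/<2506.6000",
    "Simcenter Femap": "vers:intdot/<2506.0002",
    "Simcenter STAR-CCM+": "vers:intdot/<2602",
    "Solid Edge SE2025": None,
    "Solid Edge SE2026": None,
    "Tecnomatix Plant Simulation": "vers:intdot/<2504.0008",
}

def parse_intdot(version):
    """Turn '2506.0002' or 'V2506.0002' into the integer tuple (2506, 2)."""
    text = version.strip().lstrip("Vv")
    if not re.fullmatch(r"\d+(\.\d+)*", text):
        raise ValueError(f"not a dot-separated integer version: {version!r}")
    return tuple(int(part) for part in text.split("."))

def less_than(a, b):
    """Compare integer tuples, zero-padding the shorter one (assumption: 2602 == 2602.0)."""
    width = max(len(a), len(b))
    pad = lambda t: t + (0,) * (width - len(t))
    return pad(a) < pad(b)

def triage(product, installed):
    """Return 'affected', 'not-in-range', 'review' (no range given) or 'not-listed'."""
    if product not in AFFECTED:
        return "not-listed"
    constraint = AFFECTED[product]
    if constraint is None:
        return "review"  # listed as affected without a range: check the vendor fix manually
    match = re.fullmatch(r"vers:intdot/<([\d.]+)", constraint)
    if match is None:
        raise ValueError(f"unsupported constraint: {constraint!r}")
    bound = parse_intdot(match.group(1))
    return "affected" if less_than(parse_intdot(installed), bound) else "not-in-range"

if __name__ == "__main__":
    # Constructed inventory rows (product, installed version), for illustration only.
    for product, installed in [("Simcenter Femap", "2506.0001"),
                               ("Simcenter STAR-CCM+", "V2602"),
                               ("Solid Edge SE2025", "225.0")]:
        print(f"{product} {installed}: {triage(product, installed)}")
```

Plain tuple comparison would rank `2602` below `2602.0`, which is why the shorter version is padded before comparing.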
Metrics
| CVSS Version | Base Score | Base Severity | Vector String |
|---|---|---|---|
| 3.1 | 3.7 | LOW | CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:N/A:N |
Acknowledgments
- Siemens ProductCERT reported this vulnerability to CISA.
General Recommendations
As a general security measure, Siemens strongly recommends protecting network access to devices with appropriate mechanisms. In order to ope
[…]