PatchSiren cyber security CVE debrief
CVE-2025-40745 Siemens CVE debrief
CVE-2025-40745 was published on 2026-04-14 and republished by CISA on 2026-04-21 with Siemens ProductCERT material. The advisory states that affected applications do not properly validate client certificates when connecting to the Analytics Service endpoint. CISA describes the impact as enabling an unauthenticated remote attacker to perform man-in-the-middle attacks. Siemens provides fixed versions for multiple affected product lines, including Siemens Software Center, Simcenter 3D, Simcenter Femap, Simcenter STAR-CCM+, Solid Edge, and Tecnomatix Plant Simulation.
- Vendor: Siemens
- Product: Simcenter 3D (one of several affected product lines; see the summary above)
- CVSS: Low, 3.7
- CISA KEV: Not listed in stored evidence
- Original CVE published: 2026-04-14
- Original CVE updated: 2026-04-21
- Advisory published: 2026-04-14
- Advisory updated: 2026-04-21
Who should care
Security, IT, and engineering teams responsible for the affected Siemens products, especially environments that rely on Analytics Service connectivity and those managing patching for engineering workstations or OT-adjacent systems.
Technical summary
The issue is a client-certificate validation weakness on the Analytics Service endpoint, classified in the advisory as CWE-295 (Improper Certificate Validation). The supplied CVSS 3.1 vector is AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:N/A:N: the endpoint is network-reachable and exploitation needs no privileges or user interaction, but attack complexity is High, consistent with the attacker having to be positioned on the path between the application and the endpoint, and the rated impact is limited to confidentiality (I:N/A:N). Siemens' remediation is version-based: update to the fixed release for each affected product family.
Defensive priority
Medium. The advisory rates the issue Low (CVSS 3.7), but it is unauthenticated and remotely reachable, and a successful man-in-the-middle position can expose affected application traffic to the Analytics Service endpoint; the vector claims no integrity or availability impact. Patch exposed or widely deployed systems first.
Recommended defensive actions
- Inventory affected Siemens installations and confirm whether they use the Analytics Service endpoint.
- Upgrade to the vendor-fixed releases listed in the advisory: Siemens Software Center V3.5.8.2 or later; Simcenter 3D V2506.6000 or later; Simcenter Femap V2506.0002 or later; Simcenter STAR-CCM+ V2602 or later; Solid Edge SE2025 V225.0_Update_13 or later; Solid Edge SE2026 V226.0_Update_04 or later; Tecnomatix Plant Simulation V2504.0008 or later.
- Validate certificate and endpoint configuration after upgrading.
- If immediate patching is not possible, reduce exposure of affected systems and apply ICS defense-in-depth controls such as segmentation and monitoring.
- Use CISA recommended practices to support hardening, monitoring, and change control around engineering systems.
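The inventory and upgrade steps above lend themselves to a script. What follows is an added example, not Siemens or CISA tooling: it compares a host inventory against the fixed versions quoted in this debrief. The inventory rows, hostnames and installed versions are constructed for illustration; the version parsing assumes the "V<major>.<minor>..." and "SE<year> V<n>.<m>_Update_<k>" forms as they appear in the advisory; and any product or Solid Edge branch outside the quoted table is reported as UNKNOWN rather than assumed safe or affected.

```python
import csv
import io
import re

# Fixed versions exactly as quoted on this page from ICSA-26-111-04 /
# SSA-981622. Solid Edge has two supported branches with separate fixes,
# so the key carries the branch.
FIXED_VERSIONS = {
    "Siemens Software Center": "V3.5.8.2",
    "Simcenter 3D": "V2506.6000",
    "Simcenter Femap": "V2506.0002",
    "Simcenter STAR-CCM+": "V2602",
    "Solid Edge SE2025": "V225.0_Update_13",
    "Solid Edge SE2026": "V226.0_Update_04",
    "Tecnomatix Plant Simulation": "V2504.0008",
}

_SE_BRANCH = re.compile(r"\bSE(\d{4})\b")


def version_key(version: str) -> tuple:
    """Map a Siemens-style version string to a tuple of ints for comparison.

    V3.5.8.2 -> (3, 5, 8, 2); V2602 -> (2602,); V225.0_Update_13 -> (225, 0, 13).
    A version with no trailing update field (V225.0) sorts below the same
    version with one, which is the ordering we need for "Update_13 or later".
    """
    nums = tuple(int(n) for n in re.findall(r"\d+", version))
    if not nums:
        raise ValueError(f"no numeric version fields in {version!r}")
    return nums


def normalize(product: str, version: str) -> tuple:
    """Return (advisory key, bare version) for one inventory row.

    For Solid Edge the branch tag (SE2025/SE2026) is moved out of the version
    string and into the key so the row is compared against the right fix.
    """
    product, version = product.strip(), version.strip()
    if product == "Solid Edge":
        m = _SE_BRANCH.search(version)
        if m:
            product = f"Solid Edge SE{m.group(1)}"
            version = version[m.end():].strip()
    return product, version


def triage_row(product: str, version: str) -> str:
    """Classify one installation as OK, UPGRADE, UNKNOWN or REVIEW."""
    key, bare = normalize(product, version)
    fixed = FIXED_VERSIONS.get(key)
    if fixed is None:
        return "UNKNOWN"      # not in the quoted fixed-version list; check SSA-981622
    try:
        installed = version_key(bare)
    except ValueError:
        return "REVIEW"       # version field unusable; verify on the host
    return "OK" if installed >= version_key(fixed) else "UPGRADE"


def triage(inventory_csv: str) -> list:
    """Run triage over a host,product,version CSV (header row required)."""
    rows = csv.DictReader(io.StringIO(inventory_csv))
    return [(r["host"], normalize(r["product"], r["version"])[0],
             triage_row(r["product"], r["version"])) for r in rows]


# Constructed sample inventory; hosts and installed versions are illustrative.
SAMPLE_INVENTORY = """host,product,version
eng-ws-01,Simcenter 3D,V2506.3000
eng-ws-02,Simcenter 3D,V2506.6000
eng-ws-03,Solid Edge,SE2025 V225.0_Update_11
eng-ws-04,Solid Edge,SE2026 V226.0_Update_04
eng-ws-05,Simcenter STAR-CCM+,V2510
eng-ws-06,Siemens Software Center,V3.5.9.0
eng-ws-07,Solid Edge,SE2024 V224.0_Update_02
eng-ws-08,Simcenter Femap,unknown
"""

if __name__ == "__main__":
    for host, key, status in triage(SAMPLE_INVENTORY):
        print(f"{host:10} {key:30} {status}")
```

UNKNOWN and REVIEW rows are the ones to hand to a person: the first means the advisory text on this page gives no fixed version for that product or branch, the second that the inventory source did not record a usable version. Neither should be silently treated as patched.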
Evidence notes
This debrief is based on the supplied CISA CSAF advisory ICSA-26-111-04 and its republished Siemens ProductCERT advisory SSA-981622. The source text explicitly states improper client-certificate validation on the Analytics Service endpoint, possible unauthenticated remote man-in-the-middle attacks, and fixed-version guidance for the affected Siemens products. The supplied advisory also provides the CVSS 3.1 vector AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:N/A:N and CWE-295. No KEV entry is present in the supplied corpus.
Official resources
- CVE-2025-40745 CVE record (CVE.org)
- CVE-2025-40745 NVD detail (NVD)
- Source item URL (cisa_csaf)
CISA published ICSA-26-111-04 on 2026-04-14 and republished it on 2026-04-21 with Siemens ProductCERT content. The supplied corpus does not include KEV listing information for this CVE.