PatchSiren

PatchSiren cyber security CVE debrief

CVE-2025-40800 Siemens CVE debrief

CVE-2025-40800 affects Siemens COMOS, where the IAM client does not validate the server certificate when establishing TLS connections to the authorization server. That weakness can let an attacker in the network path perform a man-in-the-middle attack against authentication traffic. CISA’s CSAF republication identifies affected COMOS product lines and points to Siemens’ remediation: update to V10.6.1 or later.

Vendor: Siemens
Product: COMOS V10.4
CVSS: HIGH 7.4
CISA KEV: Not listed in stored evidence
Original CVE published: 2025-12-09
Original CVE updated: 2026-03-12
Advisory published: 2025-12-09
Advisory updated: 2026-03-12

Who should care

Siemens COMOS administrators, OT/industrial system owners, and teams responsible for IAM, certificate trust, and TLS-protected authorization flows in affected environments.

Technical summary

The advisory describes a server-certificate validation failure in the IAM client during TLS setup to the authorization server. Because the client does not properly authenticate the server certificate, a network attacker can intercept or alter the TLS session and potentially influence authentication exchanges. The supplied CVSS vector is CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:N, rated 7.4 High.
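To make the flaw class concrete, the following added example (not Siemens COMOS code, and not drawn from the advisory) shows, with Python's standard ssl module, a TLS client context that negotiates encryption but never authenticates the server, beside a hardened context that validates the certificate chain and hostname, plus a small audit function a reviewer can run against any client context before it is allowed to reach an authorization server. The helper names (insecure_client_context, hardened_client_context, audit_client_context, require_verifying_context, open_authorization_connection) and the idea of pinning to a private CA file are assumptions of this example.

```python
"""Illustration of missing server-certificate validation in a TLS client,
and of the hardened form. Added example; generic, not COMOS code."""
import socket
import ssl
from typing import List, Optional


def insecure_client_context() -> ssl.SSLContext:
    """The vulnerable pattern: TLS is negotiated, but the peer is never
    authenticated, so any on-path host can present any certificate and
    terminate the session in the client's name."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    ctx.check_hostname = False        # must be cleared before CERT_NONE
    ctx.verify_mode = ssl.CERT_NONE   # accept any certificate from any issuer
    return ctx


def hardened_client_context(cafile: Optional[str] = None) -> ssl.SSLContext:
    """Verifies the chain against a trust store and binds the certificate to
    the server name. create_default_context loads the system store only when
    no cafile is given, so passing a private CA file pins trust to that CA
    (assumed deployment choice, not an advisory requirement)."""
    ctx = ssl.create_default_context(cafile=cafile)
    ctx.minimum_version = ssl.TLSVersion.TLSv1_2
    return ctx


def audit_client_context(ctx: ssl.SSLContext) -> List[str]:
    """Return the findings a reviewer would raise; an empty list is a pass."""
    findings = []
    if ctx.verify_mode != ssl.CERT_REQUIRED:
        findings.append("verify_mode is not CERT_REQUIRED: server chain is not validated")
    if not ctx.check_hostname:
        findings.append("check_hostname is False: certificate is not bound to the server name")
    if ctx.minimum_version < ssl.TLSVersion.TLSv1_2:
        findings.append("minimum_version permits protocol versions below TLS 1.2")
    return findings


def require_verifying_context(ctx: ssl.SSLContext) -> ssl.SSLContext:
    """Guard: refuse to use a context that would not authenticate the peer."""
    findings = audit_client_context(ctx)
    if findings:
        raise ValueError("refusing to contact authorization server: " + "; ".join(findings))
    return ctx


def open_authorization_connection(host: str, port: int, ctx: ssl.SSLContext) -> ssl.SSLSocket:
    """Hypothetical connect helper: the guard runs before any socket is wrapped,
    and server_hostname is always supplied so hostname checking can apply."""
    require_verifying_context(ctx)
    raw = socket.create_connection((host, port), timeout=10)
    return ctx.wrap_socket(raw, server_hostname=host)


if __name__ == "__main__":
    for name, ctx in (("insecure", insecure_client_context()),
                      ("hardened", hardened_client_context())):
        print(name, audit_client_context(ctx) or ["ok"])
```

The audit only inspects the context object, so it runs offline and can be dropped into a unit test or a pre-deployment check; the connect helper is where such a check belongs in real code, since a context that passes the audit is the only kind that should ever wrap a socket to the authorization server.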

Defensive priority

High. Prioritize remediation on any affected COMOS deployment because the issue undermines TLS trust on an authorization path and can expose confidentiality and integrity of authentication-related traffic.

Recommended defensive actions

  • Update Siemens COMOS to V10.6.1 or later, as specified in the advisory.
  • Inventory COMOS installations and confirm whether any affected product lines listed in the advisory are deployed.
  • Treat the authorization-server TLS path as a priority remediation target and reduce unnecessary network exposure around that communication channel.
  • Apply CISA ICS recommended practices and defense-in-depth guidance while remediation is underway.

Evidence notes

The source corpus is CISA CSAF advisory ICSA-26-043-03, which republishes Siemens ProductCERT SSA-212953. The advisory description explicitly states that the IAM client is missing server certificate validation while establishing TLS connections to the authorization server, and the remediation entry directs administrators to update to V10.6.1 or later. The supplied metadata lists COMOS V10.4, V10.4.5, V10.5, and V10.6 among the affected product names.

Official resources

Publicly disclosed in CISA’s ICSA-26-043-03 republication of Siemens ProductCERT SSA-212953 on 2025-12-09, with later advisory updates through 2026-03-12.