PatchSiren

PatchSiren cyber security CVE debrief

CVE-2025-40801 Siemens CVE debrief

CVE-2025-40801 affects Siemens COMOS and is caused by the SALT SDK not validating the server certificate when establishing TLS connections to the authorization server. In the supplied advisory data, that weakness could allow a man-in-the-middle attack against affected connections. Siemens recommends updating to V10.6.1 or later.

Vendor: Siemens
Product: COMOS V10.4
CVSS: HIGH 8.1
CISA KEV: Not listed in stored evidence
Original CVE published: 2025-12-09
Original CVE updated: 2026-03-12
Advisory published: 2025-12-09
Advisory updated: 2026-03-12

Who should care

Organizations running Siemens COMOS versions listed in the advisory, especially administrators and defenders responsible for authentication infrastructure, application connectivity, and patch management.

Technical summary

The issue is a TLS trust failure: the client-side SALT SDK does not properly validate the authorization server certificate during TLS setup. That means a network-positioned attacker may be able to intercept or alter the connection. The supplied CVSS vector is CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H, indicating network reachability, no required privileges, and high potential impact.
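The trust failure described above, illustrated with an added Python example rather than SALT SDK code (the SDK's real API is not in the advisory, so the names below are assumptions): the vulnerable client setup, a partially fixed one that validates the chain but skips hostname checking, the hardened setup, and an audit helper a defender can point at any client SSLContext.

```python
"""Illustrative CWE-295 client patterns; added example, not Siemens/SALT SDK code."""
import ssl
from typing import List, Optional


def insecure_auth_client_context() -> ssl.SSLContext:
    """Vulnerable pattern: TLS is negotiated, but the authorization server's
    certificate is never checked, so a forged certificate is accepted."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    ctx.check_hostname = False        # must be cleared before verify_mode
    ctx.verify_mode = ssl.CERT_NONE   # no chain validation at all
    return ctx


def chain_only_auth_client_context(ca_bundle: Optional[str] = None) -> ssl.SSLContext:
    """Common partial fix: the chain is validated, but the name in the
    certificate is not compared to the server being contacted, so any
    CA-issued certificate (for any host) still passes."""
    ctx = ssl.create_default_context(cafile=ca_bundle)
    ctx.check_hostname = False
    return ctx


def hardened_auth_client_context(ca_bundle: Optional[str] = None) -> ssl.SSLContext:
    """Corrected pattern: chain validated against trusted CAs, hostname
    checked against the certificate, and legacy protocol versions refused.
    ca_bundle is an assumed path to the CA file the deployment trusts."""
    ctx = ssl.create_default_context(cafile=ca_bundle)  # CERT_REQUIRED + hostname check
    ctx.minimum_version = ssl.TLSVersion.TLSv1_2
    return ctx


def audit_client_context(ctx: ssl.SSLContext) -> List[str]:
    """Return the findings that would let a forged server certificate be
    accepted; an empty list means the context enforces validation."""
    findings = []
    if ctx.verify_mode != ssl.CERT_REQUIRED:
        findings.append("verify_mode is not CERT_REQUIRED: server chain is not validated")
    if not ctx.check_hostname:
        findings.append("check_hostname is off: a certificate for any name is accepted")
    if ctx.cert_store_stats()["x509_ca"] == 0:
        findings.append("no CA certificates loaded: chain validation cannot succeed")
    return findings
```

The third finding depends on the CA store of the host running the audit, so a clean result on one machine does not transfer to a deployment with a different trust store.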

Defensive priority

High. The flaw is network-reachable and can affect confidentiality, integrity, and availability, even though the attack complexity is rated high and the issue is not marked as KEV in the supplied data.

Recommended defensive actions

  • Upgrade Siemens COMOS to V10.6.1 or later, per the supplied remediation.
  • Review the Siemens and CISA advisory pages for version-specific fix guidance before scheduling maintenance.
  • Verify whether any affected COMOS installations are using the vulnerable SALT SDK connection path to the authorization server.
  • Prioritize patching exposed or externally reachable management and integration environments first.
  • Apply defense-in-depth controls for industrial/OT environments, including segmented networks and monitoring for anomalous TLS or authorization traffic.

Evidence notes

The supplied CISA CSAF advisory ICSA-26-043-03 for Siemens COMOS states that the SALT SDK is missing server certificate validation while establishing TLS connections to the authorization server, which could allow a man-in-the-middle attack. The advisory was published on 2025-12-09 and later republished/updated, with the latest supplied modification timestamp of 2026-03-12. The remediation field specifies updating to V10.6.1 or later. The supplied product/version data lists COMOS V10.4, V10.4.5, V10.5, and V10.6.

Official resources

Publicly disclosed in the supplied CISA CSAF advisory on 2025-12-09, with later CISA republication updates through 2026-03-12.