PatchSiren cyber security CVE debrief

CVE-2025-40891 Siemens CVE debrief

CVE-2025-40891 is a medium-severity stored HTML injection issue in the Time Machine Snapshot Diff feature of Siemens RUGGEDCOM APE1808 devices. According to the advisory, an unauthenticated attacker can send specially crafted network packets at two different times so that HTML tags are stored across snapshots. If a victim later opens the specific snapshot diff view and performs the required GUI actions, the injected HTML can render in the browser. The reported impact is mainly phishing and open redirect abuse; full XSS is limited by input validation and Content Security Policy.

Vendor: Siemens
Product: RUGGEDCOM APE1808
CVSS: MEDIUM 4.7
CISA KEV: Not listed in stored evidence
Original CVE published: 2026-01-13
Original CVE updated: 2026-05-14
Advisory published: 2026-01-13
Advisory updated: 2026-05-14

Who should care

Operators and defenders responsible for Siemens RUGGEDCOM APE1808 deployments, especially teams that use the Time Machine Snapshot Diff feature and review snapshot comparisons in a browser. Security teams should also care because exploitation is unauthenticated, network-delivered, and depends on later user interaction.

Technical summary

The source advisory describes a stored HTML injection in snapshot-diff processing caused by improper validation of network traffic data. An attacker can influence asset attributes by sending packets at two separate times, creating malicious HTML that persists across two snapshots. Exploitation requires a victim to access the Time Machine Snapshot Diff feature for those snapshots and perform specific GUI actions before rendering occurs. The advisory states that input validation and Content Security Policy prevent full XSS, which is consistent with the supplied CVSS vector AV:N/AC:H/PR:N/UI:R/S:C/C:L/I:L/A:N and CWE-79 linkage.
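The mechanism the advisory describes, attacker-influenced asset attributes flowing from observed traffic into a snapshot diff that is rendered as HTML, can be illustrated with a small diff renderer. The code below is an added example written for this debrief; it is not Siemens or RUGGEDCOM code and makes no claim about how the Time Machine feature is implemented. The snapshot dictionaries, asset names and attribute values are constructed, and the two render functions are hypothetical: one interpolates attribute values straight into HTML (the defect class the advisory names), the other escapes them at the output boundary and additionally rejects attribute values at ingest that carry angle brackets, which is the kind of input validation the advisory credits with limiting the impact.

```python
import html
import re

# Constructed sample snapshots taken at two different times. Each maps an
# asset id to attributes derived from observed traffic. The second snapshot's
# hostname is a constructed value containing markup, standing in for an
# attribute an unauthenticated sender could influence.
SNAPSHOT_T1 = {"asset-01": {"hostname": "plc-north", "vendor": "ACME"}}
SNAPSHOT_T2 = {
    "asset-01": {
        "hostname": 'plc-north<a href="https://example.invalid/login">sign in</a>',
        "vendor": "ACME",
    }
}

# Tags the renderer itself emits; anything else in the output is foreign.
RENDERER_TAGS = {"table", "tr", "td"}
TAG_NAME_RE = re.compile(r"<\s*/?\s*([a-zA-Z][a-zA-Z0-9]*)")


def diff_attributes(before, after):
    """Return (asset_id, attribute, old, new) for every attribute that changed
    between two snapshots, in a deterministic order."""
    changes = []
    for asset_id in sorted(set(before) | set(after)):
        old_attrs = before.get(asset_id, {})
        new_attrs = after.get(asset_id, {})
        for key in sorted(set(old_attrs) | set(new_attrs)):
            old, new = old_attrs.get(key, ""), new_attrs.get(key, "")
            if old != new:
                changes.append((asset_id, key, old, new))
    return changes


def render_diff_vulnerable(changes):
    """Hypothetical defective renderer: values are interpolated verbatim, so
    markup stored in an attribute becomes part of the page."""
    rows = [
        f"<tr><td>{a}</td><td>{k}</td><td>{o}</td><td>{n}</td></tr>"
        for a, k, o, n in changes
    ]
    return "<table>" + "".join(rows) + "</table>"


def validate_attribute(value):
    """Ingest-time validation (hypothetical policy): refuse attribute values
    that contain angle brackets rather than storing them across snapshots."""
    if "<" in value or ">" in value:
        raise ValueError("attribute value contains markup characters")
    return value


def render_diff_hardened(changes):
    """Hardened renderer: every value is HTML-escaped at the output boundary,
    so stored text is displayed as text regardless of what it contains."""
    rows = [
        "<tr>" + "".join(f"<td>{html.escape(str(v))}</td>" for v in row) + "</tr>"
        for row in changes
    ]
    return "<table>" + "".join(rows) + "</table>"


def has_unexpected_tags(rendered):
    """Defender-side check on rendered output: True if any tag name appears
    that the renderer itself does not emit."""
    found = {m.group(1).lower() for m in TAG_NAME_RE.finditer(rendered)}
    return bool(found - RENDERER_TAGS)


if __name__ == "__main__":
    changes = diff_attributes(SNAPSHOT_T1, SNAPSHOT_T2)
    print("vulnerable output carries foreign tags:",
          has_unexpected_tags(render_diff_vulnerable(changes)))
    print("hardened output carries foreign tags:",
          has_unexpected_tags(render_diff_hardened(changes)))
```

The two layers are deliberately independent: escaping at render time protects the viewer even if a bad value was already stored in an older snapshot, while ingest validation keeps such values from persisting across snapshots in the first place, which is the "two different times" condition the advisory depends on.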

Defensive priority

Moderate priority. The issue is network-reachable and unauthenticated, but it has high attack complexity and requires user interaction plus specific workflow conditions. Prioritize remediation for environments where the snapshot diff feature is used operationally.

Recommended defensive actions

  • Apply the vendor remediation path listed in the advisory and update affected systems as directed by Siemens support.
  • Restrict access to management and monitoring interfaces so only trusted administrators can reach the snapshot diff workflow.
  • Review whether the Time Machine Snapshot Diff feature is necessary in production and disable or limit it where operationally feasible.
  • Educate operators that snapshot comparison views can render attacker-influenced HTML and should be treated as untrusted content until patched.
  • Monitor for unusual or repeated network traffic patterns that align with the advisory’s two-stage packet condition.
  • Validate that browser and platform protections such as Content Security Policy remain enabled after remediation.
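The last action above asks that Content Security Policy stay in force after remediation. Since the advisory credits CSP with keeping this issue at HTML injection rather than full XSS, a post-patch check should confirm not just that the header is present but that its script and form directives are restrictive. The following is an added example for this debrief, not code from Siemens or from the advisory: a small CSP header parser with a checker that reports weak or missing directives, run over constructed response headers. The directive policy it enforces (no `'unsafe-inline'` in script sources, `form-action` and `base-uri` present) is a reasonable baseline, not a statement of what the vendor fix ships.

```python
def parse_csp(header_value):
    """Parse a Content-Security-Policy value into {directive: [sources]}."""
    directives = {}
    for part in header_value.split(";"):
        tokens = part.strip().split()
        if tokens:
            directives[tokens[0].lower()] = tokens[1:]
    return directives


def csp_findings(headers):
    """Return a list of findings for a response header mapping (header names
    compared case-insensitively). An empty list means the baseline is met."""
    lowered = {k.lower(): v for k, v in headers.items()}
    csp = lowered.get("content-security-policy")
    if csp is None:
        return ["Content-Security-Policy header missing"]

    findings = []
    d = parse_csp(csp)
    # script-src falls back to default-src when absent, as browsers do.
    script = d.get("script-src", d.get("default-src"))
    if script is None:
        findings.append("neither script-src nor default-src is set")
    else:
        if "'unsafe-inline'" in script:
            findings.append("script sources allow 'unsafe-inline'")
        if "*" in script:
            findings.append("script sources allow any origin")
    # Injected HTML forms are the phishing vector the advisory names;
    # form-action limits where such a form may submit.
    if "form-action" not in d:
        findings.append("form-action not restricted")
    if "base-uri" not in d:
        findings.append("base-uri not restricted")
    return findings


# Constructed header sets for a pre- and post-remediation comparison.
WEAK_HEADERS = {
    "content-security-policy": "default-src *; script-src 'self' 'unsafe-inline'"
}
BASELINE_HEADERS = {
    "Content-Security-Policy": (
        "default-src 'self'; script-src 'self'; "
        "form-action 'self'; base-uri 'self'"
    )
}

if __name__ == "__main__":
    for label, hdrs in (("weak", WEAK_HEADERS), ("baseline", BASELINE_HEADERS)):
        print(label, csp_findings(hdrs) or "ok")
```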

Evidence notes

Based on the CISA CSAF advisory ICSA-26-015-07 and the linked Siemens ProductCERT advisory SSA-827968. The supplied corpus states: stored HTML injection in Time Machine Snapshot Diff; unauthenticated network attacker; two different packet timings; victim must use the specific snapshot diff feature and GUI actions; rendered HTML can enable phishing and open redirect; full XSS is prevented by input validation and Content Security Policy. The supplied CVSS vector is CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:C/C:L/I:L/A:N with score 4.7. The corpus also contains a remediation entry that says "Upgrade Nozomi Guardian to v26.2.0. Contact customer support to receive patch and update information," which is preserved here as source evidence even though the advisory title identifies Siemens RUGGEDCOM APE1808 devices.

Official resources

CVE published in the source corpus on 2026-01-13 and last modified on 2026-05-14. The CISA advisory revision history shows initial publication on 2026-01-13 and later republication updates through 2026-05-14.