PatchSiren cyber security CVE debrief
CVE-2025-40893 Siemens CVE debrief
CVE-2025-40893 is a stored HTML injection issue in Siemens RUGGEDCOM APE1808 Asset List handling. An unauthenticated attacker can send crafted network traffic that causes HTML tags to be stored in asset attributes. When a user later views affected assets, the injected HTML can render in the browser and may support phishing or open redirect abuse. CISA published the advisory on 2026-01-13 and last updated it on 2026-05-14; the vulnerability is not listed in CISA KEV.
- Vendor
- Siemens
- Product
- RUGGEDCOM APE1808
- CVSS
- MEDIUM 6.1
- CISA KEV
- Not listed in stored evidence
- Original CVE published
- 2026-01-13
- Original CVE updated
- 2026-05-14
- Advisory published
- 2026-01-13
- Advisory updated
- 2026-05-14
Who should care
Organizations operating Siemens RUGGEDCOM APE1808 devices, especially teams responsible for OT monitoring, asset inventory, and web-based operator consoles. Security teams should care because the attack does not require authentication and affects user-facing asset views.
Technical summary
The issue is described as improper validation of network traffic data that reaches the Asset List feature. Because attacker-controlled content can be stored in asset attributes, later rendering in the browser can include injected HTML. The advisory says full XSS exploitation and direct information disclosure are mitigated by existing input validation and Content Security Policy, but the stored HTML injection still creates a browser-side trust issue with phishing and possible open redirect impact. The published CVSS vector is AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N, scoring 6.1.
Defensive priority
Medium priority. The issue is remotely reachable and unauthenticated, but user interaction is required and the advisory notes mitigations that limit impact. Remediation should still be scheduled promptly for exposed or operationally sensitive deployments.
Recommended defensive actions
- Upgrade to the vendor-fixed release identified in the advisory and verify the patch path with Siemens support.
- Review any asset inventory or list views that render network-derived fields and confirm server-side output encoding is consistently applied.
- Validate that the configured Content Security Policy remains in place and has not been weakened by local customization.
- Check for suspicious asset names, labels, or metadata containing unexpected HTML markup or redirects.
- Restrict administrative and operator access to affected web interfaces while remediation is pending.
- Monitor user reports of unexpected prompts, redirects, or impersonation content in asset views.
Evidence notes
Source corpus states the vulnerability is a stored HTML injection in Asset List due to improper validation of network traffic data, with unauthenticated packet-based delivery and browser rendering on later view. The CVSS vector in the source is CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N, yielding 6.1 Medium. The advisory was published on 2026-01-13 and revised on 2026-05-14. The source corpus also links CWE-79 as the relevant weakness class. No KEV entry is present in the supplied enrichment.
Official resources
-
CVE-2025-40893 CVE record
CVE.org
-
CVE-2025-40893 NVD detail
NVD
-
Source item URL
cisa_csaf
-
Source reference
Reference
-
Source reference
Reference
-
Source reference
Reference
-
Source reference
Reference
-
Source reference
Reference
-
Source reference
Reference
-
Source reference
Reference
CISA published the advisory on 2026-01-13 and last updated it on 2026-05-14. The supplied enrichment does not mark this CVE as CISA KEV-listed.