PatchSiren cyber security CVE debrief
CVE-2025-40894 Siemens CVE debrief
CVE-2025-40894 is a stored HTML injection issue in the Alerted Nodes Dashboard of Siemens RUGGEDCOM APE1808. An authenticated user with the required privileges can place HTML in a node label; if alerts later render that node in the dashboard, the content may appear in another user’s browser and support phishing or an open redirect scenario. The advisory notes that existing input validation and Content Security Policy reduce the impact and help prevent full XSS and direct information disclosure.
- Vendor
- Siemens
- Product
- RUGGEDCOM APE1808
- CVSS
- MEDIUM 4.4
- CISA KEV
- Not listed in stored evidence
- Original CVE published
- 2026-01-13
- Original CVE updated
- 2026-05-14
- Advisory published
- 2026-01-13
- Advisory updated
- 2026-05-14
Who should care
Operators and administrators of Siemens RUGGEDCOM APE1808 environments that use the Alerted Nodes Dashboard, especially where authenticated users can edit node labels or where alert data is routinely viewed by other users.
Technical summary
The source advisory describes a stored HTML injection condition caused by improper validation of an input parameter in the Alerted Nodes Dashboard. The issue requires authentication, specific privileges, and user interaction, and it is scored CVSS 4.4 (AV:N/AC:H/PR:L/UI:R/S:C/C:L/I:L/A:N). The expected impact is limited to browser-side HTML rendering with phishing/open-redirect potential; the source explicitly states that existing validation and CSP mitigate full XSS and direct information disclosure.
Defensive priority
Medium. This is not a high-severity remote takeover issue, but it can still affect user trust and dashboard integrity in environments that expose the affected functionality to multiple users.
Recommended defensive actions
- Apply the vendor-recommended remediation and verify the correct affected product/version before deployment.
- Restrict who can edit node labels and review role assignments for least privilege.
- Treat alert/dashboard content as untrusted input and validate any user-controlled fields that are rendered in the UI.
- Review browser-side protections such as Content Security Policy and confirm they remain enabled and effective.
- Monitor for unexpected HTML or suspicious formatting in node labels and alert views.
- Follow CISA ICS defense-in-depth and recommended-practices guidance for operational monitoring and access control.
Evidence notes
All substantive claims are drawn from the supplied CISA CSAF advisory and its Siemens references. The source states that a malicious authenticated user with required privileges can edit a node label to inject HTML tags, which may render in the Alerted Nodes Dashboard when alerts are reported for that node. It also states that existing input validation and Content Security Policy prevent full XSS exploitation and direct information disclosure. The corpus contains a remediation line naming Nozomi Guardian v26.2.0, which does not match the Siemens RUGGEDCOM APE1808 advisory metadata; that remediation detail should be treated cautiously and verified against the vendor advisory before use.
Official resources
-
CVE-2025-40894 CVE record
CVE.org
-
CVE-2025-40894 NVD detail
NVD
-
Source item URL
cisa_csaf
-
Source reference
Reference
-
Source reference
Reference
-
Source reference
Reference
-
Source reference
Reference
-
Source reference
Reference
-
Source reference
Reference
-
Source reference
Reference
Publicly disclosed in the CISA/Siemens advisory cycle; CVE published 2026-01-13 and last modified 2026-05-14.