PatchSiren cyber security CVE debrief
CVE-2025-40899 Siemens CVE debrief
CVE-2025-40899 is a high-severity stored cross-site scripting issue in the Assets and Nodes functionality. An authenticated user with custom fields privileges can store a malicious custom field value that is later rendered in another user's browser, letting the attacker act in the victim's session and potentially modify data, disrupt availability, or view limited sensitive information. The supplied advisory was first published on 2026-01-13 and updated on 2026-05-14.
- Vendor: Siemens
- Product: RUGGEDCOM APE1808
- CVSS: HIGH 8.9
- CISA KEV: Not listed in stored evidence
- Original CVE published: 2026-01-13
- Original CVE updated: 2026-05-14
- Advisory published: 2026-01-13
- Advisory updated: 2026-05-14
Who should care
Siemens RUGGEDCOM APE1808 operators, OT/ICS administrators, security teams managing Assets and Nodes workflows, and anyone who can create or review custom fields in the affected environment.
Technical summary
The issue is a stored XSS condition caused by improper validation of an input parameter in the Assets and Nodes pages. Exploitation requires authentication and custom fields privileges, but once a payload is stored it executes in the browser context of any later viewer, including users with more privileges than the attacker. The supplied CVSS vector is CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:H/A:H: network-reachable, low attack complexity, low privileges required, user interaction required (the victim has to view the page), changed scope (the impact lands in the victim's browser session rather than in the component that stored the value), low confidentiality impact, and high integrity and availability impact. The corpus also maps the issue to CWE-79 (improper neutralization of input during web page generation).
Defensive priority
High. Treat this as a priority patch and privilege-review item, especially where Assets and Nodes are used by administrators or operators. Stored XSS with browser-session impact can quickly become a data integrity and service availability problem in OT-facing management interfaces.
Recommended defensive actions
- Upgrade to the vendor-fixed release referenced in the advisory: v26.2.0, and follow Siemens customer support guidance for patch and update details.
- Verify the exact affected product and remediation path before change windows: the supplied corpus ties the advisory to Siemens RUGGEDCOM APE1808 while the remediation field names Nozomi Guardian v26.2.0, so confirm which component on the device actually carries the Assets and Nodes interface and which update applies to it.
- Restrict custom fields privileges to the smallest practical set of trusted users and review existing assignments.
- Review existing Assets and Nodes content for suspicious custom field values (HTML tags, event-handler attributes, javascript: URIs, including HTML-entity-encoded variants) and remove or sanitize any unexpected script-bearing entries; patching stops new payloads from being stored but does not necessarily purge ones already present.
- Apply layered ICS/OT defensive practices such as least privilege, strong session controls, and defense-in-depth around management interfaces.
- Monitor for unusual administrator actions or data changes that could indicate abuse of a stored XSS condition.
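The review step above is easiest to do against an export rather than by clicking through every asset. The following is an added example (not PatchSiren's, Siemens', or Nozomi's code) of a triage scanner for exported custom field values: it decodes HTML entities once so encoded payloads are not missed, flags values that carry tags, event handlers or script URIs, and ignores benign data that merely contains a `<` character. The export layout (a list of records with `id`, `field`, `value` keys) and the sample records are constructed assumptions; adapt the loader to whatever the product actually exports. `render_safe` shows the rendering-side fix that CWE-79 calls for, using the standard library's `html.escape`.

```python
"""Triage helper for exported custom-field values (stored XSS review).

Added example. The export format (list of dicts with id/field/value) and
the records below are constructed for illustration, not taken from any
real device."""
import html
import re
from typing import Iterable

# Heuristics for HTML/script content in a field that should hold plain data.
# Applied after one round of entity decoding and case folding. This is a
# triage filter to find what to look at, not a sanitizer.
SUSPICIOUS_PATTERNS = [
    (re.compile(r"<\s*/?\s*(script|iframe|object|embed|svg|img|meta|link|style|base|form)\b"),
     "html tag"),
    (re.compile(r"\bon[a-z]+\s*="), "event handler attribute"),
    (re.compile(r"(?:java|vb)\s*script\s*:"), "script URI scheme"),
    (re.compile(r"expression\s*\("), "css expression"),
    (re.compile(r"<\s*[a-z][a-z0-9-]*[^>]*\bsrc\s*="), "external resource reference"),
]


def normalize(value: str) -> str:
    """Decode entities once so '&lt;script&gt;' is seen as '<script>', drop NULs
    (some browsers ignore them inside tag names) and fold case."""
    decoded = html.unescape(value).replace("\x00", "")
    return decoded.lower()


def classify(value: str) -> list[str]:
    """Return the labels of every pattern the value matches (empty if clean)."""
    text = normalize(value)
    return [label for pattern, label in SUSPICIOUS_PATTERNS if pattern.search(text)]


def scan_export(records: Iterable[dict]) -> list[dict]:
    """Scan exported records and return only those worth a human look."""
    findings = []
    for rec in records:
        value = rec.get("value")
        if not isinstance(value, str):      # numeric/boolean fields cannot carry markup
            continue
        reasons = classify(value)
        if reasons:
            findings.append({"id": rec["id"], "field": rec["field"],
                             "reasons": reasons, "value": value})
    return findings


def render_safe(value: str) -> str:
    """Output-encode a stored value for an HTML text or attribute context.
    This is the fix on the rendering side: the browser receives literal
    text, never markup, whatever the author stored."""
    return html.escape(value, quote=True)


# Constructed sample export: one benign value with '<', one with an entity-
# encoded payload, one with a whitespace-obfuscated script URI, one non-string.
CONSTRUCTED_EXPORT = [
    {"id": "node-001", "field": "Location", "value": "Rack 4, Substation B"},
    {"id": "node-002", "field": "Notes", "value": "<img src=x onerror=alert(document.cookie)>"},
    {"id": "node-003", "field": "Owner", "value": "&lt;script&gt;fetch('/api/admin')&lt;/script&gt;"},
    {"id": "node-004", "field": "Link", "value": "JAVA\tSCRIPT:alert(1)"},
    {"id": "node-005", "field": "Comment", "value": "Firmware 1 < 2 is outdated"},
    {"id": "node-006", "field": "Count", "value": 42},
]


if __name__ == "__main__":
    for f in scan_export(CONSTRUCTED_EXPORT):
        print(f"{f['id']} [{f['field']}] {', '.join(f['reasons'])}")
        print("   stored :", f["value"])
        print("   encoded:", render_safe(f["value"]))
```

On the constructed export the scanner reports node-002, node-003 and node-004 and leaves the "1 < 2" comment alone. Treat every hit as evidence to preserve (who created it, when, from which account) before you delete it, because a planted payload is also an indicator of which custom-fields account was misused.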
Evidence notes
Assessment is based on the CISA CSAF advisory ICSA-26-015-07, published 2026-01-13 and republished/updated through 2026-05-14, plus the linked Siemens ProductCERT advisory SSA-827968. The corpus explicitly describes an authenticated stored XSS in Assets and Nodes caused by improper input validation. The advisory metadata contains a product/remediation naming mismatch, so the exact fix path should be manually verified before remediation.
Official resources
- CVE-2025-40899 CVE record (CVE.org)
- CVE-2025-40899 NVD detail (NVD)
- Source item URL (cisa_csaf)
Publicly disclosed through the CISA ICS advisory on 2026-01-13 and updated on 2026-05-14. The supplied corpus does not list the issue in CISA KEV.