PatchSiren

PatchSiren cyber security CVE debrief

CVE-2025-40937 Siemens CVE debrief

CVE-2025-40937 affects Siemens SIMATIC CN 4100 and was published on 2025-12-09. According to the CISA CSAF advisory, the application does not properly validate input parameters in its REST API, so unexpected arguments are handled improperly. Siemens and CISA describe the impact as a condition that could allow an authenticated attacker to execute arbitrary code with limited privileges. Siemens fixed the issue in V4.0.1; update to V4.0.1 or later.

Vendor: Siemens
Product: SIMATIC CN 4100
CVSS: 8.3 (High)
CISA KEV: not listed in stored evidence
Original CVE published: 2025-12-09
Original CVE updated: 2025-12-09
Advisory published: 2025-12-09
Advisory updated: 2025-12-09

Who should care

Organizations running Siemens SIMATIC CN 4100, especially industrial control system operators, plant administrators, and the security teams that manage authenticated access to the product's REST API and roll out vendor patches.

Technical summary

The advisory describes an input-validation weakness in the SIMATIC CN 4100 REST API. The supplied vector is CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:L: network attack vector, low attack complexity, low privileges required, no user interaction, unchanged scope, high confidentiality and integrity impact and low availability impact, which yields the 8.3 base score. The stated outcome is arbitrary code execution with limited privileges when the API receives unexpected arguments. Two points follow from the vector. First, the attacker must already hold valid credentials for the API (PR:L), so account hygiene and access restriction are the main compensating controls until the fix is applied. Second, "limited privileges" describes the context in which the attacker's code runs, not the privileges needed to trigger the flaw. The advisory as summarized here names no specific endpoint or parameter, so the issue cannot be filtered at the request level; treat the whole REST API surface as affected until the unit is patched.

Defensive priority

High. The CVSS base score is 8.3, the product is an ICS component, and a vendor fix is available. Prioritize patching, and reduce exposure wherever the REST API is reachable by more accounts or networks than the operation requires.

Recommended defensive actions

  • Update Siemens SIMATIC CN 4100 to V4.0.1 or later, as recommended by the vendor.
  • Enumerate the administrators and service accounts that can authenticate to the product's REST API, remove any that are not needed, and keep the remaining set to the minimum necessary.
  • Apply industrial-control defense-in-depth practices: place the device behind a firewall or in a dedicated management network segment, and limit reachability of the REST API and other management interfaces to the hosts that need them.
  • Monitor Siemens and CISA advisory channels for any follow-on guidance related to ICSA-26-015-12 / SSA-416652.
  • Validate that asset inventories and patch records list every affected SIMATIC CN 4100 unit with its installed version, and that the version check distinguishes V4.0 from the remediation version V4.0.1 rather than comparing major releases only.
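The inventory and patch-record check in the last step is easy to get wrong when versions are compared as strings. The script below is an added example written for this debrief, not PatchSiren or Siemens code: it reads a constructed sample inventory (hostnames, network names and versions are made up), parses Siemens-style version strings (the V<major>.<minor>[.<patch>] format is an assumption about how the product reports its firmware), and lists the SIMATIC CN 4100 units still below V4.0.1, ordering the ones reachable outside a management network first.

```python
"""Find SIMATIC CN 4100 units below the fixed version in an asset inventory.

Added example for this debrief; not from the PatchSiren page or Siemens.
The inventory rows are constructed sample data, and the version-string
format (V<major>.<minor>[.<patch>]) is an assumption about the product.
"""
import csv
import io
import re

FIXED_VERSION = "V4.0.1"          # remediation version from SSA-416652 / ICSA-26-015-12
AFFECTED_PRODUCT = "SIMATIC CN 4100"

# Constructed sample inventory (hostnames, networks and versions are invented).
SAMPLE_INVENTORY = """\
hostname,vendor,product,version,rest_api_reachable_from
cn4100-line1,Siemens,SIMATIC CN 4100,V3.0,plant-lan
cn4100-line2,Siemens,SIMATIC CN 4100,V4.0,corp-lan
cn4100-lab,Siemens,SIMATIC CN 4100,V4.0.1,mgmt-vlan
cn4100-line3,Siemens,SIMATIC CN 4100,V4.1,plant-lan
cn4100-future,Siemens,SIMATIC CN 4100,V10.0,mgmt-vlan
other-device,Siemens,OTHER PRODUCT,V1.0,plant-lan
"""

_VERSION_RE = re.compile(r"^V(\d+)\.(\d+)(?:\.(\d+))?$")


def parse_version(text: str) -> tuple:
    """Turn 'V4.0' or 'V4.0.1' into a comparable (major, minor, patch) tuple.
    A missing patch component counts as 0, so V4.0 sorts below V4.0.1."""
    m = _VERSION_RE.match(text.strip())
    if not m:
        raise ValueError(f"unrecognised version string: {text!r}")
    major, minor, patch = m.groups()
    return (int(major), int(minor), int(patch or 0))


def is_vulnerable(version: str) -> bool:
    """True when the installed version is older than the remediation version.
    Numeric comparison matters: as strings, 'V10.0' < 'V4.0.1' would be
    flagged wrongly, and 'V4.0' vs 'V4.0.1' depends on string length."""
    return parse_version(version) < parse_version(FIXED_VERSION)


def find_exposed(inventory_csv: str) -> list:
    """Return (hostname, version, network) for affected, unpatched units.
    Units reachable from outside the management network are listed first,
    since those are where the authenticated REST API is most exposed."""
    findings = []
    for row in csv.DictReader(io.StringIO(inventory_csv)):
        if row["vendor"] != "Siemens" or row["product"] != AFFECTED_PRODUCT:
            continue
        if not is_vulnerable(row["version"]):
            continue
        findings.append((row["hostname"], row["version"], row["rest_api_reachable_from"]))
    # Crude exposure ranking: non-management networks first, then by hostname.
    findings.sort(key=lambda f: (f[2] == "mgmt-vlan", f[0]))
    return findings


if __name__ == "__main__":
    for host, ver, net in find_exposed(SAMPLE_INVENTORY):
        print(f"{host}: {ver} < {FIXED_VERSION}, REST API reachable from {net}")
```

Run against the sample, it reports cn4100-line1 (V3.0) and cn4100-line2 (V4.0) and correctly leaves V4.0.1, V4.1 and V10.0 alone. Swap in an export from your real CMDB and adjust the network ranking to your own segmentation names.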

Evidence notes

Source details come from the supplied CISA CSAF record for ICSA-26-015-12 and the referenced Siemens advisory SSA-416652. The advisory states the REST API parameter-validation issue and the potential for authenticated arbitrary code execution with limited privileges. The supplied CVSS vector is CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:L, and the remediation listed is V4.0.1 or later. KEV status in the supplied enrichment is false.

Official resources

Publicly disclosed via CISA CSAF advisory ICSA-26-015-12 and Siemens advisory SSA-416652 on 2025-12-09; the supplied enrichment does not list the issue in CISA KEV.