Platform
siemens
Component
siemens-software-center
Fixed in
3.5.8.2
CVE-2025-40745 is a vulnerability affecting Siemens Software Center and related products like Simcenter, Solid Edge, and Tecnomatix. This issue stems from inadequate validation of client certificates when connecting to the Analytics Service endpoint, potentially enabling man-in-the-middle attacks. Affected versions include Siemens Software Center versions before V3.5.8.2, and various versions of Simcenter, Solid Edge, and Tecnomatix as detailed in the advisory. A fix is available in Siemens Software Center V2602.
The primary impact of CVE-2025-40745 is the potential for man-in-the-middle attacks. An attacker who can intercept and manipulate network traffic between a client and the Analytics Service endpoint could eavesdrop on sensitive data, modify data in transit, or impersonate either the client or the server. This could lead to data breaches, unauthorized access to systems, and disruption of services. The lack of authentication requirements for exploiting this vulnerability significantly broadens the attack surface, as any unauthenticated remote attacker with network access can potentially exploit it. While the CVSS score is LOW, the potential for data compromise and system manipulation warrants immediate attention.
This vulnerability is not currently listed on the CISA KEV catalog. Public proof-of-concept (PoC) code is not currently available, but the vulnerability's nature and lack of authentication requirements suggest a potential for exploitation. The CVSS score of 3.7 indicates a relatively low probability of exploitation, but the potential impact warrants monitoring. The vulnerability was publicly disclosed on 2026-04-14.
Organizations utilizing Siemens Software Center, Simcenter, Solid Edge, or Tecnomatix in environments where the Analytics Service endpoint is accessible over untrusted networks are at risk. This includes engineering firms, manufacturing plants, and research institutions relying on these software solutions for product development and simulation.
• windows / supply-chain:
Get-Process -Name "Siemens Software Center*" | Select-Object ProcessName, CommandLine
• linux / server:
ps aux | grep "Siemens Software Center"
• generic web:
curl -I <analytics_service_endpoint>
Exploit status
EPSS
0.02% (6th percentile)
CISA SSVC
CVSS vector
The primary mitigation for CVE-2025-40745 is to upgrade affected Siemens Software Center and related products to version V2602 or later, which includes the necessary certificate validation fixes. If immediate upgrading is not possible, consider implementing network segmentation to restrict access to the Analytics Service endpoint. Additionally, deploying a Web Application Firewall (WAF) with rules to inspect and block suspicious certificate validation requests can provide an additional layer of defense. Monitor network traffic for unusual certificate validation patterns. After upgrading, confirm the fix by attempting a connection to the Analytics Service endpoint with a modified client certificate and verifying that the connection is rejected.
Update Siemens Software Center to version 3.5.8.2 or later to fix the vulnerability. This update corrects the improper validation of client certificates and thereby prevents possible man-in-the-middle attacks.
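To find Windows hosts still below the fixed version named above, the following PowerShell inventory check can be run locally or through a remote-management tool. It is an added example, not code from Siemens or from the advisory. It assumes the product registers a DisplayName beginning with "Siemens Software Center" and a dotted DisplayVersion under the standard Uninstall registry keys; `Test-SscVersion` is a hypothetical helper name.

```powershell
# Added example: flag Siemens Software Center installs older than the fixed version.
# Assumption: DisplayName starts with "Siemens Software Center" and DisplayVersion
# is a dotted numeric string (for example 3.5.8.1) in the Uninstall registry keys.
$FixedVersion = [version]'3.5.8.2'   # "Fixed in" value stated on this page

$UninstallKeys = @(
    'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\*',
    'HKLM:\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Uninstall\*'
)

function Test-SscVersion {
    param([string]$DisplayVersion)

    # Version strings that are not dotted (such as a release label like "2602")
    # cannot be compared against 3.5.8.2, so report them for manual review
    # instead of guessing.
    $parsed = $null
    if (-not [version]::TryParse($DisplayVersion, [ref]$parsed)) {
        return 'Unknown'
    }
    if ($parsed -lt $FixedVersion) { 'Vulnerable' } else { 'Fixed' }
}

Get-ItemProperty -Path $UninstallKeys -ErrorAction SilentlyContinue |
    Where-Object { $_.DisplayName -like 'Siemens Software Center*' } |
    ForEach-Object {
        [pscustomobject]@{
            Computer = $env:COMPUTERNAME
            Name     = $_.DisplayName
            Version  = $_.DisplayVersion
            Status   = Test-SscVersion $_.DisplayVersion
        }
    }
```

Entries reported as `Unknown` need a manual comparison against the advisory, since this page gives the fixed release both as 3.5.8.2 and as V2602.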
CVE-2025-40745 is a vulnerability in Siemens Software Center and related products allowing unauthenticated attackers to perform man-in-the-middle attacks due to improper client certificate validation.
You are affected if you are using Siemens Software Center versions prior to V2602, or vulnerable versions of Simcenter, Solid Edge, or Tecnomatix as detailed in the advisory.
Upgrade to Siemens Software Center V2602 or later to remediate the vulnerability. Consider network segmentation and certificate validation policy strengthening as interim measures.
There are currently no confirmed reports of active exploitation, but diligent monitoring and patching are recommended.
Refer to the official Siemens Security Advisory for detailed information and mitigation guidance: [https://www.siemens.com/global/en/support/security/industrial/details.html?id=CVE-2025-40745]