Executive Summary
In December 2025, Siemens disclosed a critical vulnerability (CVE-2025-40801) in its Advanced Licensing (SALT) Toolkit, affecting multiple industrial software products such as COMOS, NX, Simcenter, and Tecnomatix. The flaw, improper certificate validation in the SALT SDK when it establishes TLS connections to the licensing authorization server, lets an unauthenticated attacker who can get onto the network path impersonate that server and read or alter the exchange (a man-in-the-middle attack). With a CVSS v4 score of 9.2, the exploitation risk is high: intercepted or manipulated licensing traffic can expose sensitive engineering data and disrupt design and simulation workflows in manufacturing environments worldwide. Patches have been released for some products, but others remain without a fix.
This incident is significant as it highlights ongoing challenges in implementing secure communication protocols within the industrial sector. The vulnerability underscores a wider trend of attackers exploiting flaws in authentication and encryption controls, emphasizing the urgent need for robust zero trust segmentation, encrypted traffic policies, and active vulnerability management as industries modernize.
Why This Matters Now
As digital transformation accelerates in critical infrastructure, the Siemens SALT Toolkit flaw demonstrates how gaps in certificate validation can become a gateway for remote attacks against industrial systems. Immediate awareness and response are crucial since several affected products lack available fixes, leaving organizations exposed to man-in-the-middle threats and compliance risks.
Attack Path Analysis
The path below is a projected kill chain, not an observed campaign; no public exploit is known. An attacker positioned between a SALT-enabled product and its authorization server (for example through DNS or ARP spoofing, or a compromised network hop) could present an arbitrary certificate, which the SALT SDK accepts without validation, and so terminate the TLS session in the middle and read or alter the licensing traffic. From that position the attacker could tamper with responses and harvest whatever sensitive data the exchange carries. On a flat network lacking segmentation, the same foothold could be used to reach other components. Relayed or manipulated traffic could serve as a command-and-control channel, and intercepted data could leave through ordinary egress paths. The outcome could be service disruption, data tampering, or follow-on attacks against engineering and manufacturing operations.
Kill Chain Progression
Initial Compromise
Description
A remote attacker on the network path between a SALT-enabled product and its authorization server can exploit the missing TLS server-certificate validation (CWE-295, CVE-2025-40801) by presenting a certificate of their own, which the SDK accepts. This lets the attacker impersonate the authorization server and terminate the TLS session in the middle, so traffic that is encrypted on the wire is nonetheless readable and modifiable by the attacker. The attacker must first be able to intercept or redirect the connection; the flaw does not by itself grant access to the host.
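As an added illustration, not code from Siemens or the SALT SDK, the following Go program reproduces the CWE-295 condition end to end: an impostor HTTPS server standing in for the authorization server, a client that skips certificate validation the way the advisory describes and therefore accepts the impostor, and a hardened client that rejects it but still works once the genuine certificate is pinned. The server, the license response and the trust anchors are constructed for the demo; the hostnames and values are placeholders.

```go
package main

import (
	"crypto/tls"
	"crypto/x509"
	"fmt"
	"io"
	"net/http"
	"net/http/httptest"
)

// rogueAuthServer plays the on-path attacker impersonating the licensing
// authorization server. httptest.NewTLSServer serves a throwaway self-signed
// certificate that no legitimate trust store contains, which is exactly the
// certificate a correct client must reject.
func rogueAuthServer() *httptest.Server {
	return httptest.NewTLSServer(http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
		// Attacker-controlled reply, e.g. a tampered license grant (constructed).
		fmt.Fprint(w, `{"license":"granted","features":"all"}`)
	}))
}

// vulnerableClient reproduces the CWE-295 pattern: TLS is negotiated, but the
// server certificate chain and hostname are never checked, so the client
// accepts any certificate, including the attacker's.
func vulnerableClient() *http.Client {
	return &http.Client{Transport: &http.Transport{
		TLSClientConfig: &tls.Config{InsecureSkipVerify: true}, // the flaw
	}}
}

// hardenedClient validates the chain against an explicit set of trust anchors
// and, because InsecureSkipVerify is left false, also verifies that the
// certificate matches the host being connected to.
func hardenedClient(roots *x509.CertPool) *http.Client {
	return &http.Client{Transport: &http.Transport{
		TLSClientConfig: &tls.Config{
			RootCAs:    roots,
			MinVersion: tls.VersionTLS12,
		},
	}}
}

// fetchLicense performs the client side of the exchange and returns the body,
// or the TLS/transport error that stopped it.
func fetchLicense(c *http.Client, url string) (string, error) {
	resp, err := c.Get(url)
	if err != nil {
		return "", err
	}
	defer resp.Body.Close()
	body, err := io.ReadAll(resp.Body)
	if err != nil {
		return "", err
	}
	return string(body), nil
}

// Outcome records what each client did when faced with the same server.
type Outcome struct {
	VulnerableAcceptedRogue bool   // unvalidated client talked to the impostor
	HardenedRejectedRogue   bool   // validating client refused the impostor
	HardenedAcceptedGenuine bool   // validating client works with a pinned, genuine cert
	RejectError             string // the error the validating client raised
}

// RunDemo exercises both clients against the rogue server and returns the result.
func RunDemo() Outcome {
	var out Outcome
	srv := rogueAuthServer()
	defer srv.Close()

	if _, err := fetchLicense(vulnerableClient(), srv.URL); err == nil {
		out.VulnerableAcceptedRogue = true
	}

	// A trust store that does not contain the attacker's certificate: the
	// handshake must fail with an unknown-authority error.
	if _, err := fetchLicense(hardenedClient(x509.NewCertPool()), srv.URL); err != nil {
		out.HardenedRejectedRogue = true
		out.RejectError = err.Error()
	}

	// Now treat the same certificate as the genuine, pinned licensing-server
	// cert: with it in the trust store the hardened client connects normally,
	// showing that validation is a trust decision, not a connectivity break.
	pinned := x509.NewCertPool()
	pinned.AddCert(srv.Certificate())
	if _, err := fetchLicense(hardenedClient(pinned), srv.URL); err == nil {
		out.HardenedAcceptedGenuine = true
	}
	return out
}

func main() {
	out := RunDemo()
	fmt.Printf("vulnerable client accepted impostor:  %v\n", out.VulnerableAcceptedRogue)
	fmt.Printf("hardened client rejected impostor:    %v (%s)\n", out.HardenedRejectedRogue, out.RejectError)
	fmt.Printf("hardened client accepted pinned cert: %v\n", out.HardenedAcceptedGenuine)
}
```

In Go a single setting covers both checks: leaving `InsecureSkipVerify` at its default of false verifies the chain and the hostname. In OpenSSL-based C code, which is the more likely shape of a licensing SDK, those are two separate steps, `SSL_CTX_set_verify(ctx, SSL_VERIFY_PEER, ...)` for the chain and `SSL_set1_host` (or `X509_VERIFY_PARAM_set1_host`) for the name, and an SDK that performs only one of them, or neither, exhibits exactly this class of flaw.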
Related CVEs
CVE-2025-40801
CVSS v3.1 8.1 / CVSS v4 9.2. The SALT SDK lacks server certificate validation during TLS connections to the authorization server, potentially allowing an attacker on the network path to perform a man-in-the-middle attack.
Affected Products:
Siemens COMOS – V10.6
Siemens JT Bi-Directional Translator for STEP – All versions
Siemens NX – V2412, V2506
Siemens Simcenter 3D – V2506
Siemens Simcenter Femap – V2506
Siemens Simcenter Studio – All versions
Siemens Simcenter System Architect – All versions
Siemens Tecnomatix Plant Simulation – V2504
Exploit Status:
no public exploit
MITRE ATT&CK® Techniques
Adversary-in-the-Middle (T1557; formerly named Man-in-the-Middle)
Network Sniffing (T1040)
Steal or Forge Authentication Certificates (T1649)
Exploit Public-Facing Application (T1190)
Application Layer Protocol: Web Protocols (T1071.001)
Use Alternate Authentication Material (T1550)
Potential Compliance Exposure
Mapping incident impact across multiple compliance frameworks.
PCI DSS v4.0 – Strong Cryptography and Security Protocols for Transmission over Open, Public Networks
Control ID: 4.2.1
NIS2 Directive – Security of Network and Information Systems
Control ID: Art. 21.2(d)
CISA Zero Trust Maturity Model (ZTMM) 2.0 – Transport Security – Secure Protocol Enforcement
Control ID: Section 2.5
NYDFS 23 NYCRR 500 – Encryption of Nonpublic Information
Control ID: 500.15
DORA (EU Digital Operational Resilience Act) – ICT Security Requirements and Protocols
Control ID: Art. 9(2)
Sector Implications
Industry-specific impact of the vulnerabilities, including operational, regulatory, and cloud security risks.
Critical Manufacturing
The SALT toolkit flaw enables man-in-the-middle attacks on the licensing traffic of Siemens engineering and simulation software used throughout manufacturing, exposing design and process data and the availability of those tools; the affected products are engineering, design and simulation applications rather than controllers.
Automotive
NX and Simcenter software vulnerabilities expose automotive design workflows to certificate validation attacks, potentially disrupting CAD/CAM operations and production planning.
Aviation/Aerospace
Improper certificate validation in Siemens engineering tools threatens aerospace design integrity, enabling remote attackers to intercept critical manufacturing and simulation data.
Oil/Energy/Solar/Greentech
COMOS V10.6 vulnerabilities without planned fixes expose energy sector process engineering systems to TLS interception attacks and unauthorized access risks.
Sources
- Siemens Advanced Licensing (SALT) Toolkit (CISA ICSA-25-345-05): https://www.cisa.gov/news-events/ics-advisories/icsa-25-345-05
- Siemens ProductCERT Security Advisory SSA-710408: https://cert-portal.siemens.com/productcert/html/ssa-710408.html
- NVD - CVE-2025-40801: https://nvd.nist.gov/vuln/detail/CVE-2025-40801
Cloud Native Security Fabric (CNSF) Mitigations and Controls
Network-level controls cannot repair a client that accepts any server certificate, but they shrink the places an attacker can stand. Zero Trust Segmentation and encrypted east-west traffic limit who can get onto the path between a SALT client and the authorization server, egress policy enforcement restricts where intercepted data can go, and anomaly detection can surface a licensing server whose certificate or address suddenly changes, which together blunt each stage of the kill chain. CNSF-aligned capabilities such as distributed microsegmentation and anomaly detection constrain lateral movement and provide the observability needed for rapid incident response. The vendor patch remains the only fix for the flaw itself.
Control: Encrypted Traffic (HPE)
Mitigation: Enforces encryption (for example IPsec or MACsec) on traffic between workloads, removing the plaintext interception points an on-path attacker would otherwise use. This does not fix the SDK's missing certificate check: a client whose path to the authorization server crosses an unencrypted or untrusted segment remains exploitable until patched.
Control: Threat Detection & Anomaly Response
Mitigation: Detects abnormal credential usage and credential-harvesting activity in real time, and provides rapid detection and incident containment capabilities.
Control: Zero Trust Segmentation
Mitigation: Prevents unauthorized east-west access between workloads, stopping lateral pivoting.
Control: Egress Security & Policy Enforcement
Mitigation: Blocks unauthorized outbound connections typical of C2 traffic and prevents unapproved data transfer outside enterprise boundaries.
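The detection control above is stated only in general terms. As an added example (not HPE or CNSF code, and not a SALT log format), the Go program below applies one concrete check to TLS session records of the kind a network sensor or egress proxy emits: any session whose SNI names the licensing server but whose presented leaf certificate is not a known-good one is flagged. That is how a network observer catches an impersonated authorization server that a vulnerable client will never notice. The field names, hostnames, fingerprints and the three sample records are constructed for the example.

```go
package main

import (
	"bufio"
	"encoding/json"
	"fmt"
	"strings"
)

// TLSEvent is one observed TLS session as a sensor or egress proxy might log
// it. The field names are this example's own, not any product's schema.
type TLSEvent struct {
	Src        string `json:"src"`
	Dst        string `json:"dst"`
	ServerName string `json:"server_name"` // SNI the client asked for
	CertSHA256 string `json:"cert_sha256"` // hex SHA-256 of the presented leaf certificate
	Issuer     string `json:"issuer"`
}

// Finding is a session that contradicts what is known about the licensing server.
type Finding struct {
	Src    string
	Dst    string
	Reason string
}

// Pins lists known-good leaf fingerprints per licensing hostname. The hostname
// and fingerprints are constructed placeholders, not Siemens values.
var Pins = map[string]map[string]bool{
	"salt-auth.example.invalid": {
		"3b2fa1c4e5d6f70819a2b3c4d5e6f7081920a1b2c3d4e5f60718293a4b5c6d7e": true,
	},
}

// SampleEvents is constructed NDJSON: a legitimate session, a session whose
// SNI is the licensing host but which terminates at an internal address with
// a different certificate (the on-path impersonation signature), and
// unrelated traffic that the check must ignore.
const SampleEvents = `
{"src":"10.20.30.40","dst":"203.0.113.10","server_name":"salt-auth.example.invalid","cert_sha256":"3b2fa1c4e5d6f70819a2b3c4d5e6f7081920a1b2c3d4e5f60718293a4b5c6d7e","issuer":"CN=Example Licensing CA"}
{"src":"10.20.30.41","dst":"10.20.30.250","server_name":"salt-auth.example.invalid","cert_sha256":"9e9e1111222233334444555566667777888899990000aaaabbbbccccddddeeee","issuer":"CN=Acme Co"}
{"src":"10.20.30.42","dst":"198.51.100.7","server_name":"updates.example.invalid","cert_sha256":"77770000111122223333444455556666777788889999aaaabbbbccccddddeeef","issuer":"CN=Other CA"}
`

// AuditTLSEvents flags sessions to a pinned licensing host whose presented
// certificate is not one of the expected ones. A client that does not
// validate certificates cannot notice this; the network can.
func AuditTLSEvents(ndjson string, pins map[string]map[string]bool) ([]Finding, error) {
	var findings []Finding
	sc := bufio.NewScanner(strings.NewReader(ndjson))
	for n := 1; sc.Scan(); n++ {
		line := strings.TrimSpace(sc.Text())
		if line == "" {
			continue
		}
		var ev TLSEvent
		if err := json.Unmarshal([]byte(line), &ev); err != nil {
			// Malformed records are an error, not silently skipped: a gap in
			// the audit trail for licensing traffic is itself worth knowing.
			return nil, fmt.Errorf("line %d: %w", n, err)
		}
		expected, pinned := pins[strings.ToLower(ev.ServerName)]
		if !pinned {
			continue // not licensing traffic; outside this check's scope
		}
		switch {
		case ev.CertSHA256 == "":
			findings = append(findings, Finding{ev.Src, ev.Dst,
				"no certificate recorded for session to pinned licensing host"})
		case !expected[strings.ToLower(ev.CertSHA256)]:
			findings = append(findings, Finding{ev.Src, ev.Dst,
				"unexpected certificate for licensing host (issuer " + ev.Issuer + "): possible on-path impersonation"})
		}
	}
	return findings, sc.Err()
}

func main() {
	findings, err := AuditTLSEvents(SampleEvents, Pins)
	if err != nil {
		fmt.Println("audit error:", err)
		return
	}
	for _, f := range findings {
		fmt.Printf("ALERT %s -> %s: %s\n", f.Src, f.Dst, f.Reason)
	}
}
```

The pin set has to be maintained when the licensing server legitimately rotates its certificate, so in practice the expected fingerprints come from a change-controlled source rather than a constant; the check is still cheap because it only inspects sessions whose SNI names a licensing host.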
Impact at a Glance
Affected Business Functions
- Product Licensing
- Software Activation
Estimated downtime: 3 days
Estimated loss: $50,000
Potential exposure of sensitive licensing information due to man-in-the-middle attacks.
Recommended Actions
Key Takeaways & Next Steps
- Prioritize immediate upgrades and apply all available Siemens patches for CVE-2025-40801; for products that have no fix yet, restrict the network path between the SALT client and the authorization server to trusted segments as a compensating control until one is released.
- Enable line-rate encryption (IPsec/MACsec) for communications between workloads to reduce the interception points an on-path attacker can use; this narrows exposure but does not replace the patch, since the flaw is in the client's own certificate validation.
- Implement Zero Trust Segmentation and granular policy to strictly govern east-west traffic and contain potential lateral movement.
- Enforce egress filtering and application-level outbound policy to block unauthorized external communications and potential data exfiltration.
- Deploy real-time anomaly detection and centralized visibility, including alerting on licensing-server connections that present an unexpected certificate or terminate at an unexpected address, to rapidly detect, respond to, and recover from suspicious activity or credential misuse.