CRITICAL🇵🇱 Wersja polska

CVE-2025-40805

CVSS 10.0v4.0pub. 2026-01-13upd. 2026-04-15

Affected devices do not properly enforce user authentication on specific API endpoints. This could facilitate an unauthenticated remote attacker to circumvent authentication and impersonate a legitimate user. Successful exploitation requires that the attacker has learned the identity of a legitimate user.

🤖 AI Analysis
How it works

Devices improperly enforce user authentication on specific API endpoints, allowing an attacker to access protected resources without providing valid credentials. The vulnerability is classified as CWE-639 (Authorization Bypass Through User-Controlled Key), meaning an attacker can specify another user's identifier and gain access on their behalf. A necessary condition for a successful attack is prior knowledge of the identity (identifier) of a legitimate system user.

Impact

An attacker can impersonate a legitimate user and gain unauthorized access to system functions and data, which may lead to complete compromise of confidentiality, integrity, and availability of both the attacked device and related systems.

Mitigation & patch

Apply patches available from the manufacturer according to the following references: https://cert-portal.siemens.com/productcert/html/ssa-001536.html and https://cert-portal.siemens.com/productcert/html/ssa-014678.html. Until the patch is deployed, it is recommended to restrict network access to vulnerable API endpoints through a firewall or network segmentation.

Who is affected

Siemens devices specified in manufacturer references (SSA-001536, SSA-014678) — specific models and versions should be verified in Siemens ProductCERT security advisories

Analysis generated by Claude AI (Anthropic) based on NVD data. Always verify with vendor.
CVSS Vector
CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:H/SI:H/SA:H/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
🔵
CHECK WITH VENDOR
No clear patch data available. Check vendor references.
CWE
References