CVE-2025-40736
Published: 08 July 2025
Summary
CVE-2025-40736 is a critical-severity Missing Authentication for Critical Function (CWE-306) vulnerability in Siemens Sinec Nms. Its CVSS base score is 9.8 (Critical).
Operationally, exploitation aligns with the MITRE ATT&CK technique Exploit Public-Facing Application (T1190); ranked in the top 34.8% of CVEs by exploit likelihood; it is not currently listed in the CISA KEV catalog.
The strongest mitigations our analysis identified are NIST 800-53 AC-14 (Permitted Actions Without Identification or Authentication) and AC-3 (Access Enforcement).
Threat & Defense at a Glance
Threat & Defense Details
Mitigating Controls (NIST 800-53 r5)AI
AC-14 explicitly identifies and authorizes only essential actions without identification or authentication, directly preventing exposure of critical functions like unauthorized administrative credential modification.
AC-3 enforces approved authorizations for access to system resources, blocking unauthenticated attackers from exploiting the exposed endpoint to reset superadmin passwords.
IA-5 requires protection of authenticators from unauthorized modification, mitigating the vulnerability that allows unauthenticated reset of administrative credentials.
MITRE ATT&CK Enterprise TechniquesAI
Why these techniques?
Missing authentication on public endpoint directly enables exploitation of public-facing app (T1190) to perform unauthorized account credential changes (T1098).
NVD Description
A vulnerability has been identified in SINEC NMS (All versions < V4.0). The affected application exposes an endpoint that allows an unauthorized modification of administrative credentials. This could allow an unauthenticated attacker to reset the superadmin password and gain full…
more
control of the application (ZDI-CAN-26569).
Deeper analysisAI
CVE-2025-40736 is a critical vulnerability in SINEC NMS, affecting all versions prior to V4.0. The affected application exposes an endpoint that enables unauthorized modification of administrative credentials, classified as CWE-306 (Missing Authentication for Critical Function). Published on 2025-07-08, it carries a CVSS v3.1 base score of 9.8 (AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H), indicating high severity due to its potential for complete compromise.
An unauthenticated attacker with network access can exploit this vulnerability with low complexity and no user interaction. By leveraging the exposed endpoint, the attacker can reset the superadmin password, gaining full control of the SINEC NMS application and potentially compromising confidentiality, integrity, and availability of the system (ZDI-CAN-26569).
Siemens has published security advisory SSA-078892 at https://cert-portal.siemens.com/productcert/html/ssa-078892.html, which details the vulnerability and mitigation steps for affected systems.
Details
- CWE(s)