Cyber Resilience

CVE-2025-40937

High · RCE

Published: 09 December 2025

Modified: 10 December 2025
KEV Added: not listed
Patch: update to V4.0.1 or later
CVSS v4.0 Score: 8.7 (vector CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:L/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X)
EPSS Score: 0.0009 (24.8th percentile)
Risk Priority: 17 (weighted 60% EPSS · 20% KEV · 20% CVSS)

Summary

CVE-2025-40937 is a high-severity Command Injection (CWE-77) vulnerability in Siemens SIMATIC CN 4100 firmware. Its CVSS base score is 8.7 (High).

Operationally, exploitation aligns with the MITRE ATT&CK technique Exploitation of Remote Services (T1210). By exploit likelihood (EPSS) it ranks at the 24.8th percentile, below the median, and it is not currently listed in the CISA KEV catalog.

The strongest mitigations our analysis identified are NIST 800-53 SI-10 (Information Input Validation) and SI-2 (Flaw Remediation).

Deeper analysis

CVE-2025-40937 affects SIMATIC CN 4100 in all versions prior to V4.0.1. The vulnerability arises from improper validation of input parameters in the application's REST API, which results in mishandling of unexpected arguments. Classified under CWE-77, it carries a CVSS v3.1 base score of 8.3 (AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:L).

An authenticated attacker with low privileges can exploit this issue remotely over the network with low attack complexity and without requiring user interaction. Exploitation enables execution of arbitrary code under limited privileges, granting high-impact access to confidentiality and integrity while causing low impact to availability.

The Siemens security advisory at https://cert-portal.siemens.com/productcert/html/ssa-416652.html provides details on mitigation, including updating to version V4.0.1 or later to address the vulnerability in affected versions.

EU & UK References

Vulnerability details

A vulnerability has been identified in SIMATIC CN 4100 (all versions < V4.0.1). The affected application does not properly validate input parameters in its REST API, resulting in improper handling of unexpected arguments. This could allow an authenticated attacker to execute arbitrary code with limited privileges.

CWE(s)

CWE-77 Command Injection

Related Threats

MITRE ATT&CK Enterprise Techniques

T1210 Exploitation of Remote Services (Lateral Movement)
Adversaries may exploit remote services to gain unauthorized access to internal systems once inside of a network.
Why these techniques?

Vulnerability enables remote arbitrary code execution via command injection (CWE-77) in network-accessible REST API by low-privilege authenticated attackers, directly mapping to Exploitation of Remote Services.

Confidence: HIGH · MITRE ATT&CK Enterprise v19.0

CVEs Like This One

CVE-2026-2673 · Same product: Siemens SIMATIC CN 4100
CVE-2026-21638 · Shared CWE-77
CVE-2025-59470 · Shared CWE-77
CVE-2025-23397 · Same vendor: Siemens
CVE-2024-31854 · Same vendor: Siemens
CVE-2025-57199 · Shared CWE-77
CVE-2024-53977 · Same vendor: Siemens
CVE-2026-25655 · Same vendor: Siemens
CVE-2025-23398 · Same vendor: Siemens
CVE-2026-25605 · Same vendor: Siemens

Affected Assets

Vendor: siemens
Product: simatic cn 4100 firmware
Version: ≤ 4.0.1

Mitigating Controls (NIST 800-53 r5)

SI-10 Information Input Validation (prevent): Directly addresses the root cause by requiring validation of REST API input parameters to prevent mishandling of unexpected arguments leading to command injection.

SI-2 Flaw Remediation (prevent): Mandates timely flaw remediation, such as patching SIMATIC CN 4100 to V4.0.1 or later, to eliminate the improper input validation vulnerability.

Least privilege (prevent): Enforces least privilege to restrict the scope and impact of arbitrary code execution to only necessary low-privilege operations.

References

Siemens ProductCERT advisory SSA-416652: https://cert-portal.siemens.com/productcert/html/ssa-416652.html