CVE-2025-40943
Published: 10 March 2026
Summary
CVE-2025-40943 is a critical-severity Eval Injection (CWE-95) vulnerability affecting Siemens products (vendor inferred from references). Its CVSS base score is 9.6 (Critical).
Operationally, exploitation aligns with the MITRE ATT&CK technique Malicious File (T1204.002). The CVE sits at the 15.1th percentile by exploit likelihood (below the median), and it is not currently listed in the CISA KEV catalog.
The strongest mitigations our analysis identified are NIST 800-53 SI-10 (Information Input Validation) and SI-15 (Information Output Filtering).
Threat & Defense Details
Mitigating Controls (NIST 800-53 r5)
- SI-10 (Information Input Validation): directly enforces validation and sanitization of imported trace file contents to prevent code injection vulnerabilities like CWE-95.
- SI-15 (Information Output Filtering): filters trace file contents when they are output to the client's browser session, blocking execution of embedded malicious code.
- Vendor patching: remediates the specific trace file sanitization flaw through timely application of vendor patches as detailed in Siemens Security Advisory SSA-452276.
MITRE ATT&CK Enterprise Techniques
Why these techniques?
The vulnerability enables execution of attacker-controlled code via the import of a malicious trace file (T1204.002, User Execution: Malicious File); the injected code then runs as JavaScript in the victim's browser (T1059.007).
NVD Description
Affected devices do not properly sanitize contents of trace files. This could allow an attacker to inject code through social engineering an authorized user, who has the function right "Read diagnostics", to import a specially crafted trace file. The malicious trace file is insufficiently sanitized and malicious code could be executed in the client's browser session and trigger PLC operations via the webserver that the legitimate user is authorized to perform.
Deeper analysis
CVE-2025-40943 is a code injection vulnerability (CWE-95) affecting certain devices that fail to properly sanitize the contents of trace files. Published on 2026-03-10, it carries a CVSS v3.1 base score of 9.6 (AV:N/AC:L/PR:N/UI:R/S:C/C:H/I:H/A:H). The issue arises in components that support importing trace files for diagnostic purposes, where insufficient input validation allows embedded malicious code to be stored with the imported file and later rendered.
An attacker can exploit this vulnerability remotely over the network with low complexity by social engineering an authorized user who holds the "Read diagnostics" function right into importing a specially crafted trace file. Once imported, the malicious content executes within the victim's browser session because the file contents are not adequately sanitized before being displayed. This lets the attacker trigger PLC operations through the webserver under the legitimate user's authorization, resulting in high confidentiality, integrity, and availability impacts with changed scope (the injected code runs in the browser but its effects reach the PLC).
Siemens Security Advisory SSA-452276 addresses this vulnerability; practitioners should consult https://cert-portal.siemens.com/productcert/html/ssa-452276.html for detailed mitigation guidance and available patches.
Details
- CWE(s)