CVE-2025-40941

4.3 MEDIUM

📋 TL;DR

SIMATIC CN 4100 devices expose server information in responses, allowing attackers with network access to gather reconnaissance data. This information disclosure vulnerability affects all versions before V4.0.1, potentially enabling more targeted attacks against industrial control systems.

💻 Affected Systems

Products:
  • SIMATIC CN 4100
Versions: All versions < V4.0.1
Operating Systems: Embedded industrial OS
Default Config Vulnerable: ⚠️ Yes
Notes: All devices running affected firmware versions are vulnerable by default.

⚠️ Risk & Real-World Impact

🔴

Worst Case

Attackers use disclosed information to identify specific vulnerabilities, leading to full system compromise, production disruption, or safety incidents in industrial environments.

🟠

Likely Case

Attackers gather system details to plan targeted attacks, potentially combining with other vulnerabilities for deeper network penetration.

🟢

If Mitigated

Limited information exposure with minimal impact due to network segmentation and access controls preventing attacker access.

🌐 Internet-Facing: MEDIUM
🏢 Internal Only: LOW

🎯 Exploit Status

Public PoC: ✅ No
Weaponized: UNKNOWN
Unauthenticated Exploit: ⚠️ Yes
Complexity: LOW

Simple network requests can trigger information disclosure without authentication.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: V4.0.1

Vendor Advisory: https://cert-portal.siemens.com/productcert/html/ssa-416652.html

Restart Required: Yes

Instructions:

1. Download firmware V4.0.1 from the Siemens support portal.
2. Back up the device configuration.
3. Apply the firmware update via the management interface.
4. Reboot the device.
5. Verify the version update.

🔧 Temporary Workarounds

Network segmentation

Applies to: all

Isolate SIMATIC CN 4100 devices in protected network segments with strict access controls.

Firewall restrictions

Applies to: all

Implement firewall rules to limit access to SIMATIC CN 4100 management interfaces to authorized IPs only.

🧯 If You Can't Patch

  • Implement strict network segmentation to isolate devices from untrusted networks
  • Deploy intrusion detection systems to monitor for reconnaissance attempts

🔍 How to Verify

Check if Vulnerable:

Check device firmware version via web interface or CLI. If version is below V4.0.1, device is vulnerable.

Check Version:

Check via the web interface at https://[device-ip] or consult the device documentation for the CLI commands.

Verify Fix Applied:

Confirm firmware version shows V4.0.1 or higher in device management interface.

📡 Detection & Monitoring

Log Indicators:

  • Unusual access patterns to device management interfaces
  • Multiple failed authentication attempts

Network Indicators:

  • Unusual HTTP requests to device endpoints
  • Reconnaissance traffic from unauthorized sources

SIEM Query:

source_ip NOT IN (authorized_ips) AND dest_ip IN (simatic_devices) AND (http_method=GET OR http_method=POST)
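The SIEM query above, implemented as offline detection logic over constructed sample HTTP access records (added example, not part of the advisory). The device inventory, authorized subnet, log line format and IP addresses are all assumptions; it also adds a simple per-source distinct-path count to separate a single stray request from reconnaissance-style probing.

```python
"""Run the advisory's SIEM query over sample HTTP events and flag probing sources."""
from dataclasses import dataclass
from ipaddress import ip_address, ip_network

# Constructed inventory and allowlist: replace with your own asset and access data.
SIMATIC_DEVICES = {"10.10.5.20", "10.10.5.21"}      # CN 4100 management addresses
AUTHORIZED_NETS = [ip_network("10.10.100.0/24")]     # engineering workstation subnet


@dataclass(frozen=True)
class HttpEvent:
    src_ip: str
    dst_ip: str
    method: str
    path: str


def is_authorized(src_ip: str) -> bool:
    """True when the source falls inside an authorized network."""
    addr = ip_address(src_ip)
    return any(addr in net for net in AUTHORIZED_NETS)


def matches_query(ev: HttpEvent) -> bool:
    """Mirror of the SIEM query: unauthorized source -> SIMATIC device, GET or POST."""
    return (ev.dst_ip in SIMATIC_DEVICES
            and not is_authorized(ev.src_ip)
            and ev.method in ("GET", "POST"))


def parse_line(line: str) -> HttpEvent:
    # Constructed log format: "<src_ip> -> <dst_ip> <METHOD> <path>"
    src, _, dst, method, path = line.split()
    return HttpEvent(src, dst, method, path)


def flag_events(lines):
    """Return every event that satisfies the query."""
    return [ev for ev in map(parse_line, lines) if matches_query(ev)]


def recon_sources(lines, threshold=3):
    """Sources that hit at least `threshold` distinct device paths: probing, not one-off."""
    paths = {}
    for ev in flag_events(lines):
        paths.setdefault(ev.src_ip, set()).add(ev.path)
    return {src for src, seen in paths.items() if len(seen) >= threshold}


SAMPLE_LOG = [                                  # constructed sample records
    "10.10.100.7 -> 10.10.5.20 GET /",          # authorized engineer: not flagged
    "192.0.2.44 -> 10.10.5.20 GET /",
    "192.0.2.44 -> 10.10.5.20 GET /login",
    "192.0.2.44 -> 10.10.5.21 GET /status",
    "192.0.2.44 -> 10.10.5.20 POST /api",
    "192.0.2.44 -> 10.10.5.21 GET /status",
    "203.0.113.9 -> 10.10.7.1 GET /",           # not a SIMATIC device: not flagged
    "203.0.113.9 -> 10.10.5.21 PUT /cfg",       # method outside the query: not flagged
]
```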
