Advisory

Siemens COMOS Affected by Multiple Flaws, at Least One Critical

Take action: First priority, make sure your industrial systems, including COMOS, are isolated from the internet and accessible only from trusted networks. Plan a prompt update of COMOS instances to the latest versions on the 10.4 and 10.5 branches. For branch 10.6, contact Siemens for instructions.


Learn More

Siemens and CISA warn of multiple flaws in Siemens COMOS, lifecycle management software used in the manufacturing sector. The flaws range from low-risk credential leaks to critical remote code execution.

Vulnerabilities summary:

  • CVE-2024-47875 (CVSS score 10.0) - A mutation cross-site scripting (mXSS) vulnerability in the DOMPurify library that allows attackers to bypass sanitization by nesting HTML elements. This flaw enables arbitrary script execution in the user's browser session, potentially leading to full account takeover.
  • CVE-2025-2783 (CVSS score 8.3) - An improper input validation flaw in the Mojo interface of Google Chrome on Windows. Attackers can use a malicious file to trigger an incorrect handle, enabling a sandbox escape to run code outside the browser's restricted environment.
  • CVE-2025-40801 (CVSS score 8.1) - A certificate validation failure in the SALT SDK where the system fails to verify the identity of the authorization server. Attackers can perform man-in-the-middle attacks by intercepting TLS connections to steal sensitive credentials.
  • CVE-2025-40800 (CVSS score 7.4) - A missing server certificate validation issue in the IAM client during TLS handshakes. This flaw allows attackers to spoof the authorization server, leading to data interception or session hijacking.
  • CVE-2025-10148 (CVSS score 5.3) - A predictable mask pattern vulnerability in curl's websocket implementation that uses a fixed 32-bit mask. A malicious server can trick proxies into caching poisoned content, which is then served to other users of that proxy.
  • CVE-2024-11053 (CVSS score 3.7) - An information exposure flaw in curl when using .netrc files and following HTTP redirects. If a redirect target matches a netrc entry with missing credentials, the password from the original host may leak to the new host.
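As an added illustration of the .netrc behaviour described for CVE-2024-11053 (example code written for this advisory, not curl's own code; the hosts, credentials and client state are a constructed, simplified model), this Python shows how a stale password can follow a redirect to a host whose entry has a login but no password, the safe alternative, and an audit that lists the .netrc entries that matter:

```python
# Constructed sample .netrc (not from the advisory): the redirect target has a
# login but no password, the entry shape the advisory says triggers the leak.
SAMPLE_NETRC = """\
machine original.example login alice password s3cret
machine redirect.example login bob
"""

def parse_netrc(text):
    """Parse 'machine HOST login USER password PASS' lines into a dict keyed by
    host; missing fields are None. Simplified: one entry per line, no
    'default' or 'macdef' handling."""
    entries = {}
    for line in text.splitlines():
        tokens = line.split()
        if len(tokens) < 2 or tokens[0] != "machine":
            continue
        entry = {"login": None, "password": None}
        for key, value in zip(tokens[2::2], tokens[3::2]):
            if key in entry:
                entry[key] = value
        entries[tokens[1]] = entry
    return entries

def creds_for_host(entries, host, previous, reset_between_hops):
    """(login, password) a client would send to `host` after a redirect.
    reset_between_hops=False models the flaw: fields missing from the matching
    entry keep the values used for the previous hop, so the original host's
    password travels along. True models safe behaviour: nothing carries over."""
    entry = entries.get(host)
    if entry is None:                      # no matching entry: send nothing
        return None, None
    login, password = (None, None) if reset_between_hops else previous
    login = entry["login"] if entry["login"] is not None else login
    password = entry["password"] if entry["password"] is not None else password
    return login, password

def redirect_chain_credentials(netrc_text, hops, safe):
    """Credentials sent to each host of a redirect chain as [(host, creds), ...]."""
    entries = parse_netrc(netrc_text)
    sent, creds = [], (None, None)
    for host in hops:
        creds = creds_for_host(entries, host, creds, reset_between_hops=safe)
        sent.append((host, creds))
    return sent

def audit_netrc(netrc_text):
    """Defender's check: hosts whose entry has a login but no password, i.e. the
    entries that can pick up a stale password on an unpatched client."""
    return sorted(host for host, entry in parse_netrc(netrc_text).items()
                  if entry["login"] is not None and entry["password"] is None)
```

Running audit_netrc over the .netrc files on COMOS hosts shows which entries deserve attention before the curl-based components are updated.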

Affected products include Siemens COMOS versions V10.4, V10.4.5, V10.5, and V10.6. Some versions have direct patches available, while others require manual action or configuration changes. Siemens is currently developing additional fixes for the V10.6 version line, which is affected by the most recent certificate validation and curl-related flaws.

Users should update to COMOS V10.4.5 or V10.5.2 as soon as possible to resolve the most dangerous flaws, the remote code execution and sanitization bypass issues. For V10.6, administrators must contact Siemens support to receive specific patch information and update instructions. General security recommendations include isolating control systems behind firewalls, ensuring they are not accessible from the internet, and using VPNs for all remote access sessions.