Siemens reports critical flaw in IAM Client on multiple industrial products

Siemens is reporting a critical security vulnerability in its IAM (Identity and Access Management) client component used in multiple industrial software products. 

The flaw is tracked as CVE-2025-40800 (CVSS score 9.1), and is caused by improper certificate validation and could allow unauthenticated remote attackers to conduct man-in-the-middle attacks, potentially enabling attackers to intercept and manipulate sensitive communications between industrial systems and authentication servers.

The vulnerability affects multiple Siemens industrial software products: 

• COMOS V10.6 (all versions)
• NX V2412 (all versions prior to 2412.8700)
• NX V2506 (all versions prior to 2506.6000)
• Simcenter 3D (all versions prior to 2506.6000)
• Simcenter Femap (all versions prior to 2506.0002)
• Solid Edge SE2025 (all versions prior to V225.0 Update 10)
• Solid Edge SE2026 (all versions prior to V226.0 Update 1).

Siemens has released patches for most affected products except COMOS V10.6: 

• Solid Edge SE2025 users should update to V225.0 Update 10 or later
• Solid Edge SE2026 users should update to V226.0 Update 1 or later
• NX V2412 users should update to V2412.8700 or later
• Simcenter Femap users should update to V2506.0002 or later
• Both NX V2506 and Simcenter 3D users should update to V2506.6000 or later versions. 

Organizations unable to immediately apply patches should implement network segmentation and restrict access to affected systems using firewalls and VPNs as interim protective measures.

CISA and Siemens recommend organizations minimize network exposure for all affected control system devices, ensuring they are not accessible from the internet, and locate control systems behind firewalls isolated from business networks.