Siemens COMOS, NX, Simcenter, and Solid Edge Missing Server Certificate Validation Vulnerability Allowing Man-in-the-Middle Attacks

Vulnerability

A vulnerability exists in multiple Siemens products, including COMOS V10.6, NX V2412 (prior to V2412.8700), NX V2506 (prior to V2506.6000), Simcenter 3D (prior to V2506.6000), Simcenter Femap (prior to V2506.0002), Solid Edge SE2025 (prior to V225.0 Update 10), and Solid Edge SE2026 (prior to V226.0 Update 1). The issue arises because the IAM client in these products does not validate server certificates when establishing TLS connections to the authorization server. This flaw could enable an attacker to conduct a man-in-the-middle attack.
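The flaw class described above, a TLS client that never validates the server's certificate, beside its hardened counterpart, as an added illustration that is not Siemens' IAM client code: the unverified context accepts whatever certificate an interposed host presents, the verified context anchors trust to a CA bundle and the expected server name, and the audit helper returns the settings that turn a client into a man-in-the-middle risk.

```python
import ssl
from typing import List, Optional

# Added example (not Siemens code): the two client-side TLS configurations that
# separate "missing server certificate validation" from its fix, plus an audit
# helper a reviewer can run against any client SSLContext.


def build_unverified_context() -> ssl.SSLContext:
    """The vulnerable pattern: a client context that trusts any server certificate."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    ctx.check_hostname = False        # must be cleared before CERT_NONE is allowed
    ctx.verify_mode = ssl.CERT_NONE   # chain is never validated: any cert is accepted
    return ctx


def build_verified_context(cafile: Optional[str] = None) -> ssl.SSLContext:
    """The hardened pattern: validate the chain against trusted roots (cafile is an
    assumed path to the organisation's CA bundle; None uses the system store) and
    require the certificate to match the server name passed to wrap_socket()."""
    ctx = ssl.create_default_context(purpose=ssl.Purpose.SERVER_AUTH, cafile=cafile)
    ctx.minimum_version = ssl.TLSVersion.TLSv1_2
    # create_default_context already sets check_hostname=True and CERT_REQUIRED.
    return ctx


def audit_tls_context(ctx: ssl.SSLContext) -> List[str]:
    """Return findings for a client SSLContext; an empty list means the context
    validates the server the way an authorization-server client should."""
    findings = []
    if ctx.verify_mode == ssl.CERT_NONE:
        findings.append("verify_mode is CERT_NONE: server certificate chain is never validated")
    if not ctx.check_hostname:
        findings.append("check_hostname is False: a valid certificate for any name is accepted")
    if ctx.minimum_version < ssl.TLSVersion.TLSv1_2:
        findings.append("minimum_version allows TLS below 1.2")
    return findings


if __name__ == "__main__":
    for label, ctx in (("unverified", build_unverified_context()),
                       ("verified", build_verified_context())):
        print(label, audit_tls_context(ctx) or ["no findings"])
```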

Impact

Exploitation of this vulnerability could lead to unauthorized interception and manipulation of communications between the client and the authorization server, potentially allowing attackers to impersonate the server or alter the data being transmitted.

Remediation

Users of COMOS V10.6 should update to the latest version. For NX V2412, NX V2506, Simcenter 3D, Simcenter Femap, Solid Edge SE2025, and Solid Edge SE2026, users should update to the specified versions or later. Product-specific update instructions are available on the Siemens Support website.

Added: Dec 9, 2025, 8:16 PM
Updated: Dec 9, 2025, 8:16 PM

Vulnerability Rating

Custom Algorithm
spread: 4.2
impact: 5.0
exploitability: 4.0
remediation: 7.7
relevance: 1.4
threat: 0.0
urgency: 2.9
incentive: 1.7

Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.