
CVE-2025-40805 (Industrial)

Severity: CRITICAL
Weakness: Authorization Bypass Through User-Controlled Key (CWE-639)
Published: 2026-01-13 | Source: productcert@siemens.com
CVSS 3.1 base score: 10.0

CVSS Vector (NVD)

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H

Attack Vector: Network
Attack Complexity: Low
Privileges Required: None
User Interaction: None
Scope: Changed
Confidentiality: High
Integrity: High
Availability: High

Lifecycle Timeline

Analysis Generated: Mar 12, 2026 - 21:54 (vuln.today)
CVE Published: Jan 13, 2026 - 10:15 (nvd)

Description (NVD)

Affected devices do not properly enforce user authentication on specific API endpoints. This could facilitate an unauthenticated remote attacker to circumvent authentication and impersonate a legitimate user. Successful exploitation requires that the attacker has learned the identity of a legitimate user.

Analysis (AI)

An API authentication bypass allows unauthenticated attackers to impersonate legitimate users. Maximum CVSS 10.0 with scope change. Requires knowledge of a legitimate user's identity.

Technical Context (AI)

Specific API endpoints do not enforce proper user authentication, and the user identity they act on is taken from a client-controlled value (CWE-639). An attacker who knows a legitimate user's identity can therefore impersonate that user without presenting any credentials.

Affected Products (AI)

See vendor advisory

Remediation (AI)

Apply the vendor patches. Enforce authentication on all API endpoints, and verify that the user identity an endpoint acts on comes from the authenticated session rather than from a client-supplied identifier.


CVE-2025-40805 vulnerability details – vuln.today
