Siemens Mendix SAML Module

As of January 10, 2023, CISA will no longer be updating ICS security advisories for Siemens product vulnerabilities beyond the initial advisory. For the most up-to-date information on vulnerabilities in this advisory, please see Siemens’ ProductCERT Security Advisories (CERT Services | Services | Siemens Global).


1. EXECUTIVE SUMMARY

  • CVSS v3 8.7
  • ATTENTION: Exploitable remotely
  • Vendor: Siemens
  • Equipment: Mendix SAML Module
  • Vulnerability: Improper Verification of Cryptographic Signature

2. RISK EVALUATION

Successful exploitation of this vulnerability could allow unauthenticated remote attackers to hijack an account in specific SSO configurations.

3. TECHNICAL DETAILS

3.1 AFFECTED PRODUCTS

Siemens reports that the following products are affected:

  • Siemens Mendix SAML (Mendix 9.24 compatible): Versions prior to V3.6.21
  • Siemens Mendix SAML (Mendix 10.12 compatible): Versions prior to V4.0.3
  • Siemens Mendix SAML (Mendix 10.21 compatible): Versions prior to V4.1.2

3.2 VULNERABILITY OVERVIEW

3.2.1 IMPROPER VERIFICATION OF CRYPTOGRAPHIC SIGNATURE CWE-347

Affected versions of the module insufficiently enforce signature validation and binding checks. This could allow unauthenticated remote attackers to hijack an account in specific SSO configurations.

CVE-2025-40758 has been assigned to this vulnerability. A CVSS v3.1 base score of 8.7 has been calculated; the CVSS vector string is (CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:C/C:H/I:H/A:N).
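The advisory names the defect class, CWE-347, and describes it as insufficient "signature validation and binding checks" in a SAML service-provider module, without publishing the specific flaw. The following is an added illustration of that class and is not Mendix code; it does not reproduce the Mendix issue. It builds a miniature SAML validator in which HMAC-SHA256 over a serialized Assertion stands in for XML-DSig (a real module verifies an RSA/ECDSA XML signature against the IdP certificate from metadata), the Signature element is simplified to carry the reference URI directly, and the IdP key, the SP entityID and ACS URL, the request IDs and the user names are all constructed for the demo. validate_weak accepts a Response if any Signature in it verifies and then reads the identity from the first Assertion; validate_strict requires that the Assertion it consumes is the signed element and enforces InResponseTo, Recipient, Audience and NotOnOrAfter.

```python
import copy
import hashlib
import hmac
import xml.etree.ElementTree as ET
from datetime import datetime, timezone

NS = {"saml": "urn:oasis:names:tc:SAML:2.0:assertion", "ds": "http://www.w3.org/2000/09/xmldsig#",
      "samlp": "urn:oasis:names:tc:SAML:2.0:protocol"}
for _prefix, _uri in NS.items():
    ET.register_namespace(_prefix, _uri)
S = "{%s}%%s" % NS["saml"]                       # S % "Assertion" -> namespaced tag

IDP_KEY = b"constructed-idp-signing-key"         # hypothetical IdP key (demo only)
SP_ENTITY_ID = "https://sp.example/metadata"     # hypothetical SP entityID
SP_ACS_URL = "https://sp.example/acs"            # hypothetical Assertion Consumer Service URL
NOW = datetime(2025, 6, 1, tzinfo=timezone.utc)  # fixed clock so the demo is reproducible


def require(cond, msg):
    if not cond:
        raise ValueError(msg)


def canonical(assertion):
    """Serialize an Assertion with its enveloped Signature removed (stand-in for C14N)."""
    a = copy.deepcopy(assertion)
    a.tail = None
    for sig in a.findall("ds:Signature", NS):
        a.remove(sig)
    return ET.tostring(a)


def signature_value(assertion):
    # HMAC-SHA256 stands in for the RSA/ECDSA XML-DSig a real IdP would produce.
    return hmac.new(IDP_KEY, canonical(assertion), hashlib.sha256).hexdigest()


def build_assertion(name_id, assertion_id, in_response_to, not_on_or_after, signed):
    """Constructed Assertion; if signed, a simplified enveloped Signature names its ID."""
    a = ET.Element(S % "Assertion", ID=assertion_id)
    subj = ET.SubElement(a, S % "Subject")
    ET.SubElement(subj, S % "NameID").text = name_id
    conf = ET.SubElement(subj, S % "SubjectConfirmation")
    ET.SubElement(conf, S % "SubjectConfirmationData", InResponseTo=in_response_to,
                  Recipient=SP_ACS_URL, NotOnOrAfter=not_on_or_after)
    aud = ET.SubElement(ET.SubElement(a, S % "Conditions"), S % "AudienceRestriction")
    ET.SubElement(aud, S % "Audience").text = SP_ENTITY_ID
    if signed:
        sig = ET.SubElement(a, "{%s}Signature" % NS["ds"], URI="#" + assertion_id)
        sig.text = signature_value(a)
    return a


def build_response(assertions, in_response_to):
    r = ET.Element("{%s}Response" % NS["samlp"], InResponseTo=in_response_to)
    r.extend(assertions)
    return ET.tostring(r)


def validate_weak(xml_bytes):
    """Vulnerable: any verifying Signature suffices; identity read from the first Assertion."""
    root = ET.fromstring(xml_bytes)
    sig = root.find(".//ds:Signature", NS)
    require(sig is not None, "no signature")
    signed = root.find(".//*[@ID='%s']" % sig.get("URI")[1:])   # whatever the Signature points at
    require(signed is not None and hmac.compare_digest(sig.text or "", signature_value(signed)), "bad signature")
    return root.find(".//saml:Assertion/saml:Subject/saml:NameID", NS).text


def validate_strict(xml_bytes, expected_request_id, now=NOW):
    """Hardened: one Assertion, signed over itself, bound to our request, SP and ACS, unexpired."""
    root = ET.fromstring(xml_bytes)
    require(root.get("InResponseTo") == expected_request_id, "Response.InResponseTo mismatch")
    assertions = root.findall("saml:Assertion", NS)
    require(len(assertions) == 1, "expected exactly one Assertion")
    a = assertions[0]
    sig = a.find("ds:Signature", NS)
    require(sig is not None and sig.get("URI") == "#" + a.get("ID"), "signature does not cover the consumed Assertion")
    require(hmac.compare_digest(sig.text or "", signature_value(a)), "bad signature")
    data = a.find("saml:Subject/saml:SubjectConfirmation/saml:SubjectConfirmationData", NS)
    require(data is not None and data.get("InResponseTo") == expected_request_id, "InResponseTo mismatch")
    require(data.get("Recipient") == SP_ACS_URL, "Recipient mismatch")
    # a malformed NotOnOrAfter raises ValueError from fromisoformat and is therefore also rejected
    require(now < datetime.fromisoformat(data.get("NotOnOrAfter").replace("Z", "+00:00")), "expired")
    aud = a.find("saml:Conditions/saml:AudienceRestriction/saml:Audience", NS)
    require(aud is not None and aud.text == SP_ENTITY_ID, "Audience mismatch")
    return a.find("saml:Subject/saml:NameID", NS).text


def outcome(validator, *args):
    try:
        return validator(*args)
    except ValueError as e:
        return "rejected: " + str(e)


def demo():
    req, ok = "_req-42", "2025-06-01T00:05:00Z"   # our AuthnRequest ID; a still-valid NotOnOrAfter
    legit = build_response([build_assertion("alice", "_a1", req, ok, True)], req)
    # Signature wrapping: unsigned "admin" Assertion placed ahead of mallory's validly signed one.
    wrapped = build_response([build_assertion("admin", "_evil", req, ok, False),
                              build_assertion("mallory", "_a2", req, ok, True)], req)
    # Replay: a genuine signed Assertion captured for a different AuthnRequest.
    replay = build_response([build_assertion("mallory", "_a3", "_req-7", ok, True)], "_req-7")
    results = {}
    for name, xml in (("legit", legit), ("wrapped", wrapped), ("replay", replay)):
        results["weak:" + name] = outcome(validate_weak, xml)
        results["strict:" + name] = outcome(validate_strict, xml, req)
    return results
```

Calling demo() shows the weak validator accepting "admin" for the wrapped Response and "mallory" for the replayed one, while the strict validator accepts only the legitimate Response for "alice". The two properties that matter in a real module are the ones the strict path enforces: the signature must be verified over the exact element whose attributes are consumed (never "some signature somewhere in the document"), and the consumed Assertion must be bound to this SP and this login attempt through InResponseTo (a one-time value the SP stored when it issued the AuthnRequest), Recipient, Audience and the validity window. Production code should delegate the XML-DSig part to a vetted library configured with the IdP certificate from metadata rather than re-implementing it.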

3.3 BACKGROUND

  • CRITICAL IN

    […]

    This article has been indexed from All CISA Advisories
