Siemens Advanced Licensing (SALT) Toolkit

Plan PatchCVSS 8.1ICS-CERT ICSA-25-345-05Dec 9, 2025

Siemens

Attack path

Attack VectorNetwork

Auth RequiredNone

ComplexityHigh

User InteractionNone needed

Summary

Multiple Siemens products including COMOS, NX, Simcenter 3D, Simcenter Femap, Simcenter Studio, Simcenter System Architect, and Tecnomatix Plant Simulation contain improper certificate validation in the Siemens Advanced Licensing (SALT) Toolkit. This allows an unauthenticated remote attacker to perform man-in-the-middle attacks on licensing communications. The attacker could intercept and modify software licensing and updates sent between engineering tools and Siemens licensing servers. JT Bi-Directional Translator for STEP is affected but no fix is planned.

What this means

What could happen

An attacker could intercept and modify communications between Siemens engineering tools and licensing servers, potentially allowing unauthorized software deployment or license manipulation on critical engineering workstations used to configure industrial systems.

Who's at risk

Engineering teams and automation specialists who use Siemens design and simulation tools (NX, Simcenter, COMOS, Tecnomatix Plant Simulation) are at risk. These tools are used to configure and test industrial control systems, process equipment, and plant simulations. Compromise could allow unauthorized modifications to engineering designs or software deployments on controlled systems. The JT Bi-Directional Translator for STEP tool is also affected but will not receive a patch.

How it could be exploited

An attacker positioned on the network path between an affected Siemens tool (NX, Simcenter, COMOS, etc.) and Siemens licensing servers could perform a man-in-the-middle attack by presenting a forged certificate. The tool would accept the fraudulent certificate due to improper validation, allowing the attacker to intercept, read, or modify licensing and software update traffic.

Prerequisites

Network access to communications between the affected Siemens tool and Siemens licensing servers (port 443/HTTPS)
Ability to intercept network traffic (e.g., ARP spoofing, DNS hijacking, or network position on the same segment as the engineering workstation)
No user interaction required

remotely exploitableno authentication requiredhigh CVSS score (8.1)affects engineering/design tools used in critical infrastructureno patch available for JT Bi-Directional Translator and some COMOS/Simcenter products

Exploitability

Unlikely to be exploited — EPSS score 0.0%

Affected products (9)

8 with fix1 EOL

ProductAffected VersionsFix Status

COMOS V10.6< 10.6.110.6.1

NX V2412< 2412.89002412.8900

NX V2506< 2506.60002506.6000

Simcenter 3D< 2506.60002506.6000

Simcenter Femap< 2506.00022506.0002

Simcenter Studio< 2506.00012506.0001

Simcenter System Architect< 2506.00012506.0001

Tecnomatix Plant Simulation< 2504.00072504.0007

Remediation & Mitigation

0/10

Do now

0/1

WORKAROUNDRestrict network access to Siemens licensing servers (port 443) to authorized engineering workstations only using firewall rules

Schedule — requires maintenance window

0/8

Patching may require device reboot — plan for process interruption

Simcenter 3D

HOTFIXUpdate Simcenter 3D to version 2506.6000 or later

Simcenter Femap

HOTFIXUpdate Simcenter Femap to version 2506.0002 or later

Simcenter Studio

HOTFIXUpdate Simcenter Studio to version 2506.0001 or later

Simcenter System Architect

HOTFIXUpdate Simcenter System Architect to version 2506.0001 or later

Tecnomatix Plant Simulation

HOTFIXUpdate Tecnomatix Plant Simulation to version 2504.0007 or later

All products

HOTFIXUpdate COMOS to version 10.6.1 or later

HOTFIXUpdate NX to version 2412.8900 or later (for V2412 installations)

HOTFIXUpdate NX to version 2506.6000 or later (for V2506 installations)

Mitigations - no patch available

0/1

JT Bi-Directional Translator for STEP has reached End of Life. The vendor will not release a patch. Apply the following compensating controls:

HARDENINGIsolate engineering workstations running affected Siemens tools from the business network using network segmentation or a dedicated engineering VLAN

CVEs (1)

CVE-2025-40801

View full CISA ICS-CERT advisory

↑↓ Navigate · Esc Close

API: /api/v1/advisories/7ad4e587-e172-4870-a0d4-bee853600f67

Get OT security insights every Tuesday

Advisory breakdowns, a weekly summary, and incident analyses for the people actually defending OT environments. Free, no account required.