Siemens Advanced Licensing (SALT) Toolkit

Plan Patch8.1ICS-CERT ICSA-25-345-05Dec 9, 2025

Attack VectorNetwork

Auth RequiredNone

ComplexityHigh

User InteractionNone needed

Summary

Multiple Siemens products contain improper certificate validation in the Siemens Advanced Licensing (SALT) Toolkit. The affected products include COMOS, JT Bi-Directional Translator for STEP, NX, Simcenter 3D, Simcenter Femap, Simcenter Studio, Simcenter System Architect, and Tecnomatix Plant Simulation. An unauthenticated remote attacker positioned on the network between engineering workstations and Siemens licensing servers could perform man-in-the-middle attacks by presenting an invalid certificate that the affected products fail to properly validate. This could allow the attacker to intercept or modify licensing data and potentially inject malicious content. CWE-295: Improper Certificate Validation.

What this means

What could happen

An attacker could intercept and modify communication between engineering workstations and the Siemens licensing server, potentially injecting malicious software or license data into design and simulation tools used in plant automation projects. This could compromise the integrity of engineering files used in critical infrastructure control systems.

Who's at risk

Engineering teams and automation designers at water utilities, power plants, and manufacturing facilities that use Siemens design, simulation, and licensing tools (COMOS for process design, NX for CAD/CAM, Simcenter for multi-body simulation, Tecnomatix for plant simulation, and JT for model exchange). Anyone using these tools for control system engineering is affected.

How it could be exploited

An attacker positioned on the network between a user's engineering workstation and Siemens licensing servers performs a man-in-the-middle attack by spoofing the SALT licensing server certificate. The workstation accepts the invalid certificate due to improper validation, allowing the attacker to intercept and modify licensing traffic or inject malicious content into product updates and engineering file transfers.

Prerequisites

Network access to the path between engineering workstations and Siemens licensing servers (same network segment or routable path)
Ability to perform ARP spoofing, DNS hijacking, or BGP route hijacking to redirect licensing traffic
User runs COMOS, JT Translator, NX, Simcenter, or Tecnomatix tools that communicate with SALT licensing servers

Remotely exploitableNo authentication required for attackLow attack complexity once attacker is on networkMan-in-the-middle attack is widely understoodNo patch available for JT Translator (end-of-life product)Affects integrity of engineering files that control critical processes

Exploitability

Low exploit probability (EPSS 0.0%)

Affected products (9)

8 with fix1 EOL

ProductAffected VersionsFix Status

COMOS V10.6< 10.6.110.6.1

NX V2412< 2412.89002412.8900

NX V2506< 2506.60002506.6000

Simcenter 3D< 2506.60002506.6000

Simcenter Femap< 2506.00022506.0002

Simcenter Studio< 2506.00012506.0001

Simcenter System Architect< 2506.00012506.0001

Tecnomatix Plant Simulation< 2504.00072504.0007

Remediation & Mitigation

0/8

Schedule — requires maintenance window

0/6

Patching may require device reboot — plan for process interruption

Simcenter 3D

HOTFIXUpdate Simcenter 3D to version 2506.6000 or later

Simcenter Femap

HOTFIXUpdate Simcenter Femap to version 2506.0002 or later

Tecnomatix Plant Simulation

HOTFIXUpdate Tecnomatix Plant Simulation to version 2504.0007 or later

All products

HOTFIXUpdate COMOS to version 10.6.1 or later

HOTFIXUpdate NX 2412 to version 2412.8900 or later

HOTFIXUpdate NX 2506 to version 2506.6000 or later

Mitigations - no patch available

0/2

JT Bi-Directional Translator for STEP has reached End of Life. The vendor will not release a patch. Apply the following compensating controls:

HARDENINGIsolate engineering workstation networks from business networks using firewalls; restrict outbound HTTPS traffic to only authorized Siemens licensing servers

HARDENINGRequire VPN for remote access to engineering workstations and restrict VPN to single-factor access only to authorized personnel

CVEs (1)

CVE-2025-40801

View full CISA ICS-CERT advisory

↑↓ Navigate · Esc Close

API: /api/v1/advisories/7ad4e587-e172-4870-a0d4-bee853600f67