Critical

Authentication Bypass in Siemens Industrial Edge Device Kit API Endpoints

Identifiers: CVE-2025-40805, CWE-639 · Authorization Bypass Through…

CVE-2025-40805 is a critical authentication/authorization bypass vulnerability affecting Siemens Industrial Edge Device Kit on arm64 and x86-64 platforms. The issue arises because affected devices do not properly enforce user authentication on specific API endpoints. As a result, an unauthenticated remote attacker can send crafted requests to those endpoints and circumvent normal authentication checks. If the attacker knows the identity of a legitimate user, the attacker can impersonate that user and perform actions in that user context. The vulnerability is mapped to CWE-639 and is described in Siemens ProductCERT advisory SSA-014678, republished by CISA as ICSA-26-015-09. Reported affected versions include Industrial Edge Device Kit arm64 and x86-64 versions V1.5 through V1.23, V1.24 versions earlier than 1.24.2, and V1.25 versions earlier than 1.25.1.

ANALYST BRIEF

Impact, mitigation & remediation

What it means. What to do now. Patch path, mitigations, and the assume-compromise checklist.

Impact

What an attacker gets, and what they’ve been doing with it.

Successful exploitation allows an unauthenticated remote attacker to bypass authentication and impersonate a legitimate user. Given the CVSS v3.1 vector AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H and score of 10.0, the expected impact is high across confidentiality, integrity, and availability. In practice, this can enable unauthorized access to protected functionality exposed through the affected API endpoints, execution of actions as the impersonated user, access to sensitive data available to that user, modification of system or application state, and potential service disruption depending on the privileges and reachable functions associated with the impersonated account.

Mitigation

If you can’t patch tonight, do this now.

Limit network access to affected products to trusted parties only. Minimize network exposure and do not expose affected control system devices directly to the internet. Place control system networks and remote devices behind firewalls and isolate them from business networks. Use secure remote access methods such as VPNs when remote access is required, and keep those mechanisms updated. Configure deployments in accordance with Siemens operational guidance for Industrial Security. Perform impact analysis and risk assessment before deploying defensive changes in ICS environments. Increase monitoring for suspicious API access or anomalous authentication behavior, especially on unpatched or unsupported systems.

Remediation

Patch, then assume compromise.

Apply Siemens vendor fixes where available. For Siemens Industrial Edge Device Kit V1.24, update to version 1.24.2 or later. For Siemens Industrial Edge Device Kit V1.25, update to version 1.25.1 or later. The advisory also notes that for many affected product IDs and versions, no fix is currently planned; in those cases, follow Siemens and CISA hardening guidance and restrict exposure until a supported fixed release is available or the affected product is replaced/upgraded.
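
A version-triage check built from the affected ranges and fixed releases stated above, as an added example that is not part of the original page or of Siemens tooling. The inventory, hostnames, function names and status labels are constructed for illustration; it assumes versions are reported as `V1.24.1` or `1.24.1` style strings.

```python
import re

# Affected ranges as stated on this page for CVE-2025-40805
# (Industrial Edge Device Kit, arm64 and x86-64).
FIXED = {24: (1, 24, 2), 25: (1, 25, 1)}   # branch -> first fixed release
NO_FIX_NAMED = range(5, 24)                # V1.5 through V1.23

_VERSION = re.compile(r"^[Vv]?(\d+)\.(\d+)(?:\.(\d+))?$")


def parse_version(text):
    """Return (major, minor, patch) or None if the string is not a version."""
    m = _VERSION.match(text.strip())
    if not m:
        return None
    return int(m.group(1)), int(m.group(2)), int(m.group(3) or 0)


def triage(version_text):
    """Classify one reported version against the ranges on this page."""
    v = parse_version(version_text)
    if v is None:
        return "unknown", None          # unparsable: check by hand, do not assume safe
    major, minor, _ = v
    if major == 1 and minor in NO_FIX_NAMED:
        return "affected", None         # page names no fixed release for these branches
    if major == 1 and minor in FIXED:
        fixed = FIXED[minor]
        if v < fixed:
            return "affected", ".".join(map(str, fixed))
        return "fixed", None
    return "not-listed", None           # outside the ranges this page reports


def triage_inventory(inventory):
    """Map each (host, version) pair to (host, status, update_target)."""
    return [(host, *triage(version)) for host, version in inventory]


# Constructed sample inventory (hostnames and versions are made up).
SAMPLE = [
    ("edge-a", "V1.19"), ("edge-b", "1.24.1"), ("edge-c", "V1.24.2"),
    ("edge-d", "1.25.0"), ("edge-e", "V1.25.1"), ("edge-f", "n/a"),
]

if __name__ == "__main__":
    for host, status, target in triage_inventory(SAMPLE):
        print(f"{host:8} {status:11} update-to={target or '-'}")
```

Hosts reported as `affected` with no update target are the ones to prioritise for network restriction under the mitigation guidance, since this page names no fixed release for their branch.
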
PUBLIC EXPLOITS

Exploits

No public exploit code observed for this vulnerability.
