SSA-212953

Siemens Security Advisory by Siemens ProductCERT

SSA-212953: Multiple Vulnerabilities in COMOS

Publication Date:	2025-12-09
Last Update:	2026-02-10
Current Version:	V1.2
CVSS v3.1 Base Score:	10.0
CVSS v4.0 Base Score:	9.2

SUMMARY

COMOS is affected by multiple vulnerabilities that could allow an attacker to execute arbitrary code or cause denial of service condition, data infiltration or perform access control violations.

Siemens has released new versions for several affected products and recommends to update to the latest versions. Siemens is preparing further fix versions and recommends countermeasures for products where fixes are not, or not yet available.

KNOWN AFFECTED PRODUCTS

Un-/Collapse All

Affected Product and Versions	Remediation
COMOS V10.4	Show more details
COMOS V10.4 All versions < V10.4.5 with COMOS Web affected by CVE-2024-47875	Update to V10.4.5 or later version https://support.sw.siemens.com/product/222981661/
COMOS V10.4 All versions < V10.4.5 affected by CVE-2025-2783	Update to V10.4.5 or later version https://support.sw.siemens.com/product/222981661/
COMOS V10.4.5 All versions < V10.4.5.0.2 affected by multiple CVEs CVE-2025-10148 CVE-2024-11053	Contact customer support to receive patch and update information
COMOS V10.5	Show more details
COMOS V10.5 All versions < V10.5.2 affected by CVE-2025-2783	Update to V10.5.2 or later version https://support.sw.siemens.com/product/222981661/
COMOS V10.5 All versions < V10.5.2 with COMOS Web affected by CVE-2024-47875	Update to V10.5.2 or later version https://support.sw.siemens.com/product/222981661/
COMOS V10.6 All versions affected by multiple CVEs CVE-2025-40800 CVE-2025-40801 CVE-2024-11053 CVE-2025-10148	Currently no fix is available

MITIGATIONS

Product-specific remediations or mitigations can be found in the section Known Affected Products.
Please follow the General Security Recommendations.

GENERAL SECURITY RECOMMENDATIONS

As a general security measure, Siemens strongly recommends to protect network access to devices with appropriate mechanisms. In order to operate the devices in a protected IT environment, Siemens recommends to configure the environment according to Siemens' operational guidelines for Industrial Security (Download: https://www.siemens.com/cert/operational-guidelines-industrial-security), and to follow the recommendations in the product manuals. Additional information on Industrial Security by Siemens can be found at: https://www.siemens.com/industrialsecurity

PRODUCT DESCRIPTION

COMOS is a unified data platform for collaborative plant design, operation and management that supports collecting, processing, saving, and distributing of information throughout the entire plant lifecycle.

VULNERABILITY DESCRIPTION

Un-/Collapse All

This chapter describes all vulnerabilities (CVE-IDs) addressed in this security advisory. Wherever applicable, it also documents the product-specific impact of the individual vulnerabilities.

Vulnerability CVE-2024-11053

When asked to both use a .netrc file for credentials and to follow HTTP redirects, curl could leak the password used for the first host to the followed-to host under certain circumstances. This flaw only manifests itself if the netrc file has an entry that matches the redirect target hostname but the entry either omits just the password or omits both login and password.

CVSS v3.1 Base Score	3.7
CVSS v3.1 Vector	CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:N/A:N
CVSS v4.0 Base Score	6.3
CVSS v4.0 Vector	CVSS:4.0/AV:N/AC:H/AT:N/PR:N/UI:N/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N
CWE	CWE-200: Exposure of Sensitive Information to an Unauthorized Actor

Vulnerability CVE-2024-47875

DOMPurify is a DOM-only, super-fast, uber-tolerant XSS sanitizer for HTML, MathML and SVG. DOMpurify was vulnerable to nesting-based mXSS. This vulnerability is fixed in 2.5.0 and 3.1.3.

CVSS v3.1 Base Score	10.0
CVSS v3.1 Vector	CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:L/I:H/A:H
CWE	CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')

Vulnerability CVE-2025-2783

Incorrect handle provided in unspecified circumstances in Mojo in Google Chrome on Windows prior to 134.0.6998.177 allowed a remote attacker to perform a sandbox escape via a malicious file.

CVSS v3.1 Base Score	8.3
CVSS v3.1 Vector	CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:C/C:H/I:H/A:H
CVSS v4.0 Base Score	8.9
CVSS v4.0 Vector	CVSS:4.0/AV:N/AC:H/AT:N/PR:N/UI:A/VC:H/VI:H/VA:H/SC:H/SI:H/SA:H
CWE	CWE-20: Improper Input Validation

Vulnerability CVE-2025-10148

curl's websocket code did not update the 32 bit mask pattern for each new outgoing frame as the specification says. Instead it used a fixed mask that persisted and was used throughout the entire connection.

A predictable mask pattern allows for a malicious server to induce traffic between the two communicating parties that could be interpreted by an involved proxy (configured or transparent) as genuine, real, HTTP traffic with content and thereby poison its cache. That cached poisoned content could then be served to all users of that proxy.

CVSS v3.1 Base Score	5.3
CVSS v3.1 Vector	CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N
CWE	CWE-340: Generation of Predictable Numbers or Identifiers

Vulnerability CVE-2025-40800

The IAM client in affected products is missing server certificate validation while establishing TLS connections to the authorization server. This could allow an attacker to perform a man-in-the-middle attack.

CVSS v3.1 Base Score	7.4
CVSS v3.1 Vector	CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:N
CVSS v4.0 Base Score	9.1
CVSS v4.0 Vector	CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:H/VI:H/VA:N/SC:N/SI:N/SA:N
CWE	CWE-295: Improper Certificate Validation

Vulnerability CVE-2025-40801

The SALT SDK is missing server certificate validation while establishing TLS connections to the authorization server. This could allow an attacker to perform a man-in-the-middle attack.

CVSS v3.1 Base Score	8.1
CVSS v3.1 Vector	CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H
CVSS v4.0 Base Score	9.2
CVSS v4.0 Vector	CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N
CWE	CWE-295: Improper Certificate Validation

ADDITIONAL INFORMATION

Updated general product information and user manuals are available on SIOS Portal: https://support.industry.siemens.com/cs/ww/en/view/109739837.
Please also consider the Security-relevant configuration for COMOS: https://support.industry.siemens.com/cs/document/109823629/.

For further inquiries on security vulnerabilities in Siemens products and solutions, please contact the Siemens ProductCERT: https://www.siemens.com/cert/advisories

HISTORY DATA

V1.0 (2025-12-09):	Publication Date
V1.1 (2026-01-13):	Removed CVE-2024-11053 and CVE-2025-10148 from COMOS V10.5.2 as this version line is not affected
V1.2 (2026-02-10):	Added fix for COMOS V10.4.5

The use of Siemens Security Advisories is subject to the terms and conditions listed on: https://www.siemens.com/productcert/terms-of-use.