Siemens SCALANCE CVE-2025-40833

EUVD-2025-209778 HIGH
NULL Pointer Dereference (CWE-476)
2026-05-12 siemens GHSA-9483-pcvr-wj53
8.7
CVSS 4.0
CVSS Vector (NVD)

CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Attack Vector
Network
Attack Complexity
Low
Privileges Required
None
User Interaction
None
Scope
X

Lifecycle Timeline

Analysis Updated
May 12, 2026 - 10:40 vuln.today
v2 (cvss_changed)
Re-analysis Queued
May 12, 2026 - 10:22 vuln.today
cvss_changed
CVSS changed
May 12, 2026 - 10:22 NVD
7.5 (HIGH) → 8.7 (HIGH)
Analysis Generated
May 12, 2026 - 10:01 vuln.today
CVE Published
May 12, 2026 - 08:20 nvd
HIGH 7.5

Description (NVD)

The affected devices contain a null pointer dereference vulnerability while processing specially crafted IPv4 requests. This could allow an attacker to cause a denial of service condition. A manual restart is required to recover the system.

Analysis (AI)

Denial of service in Siemens industrial networking equipment allows remote unauthenticated attackers to crash affected devices via specially crafted IPv4 packets, requiring a manual restart for recovery. This vulnerability affects over 200 Siemens industrial automation products, including SCALANCE switches/routers, SIMATIC PLCs, SINAMICS drives, and RUGGEDCOM devices. The CVSS 4.0 score of 8.7 reflects a high availability impact (VA:H) with a network-accessible attack vector requiring low complexity and no privileges (AV:N/AC:L/PR:N). No public exploit code or CISA KEV listing was identified at the time of analysis, though the straightforward network-based attack and widespread product exposure warrant priority patching in operational technology environments where uptime is critical.

Technical Context (AI)

This vulnerability stems from a null pointer dereference (CWE-476) in IPv4 packet processing code shared across Siemens industrial automation platforms. The affected CPE strings span SCALANCE industrial Ethernet switches (M-series routers, X-series switches, W-series wireless), SIMATIC programmable logic controllers (S7-300/400/1500 series CPUs), SINAMICS motor drives (G120/G130/S120/S150), RUGGEDCOM ruggedized networking equipment, IE/PB communication links, and SITOP industrial power supplies with embedded networking. A null pointer dereference occurs when software attempts to access memory through a pointer that has not been properly initialized or validated, causing immediate process termination. In network protocol stacks, this typically happens when malformed packets trigger edge cases in parsing logic where expected data structures are absent. The vulnerability affects firmware versions prior to V8.3 in networking products and unpatched versions across the PLC/drive product lines, suggesting a common networking stack component shared across the Siemens industrial portfolio. The network-accessible attack vector (AV:N) and the lack of an authentication requirement (PR:N) make this particularly concerning for industrial control systems, which often have limited segmentation.

Remediation (AI)

Apply vendor-released firmware updates per Siemens Security Advisory SSA-392349, available at https://cert-portal.siemens.com/productcert/html/ssa-392349.html. For SCALANCE networking products, upgrade to firmware version V8.3 or later (applies to M-series routers M804PB/M812/M816/M826/M874/M876/MUB/MUM, S615 routers, RUGGEDCOM RM1224). For SCALANCE W-series wireless access points, upgrade to V6.6.0 or later (W7xx models) or V3.2.0 or later (WAM7xx models). For the SIMATIC S7-410 V10 CPU family, upgrade to firmware V10.2 or later. For SIMATIC ET 200SP HA IM155-6 PN, upgrade to V1.3 or later. For SIMATIC CFU devices, upgrade CFU DIQ and CFU PA to V2.0.0 or later.

Many affected products (particularly older S7-300/400 CPUs, SINAMICS drives, and various SCALANCE X-series switches) show no upper version bound in EUVD data, indicating patches may not yet be available for all variants; consult the Siemens advisory for product-specific remediation status.

Compensating controls for unpatched devices: implement strict network segmentation isolating affected industrial devices from untrusted networks using firewalls or VLANs (reduces attack surface but requires network redesign and may complicate remote access); deploy intrusion detection systems monitoring for malformed IPv4 packets targeting affected devices (provides visibility but does not prevent exploitation); restrict IPv4 network access to affected devices using access control lists permitting only known-good IP addresses (effective for static environments but breaks dynamic manufacturing operations); and establish out-of-band management access for rapid recovery after denial-of-service events (mitigates the impact of the manual restart requirement but does not prevent downtime). The advisory recommends applying the cell protection concept and defense-in-depth strategies per Siemens Industrial Security guidelines.
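One way to triage an asset inventory against the fixed-in versions listed above; this is an added example, not Siemens or vuln.today code. The family labels, device names and inventory rows are constructed for illustration, and only the version numbers come from the remediation text.

```python
import re

# Fixed-in versions as stated in the remediation text (SSA-392349).
# Keys are labels made up for this example, not Siemens identifiers.
FIXED_IN = {
    "scalance-m-s615-rm1224": (8, 3),
    "scalance-w7xx": (6, 6, 0),
    "scalance-wam7xx": (3, 2, 0),
    "simatic-s7-410-v10": (10, 2),
    "et200sp-ha-im155-6-pn": (1, 3),
    "simatic-cfu-diq-pa": (2, 0, 0),
}

def parse_version(text):
    """'V8.2.1', 'v6.6', '10.2' -> tuple of ints; None if unparseable."""
    m = re.fullmatch(r"[Vv]?(\d+(?:\.\d+)*)", text.strip())
    return tuple(int(p) for p in m.group(1).split(".")) if m else None

def is_older(current, fixed):
    # Pad to equal length so 'V8.3' and 'V8.3.0' compare as equal;
    # a plain tuple comparison would rank (8, 3) below (8, 3, 0).
    n = max(len(current), len(fixed))
    pad = lambda v: v + (0,) * (n - len(v))
    return pad(current) < pad(fixed)

def triage(inventory):
    """Map device name -> UPDATE / AT_OR_ABOVE_FIX / NO_FIX_LISTED / UNKNOWN_VERSION."""
    results = {}
    for name, family, firmware in inventory:
        fixed = FIXED_IN.get(family)
        version = parse_version(firmware)
        if fixed is None:
            # No fixed version on this page: check the advisory and
            # rely on the compensating controls in the meantime.
            results[name] = "NO_FIX_LISTED"
        elif version is None:
            results[name] = "UNKNOWN_VERSION"
        elif is_older(version, fixed):
            results[name] = "UPDATE"
        else:
            results[name] = "AT_OR_ABOVE_FIX"
    return results

# Constructed sample inventory: (device name, family label, reported firmware).
INVENTORY = [
    ("rtr-01", "scalance-m-s615-rm1224", "V8.2.1"),
    ("rtr-02", "scalance-m-s615-rm1224", "V8.3"),
    ("ap-01", "scalance-w7xx", "V6.6"),
    ("ap-02", "scalance-wam7xx", "V3.1.9"),
    ("plc-01", "simatic-s7-300", "V3.3.17"),
    ("cfu-01", "simatic-cfu-diq-pa", "unknown"),
]
```

Devices reported as `NO_FIX_LISTED` or `UNKNOWN_VERSION` are the ones to confirm against the advisory's per-product status before closing them out.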