Skip to main content

Siemens SCALANCE CVE-2025-40833

| EUVDEUVD-2025-209778 HIGH
NULL Pointer Dereference (CWE-476)
2026-05-12 siemens GHSA-9483-pcvr-wj53
Denial Of Service Null Pointer Dereference Ie Pb Link Ha Ie Pb Link Pn Io Ruggedcom Rm1224 Lte 4G Eu Ruggedcom Rm1224 Lte 4G Nam Scalance M804Pb Scalance M812 1 Adsl Router Scalance M816 1 Adsl Router Scalance M826 2 Shdsl Router Scalance M874 2 Scalance M874 3 Scalance M874 3 3G Router Cn Scalance M876 3 Scalance M876 3 Rok Scalance M876 4 Scalance M876 4 Eu Scalance M876 4 Nam Scalance Mub852 1 A1 Scalance Mub852 1 B1 Scalance Mum853 1 A1 Scalance Mum853 1 B1 Scalance Mum853 1 Eu Scalance Mum856 1 A1 Scalance Mum856 1 B1 Scalance Mum856 1 Cn Scalance Mum856 1 Eu Scalance Mum856 1 Row Scalance S615 Eec Lan Router Scalance S615 Lan Router Scalance Sc622 2C Scalance Sc626 2C Scalance Sc632 2C Scalance Sc636 2C Scalance Sc642 2C Scalance Sc646 2C Scalance W1748 1 M12 Scalance W1788 1 M12 Scalance W1788 2 Eec M12 Scalance W1788 2 M12 Scalance W1788 2Ia M12 Scalance W721 1 Rj45 Scalance W722 1 Rj45 Scalance W734 1 Rj45 Scalance W734 1 Rj45 Usa Scalance W738 1 M12 Scalance W748 1 M12 Scalance W748 1 Rj45 Scalance W761 1 Rj45 Scalance W774 1 M12 Eec Scalance W774 1 Rj45 Scalance W774 1 Rj45 Usa Scalance W778 1 M12 Scalance W778 1 M12 Eec Scalance W778 1 M12 Eec Usa Scalance W786 1 Rj45 Scalance W786 2 Rj45 Scalance W786 2 Sfp Scalance W786 2Ia Rj45 Scalance W788 1 M12 Scalance W788 1 Rj45 Scalance W788 2 M12 Scalance W788 2 M12 Eec Scalance W788 2 Rj45 Scalance Wab762 1 Scalance Wam763 1 Scalance Wam763 1 Me Scalance Wam763 1 Us Scalance Wam766 1 Scalance Wam766 1 Me Scalance Wam766 1 Us Scalance Wam766 1 Eec Scalance Wam766 1 Eec Me Scalance Wam766 1 Eec Us Scalance Wub762 1 Scalance Wub762 1 Ifeatures Scalance Wum763 1 Scalance Wum763 1 Us Scalance Wum766 1 Scalance Wum766 1 Me Scalance Wum766 1 Usa Scalance X204 2 Scalance X204 2Fm Scalance X204 2Ld Scalance X204 2Ld Ts Scalance X204 2Ts Scalance X206 1 Scalance X206 1Ld Scalance X208 Scalance X208Pro Scalance X212 2 Scalance X212 2Ld Scalance X216 Scalance X224 Scalance X302 7 Eec 230V Coated Scalance X302 7 Eec 230V Scalance X302 7 Eec 24V Coated Scalance X302 7 Eec 24V Scalance X302 7 Eec 2X 230V Coated Scalance X302 7 Eec 2X 230V Scalance X302 7 Eec 2X 24V Coated Scalance X302 7 Eec 2X 24V Scalance X304 2Fe Scalance X306 1Ld Fe Scalance X307 2 Eec 230V Coated Scalance X307 2 Eec 230V Scalance X307 2 Eec 24V Coated Scalance X307 2 Eec 24V Scalance X307 2 Eec 2X 230V Coated Scalance X307 2 Eec 2X 230V Scalance X307 2 Eec 2X 24V Coated Scalance X307 2 Eec 2X 24V Scalance X307 3 Scalance X307 3Ld Scalance X308 2 Scalance X308 2 Rd Inkl Siplus Variants Scalance X308 2Ld Scalance X308 2Lh Scalance X308 2M Scalance X308 2M Poe Scalance X308 2M Ts Scalance X310 Scalance X310Fe Scalance X320 1 Fe Scalance X320 1 2Ld Fe Scalance X408 2 Scalance Xf204 Scalance Xf204 2 Scalance Xf206 1 Scalance Xf208 Scalance Xm408 4C Scalance Xm408 4C L3 Int Scalance Xm408 8C Scalance Xm408 8C L3 Int Scalance Xm416 4C Scalance Xm416 4C L3 Int Scalance Xr324 12M 230V Ports On Front Scalance Xr324 12M 230V Ports On Rear Scalance Xr324 12M 24V Ports On Front Scalance Xr324 12M 24V Ports On Rear Scalance Xr324 12M Ts 24V Scalance Xr324 4M Eec 100 240Vac 60 250Vdc Ports On Front Scalance Xr324 4M Eec 100 240Vac 60 250Vdc Ports On Rear Scalance Xr324 4M Eec 24V Ports On Front Scalance Xr324 4M Eec 24V Ports On Rear Scalance Xr324 4M Eec 2X 100 240Vac 60 250Vdc Ports On Front Scalance Xr324 4M Eec 2X 100 240Vac 60 250Vdc Ports On Rear Scalance Xr324 4M Eec 2X 24V Ports On Front Scalance Xr324 4M Eec 2X 24V Ports On Rear Scalance Xr324 4M Poe 230V Ports On Front Scalance Xr324 4M Poe 230V Ports On Rear Scalance Xr324 4M Poe 24V Ports On Front Scalance Xr324 4M Poe 24V Ports On Rear Scalance Xr324 4M Poe Ts 24V Ports On Front Scalance Xr524 8C 1X230V Scalance Xr524 8C 1X230V L3 Int Scalance Xr524 8C 24V Scalance Xr524 8C 24V L3 Int Scalance Xr524 8C 2X230V Scalance Xr524 8C 2X230V L3 Int Scalance Xr526 8C 1X230V Scalance Xr526 8C 1X230V L3 Int Scalance Xr526 8C 24V Scalance Xr526 8C 24V L3 Int Scalance Xr526 8C 2X230V Scalance Xr526 8C 2X230V L3 Int Scalance Xr528 6M Scalance Xr528 6M 2Hr2 L3 Int Scalance Xr528 6M 2Hr2 Scalance Xr528 6M L3 Int Scalance Xr552 12M Scalance Xr552 12M 2Hr2 L3 Int Scalance Xr552 12M 2Hr2 Simatic Cfu Diq Simatic Cfu Pa Simatic Et 200Pro Im 154 8 Pn Dp Cpu Simatic Et 200Pro Im 154 8F Pn Dp Cpu Simatic Et 200Pro Im 154 8Fx Pn Dp Cpu Simatic Et 200S Im 151 8 Pn Dp Cpu Simatic Et 200S Im 151 8F Pn Dp Cpu Simatic Et 200Sp Cpu 1510Sp F 1 Pn Simatic Et 200Sp Cpu 1510Sp 1 Pn Simatic Et 200Sp Cpu 1512Sp F 1 Pn Simatic Et 200Sp Cpu 1512Sp 1 Pn Simatic Et 200Sp Ha Im155 6 Pn Simatic S7 1500 Cpu 1511 1 Pn Simatic S7 1500 Cpu 1511F 1 Pn Simatic S7 1500 Cpu 1513 1 Pn Simatic S7 1500 Cpu 1515 2 Pn Simatic S7 1500 Cpu 1515F 2 Pn Simatic S7 1500 Cpu 1516 3 Pn Dp Simatic S7 1500 Cpu 1516F 3 Pn Dp Simatic S7 300 Cpu 314C 2 Pn Dp Simatic S7 300 Cpu 315 2 Pn Dp Simatic S7 300 Cpu 315F 2 Pn Dp Simatic S7 300 Cpu 315T 3 Pn Dp Simatic S7 300 Cpu 317 2 Pn Dp Simatic S7 300 Cpu 317F 2 Pn Dp Simatic S7 300 Cpu 317T 3 Pn Dp Simatic S7 300 Cpu 317Tf 3 Pn Dp Simatic S7 300 Cpu 319 3 Pn Dp Simatic S7 300 Cpu 319F 3 Pn Dp Simatic S7 400 Cpu 412 2 Pn V7 Simatic S7 400 Cpu 414 3 Pn Dp V7 Simatic S7 400 Cpu 414F 3 Pn Dp V7 Simatic S7 400 Cpu 416 3 Pn Dp V7 Simatic S7 400 Cpu 416F 3 Pn Dp V7 Simatic S7 400 H V6 Cpu Family Incl Siplus Variants Simatic S7 410 V10 Cpu Family Incl Siplus Variants Simatic S7 410 V8 Cpu Family Incl Siplus Variants Simit Unit V10 Simit Unit V11 Sinamics Cbe20 Sinamics G115D Sinamics G120 Incl Siplus Variants Sinamics G120C Sinamics G120D Sinamics G120X Sinamics G120Xa Sinamics G130 Sinamics G150 Sinamics S110 Sinamics S120 Incl Siplus Variants Sinamics S150 Sinumerik 840D Sl Siplus Et 200S Im 151 8 Pn Dp Cpu Siplus Et 200S Im 151 8F Pn Dp Cpu Siplus Net Ie Pb Link Pn Io Siplus S7 300 Cpu 314C 2 Pn Dp Siplus S7 300 Cpu 315 2 Pn Dp Siplus S7 300 Cpu 315F 2 Pn Dp Siplus S7 300 Cpu 317 2 Pn Dp Siplus S7 300 Cpu 317F 2 Pn Dp Siplus S7 400 Cpu 414 3 Pn Dp V7 Siplus S7 400 Cpu 416 3 Pn Dp V7 Sitop Psu8600 1Ac 20 A 4X5 A Pn Sitop Psu8600 3Ac 20 A Pn Sitop Psu8600 3Ac 20 A 4X5 A Pn Sitop Psu8600 3Ac 40 A Pn Sitop Psu8600 3Ac 40 A 4X10 A Pn Sitop Psu8600 3Ac 40 A 4X10A Eip Sitop Ups1600 10 A Ethernet Profinet Sitop Ups1600 20 A Ethernet Profinet Sitop Ups1600 40 A Ethernet Profinet Sitop Ups1600 Ex 20 A Ethernet Profinet
8.7
CVSS 4.0 · Vendor: siemens
Share

Severity by source

Vendor (siemens) PRIMARY
8.7 HIGH
CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X

Primary rating from Vendor (siemens) · only source for this CVE.

CVSS VectorVendor: siemens

CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Attack Vector
Network
Attack Complexity
Low
Privileges Required
None
User Interaction
None
Scope
X

Lifecycle Timeline

5
Analysis Updated
May 12, 2026 - 10:40 vuln.today
v2 (cvss_changed)
Re-analysis Queued
May 12, 2026 - 10:22 vuln.today
cvss_changed
CVSS changed
May 12, 2026 - 10:22 NVD
7.5 (HIGH) 8.7 (HIGH)
Analysis Generated
May 12, 2026 - 10:01 vuln.today
CVE Published
May 12, 2026 - 08:20 nvd
HIGH 7.5

DescriptionCVE.org

The affected devices contain a null pointer dereference vulnerability while processing specially crafted IPv4 requests. This could allow an attacker to cause denial of service condition. A manual restart is required to recover the system.

AnalysisAI

Denial of service in Siemens industrial networking equipment allows remote unauthenticated attackers to crash affected devices via specially crafted IPv4 packets, requiring manual restart for recovery. This vulnerability affects over 200 Siemens industrial automation products including SCALANCE switches/routers, SIMATIC PLCs, SINAMICS drives, and RUGGEDCOM devices. CVSS 4.0 score of 8.7 reflects high availability impact (VA:H) with network-accessible attack vector requiring low complexity and no privileges (AV:N/AC:L/PR:N). No public exploit code or CISA KEV listing identified at time of analysis, though the straightforward network-based attack and widespread product exposure warrant priority patching for operational technology environments where uptime is critical.

Technical ContextAI

This vulnerability stems from a null pointer dereference (CWE-476) in IPv4 packet processing code shared across Siemens industrial automation platforms. The affected CPE strings span SCALANCE industrial Ethernet switches (M-series routers, X-series switches, W-series wireless), SIMATIC programmable logic controllers (S7-300/400/1500 series CPUs), SINAMICS motor drives (G120/G130/S120/S150), RUGGEDCOM ruggedized networking equipment, IE/PB communication links, and SITOP industrial power supplies with embedded networking. A null pointer dereference occurs when software attempts to access memory through a pointer that has not been properly initialized or validated, causing immediate process termination. In network protocol stacks, this typically happens when malformed packets trigger edge cases in parsing logic where expected data structures are absent. The vulnerability affects firmware versions prior to V8.3 in networking products and unpatched versions across the PLC/drive product lines, suggesting a common networking stack component shared across Siemens industrial portfolio. The network-accessible nature (AV:N) and lack of authentication requirement (PR:N) make this particularly concerning for industrial control systems that often have limited segmentation.

RemediationAI

Apply vendor-released firmware updates per Siemens Security Advisory SSA-392349 available at https://cert-portal.siemens.com/productcert/html/ssa-392349.html. For SCALANCE networking products, upgrade to firmware version V8.3 or later (applies to M-series routers M804PB/M812/M816/M826/M874/M876/MUB/MUM, S615 routers, RUGGEDCOM RM1224). For SCALANCE W-series wireless access points, upgrade to V6.6.0 or later (W7xx models) or V3.2.0 or later (WAM7xx models). For SIMATIC S7-410 V10 CPU family, upgrade to firmware V10.2 or later. For SIMATIC ET 200SP HA IM155-6 PN, upgrade to V1.3 or later. For SIMATIC CFU devices, upgrade CFU DIQ and CFU PA to V2.0.0 or later. Many affected products (particularly older S7-300/400 CPUs, SINAMICS drives, and various SCALANCE X-series switches) show no upper version bound in EUVD data, indicating patches may not yet be available for all variants - consult Siemens advisory for product-specific remediation status. Compensating controls for unpatched devices: implement strict network segmentation isolating affected industrial devices from untrusted networks using firewalls or VLANs (reduces attack surface but requires network redesign and may complicate remote access), deploy intrusion detection systems monitoring for malformed IPv4 packets targeting affected devices (provides visibility but does not prevent exploitation), restrict IPv4 network access to affected devices using access control lists permitting only known-good IP addresses (effective for static environments but breaks dynamic manufacturing operations), and establish out-of-band management access for rapid recovery after denial-of-service events (mitigates impact of manual restart requirement but does not prevent downtime). Advisory recommends applying cell protection concept and defense-in-depth strategies per Siemens Industrial Security guidelines.

Share

CVE-2025-40833 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy