Skip to main content

SIMATIC ET 200 CVE-2025-40944

HIGH
Uncontrolled Resource Consumption (CWE-400)
2026-01-13 productcert@siemens.com
8.7
CVSS 4.0 · NVD
Share

Severity by source

NVD PRIMARY
8.7 HIGH
CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X

Primary rating from NVD · only source for this CVE.

CVSS VectorNVD

CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Attack Vector
Network
Attack Complexity
Low
Privileges Required
None
User Interaction
None
Scope
X

Lifecycle Timeline

6
Analysis Updated
Jun 09, 2026 - 10:28 vuln.today
v3 (cvss_changed)
Analysis Updated
Jun 09, 2026 - 10:28 vuln.today
v2 (cvss_changed)
Re-analysis Queued
Jun 09, 2026 - 10:22 vuln.today
cvss_changed
CVSS changed
Jun 09, 2026 - 10:22 NVD
7.5 (HIGH) 8.7 (HIGH)
Analysis Generated
Mar 12, 2026 - 21:54 vuln.today
CVE Published
Jan 13, 2026 - 10:15 nvd
HIGH 7.5

DescriptionCVE.org

A vulnerability has been identified in SIMATIC ET 200AL IM 157-1 PN (6ES7157-1AB00-0AB0) (All versions), SIMATIC ET 200MP IM 155-5 PN HF (6ES7155-5AA00-0AC0) (All versions >= V4.2.0), SIMATIC ET 200SP IM 155-6 MF HF (6ES7155-6MU00-0CN0) (All versions), SIMATIC ET 200SP IM 155-6 PN HA (incl. SIPLUS variants) (All versions < V1.3), SIMATIC ET 200SP IM 155-6 PN R1 (6ES7155-6AU00-0HM0) (All versions < V6.0.1), SIMATIC ET 200SP IM 155-6 PN/2 HF (6ES7155-6AU01-0CN0) (All versions >= V4.2.0), SIMATIC ET 200SP IM 155-6 PN/3 HF (6ES7155-6AU30-0CN0) (All versions < V4.2.2), SIMATIC PN/MF Coupler (6ES7158-3MU10-0XA0) (All versions), SIMATIC PN/PN Coupler (6ES7158-3AD10-0XA0) (All versions < V6.0.0), SIPLUS ET 200MP IM 155-5 PN HF (6AG1155-5AA00-2AC0) (All versions >= V4.2.0), SIPLUS ET 200MP IM 155-5 PN HF (6AG1155-5AA00-7AC0) (All versions >= V4.2.0), SIPLUS ET 200MP IM 155-5 PN HF T1 RAIL (6AG2155-5AA00-1AC0) (All versions >= V4.2.0), SIPLUS ET 200SP IM 155-6 PN HF (6AG1155-6AU01-2CN0) (All versions >= V4.2.0), SIPLUS ET 200SP IM 155-6 PN HF (6AG1155-6AU01-7CN0) (All versions >= V4.2.0), SIPLUS ET 200SP IM 155-6 PN HF T1 RAIL (6AG2155-6AU01-1CN0) (All versions >= V4.2.0), SIPLUS ET 200SP IM 155-6 PN HF TX RAIL (6AG2155-6AU01-4CN0) (All versions >= V4.2.0), SIPLUS NET PN/PN Coupler (6AG2158-3AD10-4XA0) (All versions < V6.0.0). Affected devices do not properly handle S7 protocol session disconnect requests. When receiving a valid S7 protocol Disconnect Request (COTP DR TPDU) on TCP port 102, the devices enter an improper session state.

This could allow an attacker to cause the device to become unresponsive, leading to a denial-of-service condition that requires a power cycle to restore normal operation.

AnalysisAI

Denial of service in Siemens SIMATIC ET 200 family PROFINET interface modules and PN/PN couplers allows remote unauthenticated attackers to render industrial controllers unresponsive by sending a single malformed S7 protocol Disconnect Request to TCP/102. The CVSS 4.0 score of 8.7 reflects the network-reachable, no-privileges-required vector against availability-critical OT assets, though EPSS is only 0.02% and no public exploit has been identified at time of analysis. Recovery requires a physical power cycle, which is operationally severe in plant environments.

Technical ContextAI

The affected devices are Siemens SIMATIC ET 200AL/MP/SP distributed I/O interface modules (and SIPLUS hardened variants) plus SIMATIC PN/PN and PN/MF Couplers that bridge PROFINET network segments. They speak the S7 communication protocol over ISO-on-TCP (RFC 1006), where ISO 8073 COTP TPDUs are encapsulated in TCP segments to port 102. The flaw is a CWE-400 Uncontrolled Resource Consumption: when the firmware receives a valid COTP Disconnect Request (DR) TPDU, the session state machine transitions into an improper state rather than cleanly tearing down the connection, exhausting or wedging the resource that handles further session establishment until the module is power-cycled.

Affected ProductsAI

Affected Siemens devices, per Siemens advisory SSA-674753 (https://cert-portal.siemens.com/productcert/html/ssa-674753.html), include SIMATIC ET 200AL IM 157-1 PN (6ES7157-1AB00-0AB0, all versions); SIMATIC ET 200MP IM 155-5 PN HF (6ES7155-5AA00-0AC0, all versions ≥ V4.2.0); SIMATIC ET 200SP IM 155-6 MF HF (6ES7155-6MU00-0CN0, all versions); SIMATIC ET 200SP IM 155-6 PN HA including SIPLUS variants (all versions < V1.3); SIMATIC ET 200SP IM 155-6 PN R1 (6ES7155-6AU00-0HM0, all versions < V6.0.1); SIMATIC ET 200SP IM 155-6 PN/2 HF (6ES7155-6AU01-0CN0, all versions ≥ V4.2.0); SIMATIC ET 200SP IM 155-6 PN/3 HF (6ES7155-6AU30-0CN0, all versions < V4.2.2); SIMATIC PN/MF Coupler (6ES7158-3MU10-0XA0, all versions); SIMATIC PN/PN Coupler (6ES7158-3AD10-0XA0, all versions < V6.0.0); and the corresponding SIPLUS ET 200MP/SP and SIPLUS NET PN/PN Coupler variants (6AG1155-5AA00-2AC0, -7AC0; 6AG2155-5AA00-1AC0; 6AG1155-6AU01-2CN0, -7CN0; 6AG2155-6AU01-1CN0, -4CN0; 6AG2158-3AD10-4XA0) at the same firmware boundaries as their SIMATIC counterparts.

RemediationAI

Where Siemens has shipped a fixed firmware (ET 200SP IM 155-6 PN HA to V1.3 or later, IM 155-6 PN R1 to V6.0.1 or later, IM 155-6 PN/3 HF to V4.2.2 or later, PN/PN Coupler and SIPLUS NET PN/PN Coupler to V6.0.0 or later), upgrade the affected modules to those versions per Siemens ProductCERT advisory SSA-674753 (https://cert-portal.siemens.com/productcert/html/ssa-674753.html). For the products listed with no fixed version (ET 200AL IM 157-1 PN, ET 200MP IM 155-5 PN HF ≥ V4.2.0, ET 200SP IM 155-6 MF HF, ET 200SP IM 155-6 PN/2 HF ≥ V4.2.0, PN/MF Coupler, and the matching SIPLUS variants), follow Siemens' operational guidance: restrict network access to TCP/102 on the PROFINET interface so only engineering workstations and PLCs that legitimately need S7 communications can reach it, place the cells behind a firewall or data diode at the IT/OT boundary, and enforce Siemens' general ICS hardening guidelines. The trade-off of blocking TCP/102 is that legitimate engineering tools (TIA Portal, STEP 7) and any peer S7 communications must traverse the allowlist, so cell-level segmentation rather than a blanket block is usually the workable control; monitor for unexpected COTP DR traffic as a detection compensating measure.

Share

CVE-2025-40944 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy