CVE-2025-40556
📋 TL;DR
A vulnerability in Siemens BACnet ATEC 550 series devices allows attackers on the same BACnet network to send specially crafted MSTP messages that cause denial of service. Affected devices require a power cycle to recover normal operation. This impacts all versions of BACnet ATEC 550-440, 550-441, 550-445, and 550-446 devices.
💻 Affected Systems
- BACnet ATEC 550-440
- BACnet ATEC 550-441
- BACnet ATEC 550-445
- BACnet ATEC 550-446
⚠️ Manual Verification Required
This CVE does not have specific version information in our database, so automatic vulnerability detection cannot determine if your system is affected.
Why? The CVE database entry doesn't specify which versions are vulnerable (no version ranges provided by the vendor/NVD).
- Review the CVE details at NVD
- Check vendor security advisories for your specific version
- Test if the vulnerability is exploitable in your environment
- Consider updating to the latest version as a precaution
⚠️ Risk & Real-World Impact
Worst Case
Critical building automation systems become unavailable, requiring physical access to power cycle devices, potentially disrupting HVAC, lighting, or security systems.
Likely Case
Targeted devices become unresponsive, requiring manual intervention and downtime for affected building systems.
If Mitigated
Network segmentation prevents attackers from reaching vulnerable devices, limiting impact to isolated segments.
🎯 Exploit Status
Exploitation requires network access to BACnet MSTP segment but no authentication.
🛠️ Fix & Mitigation
✅ Official Fix
Patch Version: Check Siemens advisory for specific firmware updates
Vendor Advisory: https://cert-portal.siemens.com/productcert/html/ssa-828116.html
Restart Required: Yes
Instructions:
1. Check Siemens advisory for firmware updates.
2. Download appropriate firmware.
3. Apply update following vendor instructions.
4. Restart device.
🔧 Temporary Workarounds
Network Segmentation
Isolate BACnet MSTP networks from other network segments using firewalls or VLANs.
Physical Access Control
Restrict physical access to BACnet network connections and devices.
🧯 If You Can't Patch
- Implement strict network segmentation to isolate BACnet MSTP networks
- Monitor network traffic for unusual BACnet MSTP patterns and implement physical security controls
🔍 How to Verify
Check if Vulnerable:
Check device model and firmware version against Siemens advisory SSA-828116
Check Version:
Consult device documentation for firmware version check procedure (typically via web interface or serial connection)
Verify Fix Applied:
Verify firmware version has been updated to patched version specified in Siemens advisory
📡 Detection & Monitoring
Log Indicators:
- Device becoming unresponsive
- BACnet communication failures
- Unexpected device restarts
Network Indicators:
- Unusual BACnet MSTP traffic patterns
- Multiple malformed MSTP packets from single source
SIEM Query:
BACnet MSTP protocol anomalies OR device_unresponsive events from building automation systems
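The "multiple malformed MSTP packets from single source" indicator above can be approximated by validating MS/TP frame headers from a capture and counting failures per claimed source address. The Python below is an added example, not code from Siemens or from this page, and it is not a signature for CVE-2025-40556: it applies generic well-formedness checks only. The function names, the threshold of 3, the 501-octet data limit and the sample frames are assumptions constructed for illustration.

```python
from collections import Counter

MAX_DATA_LEN = 501  # assumption: non-extended MS/TP frames; adjust to your network

def header_crc(header: bytes) -> int:
    """Header CRC-8 over FrameType, Dest, Source, Length (ASHRAE 135 Annex G method)."""
    crc = 0xFF
    for octet in header:
        c = crc ^ octet
        c ^= (c << 1) ^ (c << 2) ^ (c << 3) ^ (c << 4) ^ (c << 5) ^ (c << 6) ^ (c << 7)
        crc = (c & 0xFE) ^ ((c >> 8) & 1)
    return ~crc & 0xFF  # the ones' complement is what goes on the wire

def check_frame(frame: bytes):
    """Return (claimed_source, reason); reason is None for a well-formed header.
    The data CRC is not verified here; only the header and declared length."""
    if len(frame) < 8:
        return None, "truncated"
    src = frame[4]  # claimed source; unreliable if the header itself is corrupt
    if frame[:2] != b"\x55\xff":
        return src, "bad_preamble"
    if header_crc(frame[2:7]) != frame[7]:
        return src, "bad_header_crc"
    length = int.from_bytes(frame[5:7], "big")
    if length > MAX_DATA_LEN:
        return src, "oversize_length"
    if len(frame) != 8 + (length + 2 if length else 0):  # data + 2-octet data CRC
        return src, "length_mismatch"
    return src, None

def noisy_sources(frames, threshold=3):
    """Map source address -> malformed-frame count, for sources at or over threshold."""
    bad = Counter()
    for frame in frames:
        src, reason = check_frame(frame)
        if reason and src is not None:
            bad[src] += 1
    return {s: n for s, n in bad.items() if n >= threshold}

def _hdr(ftype, dst, src, length):  # helper used only to build constructed samples
    h = bytes([ftype, dst, src]) + length.to_bytes(2, "big")
    return b"\x55\xff" + h + bytes([header_crc(h)])

SAMPLE = [  # constructed frames, not taken from any real capture
    bytes.fromhex("55ff00100500008c"),  # valid token frame, 0x05 -> 0x10
    _hdr(0x05, 0x10, 0x2A, 0xFFFF),     # header declares 65535 data octets
    _hdr(0x05, 0x10, 0x2A, 4),          # declares 4 data octets, none follow
    bytes.fromhex("55ff05102a000000"),  # header CRC does not match
    bytes.fromhex("55ff0010050000"),    # cut off before the header CRC
]

if __name__ == "__main__":
    print(noisy_sources(SAMPLE))
```

On RS-485, line noise also produces header CRC failures, so baseline the per-source count on a healthy segment before alerting on it.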