CVE-2025-40578
📋 TL;DR
A denial-of-service vulnerability in Siemens SCALANCE LPE9403 devices allows unauthenticated remote attackers to crash the dcpd process by sending multiple Profinet packets in rapid succession. This affects all versions of the SCALANCE LPE9403 (6GK5998-3GS00-2AC2) industrial networking device. The vulnerability can disrupt Profinet communication on affected devices.
💻 Affected Systems
- Siemens SCALANCE LPE9403 (6GK5998-3GS00-2AC2)
⚠️ Risk & Real-World Impact
Worst Case
Complete disruption of Profinet communication on the affected device, requiring manual restart and potentially causing production downtime in industrial environments.
Likely Case
Temporary loss of Profinet connectivity on the affected device, disrupting industrial automation processes until the dcpd process restarts or the device is rebooted.
If Mitigated
Minimal impact with proper network segmentation and access controls preventing unauthorized access to Profinet ports.
🎯 Exploit Status
The vulnerability requires sending multiple Profinet packets in rapid succession, which is trivial to implement with basic networking tools. No authentication required.
🛠️ Fix & Mitigation
✅ Official Fix
Patch Version: Check Siemens advisory for specific firmware updates
Vendor Advisory: https://cert-portal.siemens.com/productcert/html/ssa-327438.html
Restart Required: Yes
Instructions:
1. Check Siemens advisory SSA-327438 for latest firmware updates.
2. Download appropriate firmware from Siemens Support.
3. Follow SCALANCE LPE9403 firmware update procedure.
4. Verify firmware version after update.
5. Test Profinet functionality.
🔧 Temporary Workarounds
Network Segmentation
Restrict access to Profinet ports (34962-34964) to only authorized devices and networks.
Firewall Rules
Implement firewall rules to limit which devices can communicate with SCALANCE LPE9403 on Profinet ports.
🧯 If You Can't Patch
- Implement strict network segmentation to isolate SCALANCE devices from untrusted networks
- Deploy network monitoring to detect and alert on abnormal Profinet traffic patterns
🔍 How to Verify
Check if Vulnerable:
Check that the device model and part number match 6GK5998-3GS00-2AC2. All versions of this specific model are vulnerable.
Check Version:
Check via SCALANCE web interface or CLI: show version
Verify Fix Applied:
Verify firmware version against Siemens advisory SSA-327438. Test by attempting to send rapid Profinet packets and monitoring dcpd process stability.
📡 Detection & Monitoring
Log Indicators:
- dcpd process crashes or restarts
- Profinet communication errors
- Device reboot events
Network Indicators:
- High volume of Profinet packets from single source
- Abnormal Profinet traffic patterns
- Multiple DCP packets in rapid succession
SIEM Query:
source_port:34962-34964 AND packet_count > threshold AND time_window < 1s
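
The network indicators and the SIEM query above, written out as a per-source sliding-window check. This is an added example, not code from Siemens or from this page; the record layout `(timestamp_ms, source, port)`, the threshold value and the sample data are assumptions.

```python
from collections import defaultdict, deque

PROFINET_PORTS = range(34962, 34965)  # ports 34962-34964, as listed on this page
WINDOW_MS = 1000                      # the 1 s window from the SIEM query
THRESHOLD = 5                         # assumed value; tune to the site's baseline


def find_bursts(records, threshold=THRESHOLD, window_ms=WINDOW_MS):
    """Flag sources that send more than `threshold` Profinet packets
    inside any sliding window of `window_ms` milliseconds.

    `records` is an iterable of (timestamp_ms, source, port) tuples, an
    assumed layout for flow data exported by a network sensor.
    Returns {source: (first_alert_timestamp_ms, peak_packets_in_window)}.
    """
    recent = defaultdict(deque)  # source -> timestamps still inside the window
    alerts = {}
    for ts, src, port in sorted(records):
        if port not in PROFINET_PORTS:
            continue
        window = recent[src]
        window.append(ts)
        # Drop timestamps that have aged out of the window.
        while ts - window[0] >= window_ms:
            window.popleft()
        if len(window) > threshold:
            first, peak = alerts.get(src, (ts, 0))
            alerts[src] = (first, max(peak, len(window)))
    return alerts


# Constructed sample records (documentation addresses, not real traffic).
SAMPLE = (
    # 12 packets from one source within 550 ms: should alert
    [(10_000 + i * 50, "192.0.2.50", 34964) for i in range(12)]
    # one packet every 2 s from a controller: normal
    + [(10_000 + i * 2000, "192.0.2.10", 34964) for i in range(6)]
    # busy non-Profinet traffic: ignored
    + [(10_000 + i * 10, "192.0.2.77", 443) for i in range(20)]
)

if __name__ == "__main__":
    for src, (first, peak) in find_bursts(SAMPLE).items():
        print(f"ALERT {src}: first exceeded at {first} ms, peak {peak} packets/s")
```

Correlating an alert from this check with a dcpd restart or Profinet communication error on the device in the same time frame ties the network indicator to the log indicators listed above.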