CVE-2025-40944
📋 TL;DR
This vulnerability affects multiple Siemens SIMATIC industrial control system modules. An attacker can send a specially crafted S7 protocol disconnect request to TCP port 102, causing affected devices to become unresponsive and require a power cycle to restore functionality.
💻 Affected Systems
- SIMATIC ET 200AL IM 157-1 PN
- SIMATIC ET 200MP IM 155-5 PN HF
- SIMATIC ET 200SP IM 155-6 MF HF
- SIMATIC ET 200SP IM 155-6 PN HA
- SIMATIC ET 200SP IM 155-6 PN R1
- SIMATIC ET 200SP IM 155-6 PN/2 HF
- SIMATIC ET 200SP IM 155-6 PN/3 HF
- SIMATIC PN/MF Coupler
- SIMATIC PN/PN Coupler
- SIPLUS ET 200MP IM 155-5 PN HF variants
- SIPLUS ET 200SP IM 155-6 PN HF variants
- SIPLUS NET PN/PN Coupler
⚠️ Manual Verification Required
This CVE does not have specific version information in our database, so automatic vulnerability detection cannot determine if your system is affected.
Why? The CVE database entry doesn't specify which versions are vulnerable (no version ranges provided by the vendor/NVD).
- Review the CVE details at NVD
- Check vendor security advisories for your specific version
- Test if the vulnerability is exploitable in your environment
- Consider updating to the latest version as a precaution
⚠️ Risk & Real-World Impact
Worst Case
Complete denial of service affecting industrial processes, requiring physical power cycling of devices to restore operations, potentially disrupting manufacturing or critical infrastructure.
Likely Case
Targeted devices become unresponsive, disrupting specific industrial automation functions until manually reset.
If Mitigated
With proper network segmentation and access controls, impact is limited to isolated network segments.
🎯 Exploit Status
Exploitation requires sending a valid S7 protocol Disconnect Request (COTP DR TPDU) to TCP port 102, which is straightforward for attackers with network access.
🛠️ Fix & Mitigation
✅ Official Fix
Patch Version: Varies by product - see Siemens advisory SSA-674753 for specific version updates
Vendor Advisory: https://cert-portal.siemens.com/productcert/html/ssa-674753.html
Restart Required: Yes
Instructions:
1. Review Siemens advisory SSA-674753 for affected products and fixed versions.
2. Download the appropriate firmware updates from the Siemens support portal.
3. Apply the firmware updates following Siemens documentation.
4. Power cycle the devices after the update completes.
🔧 Temporary Workarounds
Network Segmentation
Isolate affected devices in separate network segments with strict access controls
Firewall Rules
Restrict access to TCP port 102 to only trusted engineering stations and controllers
🧯 If You Can't Patch
- Implement strict network segmentation to isolate affected devices
- Deploy intrusion detection systems to monitor for S7 protocol anomalies on port 102
🔍 How to Verify
Check if Vulnerable:
Check device firmware version against affected versions listed in Siemens advisory SSA-674753
Check Version:
Use Siemens TIA Portal or device web interface to check firmware version
Verify Fix Applied:
Verify firmware version has been updated to fixed versions specified in Siemens advisory
📡 Detection & Monitoring
Log Indicators:
- Unexpected device disconnections
- Multiple S7 disconnect requests from single source
- Device requiring power cycles
Network Indicators:
- Unusual S7 protocol traffic patterns on port 102
- Multiple COTP DR TPDU packets from non-trusted sources
SIEM Query:
dest_port:102 AND protocol:S7 AND (packet_type:DR OR disconnect_request)
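The two network indicators above (a COTP DR TPDU arriving on port 102 from a source that is not a trusted engineering station, and several such requests from one source in a short window) can be checked offline against exported connection logs. The script below is an added example, not part of this CVE record or of any Siemens tooling; it assumes a simple `key=value` per-line log format and an allowlist of trusted sources, both constructed here. Note that only a DR sent *to* TCP/102 is of interest: a DR whose source port is 102 is the device itself closing a session.

```python
"""Flag COTP Disconnect Request (DR) TPDUs sent to TCP/102 from untrusted
sources, or in bursts from one source, over constructed sample log lines.
Added example; log format, field names and allowlist are assumptions."""
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample records, in the shape an IDS or flow exporter might emit.
# 10.10.1.20 is the (assumed) engineering station; 10.10.9.77 is unknown.
SAMPLE_LOG = """\
ts=2025-10-14T08:00:01Z src=10.10.1.20 dst=10.10.2.5 dport=102 proto=S7 pdu=CR
ts=2025-10-14T08:00:01Z src=10.10.1.20 dst=10.10.2.5 dport=102 proto=S7 pdu=DT
ts=2025-10-14T08:05:00Z src=10.10.1.20 dst=10.10.2.5 dport=102 proto=S7 pdu=DR
ts=2025-10-14T08:07:10Z src=10.10.9.77 dst=10.10.2.5 dport=102 proto=S7 pdu=DR
ts=2025-10-14T08:07:11Z src=10.10.9.77 dst=10.10.2.6 dport=102 proto=S7 pdu=DR
ts=2025-10-14T08:07:12Z src=10.10.9.77 dst=10.10.2.7 dport=102 proto=S7 pdu=DR
ts=2025-10-14T08:07:13Z src=10.10.9.77 dst=10.10.2.5 dport=102 proto=S7 pdu=DR
ts=2025-10-14T08:09:00Z src=10.10.2.5 dst=10.10.1.20 dport=49152 proto=S7 pdu=DR
"""

TRUSTED_SOURCES = {"10.10.1.20"}   # assumed allowlist of engineering stations
BURST_THRESHOLD = 3                # DRs from one source ...
BURST_WINDOW = timedelta(seconds=60)  # ... within this window raise an alert


def parse_line(line):
    """Turn one 'key=value ...' record into a dict with typed ts/dport."""
    fields = dict(kv.split("=", 1) for kv in line.split())
    fields["ts"] = datetime.strptime(fields["ts"], "%Y-%m-%dT%H:%M:%SZ")
    fields["dport"] = int(fields["dport"])
    return fields


def inbound_dr_events(log_text):
    """Keep only DR TPDUs whose destination is TCP/102 (requests to a device).
    A DR leaving port 102 is the device closing a session and is ignored."""
    records = (parse_line(l) for l in log_text.splitlines() if l.strip())
    return [r for r in records
            if r["proto"] == "S7" and r["pdu"] == "DR" and r["dport"] == 102]


def analyze(log_text, trusted=TRUSTED_SOURCES,
            threshold=BURST_THRESHOLD, window=BURST_WINDOW):
    """Return a list of alert dicts: one per untrusted source, plus one per
    source whose DR rate exceeds `threshold` within any `window`."""
    alerts = []
    by_src = defaultdict(list)
    for ev in inbound_dr_events(log_text):
        by_src[ev["src"]].append(ev)

    for src, events in by_src.items():
        if src not in trusted:
            alerts.append({"rule": "untrusted_source", "src": src,
                           "count": len(events),
                           "targets": sorted({e["dst"] for e in events})})
        # Sliding-window burst check over the source's DR timestamps.
        events.sort(key=lambda e: e["ts"])
        start = 0
        for end in range(len(events)):
            while events[end]["ts"] - events[start]["ts"] > window:
                start += 1
            if end - start + 1 >= threshold:
                alerts.append({"rule": "dr_burst", "src": src,
                               "count": end - start + 1,
                               "first": events[start]["ts"].isoformat(),
                               "last": events[end]["ts"].isoformat()})
                break
    return alerts


if __name__ == "__main__":
    for alert in analyze(SAMPLE_LOG):
        print(alert)
```

Both rules fire for 10.10.9.77 in the sample data, while the single DR from the trusted station 10.10.1.20 produces nothing. The allowlist check is the higher-value signal in a segmented network; the burst rule is what catches a trusted host that has been compromised.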