CVE-2025-40555: CWE-440: Expected Behavior Violation in Siemens APOGEE PXC+TALON TC Series (BACnet)
A vulnerability has been identified in APOGEE PXC+TALON TC Series (BACnet) (All versions). Affected devices start sending unsolicited BACnet broadcast messages after processing a specific BACnet createObject request. This could allow an attacker residing in the same BACnet network to send a specially crafted message that results in a partial denial of service condition of the targeted device, and potentially reduce the availability of the BACnet network. A power cycle is required to restore the device's normal operation.
AI Analysis
Technical Summary
CVE-2025-40555 is a medium-severity vulnerability affecting Siemens APOGEE PXC+TALON TC Series devices that use the BACnet protocol. The issue arises when the device processes a specially crafted BACnet createObject request, after which it starts sending unsolicited BACnet broadcast messages. This behavior violates expected protocol operations (CWE-440: Expected Behavior Violation). An attacker located within the same BACnet network can exploit this flaw to trigger a partial denial of service (DoS) condition on the targeted device. The DoS manifests as a disruption in device availability and potentially degrades the overall BACnet network's availability. Recovery from this state requires a manual power cycle of the affected device. The vulnerability does not affect confidentiality or integrity but impacts availability. It requires no privileges or user interaction to exploit, but the attacker must have access to the BACnet network segment. Siemens has not yet released a patch, and no known exploits are currently in the wild. The CVSS v3.1 base score is 4.7, reflecting a medium severity level, with an adjacent-network attack vector, low attack complexity, no privileges required, no user interaction, and a changed scope due to the potential network-wide impact.
Potential Impact
For European organizations, especially those in critical infrastructure sectors such as energy, manufacturing, and building automation, this vulnerability poses a risk to operational continuity. Siemens APOGEE PXC+TALON TC Series devices are commonly used in building management and industrial control systems across Europe. An attacker exploiting this vulnerability could cause partial denial of service on these devices, leading to disruptions in HVAC, lighting, or other automated controls. This could result in operational inefficiencies, increased energy costs, or safety concerns in sensitive environments. The requirement for a power cycle to restore normal operation means that automated recovery is not possible, potentially causing prolonged downtime. While the vulnerability does not allow data theft or manipulation, the availability impact on critical control systems could have cascading effects on business operations and safety compliance.
Mitigation Recommendations
European organizations should immediately identify and inventory all Siemens APOGEE PXC+TALON TC Series devices on their BACnet networks. Network segmentation should be enforced to isolate BACnet devices from general IT networks and restrict access to trusted management stations only. Implement strict network access controls and monitoring for unusual BACnet createObject requests or unexpected broadcast traffic. Since no patch is currently available, consider deploying network-level BACnet protocol anomaly detection tools to detect and block malformed or unexpected BACnet messages. Establish procedures for rapid manual intervention, including power cycling affected devices if a DoS condition is detected. Engage with Siemens support channels for updates on patches or firmware upgrades. Additionally, review and harden BACnet device configurations to minimize exposure to unsolicited requests and disable unnecessary BACnet services where possible.
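A starting point for the monitoring that the mitigation section recommends, as an added example that is not from the advisory or from Siemens: a minimal BACnet/IP (Annex J) header parser that flags CreateObject confirmed requests (the trigger described above) and per-source bursts of unconfirmed broadcast NPDUs (the symptom). The sample frames, IP addresses, burst threshold and window are constructed; the service parameters of the CreateObject request are omitted because only the APDU header is inspected.

```python
from collections import defaultdict, deque

BROADCAST_NPDU, CONFIRMED, UNCONFIRMED, CREATE_OBJECT = 0x0B, 0x0, 0x1, 10  # BVLC fn, PDU types, service

def parse_bacnet_ip(frame):
    """Decode the BVLC, NPDU and APDU headers of one BACnet/IP frame; None if not an APDU."""
    try:
        if frame[0] != 0x81 or int.from_bytes(frame[2:4], "big") != len(frame):
            return None
        npdu = frame[4:]
        if npdu[0] != 0x01 or npdu[1] & 0x80:       # wrong version, or a network-layer message
            return None
        ctrl, pos = npdu[1], 2
        if ctrl & 0x20: pos += 3 + npdu[pos + 2]    # DNET(2) DLEN(1) DADR(DLEN)
        if ctrl & 0x08: pos += 3 + npdu[pos + 2]    # SNET(2) SLEN(1) SADR(SLEN)
        if ctrl & 0x20: pos += 1                    # hop count follows the address fields
        apdu, pdu_type = npdu[pos:], npdu[pos] >> 4
        if pdu_type == CONFIRMED:                   # flags, max-apdu, invoke-id, [seq, win], service
            service = apdu[5] if apdu[0] & 0x08 else apdu[3]
        else:
            service = apdu[1] if pdu_type == UNCONFIRMED else None
    except IndexError:                              # truncated frame
        return None
    return {"broadcast": frame[1] == BROADCAST_NPDU, "pdu_type": pdu_type, "service": service}

def analyze(frames, burst=5, window=1.0):
    """frames: (timestamp, src_ip, raw_bytes) in time order. Returns the alerts raised."""
    alerts, recent = [], defaultdict(deque)
    for ts, src, raw in frames:
        p = parse_bacnet_ip(raw)
        if p is None:
            continue
        if p["pdu_type"] == CONFIRMED and p["service"] == CREATE_OBJECT:
            alerts.append(("createobject-request", src, ts))   # the trigger: record who sent it
        elif p["pdu_type"] == UNCONFIRMED and p["broadcast"]:
            q = recent[src]
            q.append(ts)
            while ts - q[0] > window:                           # keep only the last `window` seconds
                q.popleft()
            if len(q) == burst + 1:                             # the symptom: a broadcast storm begins
                alerts.append(("broadcast-burst", src, len(q)))
    return alerts

# Constructed sample traffic (hypothetical addresses): one unicast CreateObject request, then
# eight I-Am broadcasts from a single device within one second.
CREATE_REQ = b"\x81\x0a\x00\x0a\x01\x04\x00\x05\x01\x0a"
I_AM = b"\x81\x0b\x00\x14\x01\x00\x10\x00\xc4\x02\x00\x00\x01\x22\x04\x00\x91\x03\x21\x0f"
SAMPLE = [(0.0, "10.0.0.50", CREATE_REQ)] + [(0.1 * i, "10.0.0.7", I_AM) for i in range(1, 9)]
```

Run `analyze(SAMPLE)` to see one alert for the CreateObject request and one for the broadcast burst; tune `burst` and `window` to the normal I-Am and Who-Is rate of the segment before deploying.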
Affected Countries
Germany, France, United Kingdom, Italy, Spain, Netherlands, Belgium, Sweden, Poland, Austria
Technical Details
- Data Version: 5.1
- Assigner Short Name: siemens
- Date Reserved: 2025-04-16T08:20:17.029Z
- CISA Enriched: true
- CVSS Version: 3.1
- State: PUBLISHED
Threat ID: 682d9816c4522896dcbd65a3
Added to database: 5/21/2025, 9:08:38 AM
Last enriched: 7/12/2025, 2:02:51 AM
Last updated: 7/31/2025, 8:50:36 PM