CVE-2025-40944: CWE-400: Uncontrolled Resource Consumption in Siemens SIMATIC ET 200AL IM 157-1 PN
CVE-2025-40944 is a high-severity vulnerability affecting multiple Siemens SIMATIC ET 200 series industrial communication modules. The flaw arises from improper handling of S7 protocol Disconnect Requests on TCP port 102, causing devices to enter an improper session state. This leads to uncontrolled resource consumption, rendering the device unresponsive and causing a denial-of-service (DoS) condition that requires a power cycle to recover. No authentication or user interaction is needed to exploit this vulnerability, and it impacts availability without affecting confidentiality or integrity. The vulnerability affects a broad range of Siemens ET 200AL, ET 200MP, ET 200SP, and related SIPLUS variants, which are widely deployed in industrial automation environments. Although no known exploits are currently in the wild, the ease of exploitation and critical impact on availability make this a significant threat. European organizations relying on Siemens industrial control systems (ICS) for manufacturing, utilities, and critical infrastructure are at risk. Mitigation requires Siemens firmware updates once available, network segmentation, strict access controls to TCP port 102, and monitoring for anomalous S7 Disconnect Requests. Countries with strong industrial sectors and Siemens ICS market penetration, such as Germany, France, Italy, and the UK, are most likely to be affected.
AI Analysis
Technical Summary
CVE-2025-40944 is a vulnerability classified under CWE-400 (Uncontrolled Resource Consumption) found in multiple Siemens SIMATIC ET 200 series communication modules, including ET 200AL IM 157-1 PN, ET 200MP IM 155-5 PN HF, ET 200SP IM 155-6 variants, and SIPLUS versions. The root cause is improper handling of valid S7 protocol Disconnect Requests (COTP DR TPDU) received on TCP port 102, the standard port for Siemens S7 communication. When these devices receive such a disconnect request, they enter an improper session state that leads to resource exhaustion. This state causes the device to become unresponsive, effectively resulting in a denial-of-service condition. Recovery from this state requires a manual power cycle, which disrupts industrial processes relying on these devices. The vulnerability does not require any authentication or user interaction, making it remotely exploitable over the network with low attack complexity. The CVSS v3.1 score is 7.5 (high severity), reflecting the network attack vector, no privileges required, no user interaction, and a high impact on availability. The vulnerability affects all versions of some devices and specific version ranges of others, indicating a widespread exposure across Siemens’ industrial communication product line. No patches or exploits are currently publicly available, but the broad impact on critical ICS components makes this a significant concern for operational technology (OT) environments.
Potential Impact
The primary impact of CVE-2025-40944 is a denial-of-service condition that disrupts the availability of Siemens SIMATIC ET 200 series modules, which are integral components in industrial automation and control systems. For European organizations, especially those in manufacturing, energy, utilities, and critical infrastructure sectors, this can lead to operational downtime, production losses, safety risks, and potential cascading failures in automated processes. Since these devices often operate in safety-critical environments, unplanned outages could also pose risks to personnel and equipment. The requirement for a manual power cycle to restore functionality means that automated recovery is not possible, increasing incident response complexity and downtime. The vulnerability’s ease of exploitation over the network without authentication elevates the risk of targeted attacks or opportunistic scanning by threat actors. Given Siemens’ strong market presence in Europe, the impact could be widespread, affecting both large industrial enterprises and smaller operators relying on these devices.
Mitigation Recommendations
1. Monitor Siemens’ official channels for firmware updates addressing CVE-2025-40944 and apply patches promptly once available.
2. Implement strict network segmentation to isolate industrial control networks from corporate and external networks, limiting access to TCP port 102.
3. Deploy access control lists (ACLs) and firewall rules to restrict inbound traffic to only trusted management stations and authorized devices.
4. Use deep packet inspection (DPI) or protocol-aware intrusion detection/prevention systems (IDS/IPS) to detect and block anomalous or malformed S7 Disconnect Requests.
5. Conduct regular network traffic monitoring and anomaly detection focused on S7 protocol communications to identify potential exploitation attempts early.
6. Establish operational procedures for rapid response and manual power cycling of affected devices to minimize downtime.
7. Train OT security teams on this vulnerability and ensure incident response plans include scenarios for DoS conditions affecting Siemens ET 200 modules.
8. Consider deploying redundant or failover systems where possible to maintain operational continuity during device outages.
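As an added example (not Siemens code and not part of this advisory), the kind of protocol-aware check that mitigation items 4 and 5 ask for: a Python parser for the TPKT/COTP framing the S7 protocol uses on TCP/102 that flags a COTP DR TPDU arriving on a flow that never completed a CR/CC handshake, or a burst of DRs from one source. The addresses, sample packets and rate threshold are constructed assumptions, and the per-source counter has no time window.

```python
import struct
from collections import defaultdict

S7_PORT = 102
TPDU_NAMES = {0xE: "CR", 0xD: "CC", 0x8: "DR", 0xC: "DC", 0xF: "DT"}  # ISO 8073 codes, upper nibble

def parse_cotp(payload):
    """Return the TPDU type of one TPKT-framed COTP packet, or None if the framing is malformed."""
    if len(payload) < 7 or payload[0] != 3 or struct.unpack(">H", payload[2:4])[0] != len(payload):
        return None  # TPKT version must be 3 and its length field must match the segment
    li, kind = payload[4], TPDU_NAMES.get(payload[5] >> 4)
    if kind is None or 5 + li > len(payload) or (kind != "DT" and li < 5):
        return None  # COTP LI must fit the segment; CR/CC/DR/DC carry DST-REF and SRC-REF
    return kind

class S7DisconnectMonitor:
    """Flags a DR to port 102 that no CR/CC handshake preceded, or a burst of DRs from one source."""
    def __init__(self, dr_limit=5):
        self.established = set()           # (client, device) flows that completed CR -> CC
        self.dr_counts = defaultdict(int)  # DRs seen per client address (constructed heuristic)
        self.dr_limit = dr_limit
    def observe(self, src, sport, dst, dport, payload):
        kind = parse_cotp(payload)         # one TCP segment; returns (alert, source) or None
        if kind is None:
            return ("malformed_cotp", src)
        if sport == S7_PORT and kind == "CC":          # device answered a connect request
            self.established.add((dst, src))
        elif dport == S7_PORT and kind == "DR":        # client asked the device to disconnect
            self.dr_counts[src] += 1
            if self.dr_counts[src] > self.dr_limit:
                return ("dr_flood", src)
            if (src, dst) not in self.established:
                return ("unsolicited_dr", src)
            self.established.discard((src, dst))       # orderly teardown of a known session

def _pkt(code, dst_ref, src_ref, tail=b""):
    """Constructed sample: TPKT header + one COTP TPDU with the given code and references."""
    cotp = bytes([code]) + struct.pack(">HH", dst_ref, src_ref) + tail
    return b"\x03\x00" + struct.pack(">H", 5 + len(cotp)) + bytes([len(cotp)]) + cotp

PARAMS = b"\x00\xc1\x02\x01\x00\xc2\x02\x01\x02\xc0\x01\x0a"  # class 0, src/dst TSAP, TPDU size
SAMPLE_CR, SAMPLE_CC = _pkt(0xE0, 0, 1, PARAMS), _pkt(0xD0, 1, 2, PARAMS)
SAMPLE_DR = _pkt(0x80, 2, 1, b"\x00")  # DR with reason code 0 (not specified)

def run_demo(limit=2):
    """Replay a constructed capture; returns one entry per segment (None where nothing fired)."""
    mon, device = S7DisconnectMonitor(dr_limit=limit), "10.0.1.20"  # constructed addresses
    client, stranger = "10.0.0.5", "10.0.0.99"
    events = [(client, 40001, device, 102, SAMPLE_CR), (device, 102, client, 40001, SAMPLE_CC),
              (client, 40001, device, 102, SAMPLE_DR),    # orderly teardown, no alert
              (stranger, 40002, device, 102, SAMPLE_DR),  # DR on a flow with no handshake
              (stranger, 40003, device, 102, SAMPLE_DR),
              (stranger, 40004, device, 102, SAMPLE_DR)]  # third DR from one source: flood
    return [mon.observe(*e) for e in events]
```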
Affected Countries
Germany, France, Italy, United Kingdom, Spain, Netherlands, Belgium, Poland, Sweden, Finland
Technical Details
- Data Version: 5.2
- Assigner Short Name: siemens
- Date Reserved: 2025-04-16T09:06:15.879Z
- CVSS Version: 3.1
- State: PUBLISHED
Threat ID: 696616cfa60475309f9ce613
Added to database: 1/13/2026, 9:56:31 AM