CVE-2025-40944: CWE-400: Uncontrolled Resource Consumption in Siemens SIMATIC ET 200AL IM 157-1 PN
A vulnerability has been identified in SIMATIC ET 200AL IM 157-1 PN (6ES7157-1AB00-0AB0) (All versions), SIMATIC ET 200MP IM 155-5 PN HF (6ES7155-5AA00-0AC0) (All versions >= V4.2.0), SIMATIC ET 200SP IM 155-6 MF HF (6ES7155-6MU00-0CN0) (All versions), SIMATIC ET 200SP IM 155-6 PN HA (incl. SIPLUS variants) (All versions < V1.3), SIMATIC ET 200SP IM 155-6 PN R1 (6ES7155-6AU00-0HM0) (All versions < V6.0.1), SIMATIC ET 200SP IM 155-6 PN/2 HF (6ES7155-6AU01-0CN0) (All versions >= V4.2.0), SIMATIC ET 200SP IM 155-6 PN/3 HF (6ES7155-6AU30-0CN0) (All versions < V4.2.2), SIMATIC PN/MF Coupler (6ES7158-3MU10-0XA0) (All versions), SIMATIC PN/PN Coupler (6ES7158-3AD10-0XA0) (All versions < V6.0.0), SIPLUS ET 200MP IM 155-5 PN HF (6AG1155-5AA00-2AC0) (All versions >= V4.2.0), SIPLUS ET 200MP IM 155-5 PN HF (6AG1155-5AA00-7AC0) (All versions >= V4.2.0), SIPLUS ET 200MP IM 155-5 PN HF T1 RAIL (6AG2155-5AA00-1AC0) (All versions >= V4.2.0), SIPLUS ET 200SP IM 155-6 PN HF (6AG1155-6AU01-2CN0) (All versions >= V4.2.0), SIPLUS ET 200SP IM 155-6 PN HF (6AG1155-6AU01-7CN0) (All versions >= V4.2.0), SIPLUS ET 200SP IM 155-6 PN HF T1 RAIL (6AG2155-6AU01-1CN0) (All versions >= V4.2.0), SIPLUS ET 200SP IM 155-6 PN HF TX RAIL (6AG2155-6AU01-4CN0) (All versions >= V4.2.0), SIPLUS NET PN/PN Coupler (6AG2158-3AD10-4XA0) (All versions < V6.0.0). Affected devices do not properly handle S7 protocol session disconnect requests. When receiving a valid S7 protocol Disconnect Request (COTP DR TPDU) on TCP port 102, the devices enter an improper session state. This could allow an attacker to cause the device to become unresponsive, leading to a denial-of-service condition that requires a power cycle to restore normal operation.
AI Analysis
Technical Summary
CVE-2025-40944 is a vulnerability classified under CWE-400 (Uncontrolled Resource Consumption) found in multiple Siemens SIMATIC ET 200 series communication modules, including ET 200AL IM 157-1 PN, ET 200MP IM 155-5 PN HF, ET 200SP IM 155-6 variants, and SIPLUS versions. The root cause is improper handling of valid S7 protocol Disconnect Requests (COTP DR TPDU) received on TCP port 102, the standard port for Siemens S7 communication. When these devices receive such a disconnect request, they enter an improper session state that leads to resource exhaustion. This state causes the device to become unresponsive, effectively resulting in a denial-of-service condition. Recovery from this state requires a manual power cycle, which disrupts industrial processes relying on these devices. The vulnerability does not require any authentication or user interaction, making it remotely exploitable over the network with low attack complexity. The CVSS v3.1 score is 7.5 (high severity), reflecting the network attack vector, no privileges required, no user interaction, and a high impact on availability. The vulnerability affects all versions of some devices and specific version ranges of others, indicating a widespread exposure across Siemens’ industrial communication product line. No patches or exploits are currently publicly available, but the broad impact on critical ICS components makes this a significant concern for operational technology (OT) environments.
Potential Impact
The primary impact of CVE-2025-40944 is a denial-of-service condition that disrupts the availability of Siemens SIMATIC ET 200 series modules, which are integral components in industrial automation and control systems. For European organizations, especially those in manufacturing, energy, utilities, and critical infrastructure sectors, this can lead to operational downtime, production losses, safety risks, and potential cascading failures in automated processes. Since these devices often operate in safety-critical environments, unplanned outages could also pose risks to personnel and equipment. The requirement for a manual power cycle to restore functionality means that automated recovery is not possible, increasing incident response complexity and downtime. The vulnerability’s ease of exploitation over the network without authentication elevates the risk of targeted attacks or opportunistic scanning by threat actors. Given Siemens’ strong market presence in Europe, the impact could be widespread, affecting both large industrial enterprises and smaller operators relying on these devices.
Mitigation Recommendations
1. Monitor Siemens’ official channels for firmware updates addressing CVE-2025-40944 and apply patches promptly once available.
2. Implement strict network segmentation to isolate industrial control networks from corporate and external networks, limiting access to TCP port 102.
3. Deploy access control lists (ACLs) and firewall rules to restrict inbound traffic to only trusted management stations and authorized devices.
4. Use deep packet inspection (DPI) or protocol-aware intrusion detection/prevention systems (IDS/IPS) to detect and block anomalous or malformed S7 Disconnect Requests.
5. Conduct regular network traffic monitoring and anomaly detection focused on S7 protocol communications to identify potential exploitation attempts early.
6. Establish operational procedures for rapid response and manual power cycling of affected devices to minimize downtime.
7. Train OT security teams on this vulnerability and ensure incident response plans include scenarios for DoS conditions affecting Siemens ET 200 modules.
8. Consider deploying redundant or failover systems where possible to maintain operational continuity during device outages.
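Recommendations 4 and 5 call for protocol-aware inspection of S7 traffic. The helper below is an added example, not part of this advisory or any Siemens or vendor product: it parses TPKT-framed COTP PDUs destined for TCP/102, identifies Disconnect Request (DR) TPDUs, counts them per source, and raises an alert when the sender is not on an allow-list of known engineering stations. The IP addresses, allow-list and sample packets are constructed for the demonstration.

```python
# Detection helper for CVE-2025-40944: flag COTP Disconnect Request (DR) TPDUs
# carried in TPKT over TCP/102. Sample packets below are constructed, not captured.
import struct
from collections import Counter

S7_PORT = 102
COTP_DR = 0x80          # DR TPDU code (ISO 8073); CR=0xE0, CC=0xD0, DT=0xF0

def parse_tpkt_cotp(payload: bytes):
    """Return (tpdu_code, reason) for a TPKT-framed COTP PDU, or None if malformed."""
    if len(payload) < 6 or payload[0] != 0x03:   # TPKT version must be 3
        return None
    tpkt_len = struct.unpack("!H", payload[2:4])[0]
    if tpkt_len != len(payload):
        return None
    li = payload[4]                # COTP length indicator (header bytes after LI)
    if li < 1 or 5 + li > len(payload):
        return None
    code = payload[5] & 0xF0       # high nibble is the TPDU type
    # DR layout after the code byte: DST-REF(2) SRC-REF(2) REASON(1)
    reason = payload[10] if code == COTP_DR and li >= 6 else None
    return code, reason

def find_disconnect_requests(records, allowed_clients):
    """records: iterable of (src_ip, dst_port, payload).
    Returns (alerts, per-source DR counts); alerts are DRs from hosts not allow-listed."""
    alerts, per_src = [], Counter()
    for src, dport, payload in records:
        if dport != S7_PORT:
            continue
        parsed = parse_tpkt_cotp(payload)
        if parsed is None or parsed[0] != COTP_DR:
            continue
        per_src[src] += 1
        if src not in allowed_clients:
            alerts.append((src, parsed[1]))
    return alerts, per_src

# Constructed sample traffic (hypothetical hosts): a Connection Request, then DRs.
CR_TPDU = bytes.fromhex("0300001611e00000000100c0010ac1020100c2020101")
DR_TPDU = bytes.fromhex("0300000b06800001000180")
SAMPLE = [
    ("10.0.0.5", 102, CR_TPDU),    # engineering station opening a session
    ("10.0.0.5", 102, DR_TPDU),    # allow-listed client closing it
    ("10.0.0.99", 102, DR_TPDU),   # unexpected host sending a DR
    ("10.0.0.99", 102, DR_TPDU),
    ("10.0.0.99", 80, DR_TPDU),    # not the S7 port, ignored
]
ALLOWED = {"10.0.0.5"}

if __name__ == "__main__":
    alerts, counts = find_disconnect_requests(SAMPLE, ALLOWED)
    print("alerts:", alerts, "per-source DR counts:", dict(counts))
```

Legitimate clients also send DR TPDUs when closing sessions, so the allow-list and per-source counts are what separate normal disconnects from a host repeatedly hitting TCP/102 on an affected module.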
Affected Countries
Germany, France, Italy, United Kingdom, Spain, Netherlands, Belgium, Poland, Sweden, Finland
Technical Details
- Data Version: 5.2
- Assigner Short Name: siemens
- Date Reserved: 2025-04-16T09:06:15.879Z
- CVSS Version: 3.1
- State: PUBLISHED
Threat ID: 696616cfa60475309f9ce613
Added to database: 1/13/2026, 9:56:31 AM
Last enriched: 1/13/2026, 10:11:08 AM
Last updated: 2/7/2026, 8:55:48 PM