Full Report
Multiple industrial devices contain a vulnerability that could allow an attacker to cause a denial of service condition. Siemens has released new versions for several affected products and recommends updating to the latest versions. Siemens is preparing further fix versions and recommends specific countermeasures for products where fixes are not yet available or not planned.
Analysis Summary
# Vulnerability: Denial of Service in Siemens Industrial Devices via Null Pointer Dereference
## CVE Details
- **CVE ID:** CVE-2025-40833
- **CVSS Score:**
  - CVSS v3.1: 7.5 (High)
  - CVSS v4.0: 8.7 (High)
- **CWE:** CWE-476 (NULL Pointer Dereference)
## Affected Systems
- **Products:**
  - IE/PB LINK HA and IE/PB Link PN IO (including SIPLUS NET variants)
  - SCALANCE M-800 family (M804PB, M812-1, M816-1)
  - RUGGEDCOM RM1224 family
  - Other mentioned series (impacted via shared communication stacks): SIMATIC S7-400, SIMIT Unit, SINUMERIK CNC, SITOP PSU8600/UPS1600, SINAMICS, and SIMATIC ET 200SP HA.
- **Versions:**
  - RUGGEDCOM RM1224 and SCALANCE M-800: All versions prior to V8.3.
  - IE/PB LINK variants: All versions (no fix planned).
- **Configurations:** Devices processing IPv4 traffic.
## Vulnerability Description
The affected industrial devices contain a **Null Pointer Dereference** vulnerability in their network stack. The flaw is triggered when the device processes specifically crafted IPv4 requests. Because the network stack does not validate the pointer before dereferencing it, the application or operating system crashes.
## Exploitation
- **Status:** No reports of exploitation in the wild; no public PoC is provided in the advisory.
- **Complexity:** Low (a single crafted packet suffices).
- **Attack Vector:** Network (remotely exploitable).
## Impact
- **Confidentiality:** None
- **Integrity:** None
- **Availability:** High (The device enters a Denial of Service condition and remains unavailable until a **manual restart** is performed).
## Remediation
### Patches
Siemens has released updates for several product lines and recommends upgrading to the latest versions:
- **SCALANCE M-800 & RUGGEDCOM RM1224:** Update to **V8.3** or later.
### Workarounds
For products where no fix is available (e.g., IE/PB LINK HA):
- **Network Segmentation:** Minimize network exposure of affected devices.
- **Firewalling:** Restrict access to the devices to trusted nodes only.
- **Defense-in-Depth:** Use a defense-in-depth architecture to shield industrial networks from untrusted traffic.
## Detection
- **Indicators of Compromise:** Sudden, unexplained loss of connectivity or device freezing that requires a physical power cycle or manual restart to recover.
- **Detection methods:** Monitor network traffic for unusual or malformed IPv4 packets directed at industrial controllers and gateway devices, using an Intrusion Detection System (IDS).
## References
- **Siemens Advisory:** hxxps://cert-portal.siemens[.]com/productcert/html/ssa-392349.html
- **Support Links:** hxxps://support.industry.siemens[.]com/cs/ww/en/view/109989310/
- **Siemens ProductCERT:** hxxps://www.siemens[.]com/cert/advisories