Full Report
Siemens ET 200 devices contain a denial-of-service vulnerability that can be triggered by sending a valid S7 protocol Disconnect Request (COTP DR TPDU), causing the device to become unresponsive and require a power cycle to recover. Siemens has released new versions for several affected products and recommends updating to the latest versions. Siemens is preparing further fix versions and recommends specific countermeasures for products where fixes are not, or not yet, available.
Analysis Summary
# Vulnerability: Denial-of-Service in Siemens ET 200 Devices
## CVE Details
- **CVE ID:** CVE-2025-40944
- **CVSS Score:** 7.5 (High) [v3.1] / 8.7 (High) [v4.0]
- **CWE:** CWE-400: Uncontrolled Resource Consumption
## Affected Systems
- **Products:**
  - SIMATIC ET 200AL IM 157-1 PN
  - SIMATIC ET 200MP IM 155-5 PN HF (including SIPLUS variants)
  - SIMATIC ET 200SP IM 155-6 MF HF
  - SIMATIC ET 200SP IM 155-6 PN HA (including SIPLUS variants)
- **Versions:**
  - ET 200AL: All versions.
  - ET 200MP: All versions >= V4.2.0.
  - ET 200SP MF HF: All versions.
  - ET 200SP PN HA: All versions = V4.2.0.
- **Configurations:** Devices listening for S7 protocol communications on TCP port 102.
## Vulnerability Description
Affected devices do not properly handle S7 protocol session disconnect requests. Specifically, when the device receives a valid S7 protocol Disconnect Request (**COTP DR TPDU**) on TCP port 102, the device enters an improper session state. This flaw causes the device to become completely unresponsive.
## Exploitation
- **Status:** PoC status not explicitly stated; coordinated disclosure via Aitor Ruiz Larrea (Mytra Control).
- **Complexity:** Low
- **Attack Vector:** Network (Remote)
## Impact
- **Confidentiality:** None
- **Integrity:** None
- **Availability:** High (Total denial of service; requires a physical power cycle/hard reboot to recover).
## Remediation
### Patches
Siemens has released new versions for several affected products. Users are advised to check the Siemens ProductCERT portal for specific firmware update downloads corresponding to their hardware MLFB (order number).
*Note: For several listed versions (e.g., ET 200AL, specific ET 200MP variants), Siemens currently states "no fix is planned" and directs users to mitigations.*
### Workarounds
- **Network Segmentation:** Minimize network exposure for all control system devices and ensure they are not accessible from the Internet.
- **Firewalling:** Locate control system networks and remote devices behind firewalls and isolate them from the business network.
- **Access Control:** Use VPNs or secure tunnels if remote access to TCP port 102 is required.
## Detection
- **Indicators of Compromise:** Device suddenly stops responding to all network traffic and control commands; recovery is only possible via power cycle.
- **Detection methods and tools:** Monitoring for an unusual frequency of COTP Disconnect Requests (DR TPDU) targeting TCP port 102 from unauthorized or unexpected source IPs.
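As an added example (not from the Siemens advisory or the reporter), the following Python sketches the detection logic described above: it recognises TPKT-framed COTP Disconnect Request TPDUs (RFC 1006 / ISO 8073 layout, PDU type 0x80) in captured TCP/102 payloads and flags sending hosts by trust and frequency. The event tuples, IP addresses and trusted set are constructed placeholders.

```python
from collections import defaultdict, deque

S7_PORT = 102          # TCP port the advisory names for S7/COTP traffic
COTP_DR = 0x80         # COTP PDU type code for a Disconnect Request TPDU


def is_cotp_dr(payload: bytes) -> bool:
    """True if `payload` is one TPKT frame (RFC 1006) carrying a COTP DR TPDU."""
    # TPKT header: version 3, reserved 0, 16-bit length covering the whole frame
    if len(payload) < 6 or payload[0] != 0x03 or payload[1] != 0x00:
        return False
    if int.from_bytes(payload[2:4], "big") != len(payload):
        return False  # truncated or coalesced segment: do not guess
    li = payload[4]   # COTP length indicator (octets following LI)
    # DR fixed part: type(1) dst-ref(2) src-ref(2) reason(1) => LI >= 6
    return li >= 6 and 5 + li <= len(payload) and payload[5] == COTP_DR


def flag_dr_sources(events, trusted=frozenset(), window=60.0, threshold=3):
    """Return {src_ip: max DR count seen within `window` s} for sources to flag.

    An untrusted source is flagged on its first DR TPDU to port 102 (one valid DR
    is enough to trigger the fault); a trusted source (e.g. the engineering
    station) is flagged only when its DRs reach `threshold` within `window`.
    """
    recent = defaultdict(deque)
    flagged = {}
    for ts, src, dport, payload in sorted(events):
        if dport != S7_PORT or not is_cotp_dr(payload):
            continue
        q = recent[src]
        q.append(ts)
        while ts - q[0] > window:   # drop timestamps outside the sliding window
            q.popleft()
        if len(q) >= (threshold if src in trusted else 1):
            flagged[src] = max(flagged.get(src, 0), len(q))
    return flagged


# Constructed sample frames: TPKT(4) + minimal COTP TPDU (LI=6, no variable part)
DR_TPDU = bytes.fromhex("0300000b 06 80 0001 0002 80")  # reason 0x80 = normal
CR_TPDU = bytes.fromhex("0300000b 06 e0 0000 0001 00")  # Connection Request
SAMPLE_EVENTS = [                       # (timestamp, src_ip, dst_port, payload)
    (0.0, "10.0.0.5", 102, DR_TPDU),    # engineering station closing a session
    (10.0, "10.0.0.99", 102, DR_TPDU),  # unexpected host, repeated DRs
    (11.0, "10.0.0.99", 102, DR_TPDU),
    (12.0, "10.0.0.99", 102, DR_TPDU),
    (13.0, "10.0.0.99", 102, DR_TPDU),
    (14.0, "10.0.0.99", 102, CR_TPDU),  # not a DR: ignored
    (15.0, "10.0.0.5", 502, DR_TPDU),   # wrong port: ignored
]
```

Because a single valid DR is sufficient to trigger the fault, the frequency threshold only suppresses noise from known engineering stations; any DR from a host outside the trusted set is reported on first sight.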
## References
- **Vendor Advisory:** hxxps://cert-portal[.]siemens[.]com/productcert/html/ssa-674753[.]html
- **Siemens Operational Guidelines:** hxxps://www[.]siemens[.]com/cert/operational-guidelines-industrial-security
- **Industrial Security Home:** hxxps://www[.]siemens[.]com/industrialsecurity