Full Report
APOGEE PXC and TALON TC Series (BACnet) devices start sending unsolicited BACnet broadcast messages after processing a specific BACnet createObject request. This could allow an attacker residing in the same BACnet network to send a specially crafted message that results in a partial denial of service condition of the targeted device, and potentially reduce the availability of the BACnet network. A power cycle is required to restore the device’s normal operation. Siemens recommends countermeasures for products where fixes are not, or not yet, available.
Analysis Summary
# Vulnerability: Partial Denial of Service in Siemens APOGEE PXC and TALON TC Series
## CVE Details
- **CVE ID:** CVE-2025-40555
- **CVSS Score:** 4.7 (Medium, CVSS v3.1) / 5.3 (Medium, CVSS v4.0)
- **CWE:** CWE-440: Expected Behavior Violation
## Affected Systems
- **Products:**
  - APOGEE PXC Series (BACnet variants)
  - TALON TC Series (BACnet variants)
- **Versions:** All versions
- **Configurations:** Devices must be connected to a BACnet network.
## Vulnerability Description
Affected devices fail to properly handle specific **BACnet createObject** requests. When a specially crafted request is processed, the device enters an abnormal state where it begins continuously sending unsolicited BACnet broadcast messages. This behavior results in a partial Denial of Service (DoS) of the targeted controller and can significantly degrade the bandwidth and availability of the entire BACnet network segment due to the broadcast traffic volume.
## Exploitation
- **Status:** No reports of exploitation in the wild; no public PoC currently listed in the advisory.
- **Complexity:** Low
- **Attack Vector:** Adjacent (Attacker must reside on the same BACnet network).
## Impact
- **Confidentiality:** None
- **Integrity:** None
- **Availability:** Low/Partial (Device functionality is impaired and network availability is reduced; a physical power cycle is required to recover).
## Remediation
### Patches
- **No fix planned:** Siemens has indicated that there are currently no plans to release firmware patches for these legacy/affected devices.
### Workarounds
- **Network Segmentation:** Ensure the BACnet network is isolated from the general IT network and unauthorized access.
- **Access Control:** Protect network access to the affected products with appropriate firewalls or security gateways.
- **Physical Recovery:** If the vulnerability is triggered, a **manual power cycle** of the device is required to restore normal operation.
## Detection
- **Indicators of Compromise:**
  - Sudden, unexpected flood of BACnet broadcast messages emanating from a specific APOGEE or TALON controller.
  - Controller unresponsiveness to standard commands.
- **Detection methods and tools:**
  - Use network monitoring tools (e.g., Wireshark or an IDS with BACnet plugins) to identify an unusual increase in `createObject` requests or subsequent broadcast storms.
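The detection logic described above, as an added example that is not part of the advisory or of any Siemens tooling: it counts BACnet/IP broadcasts per source controller in one-second buckets, flags sources that exceed a threshold, and notes whether that controller had received a `createObject` request beforehand. The packet summaries, IP addresses and service labels are constructed for this example; a real deployment would feed it from a capture or IDS export.

```python
"""Flag BACnet broadcast storms and correlate them with preceding createObject
requests. Constructed example; the (time, src, dst, service) input shape is assumed."""
from collections import defaultdict

# Assumed subnet broadcast address for BACnet/IP (UDP/47808) on the monitored segment.
BROADCAST_DST = "192.168.10.255"

# Constructed packet summaries: (time_s, src_ip, dst_ip, bacnet_service).
SAMPLE_PACKETS = [
    (0.0, "192.168.10.50", "192.168.10.7", "createObject"),  # request to a controller
    (0.1, "192.168.10.7", "192.168.10.50", "simpleACK"),
] + [
    # 40 unsolicited I-Am broadcasts within one second from the same controller
    (0.2 + i * 0.02, "192.168.10.7", BROADCAST_DST, "i-Am") for i in range(40)
] + [
    (0.5, "192.168.10.8", BROADCAST_DST, "who-Is"),          # normal discovery traffic
    (1.5, "192.168.10.8", BROADCAST_DST, "i-Am"),
]

def broadcast_counts(packets, bucket_s=1.0):
    """Broadcasts per source per time bucket: {src: {bucket_index: count}}."""
    counts = defaultdict(lambda: defaultdict(int))
    for t, src, dst, _svc in packets:
        if dst == BROADCAST_DST:
            counts[src][int(t // bucket_s)] += 1
    return counts

def create_object_targets(packets):
    """Map each destination to the earliest time it received a createObject request."""
    first = {}
    for t, _src, dst, svc in packets:
        if svc == "createObject" and dst not in first:
            first[dst] = t
    return first

def find_storms(packets, threshold=20, bucket_s=1.0):
    """Return [(src, bucket_start_s, broadcast_count, preceded_by_create_object)]."""
    targets = create_object_targets(packets)
    storms = []
    for src, buckets in broadcast_counts(packets, bucket_s).items():
        for b, n in sorted(buckets.items()):
            if n >= threshold:
                preceded = src in targets and targets[src] <= (b + 1) * bucket_s
                storms.append((src, b * bucket_s, n, preceded))
    return storms

if __name__ == "__main__":
    for src, start, n, preceded in find_storms(SAMPLE_PACKETS):
        print(f"{src}: {n} broadcasts from {start:.1f}s; createObject seen before: {preceded}")
```

Tune `threshold` to the segment's normal Who-Is/I-Am rate so routine discovery traffic is not flagged.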
## References
- **Vendor Advisory:** hxxps[://]cert-portal[.]siemens[.]com/productcert/pdf/ssa-718393[.]pdf
- **Siemens ProductCERT:** hxxps[://]www[.]siemens[.]com/cert/advisories