Full Report
BACnet ATEC devices are affected by a denial of service vulnerability that could be triggered by an attacker residing in the same BACnet network by sending a specially crafted MSTP message. A power cycle is required to restore the device’s normal operation. Siemens recommends countermeasures for products where fixes are not, or not yet available.
Analysis Summary
# Vulnerability: Denial of Service in BACnet ATEC Devices via MSTP Message
## CVE Details
- CVE ID: CVE-2025-40556
- CVSS Score: 6.5 (CVSS v3.1, Medium) / 7.1 (CVSS v4.0, High)
- CWE: CWE-20: Improper Input Validation
## Affected Systems
- Products: BACnet ATEC, specifically models BACnet ATEC 550-440, 550-441, 550-445, and 550-446.
- Versions: All versions affected.
- Configurations: Devices must be on the same BACnet network as the attacker.
## Vulnerability Description
The vulnerability lies in how the affected BACnet ATEC devices improperly handle specific incoming BACnet Master-Slave Token Passing (MSTP) messages. An unauthenticated attacker on the local BACnet network can send a specially crafted MSTP message. Proper validation of this message is missing, leading the affected device to enter a Denial of Service (DoS) state. Restoring normal operation requires a physical power cycle of the device.
## Exploitation
- Status: The advisory does not state that the vulnerability has been exploited in the wild; the existence of the underlying vulnerability research implies that a proof of concept exists, but none is cited here.
- Complexity: Low. The CVSS vector fragment AV:A/AC:L denotes adjacent-network access and low attack complexity; no privileges and no user interaction are required.
- Attack Vector: Adjacent Network (AV:A)
## Impact
- Confidentiality: No Impact (C:N)
- Integrity: No Impact (I:N)
- Availability: High Impact (A:H - requires power cycle for recovery)
## Remediation
### Patches
- Currently, no fix is planned for the affected products.
### Workarounds
- The general recommendation is to protect network access to the affected products with appropriate security mechanisms.
- Follow general security practices to run the devices in a protected IT environment.
- A power cycle is required to restore a DoS-affected device to normal operation.
## Detection
- Indicators of compromise: Unexpected device downtime requiring manual power cycling, or an increase in malformed or unusual BACnet MSTP traffic directed at the affected devices.
- Detection methods and tools: Network monitoring tools capable of inspecting BACnet MSTP packets and flagging invalid or anomalous message structures destined for the ATEC units.
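The detection method above calls for a monitor that inspects MS/TP frames and flags invalid structures. The following is an added example, not code from the Siemens advisory or from any Siemens product: a small MS/TP frame parser and validator that checks the preamble, header CRC, data CRC, frame-type/length consistency and address rules from ASHRAE 135 clause 9, and counts malformed frames over a capture window. It covers the original (non-extended) frame types only, and because the advisory does not describe the crafted message, it does not claim to recognise that specific trigger; it surfaces the class of malformed traffic a monitor on a BACnet segment should be counting. All sample frames are constructed in the block.

```python
"""
Added example: a minimal BACnet MS/TP frame validator for a network monitor.
Frame layout and CRC definitions follow ASHRAE 135 clause 9 (non-extended
frame types only). Not part of the advisory; all sample frames are constructed.
"""
from __future__ import annotations

PREAMBLE = b"\x55\xff"
MAX_DATA_LEN = 501                 # largest NPDU carried by a non-extended MS/TP frame
ZERO_LENGTH_TYPES = {0, 1, 2, 7}   # Token, Poll For Master, Reply To PFM, Reply Postponed
BROADCAST = 255


def crc8_header(header: bytes) -> int:
    """Header CRC: polynomial x^8 + x^7 + 1, LSB first, init 0xFF, ones complement."""
    crc = 0xFF
    for b in header:
        crc ^= b
        for _ in range(8):
            crc = (crc >> 1) ^ 0x81 if crc & 1 else crc >> 1
    return (~crc) & 0xFF


def crc16_data(data: bytes) -> int:
    """Data CRC: CRC-CCITT x^16 + x^12 + x^5 + 1, LSB first, init 0xFFFF, ones complement."""
    crc = 0xFFFF
    for b in data:
        crc ^= b
        for _ in range(8):
            crc = (crc >> 1) ^ 0x8408 if crc & 1 else crc >> 1
    return (~crc) & 0xFFFF


def build_frame(frame_type: int, dest: int, src: int, data: bytes = b"") -> bytes:
    """Assemble an MS/TP frame from its fields; used here only to construct sample input."""
    header = bytes([frame_type, dest, src]) + len(data).to_bytes(2, "big")
    frame = PREAMBLE + header + bytes([crc8_header(header)])
    if data:
        frame += data + crc16_data(data).to_bytes(2, "little")
    return frame


def validate_frame(raw: bytes) -> list[str]:
    """Return the structural problems found in one frame; an empty list means well formed."""
    findings: list[str] = []
    if raw[:2] != PREAMBLE:
        return ["missing 0x55 0xFF preamble"]
    if len(raw) < 8:
        return ["truncated header"]
    header = raw[2:7]
    frame_type, src = header[0], header[2]
    length = int.from_bytes(header[3:5], "big")
    if crc8_header(header) != raw[7]:
        findings.append("header CRC mismatch")
    if 8 <= frame_type <= 31:
        findings.append(f"reserved frame type {frame_type}")
    if src == BROADCAST:
        findings.append("broadcast address used as source")
    if frame_type in ZERO_LENGTH_TYPES and length != 0:
        findings.append(f"frame type {frame_type} must carry no data, length field is {length}")
    if length > MAX_DATA_LEN:
        findings.append(f"length field {length} exceeds {MAX_DATA_LEN}")
    if length > 0:
        if len(raw) < 8 + length + 2:
            findings.append("frame shorter than declared length plus data CRC")
        else:
            data = raw[8:8 + length]
            received = int.from_bytes(raw[8 + length:10 + length], "little")
            if crc16_data(data) != received:
                findings.append("data CRC mismatch")
    return findings


def scan(frames: list[bytes]) -> dict[str, int]:
    """Count well-formed versus malformed frames, as a monitor would per capture window."""
    counts = {"ok": 0, "malformed": 0}
    for frame in frames:
        counts["malformed" if validate_frame(frame) else "ok"] += 1
    return counts


# Constructed sample traffic: two well-formed frames and three malformed ones.
GOOD_TOKEN = build_frame(0, 2, 1)
# NPDU (version 1, global DNET) followed by an unconfirmed Who-Is APDU; constructed payload.
GOOD_DATA = build_frame(6, BROADCAST, 1, b"\x01\x20\xff\xff\x00\xff\x10\x08")
_flipped = bytearray(GOOD_TOKEN)
_flipped[7] ^= 0x01                               # corrupt the header CRC octet
BAD_HEADER_CRC = bytes(_flipped)
_oversized_hdr = bytes([6, 2, 1, 0xFF, 0xFF])     # claims 65535 data octets, sends none
OVERSIZED = PREAMBLE + _oversized_hdr + bytes([crc8_header(_oversized_hdr)])
TOKEN_WITH_DATA = build_frame(0, 2, 1, b"\x00" * 5)  # Token frames must have length 0
SAMPLE_FRAMES = [GOOD_TOKEN, GOOD_DATA, BAD_HEADER_CRC, OVERSIZED, TOKEN_WITH_DATA]

if __name__ == "__main__":
    for frame in SAMPLE_FRAMES:
        print(frame.hex(), validate_frame(frame) or "ok")
    print(scan(SAMPLE_FRAMES))
```

In a deployment the frames would come from a serial tap on the RS-485 segment rather than from the constructed list; the validator is deliberately conservative (it reports only violations of the frame format itself) so that a rise in its malformed count for a given ATEC address is a low-noise signal worth correlating with the unexplained outages listed as indicators above.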
## References
- Vendor Advisory: SSA-828116
- Siemens Security Advisories Portal: https://www.siemens.com/cert/advisories
- Terms of Use: https://www.siemens.com/productcert/terms-of-use