Full Report
Multiple industrial products are affected by a vulnerability in the Interniche IP-Stack. The affected products do not properly enforce TCP sequence number validation in specific scenarios but accept values within a broad range. This could allow an unauthenticated remote attacker, for example, to interfere with connection setup, potentially leading to a denial of service. The attack succeeds only if an attacker can inject IP packets with spoofed addresses at precisely timed moments, and it affects only TCP-based services. Siemens has released new versions for several affected products and recommends updating to the latest versions. Siemens is preparing further fixed versions and recommends specific countermeasures for products where fixes are not, or not yet, available.
Analysis Summary
# Vulnerability: Denial of Service in Interniche IP-Stack (Siemens Industrial Devices)
## CVE Details
- **CVE ID:** CVE-2025-40820
- **CVSS Score:**
  - **v3.1:** 7.5 (High)
  - **v4.0:** 8.7 (High)
- **CWE:** CWE-940 (Improper Verification of Source of a Communication Channel)
## Affected Systems
- **Products:** Various Siemens industrial product lines, including:
  - SIDOOR (ATD430W, ATE530G, ATE530S)
  - SIMATIC CFU DIQ
  - SIMATIC ET 200eco PN (multiple I/O modules including DI, DQ, DIQ, and IO-Link)
  - SIPLUS extreme variants (based on the above hardware)
  - SIMATIC HCS 4x00 heating control systems
  - SIWAREX weighing electronics
- **Versions:**
  - SIMATIC CFU DIQ: All versions < V1.2.0 (Note: V5.1.1 is specifically listed as affected)
  - SIMATIC ET 200eco PN: All versions >= V5.1.1
  - SIDOOR: All versions
- **Configurations:** The vulnerability specifically affects **TCP-based services** running on the Interniche IP-Stack.
## Vulnerability Description
The Interniche IP-Stack implementation in affected Siemens products fails to strictly enforce TCP sequence number validation. Instead of requiring exact sequence matches, the stack accepts values within an overly broad range. This flaw allows an attacker to inject spoofed IP packets that the stack perceives as valid.
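To make the flaw class concrete, here is an added illustration (not code from Siemens or from the Interniche stack): the TCP segment acceptability test from RFC 9293, section 3.10.7.4, written with the 32-bit wrap-around comparison TCP requires, beside a constructed over-permissive variant that models a receiver accepting sequence numbers far outside its advertised window. The slack constant, the sample segments and the function names are assumptions made for this example; the real stack's acceptance range is not stated in the advisory.

```python
# Added illustration, not code from Siemens or the Interniche stack: the TCP
# segment acceptability test of RFC 9293 (section 3.10.7.4) with correct
# 32-bit wrap-around handling, beside a constructed over-permissive variant
# that models the class of flaw described in the advisory. LOOSE_SLACK and
# the sample segments are assumptions made for this example.

MOD = 1 << 32


def in_window(x: int, lo: int, wnd: int) -> bool:
    """True if lo <= x < lo + wnd, compared modulo 2^32 as TCP requires."""
    return (x - lo) % MOD < wnd


def strict_acceptable(seg_seq: int, seg_len: int, rcv_nxt: int, rcv_wnd: int) -> bool:
    """RFC 9293 acceptability test: accept a segment only if it overlaps the
    receive window [RCV.NXT, RCV.NXT + RCV.WND)."""
    if seg_len == 0:
        if rcv_wnd == 0:
            # Zero window: only a segment at exactly RCV.NXT is acceptable.
            return seg_seq == rcv_nxt
        return in_window(seg_seq, rcv_nxt, rcv_wnd)
    if rcv_wnd == 0:
        # No room to accept any data at all.
        return False
    last = (seg_seq + seg_len - 1) % MOD
    # Either the first or the last octet of the segment must fall in the window.
    return in_window(seg_seq, rcv_nxt, rcv_wnd) or in_window(last, rcv_nxt, rcv_wnd)


LOOSE_SLACK = 1 << 30  # assumption: stands in for a "broad range"; not the real stack's value


def loose_acceptable(seg_seq: int, seg_len: int, rcv_nxt: int, rcv_wnd: int) -> bool:
    """Constructed over-permissive check that tolerates sequence numbers far
    outside the advertised window. It models the weakness class only; the
    actual Interniche logic is not public in the advisory."""
    lo = (rcv_nxt - LOOSE_SLACK) % MOD
    return in_window(seg_seq, lo, rcv_wnd + 2 * LOOSE_SLACK)


def compare_checks(rcv_nxt: int, rcv_wnd: int) -> list:
    """Run both checks over constructed segments; returns (label, strict, loose)."""
    segments = [
        ("at RCV.NXT", rcv_nxt, 0),
        ("just past window", (rcv_nxt + rcv_wnd) % MOD, 0),
        ("one before window", (rcv_nxt - 1) % MOD, 0),
        ("far below window", (rcv_nxt - 100_000) % MOD, 0),
        ("data straddling RCV.NXT", (rcv_nxt - 100) % MOD, 200),
    ]
    return [
        (label, strict_acceptable(seq, ln, rcv_nxt, rcv_wnd), loose_acceptable(seq, ln, rcv_nxt, rcv_wnd))
        for label, seq, ln in segments
    ]


if __name__ == "__main__":
    for label, strict, loose in compare_checks(rcv_nxt=1000, rcv_wnd=65535):
        print(f"{label:26s} strict={strict!s:5s} loose={loose}")
```

The two verdict columns show the security-relevant difference: with the strict test, a segment whose sequence number is even one octet outside the window is discarded, so an off-path sender has to guess a value inside the advertised window; the loose variant accepts a far wider band, which is what makes injected packets with spoofed addresses plausible to the receiver.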
## Exploitation
- **Status:** Not reported as exploited in the wild; discovered by researchers.
- **Complexity:** Low (technically); however, the attack requires precise timing to inject packets during specific connection states.
- **Attack Vector:** Network (Remote)
## Impact
- **Confidentiality:** None
- **Integrity:** None
- **Availability:** High (Denial of Service via interference with connection setups).
## Remediation
### Patches
Siemens is in the process of releasing updates. Current status:
- **SIMATIC CFU DIQ:** Update to V1.2.0 or later (where available).
- **Other Products:** For many ET 200eco and SIDOOR variants, no fix is currently planned, and users must rely on mitigations.
### Workarounds
- **Network Segmentation:** Minimize network exposure for all control system devices and systems.
- **Firewalling:** Ensure that devices are not accessible from the Internet.
- **Trusted Communication:** Use VPNs or secure "User Zones" to protect communication between trusted entities.
- **Spoofing Protection:** Implement anti-spoofing mechanisms (e.g., Unicast Reverse Path Forwarding - uRPF) at the network perimeter to prevent the injection of packets with spoofed source addresses.
## Detection
- **Indicators of Compromise:** Unusual TCP connection resets or failures to establish connections with industrial controllers.
- **Detection methods:** Network Intrusion Detection Systems (NIDS) can be configured to monitor for unusual TCP sequence number patterns or a high volume of spoofed IP traffic originating from outside the local segment.
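The uRPF countermeasure listed under Workarounds and the "spoofed traffic from outside the local segment" detection above rest on the same check, so one added example (not Siemens code or any vendor's uRPF implementation) serves both: a strict Unicast Reverse Path Forwarding test over a constructed forwarding table, run as a detection pass over constructed flow-log lines. A packet is flagged when the best route back to its source address does not leave via the interface it arrived on. Interface names, prefixes, the log format and all addresses are assumptions made for this example.

```python
# Added example, not Siemens code or a vendor's uRPF implementation: strict
# uRPF over a constructed forwarding table, used as a detection pass over
# constructed flow-log lines. Prefixes, interface names and log lines are
# assumptions made for this example.
import ipaddress
from collections import Counter
from typing import Optional

# Constructed forwarding table: (prefix, egress interface). Longest match wins.
FIB = [
    (ipaddress.ip_network("10.20.0.0/16"), "ot-lan"),   # plant network
    (ipaddress.ip_network("10.20.5.0/24"), "cell-3"),   # one production cell
    (ipaddress.ip_network("0.0.0.0/0"), "wan"),         # default route
]

# Constructed flow-log lines: <arrival iface> <src> <dst> <proto> <tcp flags>
FLOW_LOG = """\
wan 203.0.113.7 10.20.5.10 tcp S
wan 10.20.5.77 10.20.5.10 tcp R
wan 10.20.5.77 10.20.5.10 tcp A
cell-3 10.20.5.77 10.20.5.10 tcp S
ot-lan 10.20.1.4 10.20.5.10 tcp S
ot-lan 10.20.5.9 10.20.5.10 tcp S
wan 192.0.2.9 10.20.5.10 tcp R
"""


def fib_lookup(src: str) -> Optional[str]:
    """Longest-prefix match: the interface the router would use to reach src."""
    addr = ipaddress.ip_address(src)
    best = None
    for net, iface in FIB:
        if addr in net and (best is None or net.prefixlen > best[0].prefixlen):
            best = (net, iface)
    return best[1] if best else None


def urpf_strict_ok(arrival_iface: str, src: str) -> bool:
    """Strict uRPF: the return path to the source must use the arrival interface."""
    return fib_lookup(src) == arrival_iface


def parse_line(line: str) -> dict:
    iface, src, dst, proto, flags = line.split()
    return {"iface": iface, "src": src, "dst": dst, "proto": proto, "flags": flags}


def audit(lines) -> list:
    """Return one alert record per log line that fails the strict uRPF check."""
    alerts = []
    for raw in lines:
        if not raw.strip():
            continue
        rec = parse_line(raw)
        if not urpf_strict_ok(rec["iface"], rec["src"]):
            rec["reason"] = (
                f"src {rec['src']} is reached via {fib_lookup(rec['src'])} "
                f"but arrived on {rec['iface']}"
            )
            alerts.append(rec)
    return alerts


def spoofed_sources(alerts) -> Counter:
    """Volume of failed-uRPF packets per claimed source address."""
    return Counter(a["src"] for a in alerts)


def spoofed_rst_count(alerts) -> int:
    """TCP RST segments from failed-uRPF sources: the reset symptom named above."""
    return sum(1 for a in alerts if a["proto"] == "tcp" and "R" in a["flags"])


if __name__ == "__main__":
    found = audit(FLOW_LOG.splitlines())
    for a in found:
        print(a["reason"])
    print("per-source counts:", dict(spoofed_sources(found)))
    print("spoofed RSTs:", spoofed_rst_count(found))
```

Note that strict mode also flags the sixth line (a 10.20.5.x source arriving on `ot-lan` while the best route to that /24 is via `cell-3`): that is correct strict-uRPF behaviour, and it is why asymmetric internal topologies are usually protected with loose mode or explicit ingress filters, with strict mode reserved for the perimeter where the advisory recommends it.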
## References
- Siemens Security Advisory: [https://cert-portal.siemens.com/productcert/pdf/ssa-915282.pdf](https://cert-portal.siemens.com/productcert/pdf/ssa-915282.pdf)
- Siemens ProductCERT: [https://www.siemens.com/cert/advisories](https://www.siemens.com/cert/advisories)