Siemens SIMATIC Products Hit by Critical DoS Vulnerability (CVE-2025-40944)

---
title: "Siemens SIMATIC Products Hit by Critical DoS Vulnerability (CVE-2025-40944)"
short_title: "Siemens SIMATIC DoS vulnerability patched"
description: "Siemens releases urgent fixes for a high-severity denial-of-service vulnerability (CVE-2025-40944) in SIMATIC and SIPLUS products. Learn mitigation steps now."
author: "Vitus"
date: 2025-01-24
categories: [Cybersecurity, Vulnerabilities]
tags: [siemens, dos, cve-2025-40944, industrial-security, ot-security]
score: 0.78
cve_ids: [CVE-2025-40944]
---

## TL;DR

Siemens has disclosed a high-severity denial-of-service (DoS) vulnerability (CVE-2025-40944) affecting multiple SIMATIC and SIPLUS products. Attackers can exploit this flaw by sending a crafted S7 protocol Disconnect Request, causing devices to become unresponsive and require a power cycle to restore functionality. Patches are available for some products, while mitigations are recommended for others.

---

## Main Content

### Introduction

Siemens has issued an urgent security advisory addressing a critical denial-of-service (DoS) vulnerability in its SIMATIC and SIPLUS product lines. Tracked as CVE-2025-40944, the flaw allows attackers to disrupt industrial operations by sending a malicious S7 protocol Disconnect Request to affected devices. This vulnerability poses a significant risk to critical manufacturing sectors worldwide, particularly in environments relying on Operational Technology (OT) systems.

---

### Key Points

- Vulnerability Impact: Exploitation of CVE-2025-40944 can render affected Siemens devices unresponsive, requiring a manual power cycle to restore normal operation.
- Affected Products: The vulnerability impacts 16 SIMATIC and SIPLUS products, including ET 200SP, ET 200MP, PN/MF Coupler, and PN/PN Coupler devices.
- CVSS Score: The flaw has a CVSS v3.1 base score of 7.5 (High), indicating its potential for widespread disruption in industrial environments.
- Mitigation and Patches: Siemens has released updates for several products and recommends network segmentation and firewall rules as interim mitigations for unpatched systems.

---

### Technical Details

#### Vulnerability Overview
CVE-2025-40944 stems from an improper handling of S7 protocol session disconnect requests in affected Siemens devices. When a valid Disconnect Request (COTP DR TPDU) is sent to TCP port 102, the device enters an improper session state, leading to a DoS condition. This flaw is classified under CWE-400 (Uncontrolled Resource Consumption) and can be exploited remotely without authentication.

#### Exploitation Mechanism
1. Attack Vector: An attacker sends a crafted S7 protocol Disconnect Request to the target device via TCP port 102.
2. Impact: The device becomes unresponsive, disrupting industrial processes and requiring a manual power cycle to recover.
3. Severity: The vulnerability is rated High (CVSS 7.5) due to its potential to cause operational downtime in critical infrastructure.

---

### Impact Assessment

#### Affected Sectors
- Critical Manufacturing: Siemens SIMATIC and SIPLUS products are widely used in automotive, food and beverage, and chemical industries.
- Global Reach: Siemens is headquartered in Germany, but the affected products are deployed worldwide.

#### Potential Consequences
- Operational Downtime: Exploitation can lead to unplanned outages, halting production lines and causing financial losses.
- Safety Risks: In industrial environments, DoS attacks can disrupt safety systems, potentially leading to hazardous conditions.
- Supply Chain Disruptions: Prolonged downtime can ripple through global supply chains, affecting dependent industries.

---

### Mitigation Steps

Siemens has provided patches for several affected products and recommends the following mitigation strategies for unpatched systems:

#### Available Patches
| Product | Recommended Action |
|--------------------------------------------------|--------------------------------------------|
| SIMATIC ET 200SP IM 155-6 PN HA | Update to V1.3 |
| SIMATIC ET 200SP IM 155-6 PN/3 HF | Update to V4.2.2 |
| SIMATIC PN/PN Coupler | Update to V6.0.0 |
| SIMATIC ET 200SP IM 155-6 PN R1 | Update to V6.0.1 |

#### Workarounds and Mitigations
- Network Segmentation: Restrict access to TCP port 102 using firewalls and allow connections only from trusted IP addresses.
- Access Control: Restrict S7 communication to authorized personnel and devices.
- Monitoring: Deploy intrusion detection systems (IDS) to monitor for suspicious S7 protocol traffic.
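The Monitoring and Network Segmentation items above can be combined into a simple detector: decode the TPKT/COTP framing on TCP port 102 and alert on Disconnect Request (DR) TPDUs that do not originate from the engineering stations allowed to open S7 sessions. This is an added example written for this article, not code from Siemens or from the advisory; the IP addresses, the allowlist and the packet records are constructed for illustration.

```python
"""Flag COTP Disconnect Request (DR) TPDUs on TCP/102 from non-allowlisted hosts."""
import struct

# TPDU codes from ISO 8073 / RFC 905 (upper nibble of the code byte)
TPDU_CR, TPDU_CC, TPDU_DR, TPDU_DT = 0xE0, 0xD0, 0x80, 0xF0
TPDU_NAMES = {TPDU_CR: "CR", TPDU_CC: "CC", TPDU_DR: "DR", TPDU_DT: "DT"}

def parse_tpkt_cotp(payload: bytes):
    """Return (tpdu_code, tpdu_name) for a TPKT-framed COTP PDU, or None if malformed."""
    if len(payload) < 7 or payload[0] != 0x03 or payload[1] != 0x00:
        return None  # not TPKT (RFC 1006): version byte 3, reserved byte 0
    tpkt_len = struct.unpack("!H", payload[2:4])[0]
    if tpkt_len != len(payload):
        return None  # truncated or padded frame; do not trust it
    li, code = payload[4], payload[5] & 0xF0  # LI excludes itself; low nibble is CDT/flags
    if li + 5 > len(payload):
        return None  # COTP header claims more bytes than were delivered
    return code, TPDU_NAMES.get(code, f"0x{code:02x}")

def flag_disconnects(records, allowlist):
    """records: iterable of (src_ip, dst_port, payload). Returns a list of alert strings."""
    alerts = []
    for src, dport, payload in records:
        if dport != 102:
            continue
        parsed = parse_tpkt_cotp(payload)
        if parsed is None:
            alerts.append(f"malformed TPKT/COTP on 102 from {src}")
            continue
        code, _name = parsed
        if code == TPDU_DR and src not in allowlist:
            alerts.append(f"COTP DR from non-allowlisted host {src}")
    return alerts

# Constructed sample records (not real captures); addresses are placeholders.
ENGINEERING_STATIONS = {"10.0.0.10"}
SAMPLE_RECORDS = [
    # CR (connection request) from the engineering station: normal session set-up
    ("10.0.0.10", 102, bytes.fromhex("0300001611e00000000100c0010ac1020100c2020101")),
    # DR from the engineering station: legitimate teardown, allowlisted
    ("10.0.0.10", 102, bytes.fromhex("0300000b06800000000100")),
    # DR from an unknown host: this is what the detector should raise
    ("10.0.0.99", 102, bytes.fromhex("0300000b06800000000100")),
    # Junk on 102 whose TPKT length field does not match the bytes delivered
    ("10.0.0.99", 102, bytes.fromhex("030000ff0680")),
]

if __name__ == "__main__":
    for alert in flag_disconnects(SAMPLE_RECORDS, ENGINEERING_STATIONS):
        print(alert)
```

In production the records would come from a span-port capture or an IDS hook rather than an inline list, and the allowlist from the same source of truth as the firewall rules for port 102.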

#### Products Without Fixes
For the following products, no patches are currently planned. Siemens recommends implementing network-level mitigations:
- SIMATIC ET 200AL IM 157-1 PN
- SIMATIC ET 200MP IM 155-5 PN HF
- SIMATIC ET 200SP IM 155-6 MF HF
- SIMATIC PN/MF Coupler
- SIPLUS variants of the above products

---

### Affected Systems

The following Siemens SIMATIC and SIPLUS products are confirmed to be vulnerable to CVE-2025-40944:

- SIMATIC ET 200AL IM 157-1 PN (6ES7157-1AB00-0AB0)
- SIMATIC ET 200MP IM 155-5 PN HF (6ES7155-5AA00-0AC0)
- SIMATIC ET 200SP IM 155-6 MF HF (6ES7155-6MU00-0CN0)
- SIMATIC ET 200SP IM 155-6 PN HA (incl. SIPLUS variants)
- SIMATIC ET 200SP IM 155-6 PN R1 (6ES7155-6AU00-0HM0)
- SIMATIC ET 200SP IM 155-6 PN/2 HF (6ES7155-6AU01-0CN0)
- SIMATIC ET 200SP IM 155-6 PN/3 HF (6ES7155-6AU30-0CN0)
- SIMATIC PN/MF Coupler (6ES7158-3MU10-0XA0)
- SIMATIC PN/PN Coupler (6ES7158-3AD10-0XA0)
- SIPLUS ET 200MP IM 155-5 PN HF (6AG1155-5AA00-2AC0, 6AG1155-5AA00-7AC0, 6AG2155-5AA00-1AC0)
- SIPLUS ET 200SP IM 155-6 PN HF (6AG1155-6AU01-2CN0, 6AG1155-6AU01-7CN0, 6AG2155-6AU01-1CN0, 6AG2155-6AU01-4CN0)
- SIPLUS NET PN/PN Coupler (6AG2158-3AD10-4XA0)

---

### Conclusion

The CVE-2025-40944 vulnerability in Siemens SIMATIC and SIPLUS products highlights the critical importance of securing industrial control systems (ICS) against DoS attacks. While Siemens has released patches for several affected devices, organizations must implement network-level mitigations for unpatched systems to minimize operational risks.

Industrial operators are urged to:
1. Apply patches immediately for supported products.
2. Isolate affected devices from untrusted networks.
3. Monitor network traffic for suspicious activity.
4. Follow Siemens’ operational guidelines for industrial security.

For further updates, visit the [Siemens ProductCERT advisories page](https://www.siemens.com/cert/advisories).

---
