CVE-2025-40944
Deferred Deferred - Pending Action
Improper Session Handling in SIMATIC ET 200 Causes DoS

Publication date: 2026-01-13

Last updated on: 2026-06-09

Assigner: Siemens AG

Description
A vulnerability has been identified in SIMATIC ET 200AL IM 157-1 PN (6ES7157-1AB00-0AB0) (All versions), SIMATIC ET 200MP IM 155-5 PN HF (6ES7155-5AA00-0AC0) (All versions >= V4.2.0), SIMATIC ET 200SP IM 155-6 MF HF (6ES7155-6MU00-0CN0) (All versions), SIMATIC ET 200SP IM 155-6 PN HA (incl. SIPLUS variants) (All versions < V1.3), SIMATIC ET 200SP IM 155-6 PN R1 (6ES7155-6AU00-0HM0) (All versions < V6.0.1), SIMATIC ET 200SP IM 155-6 PN/2 HF (6ES7155-6AU01-0CN0) (All versions >= V4.2.0 < V4.2.5), SIMATIC ET 200SP IM 155-6 PN/3 HF (6ES7155-6AU30-0CN0) (All versions < V4.2.2), SIMATIC PN/MF Coupler (6ES7158-3MU10-0XA0) (All versions), SIMATIC PN/PN Coupler (6ES7158-3AD10-0XA0) (All versions < V6.0.0), SIPLUS ET 200MP IM 155-5 PN HF (6AG1155-5AA00-2AC0) (All versions >= V4.2.0), SIPLUS ET 200MP IM 155-5 PN HF (6AG1155-5AA00-7AC0) (All versions >= V4.2.0), SIPLUS ET 200MP IM 155-5 PN HF T1 RAIL (6AG2155-5AA00-1AC0) (All versions >= V4.2.0), SIPLUS ET 200SP IM 155-6 PN HF (6AG1155-6AU01-2CN0) (All versions >= V4.2.0 < V4.2.5), SIPLUS ET 200SP IM 155-6 PN HF (6AG1155-6AU01-7CN0) (All versions >= V4.2.0 < V4.2.5), SIPLUS ET 200SP IM 155-6 PN HF T1 RAIL (6AG2155-6AU01-1CN0) (All versions >= V4.2.0 < V4.2.5), SIPLUS ET 200SP IM 155-6 PN HF TX RAIL (6AG2155-6AU01-4CN0) (All versions >= V4.2.0 < V4.2.5), SIPLUS NET PN/PN Coupler (6AG2158-3AD10-4XA0) (All versions < V6.0.0). Affected devices do not properly handle S7 protocol session disconnect requests. When receiving a valid S7 protocol Disconnect Request (COTP DR TPDU) on TCP port 102, the devices enter an improper session state. This could allow an attacker to cause the device to become unresponsive, leading to a denial-of-service condition that requires a power cycle to restore normal operation.
CVSS Scores
EPSS Scores
Probability:
Percentile:
Meta Information
Published
2026-01-13
Last Modified
2026-06-09
Generated
2026-06-16
AI Q&A
2026-01-13
EPSS Evaluated
2026-06-14
NVD
CVE-2025-40944
EUVD
EUVD-2026-2359
Affected Vendors & Products
Showing 14 associated CPEs
Vendor Product Version / Range
siemens simatice_t_200al_im_157-1_pn 6es7157-1ab00-0ab0
siemens simatice_t_200mp_im_155-5_pn_hf From 4.2.0 (inc)
siemens simatice_t_200sp_im_155-6_mf_hf 6es7155-6mu00-0cn0
siemens simatice_t_200sp_im_155-6_pn_ha to 1.3 (exc)
siemens simatice_t_200sp_im_155-6_pn_r1 to 6.0.1 (exc)
siemens simatice_t_200sp_im_155-6_pn_3_hf to 4.2.2 (exc)
siemens simatice_tn_mf_coupler 6es7158-3mu10-0xa0
siemens simatice_tn_pn_coupler to 6.0.0 (exc)
siemens siplus_et_200mp_im_155-5_pn_hf From 4.2.0 (inc)
siemens siplus_et_200mp_im_155-5_pn_hf_t1_rail From 4.2.0 (inc)
siemens siplus_et_200sp_im_155-6_pn_hf From 4.2.0 (inc)
siemens siplus_et_200sp_im_155-6_pn_hf_t1_rail From 4.2.0 (inc)
siemens siplus_et_200sp_im_155-6_pn_hf_tx_rail From 4.2.0 (inc)
siemens siplus_net_pn_pn_coupler to 6.0.0 (exc)
Helpful Resources
Exploitability
CWE
CWE Icon
KEV
KEV Icon
CWE ID Description
CWE-400 The product does not properly control the allocation and maintenance of a limited resource.
Attack-Flow Graph
AI Quick Actions
Instant insights powered by AI
Executive Summary

This vulnerability affects various Siemens SIMATIC ET 200 series interface modules and couplers. It occurs because the affected devices do not properly handle valid S7 protocol Disconnect Requests (COTP DR TPDU) received on TCP port 102. When such a disconnect request is received, the devices enter an improper session state, causing them to become unresponsive. Recovery requires a power cycle to restore normal operation. [1]

Impact Analysis

An attacker can exploit this vulnerability to cause a denial-of-service (DoS) condition by sending valid S7 protocol Disconnect Requests to the affected devices. This makes the devices unresponsive and disrupts their normal operation until they are power cycled. This can lead to downtime and interruption of industrial network communications, potentially impacting operational continuity. [1]

Detection Guidance

This vulnerability can be detected by monitoring network traffic for valid S7 protocol Disconnect Requests (COTP DR TPDU) on TCP port 102 sent to affected Siemens devices. Network administrators can use packet capture tools such as Wireshark or tcpdump to filter and analyze traffic on TCP port 102 for these disconnect requests. For example, a tcpdump command to capture such traffic could be: tcpdump -i <interface> tcp port 102 and tcp[13] & 0x03 == 0x01 (to filter COTP Disconnect Requests). Additionally, checking device responsiveness and logs for unexpected session disconnects or unresponsiveness may help identify exploitation attempts. [1]

Mitigation Strategies

Immediate mitigation steps include restricting network access to the affected devices by filtering TCP port 102 to allow only trusted IP addresses, typically using external firewalls. For devices with available firmware updates, apply the recommended updates to versions that fix the vulnerability (e.g., update SIMATIC ET 200SP IM 155-6 PN HA to V1.3 or later, IM 155-6 PN R1 to V6.0.1 or later, IM 155-6 PN/3 HF to V4.2.2 or later, and PN/PN Coupler to V6.0.0 or later). For devices without available fixes, rely on network segmentation and access control to prevent unauthorized access to the S7 communication port. Additionally, follow Siemens' Industrial Security operational guidelines to protect device network access. [1]

Compliance Impact

The provided resources do not contain information regarding the impact of this vulnerability on compliance with common standards and regulations such as GDPR or HIPAA.

Chat Assistant
Ask questions about this CVE
Hi! I’m here to help you understand CVE-2025-40944. Ask me anything about the vulnerability, its impact, or mitigation strategies.
0/70
EPSS Chart