CVE-2025-40944
Published: 13 January 2026
Summary
CVE-2025-40944 is a high-severity Uncontrolled Resource Consumption (CWE-400) vulnerability. Its CVSS v4.0 base score is 8.7 (High); under the CVSS v3 vector reported in the deeper analysis it scores 7.5.
Exploitation maps to the MITRE ATT&CK technique Exploit Public-Facing Application (T1190). The CVE ranks at the 31.5th percentile for exploit likelihood (below the median) and is not currently listed in the CISA KEV catalog.
The strongest mitigations our analysis identified are NIST 800-53 SC-5 (Denial-of-service Protection) and SC-7 (Boundary Protection).
Deeper analysis
CVE-2025-40944 is a denial-of-service vulnerability affecting multiple Siemens SIMATIC ET 200 series interface modules and couplers, including SIMATIC ET 200AL IM 157-1 PN (6ES7157-1AB00-0AB0, all versions), SIMATIC ET 200MP IM 155-5 PN HF (6ES7155-5AA00-0AC0, all versions >= V4.2.0), several SIMATIC ET 200SP IM 155-6 models in the version ranges listed below, the SIMATIC PN/MF and PN/PN Couplers, and the corresponding SIPLUS variants. The affected devices fail to handle S7 protocol session disconnect requests correctly: a valid COTP Disconnect Request (DR TPDU) received on TCP port 102 leaves the device in an improper session state.
Any unauthenticated attacker with network access to TCP port 102 can trigger the condition by sending a single valid S7 Disconnect Request; the device becomes unresponsive and normal operation is restored only by a power cycle. The CVSS v3 vector AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H gives a base score of 7.5 (availability impact only, no confidentiality or integrity impact), and the weakness is classified as CWE-400 (Uncontrolled Resource Consumption). Because a Disconnect Request is the normal way an S7 client ends a session, the triggering packet is not distinguishable on the wire from legitimate client behaviour; the practical control is therefore restricting which hosts can reach port 102 at all, not filtering on message type.
Siemens has published security advisory SSA-674753 at https://cert-portal.siemens.com/productcert/html/ssa-674753.html, which provides details on the vulnerability and recommended mitigations for the affected products.
EU & UK References
- 🇪🇺 ENISA EUVD: EUVD-2026-2359
Vulnerability details
A vulnerability has been identified in the following products:
- SIMATIC ET 200AL IM 157-1 PN (6ES7157-1AB00-0AB0): All versions
- SIMATIC ET 200MP IM 155-5 PN HF (6ES7155-5AA00-0AC0): All versions >= V4.2.0
- SIMATIC ET 200SP IM 155-6 MF HF (6ES7155-6MU00-0CN0): All versions
- SIMATIC ET 200SP IM 155-6 PN HA (incl. SIPLUS variants): All versions < V1.3
- SIMATIC ET 200SP IM 155-6 PN R1 (6ES7155-6AU00-0HM0): All versions < V6.0.1
- SIMATIC ET 200SP IM 155-6 PN/2 HF (6ES7155-6AU01-0CN0): All versions >= V4.2.0 < V4.2.5
- SIMATIC ET 200SP IM 155-6 PN/3 HF (6ES7155-6AU30-0CN0): All versions < V4.2.2
- SIMATIC PN/MF Coupler (6ES7158-3MU10-0XA0): All versions
- SIMATIC PN/PN Coupler (6ES7158-3AD10-0XA0): All versions < V6.0.0
- SIPLUS ET 200MP IM 155-5 PN HF (6AG1155-5AA00-2AC0): All versions >= V4.2.0
- SIPLUS ET 200MP IM 155-5 PN HF (6AG1155-5AA00-7AC0): All versions >= V4.2.0
- SIPLUS ET 200MP IM 155-5 PN HF T1 RAIL (6AG2155-5AA00-1AC0): All versions >= V4.2.0
- SIPLUS ET 200SP IM 155-6 PN HF (6AG1155-6AU01-2CN0): All versions >= V4.2.0 < V4.2.5
- SIPLUS ET 200SP IM 155-6 PN HF (6AG1155-6AU01-7CN0): All versions >= V4.2.0 < V4.2.5
- SIPLUS ET 200SP IM 155-6 PN HF T1 RAIL (6AG2155-6AU01-1CN0): All versions >= V4.2.0 < V4.2.5
- SIPLUS ET 200SP IM 155-6 PN HF TX RAIL (6AG2155-6AU01-4CN0): All versions >= V4.2.0 < V4.2.5
- SIPLUS NET PN/PN Coupler (6AG2158-3AD10-4XA0): All versions < V6.0.0

Affected devices do not properly handle S7 protocol session disconnect requests. When receiving a valid S7 protocol Disconnect Request (COTP DR TPDU) on TCP port 102, the devices enter an improper session state. This could allow an attacker to cause the device to become unresponsive, leading to a denial-of-service condition that requires a power cycle to restore normal operation.
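A worked decoder for the frame the description refers to, added here as an example and not taken from the Siemens advisory or from this page: it parses the TPKT (RFC 1006) and COTP (ISO 8073) headers in which S7 traffic on TCP port 102 is carried, recognises the Disconnect Request (DR, TPDU code 0x80) the description names, and runs a capture-side detector that flags a DR to port 102 from a host outside an allowlist or from a host that never sent a Connection Request. The frames, IP addresses and allowlist are constructed for the example.

```python
"""
Added example (not from the Siemens advisory or this page): a minimal
TPKT/COTP decoder and a detector that flags COTP Disconnect Request (DR)
TPDUs arriving on TCP port 102 from hosts outside an allowlist, or without
a preceding Connection Request from the same source. All packet bytes and
addresses below are constructed by hand for illustration.
"""
from dataclasses import dataclass
from typing import Optional

# COTP TPDU codes (ISO 8073 / RFC 905); the high nibble of the code byte.
TPDU_CR = 0xE0  # Connection Request
TPDU_CC = 0xD0  # Connection Confirm
TPDU_DR = 0x80  # Disconnect Request
TPDU_DT = 0xF0  # Data
S7_PORT = 102   # ISO-on-TCP (RFC 1006) port used by the S7 protocol


@dataclass
class Cotp:
    tpdu: int              # TPDU code (high nibble)
    dst_ref: int           # destination reference (CR/CC/DR)
    src_ref: int           # source reference (CR/CC/DR)
    reason: Optional[int]  # DR only: disconnect reason byte


def parse_tpkt_cotp(pkt: bytes) -> Optional[Cotp]:
    """Decode one TPKT frame carrying a COTP TPDU; return None if malformed."""
    if len(pkt) < 4 or pkt[0] != 0x03:          # TPKT version must be 3
        return None
    tpkt_len = int.from_bytes(pkt[2:4], "big")   # total length incl. TPKT header
    if tpkt_len != len(pkt) or tpkt_len < 6:
        return None
    li = pkt[4]                                  # length indicator: bytes after LI
    if 4 + 1 + li > len(pkt):
        return None
    code = pkt[5] & 0xF0
    if code == TPDU_DT:
        return Cotp(code, 0, 0, None)            # DT carries only a TPDU-NR/EOT byte
    if li < 5:                                   # CR/CC/DR: dst ref, src ref, 1 byte
        return None
    dst_ref = int.from_bytes(pkt[6:8], "big")
    src_ref = int.from_bytes(pkt[8:10], "big")
    reason = pkt[10] if code == TPDU_DR else None
    return Cotp(code, dst_ref, src_ref, reason)


def detect_s7_disconnects(packets, allowed_sources):
    """
    packets: iterable of (src_ip, dst_port, tcp_payload) in arrival order,
    one TPKT frame per payload. Returns a list of alert strings.
    """
    alerts = []
    seen_cr = set()
    for src, dport, payload in packets:
        if dport != S7_PORT:
            continue
        tpdu = parse_tpkt_cotp(payload)
        if tpdu is None:
            alerts.append(f"{src}: malformed TPKT/COTP frame to port {S7_PORT}")
            continue
        if tpdu.tpdu == TPDU_CR:
            seen_cr.add(src)
        elif tpdu.tpdu == TPDU_DR:
            if src not in allowed_sources:
                alerts.append(f"{src}: COTP DR from non-allowlisted host "
                              f"(reason=0x{tpdu.reason:02x})")
            elif src not in seen_cr:
                alerts.append(f"{src}: COTP DR without prior CR in this capture")
    return alerts


# Constructed sample frames, laid out per field.
CR_FRAME = bytes.fromhex(
    "03000016"          # TPKT: version 3, reserved, length 22
    "11e0"              # COTP: LI=17, CR TPDU (credit 0)
    "0000" "0001" "00"  # dst ref 0, src ref 1, class 0
    "c1020100"          # parameter 0xC1: source TSAP 01 00
    "c2020102"          # parameter 0xC2: destination TSAP 01 02
    "c0010a"            # parameter 0xC0: TPDU size 2^10 = 1024
)
DR_FRAME = bytes.fromhex(
    "0300000b"          # TPKT: length 11
    "0680"              # COTP: LI=6, DR TPDU
    "0001" "0002" "00"  # dst ref 1, src ref 2, reason 0 (normal disconnect)
)

# Constructed capture: addresses and allowlist are made up for the example.
ENGINEERING_HOSTS = {"10.0.5.20", "10.0.5.21"}
SAMPLE_TRAFFIC = [
    ("10.0.5.20", 102, CR_FRAME),   # engineering station opens a session
    ("10.0.5.20", 102, DR_FRAME),   # ...and closes it: allowlisted, expected
    ("10.0.9.77", 102, DR_FRAME),   # stray DR from an unknown host
    ("10.0.5.21", 102, DR_FRAME),   # allowlisted HMI, but no CR seen first
    ("10.0.9.77", 80, DR_FRAME),    # same bytes to another port: ignored
]

if __name__ == "__main__":
    for alert in detect_s7_disconnects(SAMPLE_TRAFFIC, ENGINEERING_HOSTS):
        print(alert)
```

Run directly, the block prints two alerts from the constructed capture: the DR from 10.0.9.77 and the session-less DR from 10.0.5.21. Because a DR is also how a legitimate client closes its session, the detector keys on the source host rather than on the TPDU type alone. The same functions can be fed from a Zeek or pcap pipeline that hands them (source, destination port, TCP payload) per segment; the example assumes one TPKT frame per segment and does not reassemble frames split across segments.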
Related Threats
MITRE ATT&CK Enterprise Techniques
Why these techniques?
T1190 applies because this is a direct, network-exploitable denial of service: a single S7/COTP packet sent to the device's exposed industrial-protocol port (TCP 102) is enough to take the endpoint's availability down, which is application exploitation against a public-facing service.
Mitigating Controls (NIST 800-53 r5)
- SI-2 (Flaw Remediation): apply the fixed firmware referenced in Siemens advisory SSA-674753 where one exists. Several listed products are affected in all versions (for example the ET 200AL IM 157-1 PN and the PN/MF Coupler) or in every version from V4.2.0 upward with no fixed release named, so for those devices the network controls below are the only available mitigation until a fix ships.
- SC-5 (Denial-of-service Protection): rate-limit or filter traffic to TCP port 102 so that arbitrary hosts cannot deliver packets to the S7 service. Filtering on the COTP DR TPDU type alone is a poor fit, because a Disconnect Request is how a legitimate S7 client ends its session; restricting which hosts may complete a TCP connection to port 102 is the workable form of this control.
- SC-7 (Boundary Protection): place the affected SIMATIC devices behind a firewall or in a segmented cell network that permits only the engineering stations and HMIs that need S7 access to reach TCP port 102. An unauthenticated remote attacker who cannot open a connection to port 102 cannot deliver the triggering packet.