Cyber Resilience

CVE-2025-40944

Severity: High · Type: DoS · Status: Updated

Published: 13 January 2026
Modified: 09 June 2026
KEV Added: not listed
Patch: see Siemens advisory SSA-674753
CVSS v4.0 base score: 8.7 (High)
Vector: CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
EPSS score: 0.0040 (31.5th percentile)
Risk priority: 55 (floored blend, peak EPSS)

Summary

CVE-2025-40944 is a high-severity Uncontrolled Resource Consumption (CWE-400) vulnerability in Siemens SIMATIC ET 200 interface modules and couplers. Its CVSS v4.0 base score is 8.7 (High); under CVSS v3.1 it scores 7.5, with impact on availability only.

Operationally, exploitation maps to the MITRE ATT&CK technique Exploit Public-Facing Application (T1190). EPSS ranks it at the 31.5th percentile for exploit likelihood (below the median), and it is not currently listed in the CISA KEV catalog.

The strongest mitigations our analysis identified are NIST 800-53 SC-5 (Denial-of-service Protection) and SC-7 (Boundary Protection).

Deeper analysis

CVE-2025-40944 is a denial-of-service vulnerability affecting multiple Siemens SIMATIC ET 200 series interface modules and couplers, including SIMATIC ET 200AL IM 157-1 PN (6ES7157-1AB00-0AB0, all versions), SIMATIC ET 200MP IM 155-5 PN HF (6ES7155-5AA00-0AC0, all versions >= V4.2.0), several SIMATIC ET 200SP IM 155-6 models within specified version ranges, the SIMATIC PN/MF and PN/PN Couplers, and the corresponding SIPLUS variants. The affected devices do not properly handle S7 protocol session disconnect requests: a valid COTP Disconnect Request (DR TPDU) received on TCP port 102 leaves the device in an improper session state.

An unauthenticated attacker with network access to TCP port 102 on the device can trigger the condition by sending a single valid S7 Disconnect Request; the device becomes unresponsive and recovery requires a power cycle. The issue is scored CVSS v3.1 7.5 (AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H), an availability-only impact, and mapped to CWE-400 (Uncontrolled Resource Consumption). Because the trigger is a well-formed disconnect rather than a malformed packet, protocol-conformance checks alone will not distinguish it from a legitimate client ending its session.
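The trigger described above is one well-formed COTP Disconnect Request inside an ISO-on-TCP (TPKT) frame on port 102. The following Python is an added example, not code from the page, from Siemens or from the advisory: it decodes TPKT/COTP framing per RFC 1006 and RFC 905, flags DR TPDUs sent to TCP/102, and separates those from an engineering-station allowlist from those sent by any other host. The sample frames, IP addresses and the allowlist are constructed for illustration; the code only decodes and never sends anything to a device.

```python
"""TPKT/COTP decoder and COTP Disconnect Request (DR) detector.

Added example for CVE-2025-40944; not code from the page, Siemens or the
advisory. Framing per RFC 1006 (TPKT) and RFC 905 / ISO 8073 (COTP).
Sample frames, addresses and the allowlist are constructed for illustration.
Decode only: nothing here sends traffic to a device.
"""
import struct
from ipaddress import ip_address, ip_network

S7_PORT = 102

# TPDU type is the upper nibble of the code byte (RFC 905 section 13).
TPDU_NAMES = {0xE: "CR", 0xD: "CC", 0x8: "DR", 0xC: "DC", 0xF: "DT"}

# DR reason codes (RFC 905 section 13.5.3); anything else is reported as unknown.
DR_REASONS = {
    0x00: "not specified",
    0x01: "congestion at TSAP",
    0x02: "session entity not attached to TSAP",
    0x03: "address unknown",
    0x80: "normal disconnect initiated by session entity",
    0x81: "remote transport entity congestion",
    0x82: "connection negotiation failed",
}


def parse_tpkt_cotp(data: bytes) -> dict:
    """Decode one TPKT-framed COTP TPDU; raise ValueError rather than guess."""
    if len(data) < 6:
        raise ValueError("frame shorter than TPKT + COTP header")
    version, _reserved, length = struct.unpack("!BBH", data[:4])
    if version != 3:
        raise ValueError(f"unexpected TPKT version {version}")
    if length != len(data):
        raise ValueError(f"TPKT length {length} != {len(data)} bytes")
    li, code = data[4], data[5]            # LI counts header bytes after itself
    tpdu = TPDU_NAMES.get(code >> 4, f"0x{code:02x}")
    fixed = data[6:5 + li]                 # fixed part after the code byte
    info = {"tpdu": tpdu, "li": li}
    if tpdu in ("CR", "CC", "DR", "DC"):
        if len(fixed) < 4:
            raise ValueError(f"{tpdu} fixed part too short")
        info["dst_ref"], info["src_ref"] = struct.unpack("!HH", fixed[:4])
    if tpdu == "DR":
        if len(fixed) < 5:
            raise ValueError("DR missing reason byte")
        info["reason"] = fixed[4]
        info["reason_text"] = DR_REASONS.get(fixed[4], "unknown")
    return info


def classify_records(records, allowed_sources):
    """Return alerts for COTP DR TPDUs (and undecodable frames) sent to TCP/102.

    records: iterable of (src_ip, dst_ip, dst_port, payload) from a capture.
    A DR from an allowlisted engineering station is recorded at 'info'
    severity, since legitimate clients also disconnect; any other source is
    'high' because a single valid DR is the whole attack.
    """
    allowed = [ip_network(n) for n in allowed_sources]
    alerts = []
    for src, dst, dport, payload in records:
        if dport != S7_PORT:
            continue
        try:
            hdr = parse_tpkt_cotp(payload)
        except ValueError as exc:
            alerts.append({"kind": "malformed", "src": src, "dst": dst,
                           "severity": "medium", "detail": str(exc)})
            continue
        if hdr["tpdu"] != "DR":
            continue
        trusted = any(ip_address(src) in net for net in allowed)
        alerts.append({"kind": "cotp_dr", "src": src, "dst": dst,
                       "severity": "info" if trusted else "high",
                       "trusted_source": trusted, "reason": hdr["reason_text"],
                       "dst_ref": hdr["dst_ref"], "src_ref": hdr["src_ref"]})
    return alerts


# Constructed sample frames (hand-built, not captured from real devices).
S7_CR = bytes.fromhex("03000016" "11e0" "0000" "0001" "00"       # CR, refs 0/1, class 0
                      "c0010a" "c1020100" "c2020102")             # TPDU size, src/dst TSAP
S7_DT = bytes.fromhex("03000007" "02f0" "80")                     # DT, last data unit
S7_DR = bytes.fromhex("0300000b" "0680" "0001" "0002" "80")       # DR, reason 0x80
S7_DR_BAD = bytes.fromhex("03000020" "0680" "0001" "0002" "80")   # TPKT length lies

ENGINEERING_SUBNETS = ["10.0.5.0/24"]   # hypothetical allowlist
SAMPLE_RECORDS = [
    ("10.0.5.10", "10.0.5.50", 102, S7_CR),    # engineering station connects
    ("10.0.5.10", "10.0.5.50", 102, S7_DT),    # normal S7 traffic
    ("10.0.5.10", "10.0.5.50", 102, S7_DR),    # trusted host disconnects
    ("192.0.2.77", "10.0.5.50", 102, S7_DR),   # DR from an untrusted host
    ("192.0.2.77", "10.0.5.50", 102, S7_DR_BAD),
    ("192.0.2.77", "10.0.5.50", 80, S7_DR),    # not the S7 port, ignored
]

if __name__ == "__main__":
    for alert in classify_records(SAMPLE_RECORDS, ENGINEERING_SUBNETS):
        print(alert)
```

The rule is deliberately conservative: a disconnect from an allowlisted engineering station is logged at info severity rather than suppressed, because the advisory's trigger is a protocol-valid DR that legitimate clients also send. Counting DR TPDUs per source over a time window, and correlating a DR with the device subsequently going silent, are the natural next steps when feeding this into a SOC pipeline.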

Siemens has published security advisory SSA-674753 at https://cert-portal.siemens.com/productcert/html/ssa-674753.html, which provides details on the vulnerability and recommended mitigations for the affected products.

Vulnerability details

A vulnerability has been identified in the following products:

SIMATIC ET 200AL IM 157-1 PN (6ES7157-1AB00-0AB0): all versions
SIMATIC ET 200MP IM 155-5 PN HF (6ES7155-5AA00-0AC0): all versions >= V4.2.0
SIMATIC ET 200SP IM 155-6 MF HF (6ES7155-6MU00-0CN0): all versions
SIMATIC ET 200SP IM 155-6 PN HA (incl. SIPLUS variants): all versions < V1.3
SIMATIC ET 200SP IM 155-6 PN R1 (6ES7155-6AU00-0HM0): all versions < V6.0.1
SIMATIC ET 200SP IM 155-6 PN/2 HF (6ES7155-6AU01-0CN0): all versions >= V4.2.0 < V4.2.5
SIMATIC ET 200SP IM 155-6 PN/3 HF (6ES7155-6AU30-0CN0): all versions < V4.2.2
SIMATIC PN/MF Coupler (6ES7158-3MU10-0XA0): all versions
SIMATIC PN/PN Coupler (6ES7158-3AD10-0XA0): all versions < V6.0.0
SIPLUS ET 200MP IM 155-5 PN HF (6AG1155-5AA00-2AC0): all versions >= V4.2.0
SIPLUS ET 200MP IM 155-5 PN HF (6AG1155-5AA00-7AC0): all versions >= V4.2.0
SIPLUS ET 200MP IM 155-5 PN HF T1 RAIL (6AG2155-5AA00-1AC0): all versions >= V4.2.0
SIPLUS ET 200SP IM 155-6 PN HF (6AG1155-6AU01-2CN0): all versions >= V4.2.0 < V4.2.5
SIPLUS ET 200SP IM 155-6 PN HF (6AG1155-6AU01-7CN0): all versions >= V4.2.0 < V4.2.5
SIPLUS ET 200SP IM 155-6 PN HF T1 RAIL (6AG2155-6AU01-1CN0): all versions >= V4.2.0 < V4.2.5
SIPLUS ET 200SP IM 155-6 PN HF TX RAIL (6AG2155-6AU01-4CN0): all versions >= V4.2.0 < V4.2.5
SIPLUS NET PN/PN Coupler (6AG2158-3AD10-4XA0): all versions < V6.0.0

Affected devices do not properly handle S7 protocol session disconnect requests. When receiving a valid S7 protocol Disconnect Request (COTP DR TPDU) on TCP port 102, the devices enter an improper session state. This could allow an attacker to cause the device to become unresponsive, leading to a denial-of-service condition that requires a power cycle to restore normal operation.

CWE(s)

CWE-400 Uncontrolled Resource Consumption

Related Threats

MITRE ATT&CK Enterprise Techniques (AI-generated mapping)

T1190 Exploit Public-Facing Application (Initial Access)
Adversaries may attempt to exploit a weakness in an Internet-facing host or system to initially access a network.
T1499.004 Application or System Exploitation (Impact)
Adversaries may exploit software vulnerabilities that can cause an application or system to crash and deny availability to users.
Why these techniques?

A single well-formed COTP DR TPDU sent to the S7 port (TCP/102) over the network is enough to take the device down. T1190 covers the network-reachable application being exploited for access; T1499.004 covers the resulting loss of availability, which is the only impact here.

Confidence: HIGH · MITRE ATT&CK Enterprise v19.0

CVEs Like This One

CVE-2026-25667 (shared CWE-400)
CVE-2025-70886 (shared CWE-400)
CVE-2025-9282 (shared CWE-400)
CVE-2026-46829 (shared CWE-400)
CVE-2025-56424 (shared CWE-400)
CVE-2025-27669 (shared CWE-400)
CVE-2025-65518 (shared CWE-400)
CVE-2026-23824 (shared CWE-400)
CVE-2026-39304 (shared CWE-400)
CVE-2026-30350 (shared CWE-400)

Affected Assets

Inferred from references and description; NVD did not file a CPE for this CVE. Use the product and version list under Vulnerability details (article numbers such as 6ES7155-6AU01-0CN0) to match against your asset inventory.

Mitigating Controls (NIST 800-53 r5, AI-generated mapping)

Prevent: Timely application of vendor patches from Siemens advisory SSA-674753 directly remediates the improper handling of S7 protocol disconnect requests. Note that several listed products are affected in all versions with no fixed version given on this page; for those, the network controls below are the available mitigation until the advisory lists a fix.

Prevent (SC-5 Denial-of-service Protection): Rate limiting or filtering of COTP DR TPDUs on TCP port 102 limits how often the condition can be triggered. The triggering DR is protocol-valid, so filtering it requires a protocol-aware firewall or IDS that inspects the COTP code byte, not a plain port rule.

Prevent (SC-7 Boundary Protection): Firewalls that restrict TCP port 102 on affected SIMATIC devices to the engineering stations that need it remove the unauthenticated remote path to the trigger.
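An added example of the SC-7 and SC-5 controls in an nftables ruleset; it is not from the page or from Siemens. It confines TCP/102 toward the cell network to an engineering-station subnet and rate-limits new S7 sessions from that subnet. The interface names, addresses and rate are hypothetical, and the ruleset only covers port 102: a real cell boundary chain needs rules for the rest of the allowed traffic too.

```nft
# Added example (not from the page or Siemens). Interface names, addresses
# and the rate are hypothetical; adapt them to your cell/zone design.
table inet ot_boundary {
    set engineering_stations {
        type ipv4_addr
        flags interval
        elements = { 10.0.5.0/24 }
    }

    chain forward {
        type filter hook forward priority 0; policy drop;

        # Replies on already accepted sessions.
        ct state established,related accept

        # SC-7: new S7 sessions to the cell network only from the
        # engineering subnet. SC-5: cap the rate of fresh sessions so a
        # burst of connect/disconnect cycles cannot hammer the modules.
        iifname "eng0" oifname "cell0" ip saddr @engineering_stations tcp dport 102 ct state new limit rate 10/second accept

        # Everything else aimed at TCP/102 in the cell is logged and dropped.
        oifname "cell0" tcp dport 102 log prefix "s7-blocked " drop
    }
}
```

The rate limit bounds how often any allowed host can open a session to port 102, which the attack needs, but it does not inspect COTP, so a DR from an allowlisted host still reaches the device. Matching DR TPDUs themselves (a 0x80 COTP code byte after the 4-byte TPKT header) requires a protocol-aware firewall or IDS, and none of this replaces the firmware update where the advisory lists one.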

References

Siemens ProductCERT advisory SSA-674753: https://cert-portal.siemens.com/productcert/html/ssa-674753.html