PatchSiren cyber security CVE debrief

CVE-2016-7987 Siemens CVE debrief

CVE-2016-7987 is a network-reachable denial-of-service issue affecting Siemens ETA4 firmware prior to Revision 08 on the SM-2558 extension module used with SICAM AK, SICAM TM 1703, SICAM BC 1703, and SICAM AK 3. According to the supplied record, specially crafted packets sent to TCP port 2404 can cause the device to enter defect mode, and recovery may require a cold start. NVD rates the issue as CVSS 7.5 (HIGH) with no privileges or user interaction required and availability impact only.

Vendor: Siemens
Product: CVE-2016-7987
CVSS: HIGH 7.5
CISA KEV: Not listed in stored evidence
Original CVE published: 2017-02-13
Original CVE updated: 2026-05-13
Advisory published: 2017-02-13
Advisory updated: 2026-05-13

Who should care

OT/ICS operators, plant engineers, and defenders responsible for Siemens SICAM deployments using SM-2558 extension modules and ETA4 firmware prior to Revision 08, especially where TCP/2404 is reachable within the control network.

Technical summary

The supplied NVD record describes a denial-of-service condition in Siemens ETA4 firmware that can be triggered over the network by specially crafted packets to TCP port 2404. The CVSS vector (AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H) reflects a remotely triggerable availability-only impact. The narrative description names SICAM AK, SICAM TM 1703, SICAM BC 1703, and SICAM AK 3, while the NVD CPE metadata also includes firmware criteria entries that should be validated against the vendor advisory and local asset inventory before remediation planning.

Defensive priority

High

Recommended defensive actions

Inventory Siemens SICAM assets that use the SM-2558 extension module and confirm ETA4 firmware versions.
Verify whether any deployed systems are prior to Revision 08 and prioritize those hosts for mitigation.
Restrict and monitor access to TCP port 2404, especially across trust boundaries and remote-access paths.
Use OT network segmentation and allowlisting to limit which management or engineering systems can reach the affected service.
Coordinate with Siemens guidance and the referenced ICS-CERT advisory for patching or upgrade planning.
Prepare recovery procedures for potential defect-mode events, including maintenance-window planning for cold-start restoration.
Monitor for unusual or malformed traffic targeting TCP/2404 and investigate repeated availability disruptions.

Evidence notes

All substantive claims are taken from the supplied official vulnerability record metadata and references: the CVE description states that specially crafted packets to TCP/2404 can force defect mode and may require a cold start; the NVD metadata provides the CVSS v3.0 vector AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H and CWE-19; the published date used here is the CVE publishedAt timestamp of 2017-02-13T21:59:00.563Z. The source corpus also includes references to the CVE record, the NVD detail page, and the ICS-CERT advisory ICSA-16-299-01.

Official resources

CVE-2016-7987 CVE record
CVE.org
CVE-2016-7987 NVD detail
NVD
Source item URL
nvd_modified
Mitigation or vendor reference
[email protected] - Third Party Advisory, VDB Entry
Mitigation or vendor reference
[email protected] - Mitigation, Third Party Advisory, US Government Resource

Publicly disclosed in the CVE record on 2017-02-13 and referenced by the ICS-CERT advisory ICSA-16-299-01.