PatchSiren

CVE-2025-24510 Siemens CVE debrief

CVE-2025-24510 affects Siemens MS/TP Point Pickup Module devices that improperly handle specific incoming BACnet MSTP messages. An attacker already on the same BACnet network could send a specially crafted message that causes a denial of service, and the device must be power cycled to return to normal operation. Siemens and CISA published the advisory on 2025-05-13, and the advisory states that no fix is currently planned.

Vendor: Siemens
Product: MS/TP Point Pickup Module
CVSS: MEDIUM 6.5
CISA KEV: Not listed in stored evidence
Original CVE published: 2025-05-13
Original CVE updated: 2025-05-13
Advisory published: 2025-05-13
Advisory updated: 2025-05-13

Who should care

OT and building automation operators, Siemens customers, and ICS administrators running MS/TP Point Pickup Module devices on BACnet MSTP networks should pay attention, especially where network access is broad or insufficiently segmented.

Technical summary

The advisory describes a network-reachable availability issue in Siemens MS/TP Point Pickup Module devices. The CVSS vector is AV:A/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H, indicating no privileges or user interaction are needed, but the attacker must already be on the same BACnet network. A specially crafted BACnet MSTP message can trigger a denial of service that persists until the device is power cycled. The remediation section states that no fix is currently planned.

Defensive priority

Medium overall, with higher priority in exposed or weakly segmented building automation environments because the impact is a device-level outage and recovery requires a power cycle.

Recommended defensive actions

  • Inventory Siemens MS/TP Point Pickup Module deployments and confirm where the affected devices are connected.
  • Restrict BACnet network access to trusted OT hosts and segment MS/TP traffic from general-purpose IT networks.
  • Apply ACLs, filtering, or other compensating controls to limit who can send BACnet MSTP traffic to the device.
  • Monitor for unexpected BACnet MSTP traffic, repeated device faults, or unexplained service interruptions.
  • Prepare operational recovery procedures for safe power cycling, since that is required to restore normal operation.
  • Track Siemens and CISA advisories for any future update or mitigation guidance, noting that the advisory currently lists no fix planned.

Evidence notes

The primary evidence is the CISA CSAF advisory ICSA-25-135-16 and Siemens advisory references, all published on 2025-05-13. The source description states that affected devices improperly handle specific incoming BACnet MSTP messages, that an attacker must already be on the same BACnet network, that the result is denial of service, and that a power cycle is required to restore operation. The remediation entry says 'Currently no fix is planned.'

Official resources

Publicly disclosed on 2025-05-13 in CISA ICS Advisory ICSA-25-135-16 and Siemens advisory SSA-668154.