PatchSiren cyber security CVE debrief
CVE-2025-40555 Siemens CVE debrief
CVE-2025-40555 is a medium-severity issue in Siemens APOGEE PXC+TALON TC Series (BACnet) devices where a specific BACnet createObject request can cause affected devices to start sending unsolicited BACnet broadcast messages. In a same-network BACnet environment, that behavior can reduce network availability and create a partial denial-of-service condition on the targeted device. Siemens/CISA note that a power cycle is required to restore normal operation, and the advisory states that no fix is currently planned.
- Vendor
- Siemens
- Product
- APOGEE PXC+TALON TC Series (BACnet)
- CVSS
- MEDIUM 4.7
- CISA KEV
- Not listed in stored evidence
- Original CVE published
- 2025-05-13
- Original CVE updated
- 2025-05-13
- Advisory published
- 2025-05-13
- Advisory updated
- 2025-05-13
Who should care
OT/ICS defenders, building automation operators, Siemens APOGEE and TALON TC administrators, and teams responsible for BACnet network segmentation, monitoring, and incident response.
Technical summary
The advisory describes an attacker on the same BACnet network sending a specially crafted BACnet createObject request that triggers continuous unsolicited BACnet broadcast behavior on affected devices. The published CVSS vector is CVSS:3.1/AV:A/AC:L/PR:N/UI:N/S:C/C:N/I:N/A:L, which aligns with a network-adjacent attack path, no required privileges, no user interaction, and limited availability impact. The primary effect is partial denial of service and reduced BACnet network availability; the issue does not indicate confidentiality or integrity impact in the vector. A power cycle is required to return the device to normal operation.
Defensive priority
Medium. This is not a known emergency exposure like a KEV-listed vulnerability, but it is operationally meaningful for BACnet environments because recovery requires a power cycle and availability of building-control networks can be affected.
Recommended defensive actions
- Identify whether APOGEE PXC+TALON TC Series (BACnet) devices are present in your environment and prioritize them for review.
- Restrict BACnet access to authorized hosts and network segments, especially between building automation zones.
- Monitor for unusual or unsolicited BACnet broadcast traffic and investigate any device that begins emitting unexpected broadcasts.
- Prepare incident response and recovery procedures that account for the need to power-cycle affected devices.
- Review Siemens and CISA advisory materials and apply any vendor guidance if it is updated in the future.
Evidence notes
All substantive statements in this debrief are drawn from the supplied CISA CSAF source item for ICSA-25-135-14 and its referenced Siemens/CISA advisory links. The source states the affected product, attack precondition (same BACnet network), impact (partial denial of service and reduced BACnet availability), recovery requirement (power cycle), CVSS vector, publication date, and that no fix is currently planned.
Official resources
-
CVE-2025-40555 CVE record
CVE.org
-
CVE-2025-40555 NVD detail
NVD
-
Source item URL
cisa_csaf
-
Source reference
Reference
-
Source reference
Reference
-
Source reference
Reference
-
Source reference
Reference
-
Source reference
Reference
-
Source reference
Reference
-
Source reference
Reference
Published by CISA and Siemens on 2025-05-13. The supplied source material does not indicate a CISA Known Exploited Vulnerabilities listing, and the advisory states that no fix is currently planned.