PatchSiren cyber security CVE debrief
CVE-2025-40556 Siemens CVE debrief
CVE-2025-40556 affects Siemens BACnet ATEC 550-440, 550-441, 550-445, and 550-446 devices. According to the CISA CSAF advisory and Siemens security advisory, a specially crafted BACnet MSTP message from an attacker on the same BACnet network can trigger a denial of service condition that requires a power cycle to restore normal operation.
- Vendor: Siemens
- Product: BACnet ATEC 550-440
- CVSS: MEDIUM 6.5
- CISA KEV: Not listed in stored evidence
- Original CVE published: 2025-05-13
- Original CVE updated: 2025-05-13
- Advisory published: 2025-05-13
- Advisory updated: 2025-05-13
Who should care
OT/ICS operators, facilities teams, and network engineers responsible for Siemens BACnet ATEC deployments or shared BACnet MSTP segments should review this issue, especially where device availability is operationally critical.
Technical summary
The affected devices improperly handle specific incoming BACnet MSTP messages. The impact is limited to availability: an attacker residing on the same BACnet network can send a crafted MSTP message that causes the targeted device to stop operating normally until it is power cycled. The advisory lists BACnet ATEC 550-440, 550-441, 550-445, and 550-446, and notes that no fix is currently planned.
Defensive priority
Medium. The CVSS score is 6.5 with high availability impact, and the issue can disrupt OT operations until manual recovery. Prioritize mitigation if these devices are deployed on shared or weakly segmented BACnet networks.
Recommended defensive actions
- Identify whether BACnet ATEC 550-440, 550-441, 550-445, or 550-446 devices are in use and document where they sit in the BACnet network.
- Restrict access to BACnet MSTP segments to trusted controllers and maintenance systems only.
- Review segmentation and bridging between BACnet networks and other network zones to reduce exposure to same-network attackers.
- Monitor for abnormal BACnet MSTP traffic and device hang behavior, and ensure operators have a tested recovery procedure for power-cycle restoration.
- Apply CISA and vendor defense-in-depth guidance for industrial control systems, including least-privilege network access and layered segmentation.
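One way to implement the hang monitoring suggested in the list above, as an added example that is not taken from the CISA or Siemens advisories: it validates MS/TP frame headers (preamble, type, destination, source, length, header CRC as defined in ASHRAE 135) from a timestamped capture and reports expected master MACs that stopped sourcing frames while the bus stayed active. The function names, the 5-second threshold, and the sample capture are assumptions constructed for illustration.

```python
PREAMBLE = b"\x55\xff"
TOKEN, POLL_FOR_MASTER = 0x00, 0x01  # MS/TP frame type codes

def header_crc(data: bytes) -> int:
    """CRC-8 register over MS/TP header octets (ASHRAE 135 Annex G)."""
    crc = 0xFF
    for octet in data:
        c = crc ^ octet
        c ^= (c << 1) ^ (c << 2) ^ (c << 3) ^ (c << 4) ^ (c << 5) ^ (c << 6) ^ (c << 7)
        crc = (c & 0xFE) ^ ((c >> 8) & 1)
    return crc

def make_frame(ftype: int, dst: int, src: int) -> bytes:
    """Build a zero-length frame; used only for the constructed sample."""
    hdr = bytes([ftype, dst, src, 0, 0])
    return PREAMBLE + hdr + bytes([~header_crc(hdr) & 0xFF])

def parse_header(raw: bytes):
    """Return (type, dst, src, data_len), or None if the header is invalid."""
    if len(raw) < 8 or raw[:2] != PREAMBLE:
        return None
    if header_crc(raw[2:8]) != 0x55:  # residue of a valid header plus its CRC
        return None
    return raw[2], raw[3], raw[4], int.from_bytes(raw[5:7], "big")

def silent_masters(capture, expected, max_silence):
    """MACs in `expected` not seen as a frame source within max_silence
    seconds of the last valid frame, while the rest of the bus kept running.
    Assumes `capture` is (timestamp_seconds, raw_frame) in time order."""
    last_seen, bus_end = {}, None
    for ts, raw in capture:
        hdr = parse_header(raw)
        if hdr is None:
            continue  # noise or corrupted header: not evidence of life
        last_seen[hdr[2]] = bus_end = ts
    if bus_end is None:
        return sorted(expected)
    return sorted(m for m in expected
                  if bus_end - last_seen.get(m, float("-inf")) > max_silence)

def sample_capture():
    """Constructed, simplified capture: MAC 2 stops answering after t=0.95 s."""
    healthy = [(TOKEN, 1, 2), (TOKEN, 2, 3), (TOKEN, 3, 1)]  # (type, src, dst)
    hung = [(TOKEN, 1, 2), (POLL_FOR_MASTER, 1, 2), (TOKEN, 1, 3), (TOKEN, 3, 1)]
    seq = healthy * 7 + hung * 45
    cap = [(i * 0.05, make_frame(t, dst, src)) for i, (t, src, dst) in enumerate(seq)]
    good = make_frame(TOKEN, 3, 2)
    cap.append((len(seq) * 0.05, good[:-1] + bytes([good[-1] ^ 1])))  # bad CRC
    return cap

if __name__ == "__main__":
    print("silent masters:", silent_masters(sample_capture(), {1, 2, 3}, 5.0))
```

A flagged MAC indicates only silence on the segment; match it against the device inventory to decide whether it is one of the affected ATEC models awaiting a power cycle.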
Evidence notes
Primary evidence comes from the CISA CSAF advisory ICSA-25-135-03 and the Siemens security advisory SSA-828116, both published on 2025-05-13. The supplied advisory text explicitly states that affected devices mishandle specific BACnet MSTP messages, that a same-network attacker can cause a denial of service, and that a power cycle is required for recovery. The supplied remediations field states that no fix is currently planned. No KEV entry is indicated in the provided data.
Official resources
- CVE-2025-40556 CVE record (CVE.org)
- CVE-2025-40556 NVD detail (NVD)
- Source item URL (cisa_csaf)
CISA and Siemens published the advisory on 2025-05-13 for Siemens BACnet ATEC devices. The supplied advisory states that no fix is currently planned for the affected models.