CVE-2025-40578 Siemens CVE debrief

Who should care

OT/ICS operators, network engineers, and security teams responsible for Siemens SCALANCE LPE9403 deployments, especially where Profinet and DCP are reachable on industrial networks.

Technical summary

The advisory says affected devices do not properly handle multiple incoming Profinet packets received in rapid succession. The result is a crash of the dcpd process caused by an unauthenticated remote attacker. The supplied CVSS vector is CVSS:3.1/AV:A/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L, indicating availability-only impact with adjacent-network attack requirements. CISA identifies the affected product as Siemens SCALANCE LPE9403 (6GK5998-3GS00-2AC2) and states that no fix is currently available.

Defensive priority

Moderate priority for exposed OT networks. Because the flaw is remotely triggerable from an adjacent network and no patch is available in the supplied advisory, exposure reduction and service mitigation should be prioritized.

Recommended defensive actions

• Disable the Profinet Discovery and Configuration Protocol (DCP) service on affected devices, per the advisory.
• Reduce exposure of affected devices by segmenting OT networks and limiting reachability from other systems.
• Apply CISA ICS recommended practices and defense-in-depth guidance to reduce the impact of a device crash.
• Monitor Siemens and CISA advisory updates for any future fix or additional mitigation guidance.
• Coordinate any DCP changes with operational stakeholders before implementation.

Evidence notes

Primary evidence comes from the CISA CSAF advisory ICSA-25-135-18 and the Siemens advisory references SSA-327438. The supplied source states that rapid successive Profinet packets can crash dcpd, identifies Siemens SCALANCE LPE9403 as affected, and lists no fix available at publication time.

Official resources