PatchSiren cyber security CVE debrief
CVE-2025-40820 Siemens CVE debrief
A TCP sequence number validation weakness in Siemens industrial products allows unauthenticated remote attackers to interfere with connection setup, potentially causing denial of service. The attack requires precise timing and the ability to inject spoofed IP packets, limiting practical exploitability but not eliminating risk for exposed TCP-based services.
- Vendor: Siemens
- Product: SIDOOR ATD430W
- CVSS: HIGH 7.5
- CISA KEV: Not listed in stored evidence
- Original CVE published: 2025-12-09
- Original CVE updated: 2025-12-18
- Advisory published: 2025-12-09
- Advisory updated: 2025-12-18
Who should care
Industrial control system operators, OT security teams, critical infrastructure defenders, manufacturing security engineers, and asset owners using Siemens SIMATIC S7-1200/1500, ET 200SP, ET 200eco PN, ET 200pro, ET 200MP, ET 200AL, ET 200clean, CFU, SIDOOR, and S7-200 SMART product families.
Technical summary
The vulnerability stems from improper TCP sequence number validation in the Interniche IP-Stack implementation used across Siemens industrial product lines. Affected systems accept sequence numbers within an overly broad range rather than strictly validating expected values. This enables an off-path attacker who can inject spoofed IP packets with valid sequence numbers to disrupt TCP connection establishment. The attack is timing-dependent—packets must arrive at precise moments during the TCP handshake—and only affects TCP-based services. The CVSS 3.1 vector (AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H) reflects network accessibility, low attack complexity, no privileges required, and high availability impact. Siemens has released patches for some product lines; others have no fix planned or available, requiring network-level mitigations.
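To make the "overly broad range" concrete, the following added example (not code from Siemens, the Interniche stack, or this advisory) models a TCP receiver's segment acceptability test. The strict check is the RFC 793 window test; the broad check is a constructed, hypothetical receiver that accepts anything in the half of the sequence space ahead of RCV.NXT, and the sample segments and state values are made up for illustration.

```python
"""Strict (RFC 793) vs. hypothetical broad TCP sequence-number acceptance."""
from dataclasses import dataclass

SEQ_SPACE = 2 ** 32  # TCP sequence numbers wrap modulo 2**32


@dataclass
class ReceiverState:
    rcv_nxt: int  # next sequence number the receiver expects (RCV.NXT)
    rcv_wnd: int  # receive window currently advertised (RCV.WND)


def seq_in_window(seq: int, st: ReceiverState) -> bool:
    """True if seq lies in [RCV.NXT, RCV.NXT + RCV.WND) modulo 2**32."""
    return (seq - st.rcv_nxt) % SEQ_SPACE < st.rcv_wnd


def strict_accept(seq: int, seg_len: int, st: ReceiverState) -> bool:
    """RFC 793 section 3.3 acceptability test, including the zero-length
    and zero-window corner cases."""
    if seg_len == 0:
        if st.rcv_wnd == 0:
            return seq == st.rcv_nxt
        return seq_in_window(seq, st)
    if st.rcv_wnd == 0:
        return False
    last = (seq + seg_len - 1) % SEQ_SPACE
    return seq_in_window(seq, st) or seq_in_window(last, st)


def broad_accept(seq: int, seg_len: int, st: ReceiverState) -> bool:
    """Hypothetical over-permissive check (constructed for illustration):
    accept any segment whose seq is 'ahead' of RCV.NXT by less than half
    the sequence space, i.e. a bare signed 32-bit comparison, ignoring RCV.WND."""
    return (seq - st.rcv_nxt) % SEQ_SPACE < SEQ_SPACE // 2


# Constructed sample segments: (label, seq, seg_len), against window [1000, 9192).
SEGMENTS = [
    ("expected next byte", 1000, 100),
    ("retransmit inside window", 1500, 100),
    ("straddles window edge", 9150, 100),
    ("just past window", 9200, 0),
    ("far ahead, blind guess", 1000 + 2 ** 20, 0),
    ("behind RCV.NXT (old)", 900, 0),
]


def classify(segments, st: ReceiverState) -> dict:
    """Return {label: (strict_result, broad_result)} for each segment."""
    return {label: (strict_accept(seq, n, st), broad_accept(seq, n, st))
            for label, seq, n in segments}
```

With RCV.WND = 8192 the strict receiver accepts only 8192 of the 2**32 possible sequence values, while the broad one accepts about half of them, which is the difference between an off-path sender needing a near-exact guess and needing almost none.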
Defensive priority
HIGH
Recommended defensive actions
- Apply vendor patches where available: update SIDOOR ATD430W to V1.3+, SIMATIC ET 200SP IM 155-6 PN HF to V10.2+, affected SIMATIC CFU/ET 200eco PN/ET 200SP IM modules to V2.0.0+, S7-1200/1500/ET 200SP CPU modules to V4.4
- For products with no planned fix, disable embedded Ethernet ports and use external communication modules (CP) for network connectivity
- Restrict TCP accessibility to trusted IP addresses through network segmentation and firewall rules as a workaround for all affected products
- Monitor for anomalous TCP connection failures, connection reset patterns, and timing anomalies in industrial network traffic
- Implement defense-in-depth controls per CISA ICS recommended practices including network segmentation, access control, and continuous monitoring
Evidence notes
CVE published 2025-12-09; CISA republished Siemens ProductCERT advisory 2025-12-18. CVSS 7.5 (HIGH) per source. Affects 80+ Siemens SIMATIC and SIDOOR product variants using Interniche IP-Stack. Attack requires spoofed IP packet injection at precisely timed moments against TCP-based services.
Official resources
- CVE-2025-40820 CVE record (CVE.org)
- CVE-2025-40820 NVD detail (NVD)
- Source item URL (cisa_csaf)
- Source reference (Reference)
2025-12-09