PatchSiren cyber security CVE debrief
CVE-2025-40944 Siemens CVE debrief
CVE-2025-40944 is a network-reachable denial-of-service issue affecting multiple Siemens SIMATIC and SIPLUS industrial communication products. A valid S7 protocol Disconnect Request (COTP DR TPDU) sent to TCP port 102 can place affected devices into an improper session state, causing them to become unresponsive until they are power-cycled. CISA’s republication of Siemens ProductCERT guidance lists network access restrictions as the primary mitigation, with fixes available for some affected products and no fix planned for others.
- Vendor: Siemens
- Product: SIMATIC ET 200AL IM 157-1 PN (6ES7157-1AB00-0AB0)
- CVSS: HIGH 7.5
- CISA KEV: Not listed in stored evidence
- Original CVE published: 2026-01-13
- Original CVE updated: 2026-02-12
- Advisory published: 2026-01-13
- Advisory updated: 2026-02-12
Who should care
OT and ICS defenders, plant operators, Siemens SIMATIC/SIPLUS administrators, and anyone exposing S7 communication services on TCP port 102 to non-trusted networks.
Technical summary
The advisory describes an availability issue in Siemens SIMATIC ET 200 and related SIPLUS product variants. When the device receives a valid S7 Disconnect Request (COTP DR TPDU) on TCP port 102, it can enter an improper session state and stop responding. The published CVSS vector is CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H, consistent with a high-severity denial-of-service condition. The affected-product list is broad, and remediation differs by model: some products have vendor updates, while others are marked as having no fix planned in the advisory.
Defensive priority
High. Treat as urgent if any affected Siemens device is reachable on TCP port 102 from untrusted or broadly accessible networks.
Recommended defensive actions
- Restrict TCP port 102 access so only trusted hosts and management networks can reach affected devices.
- Segment OT networks that exchange S7 traffic and remove unnecessary routing paths to the devices.
- Apply Siemens vendor updates where available for the exact product and firmware line listed in the advisory.
- For products marked with no fix planned, rely on compensating controls such as firewall allowlisting and strict network access control.
- Validate exposure by inventorying which affected Siemens models are in service and whether port 102 is reachable beyond trusted engineering stations.
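The exposure validation in the last action can be run against firewall or flow logs. The following is an added example, not code from Siemens, CISA, or this page's author: it reports which devices received TCP port 102 connections from sources outside an allowlist, and which of those connections were actually permitted. The log layout, addresses, and allowlist are constructed assumptions.

```python
import ipaddress
from collections import defaultdict

# Assumed values for illustration; replace with your own inventory and allowlist.
S7_PORT = 102
DEVICE_NETS = [ipaddress.ip_network("10.20.30.0/24")]  # affected devices (assumed)
TRUSTED_SOURCES = [ipaddress.ip_network(n) for n in ("10.20.1.10/32", "10.20.1.11/32")]

# Constructed flow records: "timestamp src dst proto dport action"
SAMPLE_LOG = """\
2026-02-12T08:00:01Z 10.20.1.10 10.20.30.5 tcp 102 allow
2026-02-12T08:00:07Z 10.50.4.23 10.20.30.5 tcp 102 allow
2026-02-12T08:01:12Z 10.50.4.23 10.20.30.6 tcp 102 deny
2026-02-12T08:02:40Z 172.16.9.2 10.20.30.5 tcp 443 allow
2026-02-12T08:03:03Z 10.20.1.11 10.20.30.6 tcp 102 allow
malformed line
2026-02-12T08:04:55Z 192.168.7.7 10.20.30.7 tcp 102 allow
"""

def in_any(addr, nets):
    return any(addr in net for net in nets)

def audit_s7_exposure(log_text):
    """Return {device: {untrusted_src: {"allow": n, "deny": n}}} for tcp/102."""
    findings = defaultdict(lambda: defaultdict(lambda: {"allow": 0, "deny": 0}))
    for line in log_text.splitlines():
        parts = line.split()
        if len(parts) != 6:
            continue  # skip malformed records instead of aborting the audit
        _, src, dst, proto, dport, action = parts
        try:
            src_ip, dst_ip = ipaddress.ip_address(src), ipaddress.ip_address(dst)
        except ValueError:
            continue
        if proto != "tcp" or dport != str(S7_PORT) or action not in ("allow", "deny"):
            continue
        if in_any(dst_ip, DEVICE_NETS) and not in_any(src_ip, TRUSTED_SOURCES):
            findings[dst][src][action] += 1
    return {dev: dict(srcs) for dev, srcs in findings.items()}

def reachable_from_untrusted(findings):
    """Devices where at least one untrusted source was allowed through."""
    return sorted(dev for dev, srcs in findings.items()
                  if any(c["allow"] for c in srcs.values()))

if __name__ == "__main__":
    print(reachable_from_untrusted(audit_s7_exposure(SAMPLE_LOG)))
```

Devices that appear only with `deny` counts show the filter working; devices returned by `reachable_from_untrusted` need their port 102 access rules tightened.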
Evidence notes
This debrief is based on the CISA CSAF advisory ICSA-26-015-04, which republishes Siemens ProductCERT advisory SSA-674753, and on the supplied CVE metadata. The corpus states that affected devices do not properly handle S7 session disconnect requests, that the condition can require a power cycle to restore operation, and that CISA/Siemens recommend filtering or restricting access to TCP port 102 and S7 communication networks. The advisory also includes product-specific vendor fixes for some models and 'no fix planned' for others.
Official resources
- CVE-2025-40944 CVE record (CVE.org)
- CVE-2025-40944 NVD detail (NVD)
- Source item URL (cisa_csaf)
Publicly disclosed by CISA as ICSA-26-015-04 on 2026-01-13, with later advisory updates on 2026-01-14, 2026-02-10, and 2026-02-12. The supplied source corpus identifies Siemens ProductCERT advisory SSA-674753 as the underlying vendor notice