Executive Summary
In January 2026, Siemens publicly disclosed a denial-of-service vulnerability (CVE-2025-40944) impacting multiple SIMATIC and SIPLUS products used widely in critical manufacturing environments. The flaw allows an attacker to send a specially crafted S7 protocol Disconnect Request (COTP DR TPDU) over TCP port 102, which causes affected devices to become unresponsive, requiring a physical power cycle to restore service. While some products have received security updates, many still await permanent fixes. Incident response measures include network segmentation and port filtering to mitigate risk, as exploitation could disrupt operational technology and industrial control systems worldwide.
This incident is especially relevant amid the ongoing focus on industrial cyber defenses, as threat actors increasingly target operational technology. The vulnerability highlights persistent risks from protocol weaknesses and layered third-party supply chains, underscoring the importance of proactive risk management, segmentation, and maintaining up-to-date mitigations in ICS environments.
Why This Matters Now
Industrial control systems are frequent targets for disruptive cyberattacks, and unpatched DoS vulnerabilities can have cascading effects on manufacturing operations and supply chains. With critical infrastructure increasingly under threat, this Siemens issue underscores the urgency for vendors and end users to apply network restrictions and update affected products to minimize potential downtime.
Attack Path Analysis
The attacker remotely targeted Siemens SIMATIC and SIPLUS devices by sending crafted S7 Disconnect Requests to exposed TCP port 102, exploiting an uncontrolled resource consumption vulnerability. No privilege escalation was needed as devices failed open to unauthorized disconnects. Lateral movement could occur if attackers reached additional PLCs on the same flat network segment. The attacker maintained command and control through continued protocol-level interactions. While exfiltration was not the objective, traffic monitoring remains critical. Ultimately, the device went offline, causing denial of service and operational disruption until manual recovery.
Kill Chain Progression
Initial Compromise
Description
Attackers accessed exposed network interfaces for Siemens PLCs over TCP port 102 and delivered a valid S7 Disconnect Request to trigger the vulnerability.
Related CVEs
CVE-2025-40944
CVSS 7.5 – A vulnerability in Siemens SIMATIC and SIPLUS products allows an attacker to send a valid S7 protocol Disconnect Request (COTP DR TPDU) on TCP port 102, causing the device to become unresponsive and require a power cycle to recover.
Affected Products:
Siemens SIMATIC ET 200AL IM 157-1 PN – All versions
Siemens SIMATIC ET 200MP IM 155-5 PN HF – All versions >= V4.2.0
Siemens SIMATIC ET 200SP IM 155-6 MF HF – All versions
Siemens SIMATIC ET 200SP IM 155-6 PN HA – All versions < V1.3
Siemens SIMATIC ET 200SP IM 155-6 PN R1 – All versions < V6.0.1
Siemens SIMATIC ET 200SP IM 155-6 PN/2 HF – All versions >= V4.2.0
Siemens SIMATIC ET 200SP IM 155-6 PN/3 HF – All versions < V4.2.2
Siemens SIMATIC PN/MF Coupler – All versions
Siemens SIMATIC PN/PN Coupler – All versions < V6.0.0
Siemens SIPLUS ET 200MP IM 155-5 PN HF – All versions >= V4.2.0
Siemens SIPLUS ET 200MP IM 155-5 PN HF T1 RAIL – All versions >= V4.2.0
Siemens SIPLUS ET 200SP IM 155-6 PN HF – All versions >= V4.2.0
Siemens SIPLUS ET 200SP IM 155-6 PN HF T1 RAIL – All versions >= V4.2.0
Siemens SIPLUS ET 200SP IM 155-6 PN HF TX RAIL – All versions >= V4.2.0
Siemens SIPLUS NET PN/PN Coupler – All versions < V6.0.0
Exploit Status:
no public exploit
MITRE ATT&CK® Techniques
Techniques are mapped for industry relevance and filtering; further enrichment with full TTP context and STIX/TAXII is possible for advanced use cases.
Endpoint Denial of Service
Denial of Service
Network Denial of Service
Hardware Additions
Exploit Public-Facing Application
Service Stop
Modify System Process
Potential Compliance Exposure
Mapping incident impact across multiple compliance frameworks.
PCI DSS 4.0 – Network Access Control
Control ID: 1.4.2
NYDFS 23 NYCRR 500 – Cybersecurity Policy
Control ID: Section 500.03
DORA – ICT Risk Management Framework
Control ID: Article 9(2)
CISA ZTMM 2.0 – Network Segmentation Controls
Control ID: Network and Environment - Segmentation
NIS2 Directive – Cybersecurity Risk Management Measures
Control ID: Article 21
Sector Implications
Industry-specific impact of the vulnerabilities, including operational, regulatory, and cloud security risks.
Industrial Automation
Critical DoS vulnerability in Siemens SIMATIC/SIPLUS products threatens operational continuity, requiring power cycles and comprehensive network segmentation with encrypted traffic protection.
Utilities
S7 protocol exploitation enables facility-wide shutdowns of critical infrastructure, demanding immediate firewall filtering and zero trust segmentation for operational resilience.
Oil/Energy/Solar/Greentech
Manufacturing control systems face uncontrolled resource consumption attacks via TCP port 102, necessitating east-west traffic security and anomaly detection capabilities.
Automotive
Production line disruptions from PROFINET network vulnerabilities require multicloud visibility, inline IPS protection, and comprehensive threat detection across manufacturing environments.
Sources
- Siemens SIMATIC and SIPLUS products (CISA ICSA-26-015-04) – https://www.cisa.gov/news-events/ics-advisories/icsa-26-015-04 (Verified)
- Siemens Security Advisory SSA-674753 – https://cert-portal.siemens.com/productcert/html/ssa-674753.html (Verified)
- NVD – CVE-2025-40944 – https://nvd.nist.gov/vuln/detail/CVE-2025-40944 (Verified)
Frequently Asked Questions
Cloud Native Security Fabric (CNSF) Mitigations and Controls
Network segmentation, protocol-specific filtering, and robust lateral movement controls would have blocked unauthorized S7 access and contained the attack to a single device, preventing propagation and minimizing downtime. Zero trust enforcement and anomaly detection increase resilience against protocol abuse and ensure only authorized communications reach protected workloads.
Control: Cloud Firewall (ACF)
Mitigation: Prevents untrusted network access to management/protocol ports.
Control: Zero Trust Segmentation
Mitigation: Enforces least privilege and blocks protocol access from unauthorized zones.
Control: East-West Traffic Security
Mitigation: Detects and blocks workload-to-workload protocol traffic outside approved paths.
Control: Threat Detection & Anomaly Response
Mitigation: Alerts on, and optionally halts, anomalous protocol use and DoS attempts.
Control: Egress Security & Policy Enforcement
Mitigation: Prevents unauthorized outbound sessions from critical devices.
Minimizes blast radius and operational downtime through automated isolation.
Impact at a Glance
Affected Business Functions
- Industrial Automation
- Manufacturing Operations
Estimated downtime: 2 days
Estimated loss: $50,000
No data exposure reported; the vulnerability leads to a denial-of-service condition requiring a power cycle to restore normal operation.
Recommended Actions
Key Takeaways & Next Steps
- Strictly segment industrial control networks using zero trust segmentation and cloud-native firewalls to restrict protocol port exposure.
- Implement least-privilege, identity-based network policies so only approved engineering assets can access PLC/ICS protocol ports.
- Enforce comprehensive east-west traffic controls and internal microsegmentation to prevent lateral movement after initial compromise.
- Deploy inline threat detection and real-time anomaly response to monitor for and rapidly alert on S7 protocol abuse and DoS behavior.
- Ensure all egress from OT/ICS devices is tightly governed and monitored to detect attempted exfiltration or unauthorized communications.
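The segmentation and anomaly-detection controls above (and in the CNSF mitigations section) can be checked against flow records. The following is an added example, not code from Siemens, CISA or the CNSF product: it enforces a hypothetical allowlist of engineering hosts for TCP/102 sessions to a PLC zone and flags any source that opens an unusual burst of S7 sessions, which is the pattern a repeated Disconnect Request DoS would produce. All addresses and flow lines are constructed.

```python
from collections import defaultdict
from ipaddress import ip_address, ip_network

S7_PORT = 102  # ISO-TSAP / S7 protocol port named in the advisory

# Hypothetical zone policy (constructed addresses): only the engineering
# workstation subnet may open TCP/102 sessions to the PLC zone.
PLC_ZONE = ip_network("10.10.20.0/24")
ALLOWED_S7_CLIENTS = [ip_network("10.10.10.0/28")]


def s7_allowed(src: str, dst: str, dport: int) -> bool:
    """Zero-trust style check: TCP/102 to a PLC is permitted only from an
    approved engineering subnet. Flows that are not S7-to-PLC are out of
    scope for this policy and pass through."""
    if dport != S7_PORT or ip_address(dst) not in PLC_ZONE:
        return True
    return any(ip_address(src) in net for net in ALLOWED_S7_CLIENTS)


def parse_flow(line: str) -> dict:
    """Parse one constructed flow record of the form 'ts src dst dport'."""
    ts, src, dst, dport = line.split()
    return {"ts": int(ts), "src": src, "dst": dst, "dport": int(dport)}


def analyze(lines, burst_window=10, burst_limit=5):
    """Return (violations, bursty_sources): violations are TCP/102 flows from
    outside the allowlist; a source is bursty when it starts >= burst_limit
    S7 sessions within burst_window seconds (normal engineering access keeps
    one session open rather than repeatedly connecting and disconnecting)."""
    violations, starts = [], defaultdict(list)
    for flow in map(parse_flow, lines):
        if flow["dport"] != S7_PORT:
            continue
        if not s7_allowed(flow["src"], flow["dst"], flow["dport"]):
            violations.append((flow["src"], flow["dst"]))
        starts[flow["src"]].append(flow["ts"])
    bursty = set()
    for src, ts_list in starts.items():
        ts_list.sort()
        for i in range(len(ts_list) - burst_limit + 1):
            if ts_list[i + burst_limit - 1] - ts_list[i] <= burst_window:
                bursty.add(src)
                break
    return violations, bursty


# Constructed sample flow log: one allowed engineering session, then an
# office host hammering the PLC with short S7 sessions, then unrelated traffic.
SAMPLE_FLOWS = [
    "1000 10.10.10.5 10.10.20.7 102",
    "1001 10.10.30.9 10.10.20.7 102",
    "1002 10.10.30.9 10.10.20.7 102",
    "1003 10.10.30.9 10.10.20.7 102",
    "1004 10.10.30.9 10.10.20.7 102",
    "1005 10.10.30.9 10.10.20.7 102",
    "1006 10.10.30.9 10.10.20.7 443",
]
```

Running `analyze(SAMPLE_FLOWS)` reports five policy violations from 10.10.30.9 and flags that host as bursty, while the engineering station's single session is accepted.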