OTPulse

Siemens TCP Stack of SIMATIC MV400

Plan Patch · 7.5 · ICS-CERT ICSA-21-068-07 · Mar 9, 2021
Attack Vector: Network
Auth Required: None
Complexity: Low
User Interaction: None needed
Summary

A flaw in the TCP stack of the Siemens SIMATIC MV400 motor control device allows a remote attacker to send a malformed TCP packet that crashes the device or renders it unresponsive, causing a denial of service. The vulnerability affects all SIMATIC MV400 firmware versions prior to v7.0.6 and requires only network-level access to exploit; no credentials or user interaction is needed. The device will remain unavailable until manually restarted, potentially interrupting process operations.

What this means
What could happen
An attacker with network access to the SIMATIC MV400 could send a specially crafted network packet to cause the device to stop responding (denial of service), disrupting whatever process the device controls—such as motor operation, heating control, or power distribution—until the device is manually restarted.
Who's at risk
Organizations operating Siemens SIMATIC MV400 medium-voltage motor control systems should prioritize this advisory. The SIMATIC MV400 is used in power distribution systems, water treatment facilities, and industrial motor control applications. Any facility using MV400 for critical process control, pump operation, or electrical distribution is affected.
How it could be exploited
An attacker sends a malformed TCP packet to the SIMATIC MV400 over the network (port 102 or other configured TCP service ports). The device's TCP stack fails to handle the malformed packet correctly, causing the device to crash or become unresponsive. No credentials or prior device access is required.
Prerequisites
  • Network access to SIMATIC MV400 TCP service ports (typically port 102 for S7 communication, or other configured service ports)
  • Device must be running firmware version prior to v7.0.6
Tags: remotely exploitable · no authentication required · low complexity attack · causes denial of service (process interruption) · affects industrial control system
Exploitability
Low exploit probability (EPSS 0.4%)
Affected products (1)
Product                 Affected Versions   Fix Status
SIMATIC MV400 family    All < V7.0.6        7.0.6
Remediation & Mitigation
Do now
WORKAROUND: Restrict network access to SIMATIC MV400 using firewall rules; only allow traffic from authorized engineering workstations and HMI systems on known TCP ports
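The workaround above, turned into something a firewall administrator can review. This is an added example, not part of the advisory and not Siemens or OTPulse code: it models the allowlist (device address, authorized engineering workstations and HMI hosts, known TCP service ports) as a small Python policy object that renders an nftables ruleset for the firewall in front of the device and evaluates candidate flows with the same rule order, so a ruleset can be checked against a list of observed connections before it is deployed. All addresses are constructed placeholders; port 102 is used only because the advisory names it.

```python
"""Allowlist policy for a SIMATIC MV400, modelled after the advisory's workaround.

Added example (not from the advisory or from Siemens): given the device address,
the authorized engineering workstations / HMI hosts and the known TCP service
ports, emit an nftables ruleset and evaluate candidate flows against the same
logic. Every address below is a constructed placeholder.
"""
from __future__ import annotations

import ipaddress
from dataclasses import dataclass, field


@dataclass
class Mv400Policy:
    device: str                                   # MV400 address (constructed placeholder)
    authorized_hosts: list[str]                   # workstations / HMIs (constructed placeholders)
    service_ports: list[int] = field(default_factory=lambda: [102])  # port 102 as named in the advisory

    def __post_init__(self) -> None:
        # Normalise and validate every address so a typo fails early
        # rather than silently producing a rule that matches nothing.
        self.device = str(ipaddress.IPv4Address(self.device))
        self.authorized_hosts = sorted({str(ipaddress.IPv4Address(h)) for h in self.authorized_hosts})
        if not self.authorized_hosts:
            raise ValueError("allowlist must not be empty")

    def is_allowed(self, src: str, dst: str, dport: int, established: bool = False) -> bool:
        """Verdict for one TCP flow, mirroring the generated ruleset rule for rule."""
        if dst != self.device:
            return True                     # the ruleset only constrains traffic to the device
        if established:
            return True                     # replies within sessions the device already accepted
        return src in self.authorized_hosts and dport in self.service_ports

    def nftables(self) -> str:
        """Render the policy as an nftables table on the forward hook."""
        hosts = ", ".join(self.authorized_hosts)
        ports = ", ".join(str(p) for p in self.service_ports)
        return "\n".join([
            "table inet mv400_filter {",
            "    set authorized_hosts {",
            "        type ipv4_addr",
            f"        elements = {{ {hosts} }}",
            "    }",
            "    chain forward {",
            "        type filter hook forward priority 0; policy accept;",
            f"        ip daddr {self.device} ct state established,related accept",
            f"        ip daddr {self.device} ip saddr @authorized_hosts tcp dport {{ {ports} }} ct state new accept",
            f"        ip daddr {self.device} counter drop",
            "    }",
            "}",
        ])


def review_flows(policy: Mv400Policy, flows):
    """Return (src, dst, dport, verdict) for each new flow; useful for checking a capture."""
    return [(s, d, p, "ALLOW" if policy.is_allowed(s, d, p) else "DROP") for s, d, p in flows]


# Constructed sample: two authorized hosts, one host outside the allowlist, one other device.
POLICY = Mv400Policy(device="10.0.20.40", authorized_hosts=["10.0.10.5", "10.0.10.6"])
SAMPLE_FLOWS = [
    ("10.0.10.5", "10.0.20.40", 102),   # engineering workstation -> MV400 on the S7 port
    ("10.0.10.6", "10.0.20.40", 80),    # HMI host, but not a known service port
    ("10.0.30.9", "10.0.20.40", 102),   # host outside the allowlist
    ("10.0.30.9", "10.0.20.41", 102),   # different device, not covered by this policy
]

if __name__ == "__main__":
    print(POLICY.nftables())
    for row in review_flows(POLICY, SAMPLE_FLOWS):
        print(row)
```

The final `counter drop` rule is what makes the allowlist effective: without it the chain's accept policy would let every other packet through, and the counter gives a cheap indicator of how often unexpected hosts are reaching the device.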
Schedule — requires maintenance window

Patching may require device reboot — plan for process interruption

HOTFIX: Upgrade SIMATIC MV400 to firmware version 7.0.6 or later
Long-term hardening
HARDENING: Isolate the SIMATIC MV400 on a dedicated industrial network segment with no direct connectivity to the corporate IT network or the Internet
HARDENING: Implement network segmentation and air-gap the industrial control network from the business network