OTPulse

Siemens SIMOCODE, SIMATIC, SIPLUS, SIDOOR, SIWAREX

Monitor · CVSS 5.3 · ICS-CERT ICSA-25-105-03 · Apr 8, 2025
Attack Vector: Network
Auth Required: None
Complexity: Low
User Interaction: None needed
Summary

A vulnerability in the ICMP services within the TCP/IP stack of Siemens automation devices allows remote attackers to cause a denial of service through specially crafted ICMP packets with large payloads. A successful attack will temporarily affect ICMP service availability on affected devices until the attack ceases and the device restores itself. Other communication services and industrial protocol traffic are not affected. Siemens has released firmware updates for some products and recommends specific mitigations for products without fixes available.

What this means
What could happen
An attacker can send specially crafted ICMP packets to devices on your network, causing a temporary loss of ICMP responsiveness until the attack stops. This affects monitoring and diagnostics that rely on ping and ICMP (reachability checks, ICMP-based health probes) but does not impact other communications such as industrial protocols.
Who's at risk
Water and electric utility operators running Siemens PLCs and distributed I/O modules (SIMATIC S7-300, S7-400, S7-1200, S7-1500, ET 200 series, SIMOCODE, SINUMERIK, SIWAREX weighing systems). The greatest exposure is on older CPUs and I/O modules for which no firmware update is available.
How it could be exploited
An attacker with network access to a device sends ICMP packets with oversized payloads to the device's IP address. The vulnerable TCP/IP stack does not handle these packets robustly: processing them exhausts resources in the ICMP service, so the device stops responding to ICMP requests until the traffic ceases and the device recovers on its own.
Prerequisites
  • Network access to the device's IP address with ICMP (IP protocol 1, e.g. echo/ping) permitted along the path
  • Ability to craft and send ICMP packets with large payloads
  • Device must be connected to a network reachable from the attacker
  • Remotely exploitable
  • No authentication required
  • Low attack complexity
  • No patch available for the majority of affected products
  • Affects multiple product lines across energy and transportation sectors
Exploitability
Low exploit probability (EPSS 0.3%)
Affected products (138)
42 with fix · 96 pending
Product                            | Affected Versions | Fix Status
SIMATIC ET 200SP CPU 1510SP F-1 PN | All versions      | No fix yet
SIMATIC ET 200SP CPU 1510SP-1 PN   | All versions      | No fix yet
SIMATIC ET 200SP CPU 1512SP F-1 PN | All versions      | No fix yet
SIMATIC ET 200SP CPU 1512SP-1 PN   | All versions      | No fix yet
SIMATIC ET 200SP IM 155-6 MF HF    | All versions      | No fix yet
Remediation & Mitigation
Do now
WORKAROUND: For S7-400 H V6 CPU family devices without available patches, disable the Ethernet ports on the CPU and use a separate communication module (CP) for network communication instead.
WORKAROUND: Implement packet filtering rules at network perimeter devices (firewalls, routers, IDS/IPS systems) to block ICMP packets with large payloads where operationally viable. Note that an ICMP echo larger than the path MTU arrives as IP fragments, and only the first fragment carries the ICMP header, so a per-packet length match must be paired with a rule on fragmented ICMP (or with reassembly on the filtering device) to be effective.
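The following is an added example, not code from OTPulse, Siemens, or ICS-CERT. It shows the detection side of the "How it could be exploited" description and the packet-filtering workaround: a minimal IPv4/ICMP parser and a per-source detector that flags oversized ICMP echo requests toward PLC addresses, including the case where a large ping is split into IP fragments so that no single packet looks oversized. The payload threshold (128 bytes), the PLC address list, and all sample traffic are assumptions constructed for this example.

```python
"""Flag oversized or fragmented ICMP echo requests aimed at PLC addresses.

Added example; not from the advisory. Threshold, PLC addresses and the
sample traffic below are constructed for illustration.
"""
import struct
from collections import Counter

MAX_ICMP_PAYLOAD = 128                      # assumed limit; a default Linux ping carries 56 bytes
PLC_ADDRS = {"192.0.2.10", "192.0.2.11"}    # constructed PLC addresses
PROTO_ICMP = 1
ICMP_ECHO_REQUEST = 8


def inet_checksum(data):
    """RFC 1071 one's-complement checksum, used by both the IPv4 header and ICMP."""
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF


def ip_from_str(s):
    return bytes(int(o) for o in s.split("."))


def ip_to_str(b):
    return ".".join(str(o) for o in b)


def build_echo_request(src, dst, payload, ident=0x1234, mtu=1500):
    """Construct the IPv4 packet(s) carrying one ICMP echo request with `payload`.
    If the ICMP message does not fit the MTU it is split into IP fragments the way
    a sending host's stack does: only the first fragment has the ICMP header and
    all but the last carry the More-Fragments (MF) flag. Returns raw packets."""
    icmp = struct.pack("!BBHHH", ICMP_ECHO_REQUEST, 0, 0, 0x0001, 1) + payload
    icmp = icmp[:2] + struct.pack("!H", inet_checksum(icmp)) + icmp[4:]
    chunk = (mtu - 20) // 8 * 8            # fragment data must be a multiple of 8 bytes
    packets = []
    for off in range(0, len(icmp), chunk):
        piece = icmp[off:off + chunk]
        mf = 0x2000 if off + chunk < len(icmp) else 0
        ip_hdr = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(piece), ident,
                             mf | (off // 8), 64, PROTO_ICMP, 0,
                             ip_from_str(src), ip_from_str(dst))
        ip_hdr = ip_hdr[:10] + struct.pack("!H", inet_checksum(ip_hdr)) + ip_hdr[12:]
        packets.append(ip_hdr + piece)
    return packets


def parse_ipv4(pkt):
    """Extract the IPv4 fields the detector needs; fragment offset is returned in bytes."""
    ihl = (pkt[0] & 0x0F) * 4
    total_len, ident, flags_frag = struct.unpack("!HHH", pkt[2:8])
    return {
        "src": ip_to_str(pkt[12:16]),
        "dst": ip_to_str(pkt[16:20]),
        "proto": pkt[9],
        "ident": ident,
        "mf": bool(flags_frag & 0x2000),
        "frag_off": (flags_frag & 0x1FFF) * 8,
        "payload": pkt[ihl:total_len],
    }


def detect_oversized_icmp(packets, plc_addrs=PLC_ADDRS, max_payload=MAX_ICMP_PAYLOAD):
    """Per source, count ICMP echo requests toward PLC addresses larger than
    max_payload. A per-packet length check alone misses the common case: a large
    ping arrives as IP fragments and only the first one carries the ICMP header.
    So a first fragment with MF set is counted as oversized even though the bytes
    in that packet are under the limit, and non-first fragments (which have no
    ICMP header to inspect) are tallied separately."""
    oversized = Counter()
    fragments = Counter()
    for raw in packets:
        p = parse_ipv4(raw)
        if p["proto"] != PROTO_ICMP or p["dst"] not in plc_addrs:
            continue
        if p["frag_off"] > 0:
            fragments[p["src"]] += 1
            continue
        if p["payload"][0] != ICMP_ECHO_REQUEST:
            continue
        if p["mf"] or len(p["payload"]) - 8 > max_payload:
            oversized[p["src"]] += 1
    return oversized, fragments


# Constructed sample traffic: one normal ping, one big unfragmented ping,
# one fragmented ping to a PLC, and one fragmented ping to a non-PLC host.
SAMPLE_TRAFFIC = (
    build_echo_request("192.0.2.50", "192.0.2.10", b"A" * 56)
    + build_echo_request("192.0.2.51", "192.0.2.10", b"B" * 1000)
    + build_echo_request("192.0.2.52", "192.0.2.11", b"C" * 3000)
    + build_echo_request("192.0.2.52", "198.51.100.5", b"D" * 3000)
)

if __name__ == "__main__":
    over, frags = detect_oversized_icmp(SAMPLE_TRAFFIC)
    print("oversized echo requests per source:", dict(over))
    print("ICMP non-first fragments per source:", dict(frags))
```

Running the block prints one oversized request each from 192.0.2.51 and 192.0.2.52, and two non-first fragments from 192.0.2.52; the 56-byte ping and the traffic to the non-PLC host are not reported. A perimeter rule that mirrors this logic in nftables would match `ip protocol icmp meta length > 156 drop` (20-byte IP header + 8-byte ICMP header + 128) together with `ip protocol icmp ip frag-off & 0x3fff != 0 drop` (MF bit or non-zero offset); treat those two lines as an example to validate with `nft -c -f` against your own ruleset, not as a tested configuration.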
Schedule — requires maintenance window

Patching may require device reboot — plan for process interruption

HOTFIX: Update to patched firmware versions for S7-1200 CPUs (version 4.4 or later), S7-410 V8 CPUs (version 8.3 or later), S7-410 V10 CPUs (version 10.2 or later), PN/PN Coupler (version 6.0.0 or later), ET 200SP IM 155-6 PN HA (version 1.3 or later), and SIMATIC CFU DIQ/PA (version 2.0.0 or later).
Long-term hardening
HARDENING: For devices without patches or workarounds available, segregate affected systems on isolated network segments or behind firewalls that can inspect and filter oversized ICMP packets.
API: /api/v1/advisories/42c8b8f2-1e6b-4349-b4a7-1f4c85ff6d76