Siemens BACnet ATEC Devices
Monitor · CVSS 6.5 · ICS-CERT ICSA-25-135-03 · May 13, 2025
Siemens · Energy
Attack path
- Attack Vector: Adjacent
- Auth Required: None
- Complexity: Low
- User Interaction: None needed
Summary
BACnet ATEC devices (models 550-440, 550-441, 550-445, 550-446) contain a denial of service vulnerability in MSTP message handling. An attacker on the same BACnet network can send a specially crafted MSTP message that crashes the device, requiring a power cycle to restore normal operation. No firmware fix is planned by Siemens for any affected model.
What this means
What could happen
An attacker on the same BACnet network can send a malformed message that crashes these ATEC devices, requiring manual power-cycle restarts to restore operation. This interrupts monitoring and control of HVAC systems in building automation networks.
Who's at risk
Building automation operators and energy sector facilities managing HVAC control systems should care about this issue. It affects Siemens BACnet ATEC temperature controllers (models 550-440, 550-441, 550-445, 550-446) used in HVAC and facility climate control networks.
How it could be exploited
An attacker with network access to the BACnet network segment sends a specially crafted MSTP (Master-Slave Token Passing) protocol message to the target ATEC device. The device fails to validate the message properly, crashes, and stops responding to control commands until manually power-cycled.
Prerequisites
- Network access to the BACnet network segment where the ATEC device is connected
- Ability to send MSTP protocol messages on that network
- No patch available
- Affects climate/HVAC control equipment
- Denial of service requires manual intervention to restore
Exploitability
Unlikely to be exploited — EPSS score 0.1%
Affected products (4)
4 EOL
| Product | Affected Versions | Fix Status |
|---|---|---|
| BACnet ATEC 550-441 | All versions | No fix (EOL) |
| BACnet ATEC 550-445 | All versions | No fix (EOL) |
| BACnet ATEC 550-440 | All versions | No fix (EOL) |
| BACnet ATEC 550-446 | All versions | No fix (EOL) |
Remediation & Mitigation
Do now
- HARDENING: Segment the BACnet network from untrusted networks using firewalls or air-gap isolation to restrict which devices can send MSTP messages to ATEC devices
- HARDENING: Implement network access controls (firewall rules, VLAN isolation, or switch port restrictions) to limit which devices can communicate with ATEC 550-440, 550-441, 550-445, and 550-446 devices
Schedule — requires maintenance window
Patching may require device reboot — plan for process interruption
- HARDENING: Monitor BACnet network traffic for malformed or suspicious MSTP messages targeting ATEC devices using network monitoring tools or IDS signatures if available
- WORKAROUND: Establish a monitoring process to detect ATEC device failures and trigger manual power-cycle recovery to minimize downtime when crashes occur
CVEs (1)
API: /api/v1/advisories/be212d60-c351-437a-a3ee-a9c019557763