OTPulse

Siemens BACnet ATEC Devices

Monitor | CVSS 6.5 | ICS-CERT ICSA-25-135-03 | May 13, 2025
Attack Vector: Adjacent
Auth Required: None
Complexity: Low
User Interaction: None needed
Summary

Siemens BACnet ATEC 550-440, 550-441, 550-445, and 550-446 devices are vulnerable to a denial of service attack via a specially crafted MSTP (Master-Slave/Token Passing) message. An attacker residing on the BACnet network can trigger a crash that requires a manual power cycle to restore normal operation. Siemens has no fix planned for this vulnerability.

What this means
What could happen
An attacker on the same BACnet network can send a malformed message that crashes BACnet ATEC devices, forcing a manual power cycle to restore them to service. This could cause temporary loss of HVAC or other building automation control.
Who's at risk
Building automation and HVAC system operators running Siemens BACnet ATEC 550 series devices. These are commonly used in energy facilities and large commercial buildings to control heating, cooling, and ventilation. Any organization with these devices on an accessible network should assess their exposure.
How it could be exploited
An attacker with access to the BACnet network (MSTP/RS-485 serial or IP backbone) can send a specially crafted MSTP message to any ATEC device. The device crashes and stops responding to BACnet commands until power-cycled.
Prerequisites
  • Access to the BACnet network (MSTP serial segment or IP network running BACnet/IP)
  • Knowledge of target device address or ability to discover it on the network
  • Ability to craft and transmit BACnet MSTP protocol messages
  • No patch available
  • Requires attacker on the same network (MSTP/BACnet segment)
  • Low complexity attack
  • Affects availability of building automation controls
  • No authentication required to send MSTP message
Exploitability
Low exploit probability (EPSS 0.1%)
Affected products (4)
4 EOL
Product | Affected Versions | Fix Status
BACnet ATEC 550-441 | All versions | No fix (EOL)
BACnet ATEC 550-445 | All versions | No fix (EOL)
BACnet ATEC 550-440 | All versions | No fix (EOL)
BACnet ATEC 550-446 | All versions | No fix (EOL)
Remediation & Mitigation
Do now
HARDENING: Restrict BACnet network access to trusted engineering workstations and building automation servers only. Use access lists or firewall rules.
Schedule — requires maintenance window

Patching may require device reboot — plan for process interruption

WORKAROUND: Document the location and IP/MSTP addresses of all ATEC devices so you can identify and remotely power-cycle them if needed. Test your power cycle procedure in advance.
Mitigations - no patch available
The following products have reached End of Life with no planned fix: BACnet ATEC 550-441, BACnet ATEC 550-445, BACnet ATEC 550-440, BACnet ATEC 550-446. Apply the following compensating controls:
HARDENING: Implement network segmentation to restrict access to BACnet networks. Use firewalls or air gaps to prevent unauthorized devices from reaching MSTP segments.
HARDENING: Monitor BACnet network traffic for anomalous or malformed messages. Configure logging on any BACnet gateways or interfaces.
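
One way to act on the traffic-monitoring control above, as an added example that is not Siemens or OTPulse code: a Python check that validates the structure of captured MS/TP frames and lists what is wrong with each. It assumes the standard MS/TP frame layout and CRC definitions and frames already captured as raw octets; the function names are illustrative, and the checks are generic structural tests, not a signature for this specific flaw.

```python
# Added example, not vendor code. Assumed layout (standard MS/TP): 55 FF, type, dst, src,
# length (2 octets, MSB first), header CRC, data, data CRC (2 octets, LSB first).
NO_DATA_TYPES = {0, 1, 2}  # Token, Poll For Master, Reply To Poll For Master

def header_crc(octets):
    """CRC-8 (x^8 + x^7 + 1, initial value 0xFF) over type, addresses and length."""
    crc = 0xFF
    for b in octets:
        c = crc ^ b
        c ^= (c << 1) ^ (c << 2) ^ (c << 3) ^ (c << 4) ^ (c << 5) ^ (c << 6) ^ (c << 7)
        crc = (c & 0xFE) ^ ((c >> 8) & 1)
    return crc

def data_crc(octets):
    """CRC-16 (x^16 + x^12 + x^5 + 1, LSB first, initial value 0xFFFF) over the data."""
    crc = 0xFFFF
    for b in octets:
        crc ^= b
        for _ in range(8):
            crc = (crc >> 1) ^ 0x8408 if crc & 1 else crc >> 1
    return crc

def check_frame(frame):
    """Return the anomalies found in one captured frame; an empty list means well formed."""
    if len(frame) < 8:
        return ["truncated header"]
    issues = [] if frame[:2] == b"\x55\xff" else ["bad preamble"]
    ftype, src, length = frame[2], frame[4], int.from_bytes(frame[5:7], "big")
    if (header_crc(frame[2:7]) ^ 0xFF) != frame[7]:
        issues.append("header CRC mismatch")
    if src == 0xFF:
        issues.append("broadcast address used as source")
    if length > 501:  # largest data field of a standard frame
        issues.append("declared length exceeds 501 octets")
    if ftype in NO_DATA_TYPES and length:
        issues.append("data declared on a frame type that carries none")
    body, used = frame[8:], (length + 2 if length else 0)
    if len(body) < used:
        issues.append("data shorter than declared length")
    else:
        if length and (data_crc(body[:length]) ^ 0xFFFF) != int.from_bytes(body[length:used], "little"):
            issues.append("data CRC mismatch")
        if body[used:] not in (b"", b"\xff"):  # one optional pad octet is allowed
            issues.append("unexpected trailing octets")
    return issues

# Constructed samples: a valid Token frame (0x05 to 0x10), then the same frame with its length altered.
for sample in ("55ff00100500008c", "55ff00100500038c"):
    print(sample, check_frame(bytes.fromhex(sample)) or "ok")
```

Feed it frames from an RS-485 tap or a gateway capture and log any non-empty result together with the source address, so repeated anomalies from one station stand out.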
Siemens BACnet ATEC Devices | CVSS 6.5 - OTPulse