Siemens APOGEE PXC and TALON TC Series

MonitorCVSS 4.7ICS-CERT ICSA-25-135-14May 13, 2025

SiemensEnergy

Attack path

Attack VectorAdjacent

Auth RequiredNone

ComplexityLow

User InteractionNone needed

Summary

APOGEE PXC and TALON TC Series BACnet controllers contain a vulnerability that causes them to send unsolicited broadcast messages after receiving a specially crafted BACnet createObject request. This results in a partial denial of service—the device stops responding to normal BACnet requests and must be power-cycled to recover. An attacker on the same BACnet network can exploit this to disrupt HVAC and building automation control. Siemens has stated no fix is planned for this product line. Mitigation requires network segmentation and access controls to limit BACnet exposure.

What this means

What could happen

An attacker on the same BACnet network can send a crafted message to crash a PXC or TALON TC controller, stopping it from communicating until manually power-cycled. This disrupts HVAC and building automation control.

Who's at risk

Facilities managers and HVAC technicians operating building automation systems using Siemens APOGEE PXC or TALON TC controllers connected to BACnet networks. This includes commercial buildings, hospitals, universities, and large industrial facilities with centralized environmental control.

How it could be exploited

An attacker with network access to the BACnet segment sends a specially crafted createObject BACnet request to the target device. The device processes this request and begins broadcasting unsolicited messages continuously, consuming network bandwidth and stopping normal operation. A power cycle is required to restore normal function.

Prerequisites

Network access to the BACnet network segment where the target device is connected
Ability to send BACnet protocol messages to the device
No authentication credentials required

remotely exploitable from BACnet networkno authentication requiredlow complexityno patch availableaffects operational availability

Exploitability

Unlikely to be exploited — EPSS score 0.1%

Affected products (1)

ProductAffected VersionsFix Status

APOGEE PXC+TALON TC Series (BACnet)All versionsNo fix (EOL)

Remediation & Mitigation

0/4

Do now

0/1

WORKAROUNDDisable BACnet network access for APOGEE PXC and TALON TC devices that do not require it, or restrict BACnet communication to a protected management VLAN

Mitigations - no patch available

0/3

APOGEE PXC+TALON TC Series (BACnet) has reached End of Life. The vendor will not release a patch. Apply the following compensating controls:

HARDENINGIsolate BACnet network segments from untrusted networks using firewalls or network segmentation, restricting access to building automation devices only from authorized engineering and facilities workstations

HARDENINGConfigure network access controls to limit BACnet traffic to known, authorized devices and exclude internet-accessible pathways

HARDENINGImplement network monitoring to detect unusual BACnet createObject requests or excessive broadcast messages and alert operations staff

CVEs (1)

CVE-2025-40555

View full CISA ICS-CERT advisory

↑↓ Navigate · Esc Close

API: /api/v1/advisories/2da8101e-5478-4c1a-a87e-acc231edbece

Get OT security insights every Tuesday

Advisory breakdowns, a weekly summary, and incident analyses for the people actually defending OT environments. Free, no account required.