Siemens MS/TP Point Pickup Module
Monitor | 6.5 | ICS-CERT ICSA-25-135-16 | May 13, 2025
Attack Vector: Adjacent
Auth Required: None
Complexity: Low
User Interaction: None needed
Summary
MS/TP Point Pickup Module devices contain a denial of service vulnerability in MS/TP message handling. An attacker on the same BACnet network can send a specially crafted MS/TP message that causes the device to stop responding. Recovery requires manual power cycling. Siemens has not planned a firmware fix for this vulnerability. Mitigation depends on network segmentation and access control to restrict who can reach the BACnet network.
What this means
What could happen
An attacker on the same BACnet network can send a specially crafted message that crashes the MS/TP Point Pickup Module, requiring a power cycle to restore operation. This causes a denial of service that could interrupt building automation or HVAC control functions.
Who's at risk
Energy sector organizations and any facility using Siemens MS/TP Point Pickup Modules for building automation, HVAC control, or other BACnet-based systems should assess their network topology. This affects any setup where the module is reachable from an untrusted or less-controlled network segment.
How it could be exploited
An attacker must be connected to or able to reach the BACnet network where the MS/TP Point Pickup Module is installed. They send a specially crafted MS/TP protocol message that triggers a denial of service condition in the device, causing it to stop responding until manually power-cycled.
Prerequisites
- Network access to the BACnet MS/TP network segment
- Ability to craft and transmit MS/TP protocol messages
Tags: no patch available; requires network access to BACnet segment; affects building automation and HVAC control systems; requires power cycle to recover
Exploitability
Low exploit probability (EPSS 0.1%)
Affected products (1)
| Product | Affected Versions | Fix Status |
| --- | --- | --- |
| MS/TP Point Pickup Module | All versions | No fix (EOL) |
Remediation & Mitigation
Do now
- WORKAROUND: Implement network access controls to restrict which devices can communicate with the MS/TP Point Pickup Module
Mitigations - no patch available
MS/TP Point Pickup Module has reached End of Life. The vendor will not release a patch. Apply the following compensating controls:
- HARDENING: Segment the BACnet network from untrusted networks using firewalls and access control lists
- HARDENING: Isolate control system networks from business networks to limit the ability of attackers to reach BACnet segments
- HARDENING: Restrict remote access to BACnet networks and use VPN with strong authentication if remote access is necessary
- HARDENING: Monitor BACnet network traffic for suspicious or malformed MS/TP messages that could indicate exploitation attempts
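
The last hardening item calls for monitoring MS/TP traffic for malformed messages. As an added example (not from Siemens or the advisory), the Python below checks captured frames for generic well-formedness using the MS/TP frame layout and CRCs defined in ASHRAE 135. The advisory does not describe the crafted message, so this is not a signature for it; the capture source and the sample frames are assumptions constructed here.

```python
# Added example: well-formedness checks for captured BACnet MS/TP frames.
# Layout: 55 FF | type | dst | src | len (2, big-endian) | hdr CRC | data | CRC-16
MAX_DATA_LEN = 501            # largest data field of a standard MS/TP frame
STANDARD_TYPES = range(0, 8)  # Token .. Reply Postponed

def header_crc(data: bytes) -> int:
    """CRC-8 register (x^8 + x^7 + 1, init 0xFF) after processing data."""
    crc = 0xFF
    for b in data:
        t = crc ^ b
        t ^= (t << 1) ^ (t << 2) ^ (t << 3) ^ (t << 4) ^ (t << 5) ^ (t << 6) ^ (t << 7)
        crc = (t & 0xFE) ^ ((t >> 8) & 1)
    return crc

def data_crc(data: bytes) -> int:
    """CRC-16 register (x^16 + x^12 + x^5 + 1, reflected, init 0xFFFF)."""
    crc = 0xFFFF
    for b in data:
        crc ^= b
        for _ in range(8):
            crc = (crc >> 1) ^ 0x8408 if crc & 1 else crc >> 1
    return crc

def check_frame(raw: bytes) -> list:
    """Return the anomalies found in one captured frame (empty = well formed)."""
    if len(raw) < 8 or raw[:2] != b"\x55\xff":
        return ["truncated frame or bad preamble"]
    ftype, src, length = raw[2], raw[4], int.from_bytes(raw[5:7], "big")
    issues = []
    if header_crc(raw[2:8]) != 0x55:            # residue of header + its CRC
        issues.append("header CRC mismatch")
    if ftype not in STANDARD_TYPES:
        issues.append(f"non-standard frame type {ftype}")
    if src == 0xFF:
        issues.append("broadcast address used as source")
    if length > MAX_DATA_LEN:
        issues.append(f"length {length} exceeds {MAX_DATA_LEN}")
    elif length and len(raw) < 10 + length:
        issues.append("data field shorter than length field")
    elif length and data_crc(raw[8:10 + length]) != 0xF0B8:  # residue of data + CRC
        issues.append("data CRC mismatch")
    return issues

# Constructed samples: a valid token frame and a header claiming 4095 data bytes.
TOKEN = bytes.fromhex("55ff00100500008c")
OVERSIZE = bytes.fromhex("55ff0610050fff00")

if __name__ == "__main__":
    for name, frame in (("token", TOKEN), ("oversize", OVERSIZE)):
        print(name, check_frame(frame) or "ok")
```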
CVEs (1)