Siemens MS/TP Point Pickup Module

CVSS: 6.5
ICS-CERT: ICSA-25-135-16
Published: May 13, 2025
Vendor: Siemens
Sector: Energy
Attack path
Attack Vector: Adjacent
Auth Required: None
Complexity: Low
User Interaction: None needed
Summary

MS/TP Point Pickup Module devices contain a denial of service vulnerability (CWE-20: improper input validation) that allows an attacker on the BACnet network to crash the device by sending a specially crafted MS/TP message. The affected device becomes unresponsive and requires a power cycle to restore normal operation. This vulnerability affects all versions of the product and Siemens has indicated no fix is planned.

What this means
What could happen
An attacker on the BACnet network can crash the MS/TP Point Pickup Module by sending a malformed message, requiring a manual power cycle to restore device operation and potentially interrupting building automation or control functions that depend on the module.
Who's at risk
Building automation and HVAC system operators who rely on Siemens MS/TP Point Pickup Modules for sensor data collection and control in BACnet networks. This includes energy and facility management sectors in commercial buildings, universities, hospitals, and industrial plants.
How it could be exploited
An attacker with access to the same BACnet network sends a specially crafted MS/TP (Master-Slave/Token-Passing) message directly to the Point Pickup Module. The device does not properly validate the message format, crashes, and stops responding until manually power-cycled.
Prerequisites
  • Network access to the BACnet network containing the device
  • Ability to construct and send MS/TP protocol messages (requires either direct BACnet device access or a compromised node on the BACnet network)
  • Remotely exploitable from within the BACnet network
  • No authentication required
  • Low complexity attack
  • No patch available
  • Affects critical building automation functions
  • Requires manual intervention to restore
Exploitability
Unlikely to be exploited — EPSS score 0.1%
Affected products (1)
Product                     Affected Versions   Fix Status
MS/TP Point Pickup Module   All versions        No fix (EOL)
Remediation & Mitigation
Do now
HARDENING: Restrict network access to BACnet networks containing MS/TP Point Pickup Module devices using firewall rules or network segmentation; ensure these devices are not reachable from untrusted networks or the Internet.
Schedule — requires maintenance window

Patching may require device reboot — plan for process interruption

HARDENING: Implement network monitoring to detect malformed MS/TP messages or suspicious BACnet traffic targeting the Point Pickup Module.
WORKAROUND: Establish a documented incident response procedure for rapid power cycling of the device if a denial of service event occurs.
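Added example, not from the advisory or from Siemens: a minimal BACnet MS/TP frame validator of the kind a serial-tap monitor (the network-monitoring hardening item above) could run to log malformed frames headed for the Point Pickup Module. The frame layout and the header/data CRC algorithms follow ASHRAE 135 Annex G as reproduced here; the frames are constructed sample data, and the advisory does not state which malformation crashes the device.

```python
PREAMBLE = b"\x55\xFF"
MAX_DATA_LEN = 501  # MS/TP data field limit per ASHRAE 135

def crc_header(hdr: bytes) -> int:
    """Header CRC-8 (x^8+x^7+1), init 0xFF, transmitted as one's complement."""
    crc = 0xFF
    for b in hdr:
        crc ^= b
        crc ^= ((crc << 1) ^ (crc << 2) ^ (crc << 3) ^ (crc << 4)
                ^ (crc << 5) ^ (crc << 6) ^ (crc << 7))
        crc = (crc & 0xFE) ^ ((crc >> 8) & 1)
    return (~crc) & 0xFF

def crc_data(data: bytes) -> int:
    """Data CRC-16 (x^16+x^15+x^2+1), init 0xFFFF, one's complement, LSB first."""
    crc = 0xFFFF
    for b in data:
        low = (crc & 0xFF) ^ b
        crc = ((crc >> 8) ^ (low << 8) ^ (low << 3) ^ (low << 12)
               ^ (low >> 4) ^ (low & 0x0F) ^ ((low & 0x0F) << 7)) & 0xFFFF
    return (~crc) & 0xFFFF

def validate_frame(frame: bytes):
    """Return None for a well-formed frame, otherwise a short reason to log.
    Layout: 55 FF | type | dst | src | len_hi len_lo | hdr_crc | data | crc_lo crc_hi"""
    if len(frame) < 8:
        return "short header"
    if frame[:2] != PREAMBLE:
        return "bad preamble"
    if crc_header(frame[2:7]) != frame[7]:
        return "header crc mismatch"
    data_len = (frame[5] << 8) | frame[6]
    if data_len > MAX_DATA_LEN:          # the check an unvalidated length field needs
        return "length field exceeds maximum"
    expected = 8 if data_len == 0 else 8 + data_len + 2
    if len(frame) != expected:
        return "length field does not match frame size"
    if data_len and crc_data(frame[8:8 + data_len]) != (frame[-2] | (frame[-1] << 8)):
        return "data crc mismatch"
    return None

def build_frame(frame_type: int, dst: int, src: int, data: bytes = b"") -> bytes:
    # Builds a well-formed frame; used only to construct sample input for the validator.
    hdr = bytes([frame_type, dst, src, len(data) >> 8, len(data) & 0xFF])
    frame = PREAMBLE + hdr + bytes([crc_header(hdr)])
    if data:
        c = crc_data(data)
        frame += data + bytes([c & 0xFF, c >> 8])
    return frame
```

A monitor would feed each frame delimited by the 55 FF preamble from the RS-485 tap into validate_frame and raise an alert, with source address and reason, whenever it returns a string.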
