OTPulse

Siemens Interniche IP-Stack

Plan: Patch
CVSS: 7.5
ICS-CERT: ICSA-25-352-05
Date: Dec 9, 2025
Attack Vector: Network
Auth Required: None
Complexity: Low
User Interaction: None needed
Summary

Multiple Siemens industrial products containing the Interniche IP-Stack do not properly enforce TCP sequence number validation in specific scenarios. An unauthenticated remote attacker could exploit weak TCP sequence number validation to interfere with TCP connection setup, potentially causing denial of service. The attack requires precise timing to inject IP packets with spoofed source addresses and only affects TCP-based services.

What this means
What could happen
An attacker with network access could disrupt TCP communication to PLCs and industrial modules, causing temporary loss of connectivity or service interruption. This could affect real-time process control or remote monitoring until the connection is reestablished.
Who's at risk
Water utilities and electric utilities operating Siemens S7-300, S7-400, S7-1200, S7-1500, S7-200 SMART PLCs and distributed I/O modules (ET 200 family) for process control and remote terminal units (RTUs). Also affects SIPLUS hardened variants used in railway, manufacturing, and power plants. The vulnerability affects both compact and modular PLC architectures and specialized devices like weighing terminals (SIWAREX) and industrial motor controllers (SIMOCODE).
How it could be exploited
An attacker on the network sends carefully timed TCP packets with spoofed IP addresses that exploit weak sequence number validation during TCP connection setup. If the attacker's crafted packets arrive at the right moment, they can corrupt or reset legitimate TCP sessions to industrial controllers, causing a denial of service to that device's network services.
Prerequisites
  • Network access to the affected device on the same network segment or routable path
  • Ability to inject IP packets with spoofed source addresses (requires network position allowing packet injection)
  • Target device must be using TCP-based communication (PROFINET over TCP or similar)
  • Precise timing of packet injection relative to TCP handshake window
  • remotely exploitable
  • no authentication required
  • low complexity attack
  • affects core PLC platforms widely deployed in critical infrastructure
  • majority of affected products have no fix available
  • impacts process connectivity and availability
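The advisory's core point is that the affected stack does not enforce TCP sequence number validation strictly enough, so a spoofed segment that merely lands somewhere inside the receive window can disturb a session. As an added illustration (not part of the OTPulse advisory and not Siemens or Interniche code), the following Python contrasts the strict RST check specified in RFC 5961 (RST honoured only when SEG.SEQ == RCV.NXT, challenge ACK for in-window but inexact, drop otherwise) with a laxer any-in-window policy. The Interniche stack's actual validation logic is not described on this page, so the lax policy is an assumption used only for contrast; the receive-state values and segment sequence numbers are constructed.

```python
"""Strict (RFC 5961) vs. lax TCP RST sequence validation, wrap-safe.

Added example: the 'lax' policy is an assumed weak behaviour for contrast,
not a description of the Interniche stack; all numbers are constructed.
"""
from dataclasses import dataclass
from enum import Enum

MOD = 1 << 32  # TCP sequence numbers are 32-bit and wrap around


class Verdict(Enum):
    ACCEPT = "accept"                # RST acted on: connection torn down
    CHALLENGE_ACK = "challenge-ack"  # RFC 5961: in-window but inexact, confirm with peer
    DROP = "drop"                    # outside the receive window: silently discarded


@dataclass
class ReceiveState:
    rcv_nxt: int  # next sequence number the receiver expects
    rcv_wnd: int  # advertised receive window size (bytes)


def seq_in_window(seq: int, rcv_nxt: int, rcv_wnd: int) -> bool:
    """RFC 793 acceptability test for a zero-length segment, modulo 2^32:
    RCV.NXT <= SEG.SEQ < RCV.NXT + RCV.WND.  A zero window only admits
    SEG.SEQ == RCV.NXT."""
    if rcv_wnd == 0:
        return seq == rcv_nxt
    return (seq - rcv_nxt) % MOD < rcv_wnd


def validate_rst_strict(seq: int, state: ReceiveState) -> Verdict:
    """RFC 5961 section 3.2: only an exact match resets the connection.
    An in-window guess triggers a challenge ACK; a genuine peer answers
    with a fresh RST carrying the exact RCV.NXT, a spoofer cannot."""
    if seq == state.rcv_nxt:
        return Verdict.ACCEPT
    if seq_in_window(seq, state.rcv_nxt, state.rcv_wnd):
        return Verdict.CHALLENGE_ACK
    return Verdict.DROP


def validate_rst_lax(seq: int, state: ReceiveState) -> Verdict:
    """Assumed weak policy for contrast: any in-window RST is honoured.
    With a 64 KiB window the spoofer only has to hit one of ~65k windows
    instead of one exact value in 2^32, which is why RFC 5961 tightened
    the rule."""
    if seq_in_window(seq, state.rcv_nxt, state.rcv_wnd):
        return Verdict.ACCEPT
    return Verdict.DROP


def demo() -> dict:
    """Run three constructed RST segments against both policies and return
    {case: (strict_verdict, lax_verdict)}.  RCV.NXT sits just below the
    wrap point so the in-window case also exercises modular arithmetic."""
    state = ReceiveState(rcv_nxt=0xFFFFFF00, rcv_wnd=65535)
    cases = {
        "legit RST (exact RCV.NXT)": 0xFFFFFF00,
        "spoofed RST (in window, wrapped)": 0x00001000,  # 4352 bytes past RCV.NXT
        "spoofed RST (out of window)": 0x12345678,
    }
    return {
        name: (validate_rst_strict(seq, state), validate_rst_lax(seq, state))
        for name, seq in cases.items()
    }


if __name__ == "__main__":
    for name, (strict, lax) in demo().items():
        print(f"{name:36s} strict={strict.value:14s} lax={lax.value}")
```

The wrapped case is the one that matters for a defender reviewing a stack: the lax policy accepts it and drops the session, while the strict policy answers with a challenge ACK that a spoofed sender can never complete. A device that has no fix available can still be shielded by the firewall and segmentation measures listed under Remediation, which remove the attacker's ability to deliver in-window spoofed segments in the first place.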
Exploitability
Low exploit probability (EPSS 0.1%)
Affected products (145)
45 with fix, 100 pending

Product                   Affected Versions   Fix Status
SIDOOR ATD430W            All versions        No fix yet
SIDOOR ATE530G COATED     All versions        No fix yet
SIDOOR ATE530S COATED     All versions        No fix yet
SIMATIC CFU DIQ           < 2.0.0             2.0.0
SIMATIC CFU PA            < 2.0.0             2.0.0
Remediation & Mitigation
Do now
WORKAROUND: For devices without vendor fixes, disable onboard Ethernet ports on CPUs and route all TCP communication through separate communication modules (CP cards)
WORKAROUND: Implement firewall rules to restrict TCP access to industrial controllers to known trusted engineering workstations and SCADA servers only
Schedule — requires maintenance window

Patching may require device reboot — plan for process interruption

SIMATIC PN/PN Coupler
HOTFIX: Update SIMATIC PN/PN Coupler and SIPLUS NET PN/PN Coupler to version 6.0.0 or later
SIMATIC CFU DIQ
HOTFIX: Update SIMATIC CFU DIQ and CFU PA to version 2.0.0 or later
All products
HOTFIX: Update affected S7-1200 CPUs to firmware version 4.4.0 or later
HOTFIX: Update SIMATIC S7-410 V10 CPU family to version 10.2 or later
HOTFIX: Update SIMATIC S7-410 V8 CPU family to version 8.3 or later
HOTFIX: Update SIMATIC ET 200SP IM 155-6 PN HA to version 1.3 or later
Long-term hardening
HARDENING: Segment the industrial control network from the corporate network and untrusted networks using firewalls and VLANs to limit an attacker's ability to inject spoofed packets