Siemens Interniche IP-Stack

Plan: Patch
CVSS: 7.5
ICS-CERT: ICSA-25-352-05
Date: Dec 9, 2025
Vendor: Siemens
Sectors: Energy, Manufacturing, Transportation
Attack path
Attack Vector: Network
Auth Required: None
Complexity: Low
User Interaction: None needed
Summary

The Interniche IP-Stack used in Siemens industrial products does not properly enforce TCP sequence number validation. It accepts sequence numbers within a broad range instead of strictly validating them, allowing unauthenticated remote attackers to interfere with TCP connection setup. This vulnerability affects TCP-based services and requires precise timing and spoofed IP packet injection to exploit. A successful attack can cause denial of service by disrupting communications to industrial controllers and modules.
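The flaw described above is a receiver-side acceptance test that is too permissive. The following added example (written for this page, not Siemens' or Interniche's code) puts the strict RFC 793 segment acceptability test beside a hypothetical "broad range" check, so the difference in how many spoofed segments each would act on is visible. The `slack` parameter of the relaxed check is an illustrative assumption: the page does not state the actual acceptance range of the affected stack.

```python
# Added example (not Siemens/Interniche code): a strict RFC 793 segment
# acceptability test beside a hypothetical "broad range" check, to show why
# a loose sequence-number check enlarges the set of spoofed segments a
# receiver will act on. The `slack` parameter is an assumption for
# illustration; the page does not state the affected stack's actual range.
from dataclasses import dataclass
from typing import List, Tuple

SEQ_MOD = 1 << 32  # TCP sequence numbers are 32-bit and wrap around


def seq_in_range(seq: int, lo: int, hi: int) -> bool:
    """True if lo <= seq < hi in modulo-2^32 arithmetic (RFC 793 notation)."""
    return (seq - lo) % SEQ_MOD < (hi - lo) % SEQ_MOD


@dataclass
class RecvState:
    """Receiver-side TCB fields used by the acceptability test."""
    rcv_nxt: int  # next sequence number expected
    rcv_wnd: int  # receive window size


def strict_acceptable(st: RecvState, seg_seq: int, seg_len: int) -> bool:
    """RFC 793 section 3.3 acceptability test for an incoming segment."""
    wnd_end = (st.rcv_nxt + st.rcv_wnd) % SEQ_MOD
    if seg_len == 0:
        # Pure ACK: must equal RCV.NXT when the window is zero, else be in window
        if st.rcv_wnd == 0:
            return seg_seq == st.rcv_nxt
        return seq_in_range(seg_seq, st.rcv_nxt, wnd_end)
    if st.rcv_wnd == 0:
        return False  # no room for data at all
    seg_end = (seg_seq + seg_len - 1) % SEQ_MOD
    # Accept if either the first or the last byte falls inside the window
    return (seq_in_range(seg_seq, st.rcv_nxt, wnd_end)
            or seq_in_range(seg_end, st.rcv_nxt, wnd_end))


def relaxed_acceptable(st: RecvState, seg_seq: int, seg_len: int, slack: int) -> bool:
    """Hypothetical loose check: accept anything within `slack` of the window.

    Models the class of defect the advisory describes (a broad acceptance
    range), not the specific Interniche implementation.
    """
    lo = (st.rcv_nxt - slack) % SEQ_MOD
    hi = (st.rcv_nxt + st.rcv_wnd + slack) % SEQ_MOD
    return seq_in_range(seg_seq, lo, hi)


def classify(st: RecvState, segments, slack: int) -> List[Tuple[int, bool, bool]]:
    """For each (seq, len) pair return (seq, strict_result, relaxed_result)."""
    return [(s, strict_acceptable(st, s, n), relaxed_acceptable(st, s, n, slack))
            for s, n in segments]


def accepted_fraction(st: RecvState, slack: int = 0) -> float:
    """Share of the 32-bit sequence space a blindly guessed segment lands in."""
    return min(st.rcv_wnd + 2 * slack, SEQ_MOD) / SEQ_MOD


if __name__ == "__main__":
    state = RecvState(rcv_nxt=1000, rcv_wnd=8192)
    # Constructed sample segments (seq, payload length): in-window, stale,
    # one byte past the window, and far away in sequence space
    sample = [(1000, 100), (500, 100), (9192, 1), (2_000_000, 1)]
    for seq, strict, loose in classify(state, sample, slack=1 << 30):
        print(f"seq={seq:>8}: strict={strict!s:5} relaxed={loose}")
    print(f"strict accepts {accepted_fraction(state):.2e} of sequence space, "
          f"relaxed accepts {accepted_fraction(state, 1 << 30):.2e}")
```

With an 8 KiB receive window the strict test accepts roughly two millionths of the sequence space, so a segment with a guessed sequence number almost never matches; the relaxed variant with a large slack accepts about half of it. That ratio is the quantity a stack fix (or a firewall that drops spoofed source addresses at the network boundary) has to bring back down.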

What this means
What could happen
An attacker could disrupt TCP communications to your PLCs, I/O modules, and network couplers, potentially causing loss of process visibility or control. If your automation relies on TCP-based protocols (PROFINET, Ethernet/IP, or custom messaging), network unavailability could stop production or halt critical infrastructure operations.
Who's at risk
Water authorities, electric utilities, and manufacturing plants using Siemens SIMATIC S7 series PLCs (S7-200 SMART, S7-300, S7-400, S7-1200, S7-1500), distributed I/O modules (ET 200 series), network couplers (PN/PN, PN/MF), communication modules, and specialized controllers (TDC, SIMOCODE, SINUMERIK) are affected. The risk is highest for facilities that rely on Ethernet-based process control and have these devices directly or indirectly connected to plant networks.
How it could be exploited
An attacker on the network (or with routing visibility to your devices) sends specially crafted TCP packets with spoofed source IP addresses and sequence numbers that fall within the stack's overly broad acceptance range to a device running affected firmware. By timing these packets precisely during connection setup, the attacker can inject data or reset established connections, causing TCP services to fail or hang. The attack requires network reachability to the affected device's Ethernet port and does not require login credentials.
Prerequisites
  • Network reachability to the device's Ethernet port
  • Ability to send IP packets with spoofed source addresses (requires layer 3 or layer 2 access)
  • Precise timing during TCP connection initiation or data transfer
  • Device must be actively using TCP-based communication
  • Remotely exploitable
  • No authentication required
  • Affects production devices (PLCs, I/O modules, couplers)
  • Large number of device models affected
  • Many products have no fix available
Exploitability
Unlikely to be exploited — EPSS score 0.1%
Affected products (145)
45 with fix, 100 pending
Product | Affected Versions | Fix Status
SIDOOR ATD430W | All versions | No fix yet
SIDOOR ATE530G COATED | All versions | No fix yet
SIDOOR ATE530S COATED | All versions | No fix yet
SIMATIC CFU DIQ | < 2.0.0 | 2.0.0
SIMATIC CFU PA | < 2.0.0 | 2.0.0
Remediation & Mitigation
Do now
WORKAROUND: Restrict TCP network access to affected devices to trusted engineering workstations and known industrial control networks only
Schedule — requires maintenance window

Patching may require device reboot — plan for process interruption

SIMATIC PN/PN Coupler
HOTFIX: Update SIMATIC PN/PN Coupler to version 6.0.0 or later
SIMATIC CFU DIQ
HOTFIX: Update SIMATIC CFU DIQ and CFU PA to version 2.0.0 or later
All products
HOTFIX: Update SIMATIC S7-1200 CPUs to firmware version 4.4.0 or later
HOTFIX: Update SIMATIC S7-410 V8 CPU family to firmware version 8.3 or later
HOTFIX: Update SIMATIC S7-410 V10 CPU family to firmware version 10.2 or later
HOTFIX: Update SIMATIC ET 200SP IM 155-6 PN HA to version 1.3 or later
Long-term hardening
HARDENING: Disable Ethernet ports on CPUs where possible and use dedicated communication modules (CP) for all network traffic instead