Siemens SIMATIC and SIPLUS products
Plan Patch | 7.5 | ICS-CERT ICSA-26-015-04 | Jan 13, 2026
Attack Vector: Network
Auth Required: None
Complexity: Low
User Interaction: None needed
Summary
Siemens ET 200 distributed interface modules and PN couplers contain a denial-of-service vulnerability in the S7 protocol implementation. By sending a valid S7 COTP Disconnect Request (DR TPDU) to port 102, an attacker can cause affected modules to become unresponsive and stop processing I/O operations. Recovery requires a manual power cycle. The vulnerability affects multiple product lines, including SIMATIC ET 200AL, ET 200MP, ET 200SP modules (various models) and SIPLUS hardened variants, as well as PN/MF and PN/PN coupler modules. Some product variants have no fix planned and remain vulnerable in all versions.
What this means
What could happen
An attacker on your network can send a disconnect request to ET 200 interface modules over Profinet, causing them to stop responding and requiring a manual power cycle to recover. This interrupts any process automation those modules control.
Who's at risk
Energy and transportation operators using Siemens ET 200 distributed I/O modules and PN/MF or PN/PN couplers in Profinet networks. This includes any facility with SIMATIC or SIPLUS variants controlling remote input/output stations, which are common in power substations, rail control systems, and water treatment plants where they manage sensors and actuators across a distributed automation network.
How it could be exploited
An attacker with network access to port 102 (Profinet S7 protocol) on an ET 200 device sends a valid S7 COTP Disconnect Request packet. The device incorrectly processes this message and becomes unresponsive, losing its connection to the control system and halting operations controlled by that module.
Prerequisites
- Network access to port 102 (Profinet S7 protocol) on the ET 200 device
- No authentication required—S7 protocol does not require credentials for disconnect requests
- Device must be reachable from the attacker's network segment
remotely exploitable, no authentication required, low complexity attack, no patch available for 9 product variants, affects industrial automation modules in critical infrastructure
Exploitability
Low exploit probability (EPSS 0.0%)
Affected products (15)
5 with fix, 10 EOL

| Product | Affected Versions | Fix Status |
| --- | --- | --- |
| SIMATIC ET 200SP IM 155-6 MF HF | All versions | No fix (EOL) |
| SIPLUS ET 200MP IM 155-5 PN HF T1 RAIL | ≥ 4.2.0 | No fix (EOL) |
| SIPLUS ET 200SP IM 155-6 PN HF TX RAIL | ≥ 4.2.0 | No fix (EOL) |
| SIMATIC ET 200SP IM 155-6 PN HA (incl. SIPLUS variants) | < 1.3 | 1.3 |
| SIMATIC ET 200SP IM 155-6 PN R1 | < 6.0.1 | 6.0.1 |
| SIMATIC ET 200SP IM 155-6 PN/3 HF | < 4.2.2 | 4.2.2 |
| SIMATIC PN/PN Coupler | < 6.0.0 | 6.0.0 |
| SIPLUS NET PN/PN Coupler | < 6.0.0 | 6.0.0 |
Remediation & Mitigation
Do now
WORKAROUND: Configure external firewall rules to restrict port 102 access to only trusted IP addresses and machines that require S7 communication (engineering workstations, PLCs, SCADA servers)
Schedule — requires maintenance window
Patching may require device reboot; plan for process interruption
SIMATIC ET 200SP IM 155-6 PN/3 HF
HOTFIX: Update SIMATIC ET 200SP IM 155-6 PN/3 HF to firmware version 4.2.2 or later
SIMATIC PN/PN Coupler
HOTFIX: Update SIMATIC PN/PN Coupler to firmware version 6.0.0 or later
SIPLUS NET PN/PN Coupler
HOTFIX: Update SIPLUS NET PN/PN Coupler to firmware version 6.0.0 or later
SIMATIC ET 200SP IM 155-6 PN R1
HOTFIX: Update SIMATIC ET 200SP IM 155-6 PN R1 to firmware version 6.0.1 or later
All products
HOTFIX: Update SIMATIC ET 200SP IM 155-6 PN HA (including SIPLUS variants) to firmware version 1.3 or later
Mitigations - no patch available
The following products have reached End of Life with no planned fix: SIMATIC ET 200SP IM 155-6 MF HF, SIPLUS ET 200MP IM 155-5 PN HF T1 RAIL, SIPLUS ET 200SP IM 155-6 PN HF TX RAIL, SIMATIC ET 200AL IM 157-1 PN, SIMATIC ET 200MP IM 155-5 PN HF, SIMATIC ET 200SP IM 155-6 PN/2 HF, SIMATIC PN/MF Coupler, SIPLUS ET 200MP IM 155-5 PN HF, SIPLUS ET 200SP IM 155-6 PN HF, SIPLUS ET 200SP IM 155-6 PN HF T1 RAIL. Apply the following compensating controls:
HARDENING: Isolate the network segment where S7 communication messages are exchanged to prevent unauthorized access from other plant networks or external connections
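To turn the affected-products table and the remediation steps into a per-device work list, the following added example (not part of the advisory and not Siemens tooling) triages an asset inventory into "patch to version X", "isolate" (EOL, no fix) or "not listed as affected". It covers only the eight products whose version bounds appear in the table on this page, with the PN HA row keyed without its "(incl. SIPLUS variants)" suffix; the station names, firmware strings and return labels are constructed for the example.

```python
import re

# Rows from the "Affected products" table: product -> (operator, bound, fix or None when EOL).
AFFECTED = {
    "SIMATIC ET 200SP IM 155-6 MF HF": ("all", None, None),
    "SIPLUS ET 200MP IM 155-5 PN HF T1 RAIL": (">=", "4.2.0", None),
    "SIPLUS ET 200SP IM 155-6 PN HF TX RAIL": (">=", "4.2.0", None),
    "SIMATIC ET 200SP IM 155-6 PN HA": ("<", "1.3", "1.3"),
    "SIMATIC ET 200SP IM 155-6 PN R1": ("<", "6.0.1", "6.0.1"),
    "SIMATIC ET 200SP IM 155-6 PN/3 HF": ("<", "4.2.2", "4.2.2"),
    "SIMATIC PN/PN Coupler": ("<", "6.0.0", "6.0.0"),
    "SIPLUS NET PN/PN Coupler": ("<", "6.0.0", "6.0.0"),
}

def parse_version(text):
    """'V4.2.1' or '1.3' -> tuple padded to three parts, so 1.3 equals 1.3.0."""
    parts = [int(p) for p in re.findall(r"\d+", text)][:3]
    if not parts:
        raise ValueError(f"no version number in {text!r}")
    return tuple(parts + [0] * (3 - len(parts)))

def triage(product, firmware):
    """Return 'patch:<version>', 'isolate', 'not-listed' or 'unknown-product'."""
    row = AFFECTED.get(product)
    if row is None:
        return "unknown-product"  # not in the table above; check the vendor advisory
    op, bound, fix = row
    if op != "all":
        have, limit = parse_version(firmware), parse_version(bound)
        if not (have < limit if op == "<" else have >= limit):
            return "not-listed"  # version falls outside the affected range
    # EOL rows have no fix: restrict port 102 and isolate the S7 segment instead.
    return f"patch:{fix}" if fix else "isolate"

# Constructed inventory: hypothetical station names and firmware strings.
INVENTORY = [
    ("rio-01", "SIMATIC ET 200SP IM 155-6 PN/3 HF", "V4.2.1"),
    ("rio-02", "SIMATIC ET 200SP IM 155-6 PN HA", "V1.3.0"),
    ("rail-07", "SIPLUS ET 200MP IM 155-5 PN HF T1 RAIL", "V4.2.0"),
    ("cpl-03", "SIMATIC PN/PN Coupler", "V5.1.0"),
]

def report(inventory=INVENTORY):
    """Map each station name to its triage action."""
    return {name: triage(product, fw) for name, product, fw in inventory}

if __name__ == "__main__":
    for name, action in report().items():
        print(f"{name}: {action}")
```

Devices reported as `unknown-product` include the EOL products that the mitigation list names but the table gives no version bounds for; check those against the vendor advisory.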
CVEs (1)