OTPulse

Denial of Service Vulnerability in PROFINET Stack Integrated on Interniche Stack

Monitor · 5.3 · SSA-446448 · Apr 12, 2022
Attack Vector: Network
Auth Required: None
Complexity: Low
User Interaction: None needed
Summary

The PROFINET stack integrated with the Interniche TCP/IP library contains a vulnerability in packet validation that allows a network attacker to cause denial of service by sending crafted PROFINET messages. Affected devices will crash or stop responding, requiring manual restart. The vulnerability exists across a wide range of Siemens automation products including PLCs (S7-300, S7-400, S7-1500), distributed I/O modules (ET 200 series), and motor drives (SINAMICS). Siemens has released firmware updates for many product families but has designated several legacy and recent models (S7-400 V7 series, certain ET 200 variants, S110 drives, WinAC RTX, PROFINET couplers) as unfixable. For products with available patches, firmware updates must be deployed during maintenance windows as they may affect ongoing operations.

What this means
What could happen
An attacker on the network can send crafted PROFINET packets to cause a device to stop responding, disrupting production until the device is manually restarted. This affects distributed I/O modules, motor drives, and PLCs across manufacturing and infrastructure operations.
Who's at risk
Manufacturing facilities, water utilities, and transportation systems using Siemens SIMATIC S7-300/400 PLCs, S7-1500 controllers, ET 200 distributed I/O modules, SINAMICS variable frequency drives, and PROFINET-enabled devices are affected. This includes process control systems, motor control centers, and remote terminal units in critical infrastructure.
How it could be exploited
An attacker sends malformed PROFINET (ISO/IEC 61158) network packets to a vulnerable device's Ethernet interface. The defective PROFINET stack in the Interniche TCP/IP library fails to properly validate these packets, causing the device to crash or hang. No authentication is required; the attacker only needs network reachability to the device.
Prerequisites
  • Network access to PROFINET Ethernet port (port 34962 UDP or 34963 TCP)
  • Device must be running vulnerable firmware version with PROFINET stack enabled
  • No credentials or authentication required
  • Remotely exploitable over network
  • No authentication required
  • Low complexity attack (malformed packets)
  • Affects availability (denial of service)
  • Many products have no vendor patch available
Exploitability
Low exploit probability (EPSS 0.1%)
Affected products (76)
48 with fix · 28 pending
Product | Affected Versions | Fix Status
SIMATIC S7-400 CPU 414-3 PN/DP V7 | All versions | No fix yet
SIMATIC S7-400 CPU 414F-3 PN/DP V7 | All versions | No fix yet
SIMATIC S7-400 CPU 416-3 PN/DP V7 | All versions | No fix yet
SIMATIC S7-400 CPU 416F-3 PN/DP V7 | All versions | No fix yet
SIMATIC S7-400 H V6 CPU family (incl. SIPLUS variants) | < V6.0.10 | 6.0.10
Remediation & Mitigation
Do now
SINAMICS S110
HARDENING: For products with no fix available (S7-400 V7 series, ET 200 variants ≥ v4.2.0, PN/PN Couplers ≥ 4.2, WinAC RTX, SINAMICS S110, HCS4200/4300), implement network segmentation to restrict PROFINET traffic to known engineering workstations and automation networks only
All products
HARDENING: Isolate unfixable legacy devices on dedicated PROFINET subnets with firewall rules blocking PROFINET traffic (UDP 34962, 34963) from untrusted network segments
Schedule — requires maintenance window

Patching may require device reboot — plan for process interruption

SIMATIC CFU DIQ
HOTFIX: Update SIMATIC CFU DIQ and CFU PA to version 2.0.0 or later
SIMATIC TDC CP51M1
HOTFIX: Update SIMATIC TDC CP51M1 to version 1.1.10 or later
SIMATIC TDC CPU555
HOTFIX: Update SIMATIC TDC CPU555 to version 1.2.1 or later
All products
HOTFIX: Update SIMATIC S7-300 CPUs (314C-2, 315-2, 315F-2, 315T-3, 317-2, 317F-2, 317T-3, 317TF-3, 319-3, 319F-3 PN/DP) to version 3.2.19 or 3.3.19 as applicable
HOTFIX: Update SIMATIC S7-400 H CPU to version 6.0.10 or later
HOTFIX: Update SIMATIC S7-1500 CPU family to version 2.0.0 or later
HOTFIX: Update SIMATIC ET 200pro, ET 200S, and ET200ecoPN modules to applicable fixed versions (3.2.19, 5.1.2, or 5.1.3 depending on model)
HOTFIX: Update SIMATIC S7-410 V8 CPU family to version 8.2.3 or later
HOTFIX: Update SIMATIC S7-410 V10 CPU family to version 10.1.1 or later
HOTFIX: Update SINAMICS motor drive products to specified firmware versions: G110M (4.7.14), G115D (4.7.14), G120 (4.7 SP14), G130/G150 (5.2.3.13), S120 (5.2 SP3 HF13), S150 (5.2.3.13), S210 (5.2 SP3 HF18), V90 (1.04.04), DCM (1.5 SP1)
Long-term hardening
HARDENING: Monitor PROFINET networks for malformed packets using IDS/IPS rules targeting PROFINET stack anomalies
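
One way to verify that the segmentation and firewall hardening items above are holding, as an added example that is not part of the original advisory or any vendor tooling: audit exported flow records for traffic to the PROFINET ports from sources outside an allowlist. The record format, all addresses, the allowlist and the function name are constructed assumptions; the ports are the ones listed on this page.

```python
import ipaddress

# Ports the advisory lists for PROFINET traffic. Assumption: match on UDP and
# TCP alike, since the page names both transports.
PROFINET_PORTS = {34962, 34963}

# Hypothetical segmentation policy: only these sources may reach PROFINET ports.
ALLOWED_SOURCES = [
    ipaddress.ip_network("10.20.0.0/24"),   # automation cell (constructed)
    ipaddress.ip_network("10.20.9.10/32"),  # engineering workstation (constructed)
]

# Constructed flow records in the assumed format: time,proto,src,dst,dport
SAMPLE_FLOWS = """\
2022-04-12T08:00:01Z,udp,10.20.0.15,10.20.0.40,34962
2022-04-12T08:00:02Z,tcp,10.20.9.10,10.20.0.40,34963
2022-04-12T08:00:05Z,udp,192.168.50.7,10.20.0.40,34962
2022-04-12T08:00:06Z,tcp,192.168.50.7,10.20.0.40,443
2022-04-12T08:00:09Z,tcp,172.16.3.3,10.20.0.41,34963
not,a,valid,record
"""

def audit_flows(text, allowed=ALLOWED_SOURCES, ports=PROFINET_PORTS):
    """Return (violations, unparsed): flows to PROFINET ports from sources
    outside the allowlist, and lines that could not be parsed."""
    violations, unparsed = [], []
    for line in text.splitlines():
        if not line.strip():
            continue
        try:
            ts, proto, src, dst, dport = [f.strip() for f in line.split(",")]
            src_ip = ipaddress.ip_address(src)
            ipaddress.ip_address(dst)        # validate only
            port = int(dport)
        except ValueError:
            unparsed.append(line)            # keep for review, never drop silently
            continue
        if proto.lower() not in ("udp", "tcp") or port not in ports:
            continue
        if not any(src_ip in net for net in allowed):
            violations.append((ts, proto.lower(), src, dst, port))
    return violations, unparsed

if __name__ == "__main__":
    bad, junk = audit_flows(SAMPLE_FLOWS)
    for v in bad:
        print("policy violation:", *v)
    print(f"{len(junk)} unparsed line(s)")
```

Any violation against a device with no fix available means the firewall rule set or subnet layout is not enforcing the isolation the hardening items call for.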