Denial of Service Vulnerability in MS/TP Point Pickup Module
Monitor | 6.5 | SSA-668154 | May 13, 2025
Attack Vector: Adjacent
Auth Required: None
Complexity: Low
User Interaction: None needed
Summary
MS/TP Point Pickup Module devices are vulnerable to a denial of service attack. An attacker on the same BACnet network can send a specially crafted MSTP message to crash the device. A power cycle is required to restore normal operation. No firmware fix is available.
What this means
What could happen
An attacker on the same BACnet network can crash the MS/TP Point Pickup Module with a specially crafted message, requiring a power cycle to restore operation and interrupting building automation or HVAC control until manual recovery.
Who's at risk
Building automation and facilities management operators responsible for HVAC, temperature control, and occupancy sensors should prioritize this. Any water authority or utility using Siemens MS/TP Point Pickup Modules for building control is affected.
How it could be exploited
An attacker with access to the BACnet network segment sends a malformed MSTP message to the Point Pickup Module, causing the device to stop responding. No special credentials or interaction are required; the device crashes upon receipt of the crafted packet.
Prerequisites
- Access to the BACnet network segment where the MS/TP Point Pickup Module is connected
- Ability to craft and send MSTP protocol messages
no patch available | remotely exploitable within BACnet network | low complexity | no authentication required
Exploitability
Low exploit probability (EPSS 0.1%)
Affected products (1)
Product | Affected Versions | Fix Status
MS/TP Point Pickup Module | All versions | No fix (EOL)
Remediation & Mitigation
Schedule — requires maintenance window
Patching may require device reboot — plan for process interruption
HARDENING: Monitor BACnet network for anomalous MSTP messages and unusual restart patterns on Point Pickup Modules
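One way to start on the monitoring item above, as an added example that is not part of the advisory or any Siemens code: header sanity checks for MS/TP frames taken from a serial capture. The advisory does not say what makes the crafted message malformed, so the checks are generic conformance to the MS/TP header layout in the BACnet standard; the frame-type allow-list, function names and sample frames are assumptions.

```python
# Added example: header sanity checks for captured BACnet MS/TP frames.
PREAMBLE = b"\x55\xff"
MAX_DATA = 501                 # largest data field of a non-extended frame
NO_DATA_TYPES = {0, 1, 2, 7}   # Token, Poll For Master, Reply To PFM, Reply Postponed
ALLOWED_TYPES = set(range(8))  # assumption: site policy permits only base types 0-7

def header_crc(data: bytes) -> int:
    """Run the MS/TP header CRC-8 (x^8 + x^7 + 1, initial 0xFF) over data."""
    crc = 0xFF
    for b in data:
        t = crc ^ b
        t ^= (t << 1) ^ (t << 2) ^ (t << 3) ^ (t << 4) ^ (t << 5) ^ (t << 6) ^ (t << 7)
        crc = (t & 0xFE) ^ ((t >> 8) & 1)
    return crc

def build_header(ftype: int, dst: int, src: int, length: int) -> bytes:
    """Build a header with a valid CRC; used only to construct sample input."""
    body = bytes([ftype, dst, src]) + length.to_bytes(2, "big")
    return PREAMBLE + body + bytes([~header_crc(body) & 0xFF])

def check_frame(frame: bytes) -> list:
    """Return the findings for one captured frame (empty list means clean)."""
    if len(frame) < 8 or frame[:2] != PREAMBLE:
        return ["truncated frame or bad preamble"]
    ftype, src = frame[2], frame[4]
    length = int.from_bytes(frame[5:7], "big")
    findings = []
    if header_crc(frame[2:8]) != 0x55:   # a good header leaves residue 0x55
        findings.append("header CRC mismatch")
    if ftype not in ALLOWED_TYPES:
        findings.append("frame type not on allow-list")
    if src == 0xFF:
        findings.append("broadcast address used as source")
    if length > MAX_DATA:
        findings.append("length field exceeds 501 octets")
    if ftype in NO_DATA_TYPES and length:
        findings.append("data announced on a frame type that carries none")
    if len(frame) - 8 != (length + 2 if length else 0):  # data + 2-byte data CRC
        findings.append("length field disagrees with bytes captured")
    return findings

# Constructed sample frames (not from the advisory or any real capture).
SAMPLES = {
    "token": bytes.fromhex("55ff00100500008c"),
    "malformed": build_header(0, 0x10, 0x05, 0x0300),
    "bad_crc": bytes.fromhex("55ff001005000000"),
}

if __name__ == "__main__":
    for name, frame in SAMPLES.items():
        print(name, check_frame(frame) or "ok")
```

Findings per source address can be fed into the same alerting that tracks Point Pickup Module restarts, so a burst of nonconforming frames followed by a silent module is visible as one event.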
Mitigations - no patch available
MS/TP Point Pickup Module has reached End of Life. The vendor will not release a patch. Apply the following compensating controls:
HARDENING: Isolate the BACnet network segment containing MS/TP devices behind a firewall or network boundary to restrict traffic to known building automation control systems and exclude external/untrusted network sources
HARDENING: Implement network segmentation so that BACnet MSTP devices are not directly reachable from IT networks, operational technology networks outside the building automation scope, or any untrusted zones
CVEs (1)
API:
/api/v1/advisories/437d9b63-fcca-4de9-9da0-4dd4aca38cf7