OTPulse

Denial-of-Service Vulnerability in ET 200 Devices

Plan Patch · 7.5 · SSA-674753 · Jan 13, 2026
Attack Vector: Network
Auth Required: None
Complexity: Low
User Interaction: None needed
Summary

Siemens ET 200 devices contain a denial-of-service vulnerability that can be triggered by sending a valid S7 protocol Disconnect Request (COTP DR TPDU) packet. An affected device becomes unresponsive and requires manual power cycling to recover. Siemens has released firmware updates for some models but several variants remain without fixes. Affected devices include ET 200AL, ET 200MP, ET 200SP, and PN/PN Coupler units used in distributed industrial control networks.

What this means
What could happen
A remote attacker can send a specially crafted network packet to ET 200 devices, causing them to stop responding and require a manual power cycle to recover, interrupting your industrial operations.
Who's at risk
Energy and transportation operators using Siemens ET 200 distributed I/O terminals and network couplers in power substations, water treatment plants, pipelines, and rail systems should review this. All ET 200 variants are affected, with some device models having no fix available yet.
How it could be exploited
An attacker on the network sends a valid S7 protocol Disconnect Request (COTP DR TPDU) packet to the device's port. The device crashes and becomes unresponsive, requiring manual power cycling. This could be done from a compromised engineering workstation or external network if the device is reachable.
Prerequisites
  • Network access to the Profinet port (port 102 typically)
  • No authentication required
  • Ability to send S7 protocol packets
  • Remotely exploitable
  • No authentication required
  • Low complexity attack
  • Affects industrial control devices
  • High availability impact (device requires power cycle)
  • Multiple products without fixes available
Exploitability
Low exploit probability (EPSS 0.0%)
Affected products (15)
5 with fix, 10 EOL
Product | Affected Versions | Fix Status
SIMATIC ET 200AL IM 157-1 PN | All versions | No fix (EOL)
SIPLUS ET 200MP IM 155-5 PN HF T1 RAIL | ≥ 4.2.0 | No fix (EOL)
SIPLUS ET 200SP IM 155-6 PN HF T1 RAIL | ≥ 4.2.0 | No fix (EOL)
SIPLUS ET 200SP IM 155-6 PN HF TX RAIL | ≥ 4.2.0 | No fix (EOL)
SIMATIC ET 200SP IM 155-6 PN HA (incl. SIPLUS variants) | < 1.3 | 1.3
SIMATIC ET 200SP IM 155-6 PN R1 | < 6.0.1 | 6.0.1
SIMATIC ET 200SP IM 155-6 PN/3 HF | < 4.2.2 | 4.2.2
SIMATIC PN/PN Coupler | < 6.0.0 | 6.0.0
Remediation & Mitigation
Do now
HARDENING: For devices without available fixes, implement network segmentation and firewall rules to restrict Profinet (port 102) access to only authorized engineering workstations and control systems
Schedule — requires maintenance window

Patching may require device reboot — plan for process interruption

SIMATIC ET 200SP IM 155-6 PN HA (incl. SIPLUS variants)
HOTFIX: Update SIMATIC ET 200SP IM 155-6 PN HA (incl. SIPLUS variants) to version 1.3 or later
SIMATIC ET 200SP IM 155-6 PN R1
HOTFIX: Update SIMATIC ET 200SP IM 155-6 PN R1 to version 6.0.1 or later
SIMATIC ET 200SP IM 155-6 PN/3 HF
HOTFIX: Update SIMATIC ET 200SP IM 155-6 PN/3 HF to version 4.2.2 or later
SIMATIC PN/PN Coupler
HOTFIX: Update SIMATIC PN/PN Coupler to version 6.0.0 or later
SIPLUS NET PN/PN Coupler
HOTFIX: Update SIPLUS NET PN/PN Coupler to version 6.0.0 or later
Mitigations - no patch available
The following products have reached End of Life with no planned fix: SIMATIC ET 200AL IM 157-1 PN, SIPLUS ET 200MP IM 155-5 PN HF T1 RAIL, SIPLUS ET 200SP IM 155-6 PN HF T1 RAIL, SIPLUS ET 200SP IM 155-6 PN HF TX RAIL, SIMATIC ET 200MP IM 155-5 PN HF, SIMATIC ET 200SP IM 155-6 MF HF, SIMATIC ET 200SP IM 155-6 PN/2 HF, SIMATIC PN/MF Coupler, SIPLUS ET 200MP IM 155-5 PN HF, SIPLUS ET 200SP IM 155-6 PN HF. Apply the following compensating controls:
HARDENING: Monitor Siemens for future fix versions for ET 200AL IM 157-1 PN, ET 200MP IM 155-5 PN HF, ET 200SP IM 155-6 MF HF, ET 200SP IM 155-6 PN/2 HF, PN/MF Coupler, and SIPLUS variants without fixes
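
Added example (not part of the advisory or any Siemens tooling): a triage script that sorts an asset inventory into "patch", "mitigate" or "ok" using the eight product rows listed in the table above. The inventory, asset tags and the function names ver(), triage() and report() are constructed for illustration; products not shown in that table return "unknown".

```python
# Added example: triage an asset inventory against the advisory's product table.
# Rules are transcribed from the eight rows visible on this page; the inventory
# below is constructed sample data, and ver()/triage()/report() are hypothetical.

def ver(s):
    """Turn '4.2.1' into (4, 2, 1), padded to three fields so '1.3' == '1.3.0'."""
    parts = [int(p) for p in s.strip().split(".")]
    return tuple(parts + [0] * (3 - len(parts)))

# product -> (affected_from, or None for no lower bound; fixed_in, or None for EOL)
RULES = {
    "SIMATIC ET 200AL IM 157-1 PN": (None, None),
    "SIPLUS ET 200MP IM 155-5 PN HF T1 RAIL": ("4.2.0", None),
    "SIPLUS ET 200SP IM 155-6 PN HF T1 RAIL": ("4.2.0", None),
    "SIPLUS ET 200SP IM 155-6 PN HF TX RAIL": ("4.2.0", None),
    "SIMATIC ET 200SP IM 155-6 PN HA": (None, "1.3"),
    "SIMATIC ET 200SP IM 155-6 PN R1": (None, "6.0.1"),
    "SIMATIC ET 200SP IM 155-6 PN/3 HF": (None, "4.2.2"),
    "SIMATIC PN/PN Coupler": (None, "6.0.0"),
}

def triage(product, firmware):
    """Return 'patch:<version>', 'mitigate', 'ok', or 'unknown' for one asset."""
    if product not in RULES:
        return "unknown"            # not in the visible table: check SSA-674753
    affected_from, fixed_in = RULES[product]
    v = ver(firmware)
    if affected_from and v < ver(affected_from):
        return "ok"                 # below the listed affected range
    if fixed_in is None:
        return "mitigate"           # EOL, no fix: restrict access to port 102
    return "ok" if v >= ver(fixed_in) else "patch:" + fixed_in

# Constructed inventory: (asset tag, product, installed firmware)
INVENTORY = [
    ("io-01", "SIMATIC ET 200SP IM 155-6 PN/3 HF", "4.2.1"),
    ("io-02", "SIMATIC ET 200SP IM 155-6 PN HA", "1.3"),
    ("io-03", "SIPLUS ET 200SP IM 155-6 PN HF T1 RAIL", "4.1.0"),
    ("io-04", "SIMATIC ET 200AL IM 157-1 PN", "1.0.2"),
    ("gw-01", "SIMATIC PN/PN Coupler", "5.9"),
]

def report(inventory=INVENTORY):
    """Map each asset tag to its triage result."""
    return {tag: triage(product, fw) for tag, product, fw in inventory}

if __name__ == "__main__":
    for tag, action in report().items():
        print(tag, action)
```

Assets that come back as "mitigate" are the ones that need the port 102 access restriction described under "Do now".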