OTPulse

Denial of Service of ICMP in Industrial Devices

Monitor | 5.3 | SSA-725549 | Apr 8, 2025
Attack Vector: Network
Auth Required: None
Complexity: Low
User Interaction: None needed
Summary

A vulnerability in the integrated ICMP services within the TCP/IP stack of multiple Siemens industrial automation products allows remote attackers to cause a temporary denial of service. An attacker can send specially crafted ICMP packets to an affected device, disabling ICMP services for a limited time. ICMP services restore automatically after the attack ceases. Other communication services and operational functions remain unaffected. Siemens has released firmware updates for select products (SIMATIC S7-1200, S7-410, CFU, ET 200SP IM 155-6 PN HA, and PN/PN Coupler). A majority of affected products, including S7-300, S7-400, S7-1500, and many ET 200 variants, do not have patches available.

What this means
What could happen
An attacker can send specially crafted ICMP packets to temporarily disable ICMP services on affected Siemens devices, causing them to stop responding to ping or ICMP-based monitoring tools. Other network services remain operational, but the loss of ICMP availability may degrade network diagnostics and device accessibility.
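A monitoring-side check for the behaviour described above, as an added example that is not part of the advisory or of any vendor tooling: it correlates ICMP and TCP probe results per device and reports runs of polling cycles where only ICMP is lost. The probe log is constructed, and the device names, the `tcp102` service probe and the two-cycle threshold are assumptions.

```python
from collections import defaultdict

# Constructed probe log: (epoch_seconds, device, probe, ok). Device names and
# the TCP 102 service probe are assumptions made for this example.
SAMPLE_PROBES = [
    (0,   "plc-a", "icmp", True),  (0,   "plc-a", "tcp102", True),
    (60,  "plc-a", "icmp", False), (60,  "plc-a", "tcp102", True),
    (120, "plc-a", "icmp", False), (120, "plc-a", "tcp102", True),
    (180, "plc-a", "icmp", True),  (180, "plc-a", "tcp102", True),
    (0,   "plc-b", "icmp", True),  (0,   "plc-b", "tcp102", True),
    (60,  "plc-b", "icmp", False), (60,  "plc-b", "tcp102", False),
    (120, "plc-b", "icmp", True),  (120, "plc-b", "tcp102", True),
]

def classify(icmp_ok, service_ok):
    """Label one polling cycle from the two probe results."""
    if icmp_ok:
        return "ok" if service_ok else "service-down"
    return "icmp-only-loss" if service_ok else "unreachable"

def icmp_only_episodes(probes, service="tcp102", min_cycles=2):
    """Return {device: [(start, end, cycles)]}; end is None for a run still open."""
    cycles = defaultdict(dict)              # device -> timestamp -> {probe: ok}
    for ts, dev, probe, ok in probes:
        cycles[dev].setdefault(ts, {})[probe] = ok
    episodes = defaultdict(list)
    for dev, by_ts in cycles.items():
        start, count = None, 0
        for ts in sorted(by_ts):
            r = by_ts[ts]
            if "icmp" not in r or service not in r:
                continue                    # incomplete cycle: no verdict
            if classify(r["icmp"], r[service]) == "icmp-only-loss":
                start = ts if start is None else start
                count += 1
                continue
            if count >= min_cycles:         # run ended at this cycle
                episodes[dev].append((start, ts, count))
            start, count = None, 0
        if count >= min_cycles:             # run still open at end of data
            episodes[dev].append((start, None, count))
    return dict(episodes)

if __name__ == "__main__":
    print(icmp_only_episodes(SAMPLE_PROBES))
```

An ICMP-only episode is a heuristic signal, since a firewall or ACL change that blocks ping produces the same pattern.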
Who's at risk
This advisory affects industrial automation operators in energy, manufacturing, and transportation sectors who rely on Siemens automation products. Specifically: operators of SIMATIC S7 PLCs (S7-300, S7-400, S7-1200, S7-1500 series), ET 200 distributed I/O modules, SIDOOR safety door controllers, SINUMERIK machine controllers, and weighing systems (SIWAREX). Any facility using these controllers for process automation, machine control, or safety interlock logic should assess their exposure.
How it could be exploited
An attacker with network access to an affected device sends a specially crafted ICMP packet. The device's underlying TCP/IP stack processes the packet incorrectly, disabling ICMP services for a limited time. ICMP services automatically restore themselves after the attack stops.
Prerequisites
  • Network-level access to the affected device
  • Ability to send ICMP packets to the device
  • No authentication required
remotely exploitable · no authentication required · low complexity · affects majority of S7 and ET 200 product lines · majority of affected products have no patch available
Exploitability
Low exploit probability (EPSS 0.3%)
Affected products (138)
42 with fix, 96 pending
Product | Affected Versions | Fix Status
SIDOOR ATD430W | All versions | No fix yet
SIDOOR ATE530G COATED | All versions | No fix yet
SIDOOR ATE530S COATED | All versions | No fix yet
SIMATIC CFU DIQ | < V2.0.0 | 2.0.0
SIMATIC CFU PA | < V2.0.0 | 2.0.0
Remediation & Mitigation
Schedule — requires maintenance window

Patching may require device reboot — plan for process interruption

SIMATIC CFU DIQ
HOTFIX: Update SIMATIC CFU DIQ to firmware version 2.0.0 or later
SIMATIC CFU PA
HOTFIX: Update SIMATIC CFU PA to firmware version 2.0 or later
SIMATIC PN/PN Coupler
HOTFIX: Update SIMATIC PN/PN Coupler to firmware version 6.0.0 or later
SIPLUS NET PN/PN Coupler
HOTFIX: Update SIPLUS NET PN/PN Coupler to firmware version 6.0.0 or later
All products
HOTFIX: Update SIMATIC ET 200SP IM 155-6 PN HA to firmware version 1.3 or later
HOTFIX: Update SIMATIC S7-410 V8 CPU family to firmware version 8.3 or later
HOTFIX: Update SIMATIC S7-410 V10 CPU family to firmware version 10.2 or later
HOTFIX: Update SIMATIC S7-1200 CPU series to firmware version 4.4 or later
HOTFIX: Update SIPLUS S7-1200 CPU series to firmware version 4.4 or later
Long-term hardening
HARDENING: Implement network-level ICMP filtering or rate-limiting on switches/firewalls to reduce the impact of ICMP-based attacks on devices without available patches
HARDENING: Isolate affected devices without available patches on separate network segments and restrict ICMP traffic to only authorized monitoring sources
Denial of Service of ICMP in Industrial Devices | CVSS 5.3 - OTPulse