Denial of Service Vulnerability in BACnet ATEC Devices
Monitor | 6.5 | SSA-828116 | May 13, 2025
Attack Vector: Adjacent
Auth Required: None
Complexity: Low
User Interaction: None needed
Summary
BACnet ATEC 550-series devices contain a denial of service vulnerability in MSTP message validation (CWE-20). An attacker with access to the BACnet network can send a specially crafted MSTP message that causes the device to crash. Recovery requires a manual power cycle. Siemens has not released patches for affected models and recommends implementing network-level protections and security practices.
What this means
What could happen
An attacker on your BACnet network can crash ATEC devices by sending a specially crafted message, forcing a power cycle to restore operation. This could interrupt HVAC control or other building automation functions tied to these devices.
Who's at risk
Energy sector operators and building managers who rely on Siemens BACnet ATEC 550-series devices for HVAC, climate control, or other automated building systems should evaluate their network architecture. Risk is highest if ATEC devices are on a shared or wireless BACnet network accessible from untrusted segments.
How it could be exploited
An attacker with access to the BACnet network (wired or wireless) sends a malformed MSTP (Master-Slave/Token-Passing) message to an ATEC device. The device fails to validate the message properly, crashes, and requires a manual power cycle to recover.
Prerequisites
- Attacker must be on the same BACnet network as the target device (Layer 2 access—wired or wireless)
- No credentials or authentication required
- Device must be operational to receive the malicious MSTP message
remotely exploitable (from same BACnet network) | no authentication required | low complexity | no patch available | affects availability of building automation systems
Exploitability
Low exploit probability (EPSS 0.1%)
Affected products (4)
4 EOL
Product | Affected Versions | Fix Status
BACnet ATEC 550-440 | All versions | No fix (EOL)
BACnet ATEC 550-441 | All versions | No fix (EOL)
BACnet ATEC 550-445 | All versions | No fix (EOL)
BACnet ATEC 550-446 | All versions | No fix (EOL)
Remediation & Mitigation
Do now
WORKAROUND: Ensure all ATEC devices are behind a firewall or gateway that filters invalid MSTP frames before they reach the device
Schedule — requires maintenance window
Patching may require device reboot — plan for process interruption
HARDENING: Document the crash behavior and establish a rapid power-cycle recovery procedure to minimize downtime if a device is exploited
Mitigations - no patch available
The following products have reached End of Life with no planned fix: BACnet ATEC 550-440, BACnet ATEC 550-441, BACnet ATEC 550-445, BACnet ATEC 550-446. Apply the following compensating controls:
- HARDENING: Restrict BACnet network access using network segmentation—isolate ATEC devices on a separate VLAN and control traffic with access control lists
- HARDENING: Monitor BACnet MSTP traffic for unusual or malformed messages that could indicate exploitation attempts
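One way to support the MSTP monitoring and filtering mitigations above is to check each captured frame against the MS/TP frame layout and CRCs defined in ASHRAE 135 (clause 9, Annex G). This is an added example, not Siemens code or part of the advisory; the function names, the 501-octet data limit and the sample frames are assumptions constructed for illustration, and the advisory does not state which malformation triggers the crash.

```python
# Added example: structural checks on one captured BACnet MS/TP frame.
PREAMBLE = b"\x55\xff"
MAX_DATA = 501  # assumption: classic (non-extended) MS/TP data limit

def header_crc(octets):
    """CRC-8 register (x^8 + x^7 + 1, init 0xFF) after processing octets."""
    crc = 0xFF
    for b in octets:
        t = crc ^ b
        t ^= (t << 1) ^ (t << 2) ^ (t << 3) ^ (t << 4) ^ (t << 5) ^ (t << 6) ^ (t << 7)
        crc = (t & 0xFE) ^ ((t >> 8) & 1)
    return crc

def data_crc(octets):
    """CRC-16 register (reflected poly 0x8408, init 0xFFFF) after octets."""
    crc = 0xFFFF
    for b in octets:
        crc ^= b
        for _ in range(8):
            crc = (crc >> 1) ^ 0x8408 if crc & 1 else crc >> 1
    return crc

def check_frame(frame):
    """Return a list of problems; an empty list means the frame is well-formed."""
    if len(frame) < 8:
        return ["truncated header"]
    if frame[:2] != PREAMBLE:
        return ["bad preamble"]
    problems = []
    if header_crc(frame[2:8]) != 0x55:  # residue over header plus its CRC octet
        problems.append("header CRC mismatch")
    length = int.from_bytes(frame[5:7], "big")
    if length > MAX_DATA:
        problems.append("length exceeds maximum")
    elif length and len(frame) < 8 + length + 2:
        problems.append("data shorter than length field")
    elif length and data_crc(frame[8:8 + length + 2]) != 0xF0B8:  # data + CRC residue
        problems.append("data CRC mismatch")
    return problems

def build_frame(ftype, dst, src, data=b""):
    """Build a well-formed frame; used here only to construct samples."""
    hdr = bytes([ftype, dst, src]) + len(data).to_bytes(2, "big")
    out = PREAMBLE + hdr + bytes([header_crc(hdr) ^ 0xFF])
    return out + data + (data_crc(data) ^ 0xFFFF).to_bytes(2, "little") if data else out

GOOD = build_frame(0x06, 0x10, 0x05, b"\x01\x22\x30")  # constructed sample frame
ALTERED = GOOD[:5] + b"\x01\xf4" + GOOD[7:]  # constructed: length field changed to 500
for f in (GOOD, ALTERED):
    print(f.hex(), check_frame(f) or "ok")
```

Frames that return a non-empty list are the ones worth logging or dropping at a gateway; a frame that passes these checks can still carry unexpected content in its data field.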
CVEs (1)