OTPulse

Denial of service Vulnerability in Interniche IP-Stack based Industrial Devices

Plan Patch | 7.5 | SSA-915282 | Dec 9, 2025
Attack Vector: Network
Auth Required: None
Complexity: Low
User Interaction: None needed
Summary

Multiple Siemens industrial products using the Interniche IP-Stack contain a vulnerability in TCP sequence number validation. The affected products do not properly enforce TCP sequence number validation in specific scenarios but accept values within a broad range. This allows an unauthenticated remote attacker to inject spoofed IP packets at precisely timed moments to interfere with TCP connection setup, potentially leading to denial of service. The attack affects only TCP-based services and requires specific network timing conditions.
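A passive monitor can apply to connection setup the exact-match sequence check that the summary says the affected stack relaxes. This is an added example, not code from the advisory or the vendor: the `Seg` record layout, addresses, port and sequence numbers are constructed, and because the advisory does not say which handshake segments are mis-validated, the check covers all of them.

```python
from collections import namedtuple
# Constructed record for one decoded TCP segment (not a real capture format).
Seg = namedtuple("Seg", "ts src sport dst dport flags seq ack")
MOD = 2 ** 32  # TCP sequence numbers wrap at 32 bits

def check_handshakes(segments):
    """Alert on setup segments that miss the exact numbers the handshake implies."""
    conns, alerts = {}, []  # conns: (client, cport, server, sport) -> state
    for s in segments:
        fwd = (s.src, s.sport, s.dst, s.dport)
        rev = (s.dst, s.dport, s.src, s.sport)
        if s.flags == "S":  # client opens a connection
            st = conns.get(fwd)
            if st is None or st["done"]:
                conns[fwd] = {"c_isn": s.seq, "s_isn": None, "done": False}
            elif st["c_isn"] != s.seq:  # a retransmitted SYN keeps its ISN
                alerts.append((s.ts, "SYN with different ISN during setup"))
        elif fwd in conns and not conns[fwd]["done"]:  # client -> server
            st = conns[fwd]
            ok = s.seq == (st["c_isn"] + 1) % MOD
            if "A" in s.flags:
                ok = ok and st["s_isn"] is not None and s.ack == (st["s_isn"] + 1) % MOD
            if not ok:
                alerts.append((s.ts, "client segment outside handshake numbers"))
            elif "A" in s.flags or "R" in s.flags:
                st["done"] = True  # established or torn down
        elif rev in conns and not conns[rev]["done"]:  # server -> client
            st = conns[rev]
            ok = "A" in s.flags and s.ack == (st["c_isn"] + 1) % MOD
            if ok and "S" in s.flags:
                ok = st["s_isn"] in (None, s.seq)  # SYN-ACK retransmit keeps ISN
            if not ok:
                alerts.append((s.ts, "server segment outside handshake numbers"))
            elif "S" in s.flags:
                st["s_isn"] = s.seq
            elif "R" in s.flags:
                st["done"] = True
    return alerts

HMI, PLC = "192.0.2.10", "192.0.2.20"  # constructed addresses
SAMPLE = [  # constructed: one clean handshake, then one with an injected ACK
    Seg(1.000, HMI, 50000, PLC, 102, "S", 1000, 0),
    Seg(1.001, PLC, 102, HMI, 50000, "SA", 5000, 1001),
    Seg(1.002, HMI, 50000, PLC, 102, "A", 1001, 5001),
    Seg(2.000, HMI, 50001, PLC, 102, "S", 2000, 0),
    Seg(2.001, PLC, 102, HMI, 50001, "SA", 9000, 2001),
    Seg(2.002, HMI, 50001, PLC, 102, "A", 42001, 9001),  # seq far from ISN+1
    Seg(2.003, HMI, 50001, PLC, 102, "A", 2001, 9001),
]
```

Running `check_handshakes(SAMPLE)` flags only the segment at 2.002; the genuine ACK that follows it still completes the handshake without an alert.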

What this means
What could happen
An attacker on your network could disrupt TCP connections to PLCs, gateways, and IO modules, causing temporary loss of communication with control devices and process downtime until the connection recovers or is manually restarted.
Who's at risk
Energy, manufacturing, and transportation sectors using Siemens industrial control systems. Affected devices include S7-200 SMART, S7-300, S7-400, S7-1200, S7-1500 CPUs (programmable logic controllers), ET 200 IO modules (remote terminal units for distributed control), TDC process controllers, SINUMERIK CNC systems, SIMOCODE motor management systems, and SIWAREX weighing modules. Any facility relying on these controllers for process automation, power distribution, or industrial motion control is affected.
How it could be exploited
An attacker must be able to inject IP packets with spoofed source addresses into your network, which requires network-level access or a compromised device on the same network segment. The attacker sends specially crafted TCP packets at precisely timed moments during connection establishment to interfere with the TCP handshake, causing the connection to fail or reset.
Prerequisites
  • Network-level access to inject or intercept packets on the same network segment as affected devices
  • Ability to spoof source IP addresses
  • Timing knowledge of TCP connection attempts (attacker must inject packets during active connection setup)
  • Remotely exploitable
  • No authentication required
  • Low complexity attack
  • Affects large installed base of legacy and current-generation PLCs
  • Most affected products have no patch available
Exploitability
Low exploit probability (EPSS 0.1%)
Affected products (145)
45 with fix, 100 pending
Product | Affected Versions | Fix Status
SIMATIC S7-200 SMART CPU ST20 | All versions | No fix yet
SIMATIC S7-200 SMART CPU ST30 | All versions | No fix yet
SIMATIC S7-200 SMART CPU ST40 | All versions | No fix yet
SIMATIC S7-200 SMART CPU ST60 | All versions | No fix yet
SIMATIC S7-300 CPU 314C-2 PN/DP | All versions | No fix yet
Remediation & Mitigation

  • Update to V1.3 or later version
  • Update to V10.2 or later version
  • Update to V2.0.0 or later version
  • Update to V4.4.0 or later version
  • Update to V6.0.0 or later version