CVE-2025-40555 in APOGEE PXC+TALON TC
Summary
by MITRE • 05/13/2025
A vulnerability has been identified in APOGEE PXC+TALON TC Series (BACnet) (All versions). Affected devices start sending unsolicited BACnet broadcast messages after processing a specific BACnet createObject request. This could allow an attacker residing in the same BACnet network to send a specially crafted message that results in a partial denial of service condition of the targeted device, and potentially reduce the availability of the BACnet network. A power cycle is required to restore the device's normal operation.
Analysis
by VulDB Data Team • 05/13/2025
This vulnerability exists within the APOGEE PXC+TALON TC Series BACnet devices where a specific flaw in the protocol implementation allows for improper handling of BACnet createObject requests. The technical mechanism involves the device's failure to properly validate incoming BACnet messages during the object creation process, leading to a state where the device begins transmitting unsolicited broadcast messages. This behavior represents a classic buffer overflow or state machine error that occurs when the device processes malformed or specially crafted BACnet packets without proper input sanitization. The vulnerability maps to CWE-121, which describes buffer overflow conditions in stack-based buffers, and also aligns with CWE-122 for heap-based buffer overflows that could occur during dynamic memory allocation.

From an operational perspective, this vulnerability creates a persistent denial of service condition where the affected device continuously broadcasts messages that interfere with normal BACnet network operations, potentially causing network congestion and disrupting communication between other building automation devices. The attacker's position within the same BACnet network allows for direct exploitation without requiring external network access, making this particularly dangerous in industrial control environments where network segmentation may be limited. The requirement for a power cycle to restore normal operation indicates that this is not a recoverable state but rather a device-level malfunction that requires physical intervention. This vulnerability directly impacts the availability aspect of the CIA triad by reducing network reliability and operational continuity. The BACnet protocol's inherent design for building automation systems makes this particularly concerning as it affects critical infrastructure components including heating, ventilation, air conditioning, lighting, and security systems.
The attack surface is limited to devices within the same BACnet network segment, but this restriction does not mitigate the potential impact on overall system availability. According to the ATT&CK framework, this vulnerability could be categorized under T1499.004 for network denial of service attacks, and potentially T1566 for initial access through network-based attacks. The attack vector requires the adversary to be positioned within the same network segment as the target device, which typically means either physical access or network compromise through other means.

Mitigation strategies should include network segmentation to isolate BACnet devices, implementation of network monitoring to detect unusual broadcast traffic patterns, and regular firmware updates to address the underlying protocol handling flaw. Additionally, implementing BACnet security measures such as BACnet Security Suites or network access control lists can help prevent unauthorized devices from sending malicious requests. Device administrators should also consider implementing intrusion detection systems specifically configured to monitor BACnet traffic for anomalous behavior patterns that could indicate exploitation attempts. The vulnerability demonstrates the importance of proper input validation in industrial protocol implementations and highlights the need for robust error handling in embedded systems that operate in critical infrastructure environments. Organizations should conduct thorough network assessments to identify all affected devices and implement immediate protective measures while awaiting official patches from the vendor.
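As an added example that is not part of the VulDB analysis or any vendor guidance, the broadcast-rate monitoring described in the mitigation paragraph can be implemented over BACnet/IP traffic: each frame's BVLC header is parsed and any source exceeding a threshold of Original-Broadcast-NPDUs inside a sliding time window is flagged, which is the symptom of an affected device after the problematic createObject request. The window, threshold, IP addresses and sample frames below are constructed assumptions, not values from the advisory.

```python
"""Flag BACnet/IP sources whose broadcast rate exceeds a per-window threshold."""
from collections import defaultdict, deque

BVLC_TYPE = 0x81                 # first byte of every BACnet/IP (Annex J) frame
ORIGINAL_BROADCAST_NPDU = 0x0B   # BVLC function code: Original-Broadcast-NPDU
ORIGINAL_UNICAST_NPDU = 0x0A     # BVLC function code: Original-Unicast-NPDU


def bvlc_function(frame: bytes):
    """Return the BVLC function code, or None if the 4-byte BVLC header is malformed."""
    if len(frame) < 4 or frame[0] != BVLC_TYPE:
        return None
    if int.from_bytes(frame[2:4], "big") != len(frame):  # declared length must match
        return None
    return frame[1]


class BroadcastRateMonitor:
    """Sliding-window count of broadcast NPDUs per source IP address."""

    def __init__(self, window_s: float, threshold: int):
        self.window_s, self.threshold = window_s, threshold
        self.seen = defaultdict(deque)  # src -> timestamps of recent broadcasts

    def observe(self, ts: float, src: str, frame: bytes) -> bool:
        """Record one frame; True when src sent more than threshold broadcasts in the window."""
        if bvlc_function(frame) != ORIGINAL_BROADCAST_NPDU:
            return False              # unicast, forwarded or malformed frames are not counted
        q = self.seen[src]
        q.append(ts)
        while q and ts - q[0] > self.window_s:
            q.popleft()               # drop timestamps that fell out of the window
        return len(q) > self.threshold


def flagged_sources(traffic, window_s=10.0, threshold=20):
    """Return the sorted list of sources that exceeded the threshold at least once."""
    mon = BroadcastRateMonitor(window_s, threshold)
    return sorted({src for ts, src, frame in traffic if mon.observe(ts, src, frame)})


# Constructed sample frames: a Who-Is broadcast (BVLC 0x0B) and a short unicast NPDU (BVLC 0x0A).
WHO_IS_BROADCAST = bytes.fromhex("810b000c0120ffff00ff1008")
UNICAST_FRAME = bytes.fromhex("810a000801001008")
# Constructed capture (ts, src, frame): 10.0.0.5 broadcasts every 30 s, which is normal;
# 10.0.0.7 emits 60 broadcasts in 3 s plus unicasts, resembling an unsolicited broadcast storm.
SAMPLE_TRAFFIC = (
    [(30.0 * i, "10.0.0.5", WHO_IS_BROADCAST) for i in range(5)]
    + [(100.0 + 0.05 * i, "10.0.0.7", WHO_IS_BROADCAST) for i in range(60)]
    + [(100.0 + 0.05 * i, "10.0.0.7", UNICAST_FRAME) for i in range(60)]
)

if __name__ == "__main__":
    print("sources exceeding broadcast threshold:", flagged_sources(SAMPLE_TRAFFIC))
```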