CVE-2025-40944 in SIMATIC ET 200AL IM 157-1 PN

Summary

by MITRE • 01/13/2026

A vulnerability has been identified in SIMATIC ET 200AL IM 157-1 PN (6ES7157-1AB00-0AB0) (All versions), SIMATIC ET 200MP IM 155-5 PN HF (6ES7155-5AA00-0AC0) (All versions >= V4.2.0), SIMATIC ET 200SP IM 155-6 MF HF (6ES7155-6MU00-0CN0) (All versions), SIMATIC ET 200SP IM 155-6 PN HA (incl. SIPLUS variants) (All versions = V4.2.0), SIMATIC ET 200SP IM 155-6 PN/3 HF (6ES7155-6AU30-0CN0) (All versions = V4.2.0), SIPLUS ET 200MP IM 155-5 PN HF (6AG1155-5AA00-7AC0) (All versions >= V4.2.0), SIPLUS ET 200MP IM 155-5 PN HF T1 RAIL (6AG2155-5AA00-1AC0) (All versions >= V4.2.0), SIPLUS ET 200SP IM 155-6 PN HF (6AG1155-6AU01-2CN0) (All versions >= V4.2.0), SIPLUS ET 200SP IM 155-6 PN HF (6AG1155-6AU01-7CN0) (All versions >= V4.2.0), SIPLUS ET 200SP IM 155-6 PN HF T1 RAIL (6AG2155-6AU01-1CN0) (All versions >= V4.2.0), SIPLUS ET 200SP IM 155-6 PN HF TX RAIL (6AG2155-6AU01-4CN0) (All versions >= V4.2.0), SIPLUS NET PN/PN Coupler (6AG2158-3AD10-4XA0) (All versions < V6.0.0). Affected devices do not properly handle S7 protocol session disconnect requests. When receiving a valid S7 protocol Disconnect Request (COTP DR TPDU) on TCP port 102, the devices enter an improper session state.

This could allow an attacker to cause the device to become unresponsive, leading to a denial-of-service condition that requires a power cycle to restore normal operation.


Analysis

by VulDB Data Team • 01/13/2026

The vulnerability identified as CVE-2025-40944 affects a range of Siemens industrial communication modules including various IM 157-1 PN, IM 155-5 PN HF, and IM 155-6 PN variants across ET 200AL, ET 200MP, and ET 200SP series. These devices operate within critical industrial environments where reliability and continuous operation are paramount. The affected modules are designed to handle S7 protocol communications, which is fundamental to Siemens' industrial automation systems and the broader industrial control systems ecosystem. The vulnerability specifically resides in the handling of S7 protocol session disconnect requests, representing a significant weakness in the protocol implementation that could compromise operational continuity.

The technical flaw manifests when these industrial modules receive a valid S7 protocol Disconnect Request (COTP DR TPDU) on TCP port 102, which is the standard port for S7 communication in Siemens systems. The devices fail to properly manage this legitimate protocol message, resulting in an improper session state that leads to system unresponsiveness. This behavior represents a classic denial-of-service condition where the device becomes unresponsive to further communication attempts. The improper session handling stems from inadequate state management within the protocol stack, allowing a malformed or unexpected sequence of protocol messages to cause the system to enter an inconsistent state that cannot be recovered without manual intervention.

The operational impact of this vulnerability extends beyond simple service disruption to potentially compromise entire industrial processes that depend on these communication modules. When an industrial device becomes unresponsive due to this vulnerability, operators must perform manual power cycling to restore functionality, which can result in extended downtime and potential production losses. In critical infrastructure environments where continuous operation is essential, this vulnerability could lead to cascading failures that affect downstream processes and systems. The requirement for power cycle recovery indicates a fundamental flaw in the device's error handling capabilities and suggests that the system lacks proper recovery mechanisms for protocol anomalies.

The vulnerability aligns with CWE-399, which addresses Resource Management Errors, and represents a specific instance of inadequate error handling within industrial communication protocols. From an ATT&CK perspective, this vulnerability maps to T1499.004, which covers Network Denial of Service, and T1566.001, covering Phishing with Social Engineering. The attack surface is particularly concerning for operational technology environments where adversaries may attempt to exploit this weakness to disrupt industrial processes. Organizations should implement network segmentation and access controls to limit exposure, while also ensuring that these devices are properly isolated from untrusted networks. The vulnerability underscores the critical need for robust protocol handling and error recovery mechanisms in industrial control systems, particularly given the increasing integration of these systems with corporate networks and the growing sophistication of cyber threats targeting operational technology environments.
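The summary names a valid COTP Disconnect Request (DR TPDU) on TCP port 102 as the trigger, and the analysis recommends segmentation and access control as the mitigation. The following Python is an added example, not VulDB's or Siemens' code: it parses TPKT/COTP framing and flags DR TPDUs sent to port 102 by hosts outside an allow list of engineering stations, which is the kind of monitoring rule a defender can run against a mirrored OT segment. The IP addresses, frames and allow list are constructed for the example.

```python
import struct
from dataclasses import dataclass
from typing import Optional

S7_PORT = 102
# COTP TPDU type codes (upper nibble of the code octet), per ISO 8073 / RFC 905.
COTP_TYPES = {0xE: "CR", 0xD: "CC", 0x8: "DR", 0xC: "DC", 0xF: "DT"}

@dataclass
class CotpInfo:
    tpdu_type: str
    dst_ref: Optional[int] = None
    src_ref: Optional[int] = None
    reason: Optional[int] = None

def parse_tpkt_cotp(frame: bytes) -> Optional[CotpInfo]:
    """Parse one TPKT-framed COTP TPDU; return None if the framing is malformed."""
    if len(frame) < 6 or frame[0] != 3:                  # TPKT version is always 3
        return None
    if struct.unpack("!H", frame[2:4])[0] != len(frame):  # TPKT length spans the whole frame
        return None
    li = frame[4]                                        # COTP length indicator (excludes itself)
    if li == 0 or 5 + li > len(frame):
        return None
    info = CotpInfo(COTP_TYPES.get(frame[5] >> 4, "UNKNOWN"))
    if info.tpdu_type in ("DR", "DC") and li >= 5:       # fixed part: dst-ref, src-ref[, reason]
        info.dst_ref, info.src_ref = struct.unpack("!HH", frame[6:10])
        if info.tpdu_type == "DR" and li >= 6:
            info.reason = frame[10]
    return info

def flag_disconnects(flows, allowed_sources):
    """flows: (src_ip, dst_port, frame) tuples. Returns (src_ip, dst_ref, src_ref, reason)
    for every DR TPDU sent to TCP/102 by a host outside the allow-listed engineering stations."""
    alerts = []
    for src_ip, dst_port, frame in flows:
        info = parse_tpkt_cotp(frame) if dst_port == S7_PORT else None
        if info and info.tpdu_type == "DR" and src_ip not in allowed_sources:
            alerts.append((src_ip, info.dst_ref, info.src_ref, info.reason))
    return alerts

# Constructed sample flows (not captured traffic): a CR from an engineering station,
# a DR from that same station, and a DR from an address outside the allow list.
SAMPLE_FLOWS = [
    ("10.0.0.10", 102, bytes.fromhex("03000016 11e00000 000100c0 010ac102 0100c202 0102")),
    ("10.0.0.10", 102, bytes.fromhex("0300000b 06800001 000200")),
    ("192.168.50.7", 102, bytes.fromhex("0300000b 06800001 000200")),
]
```

Running `flag_disconnects(SAMPLE_FLOWS, {"10.0.0.10"})` reports only the disconnect from 192.168.50.7; a DR from an allow-listed station is normal session teardown and stays silent.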

Responsible

Siemens

Reservation

04/16/2025

Disclosure

01/13/2026

Moderation

accepted

CPE

ready

EPSS

0.00022

KEV

no

Activities

very low
