Siemens SIPLUS ET 200SP CPU 1 TCP Sequence Number verification of source
| CVSS Meta Temp Score | Current Exploit Price (≈) | CTI Interest Score |
|---|---|---|
| 7.5 | $5k-$25k | 0.00 |
Summary
A vulnerability has been found in Siemens SIDOOR ATD430W, SIDOOR ATE530G COATED, SIDOOR ATE530S COATED, SIMATIC CFU DIQ, SIMATIC CFU PA, SIMATIC ET 200AL IM 157-1 PN, SIMATIC ET 200clean, CM 8x IO-Link, DI 16x24VDC, DIQ 16x24VDC, 0, 5A, SIMATIC ET 200eco PN, AI 8xRTD, TC, M12-L, CM 4x IO-Link, DI 8x24VDC, 2A, DQ 8x24VDC, SIMATIC ET 200MP IM 155-5 PN HF, SIMATIC ET 200pro IM 154-8 PN, DP CPU, SIMATIC ET 200pro IM 154-8F PN, SIMATIC ET 200pro IM 154-8FX PN, SIMATIC ET 200S IM 151-8 PN, SIMATIC ET 200S IM 151-8F PN, SIMATIC ET 200SP CPU 1510SP F-1 PN, SIMATIC ET 200SP CPU 1510SP-1 PN, SIMATIC ET 200SP CPU 1512SP F-1 PN, SIMATIC ET 200SP CPU 1512SP-1 PN, SIMATIC ET 200SP IM 155-6 MF HF, SIMATIC ET 200SP IM 155-6 PN HA, SIMATIC ET 200SP IM 155-6 PN HF, SIMATIC ET 200SP IM 155-6 PN, 2 HF, 3 HF, SIMATIC PN, MF Coupler, PN Coupler, SIMATIC Power Line Booster PLB, Base Module, Modem Module ST, SIMATIC S7-1200 CPU 1211C AC, DC, Rly, SIMATIC S7-1200 CPU 1211C DC, SIMATIC S7-1200 CPU 1212C AC, SIMATIC S7-1200 CPU 1212C DC, SIMATIC S7-1200 CPU 1212FC DC, SIMATIC S7-1200 CPU 1214C AC, SIMATIC S7-1200 CPU 1214C DC, SIMATIC S7-1200 CPU 1214FC DC, SIMATIC S7-1200 CPU 1215C AC, SIMATIC S7-1200 CPU 1215C DC, SIMATIC S7-1200 CPU 1215FC DC, SIMATIC S7-1200 CPU 1217C DC, SIMATIC S7-1500 CPU 1511-1 PN, SIMATIC S7-1500 CPU 1511F-1 PN, SIMATIC S7-1500 CPU 1513-1 PN, SIMATIC S7-1500 CPU 1513F-1 PN, SIMATIC S7-1500 CPU 1515-2 PN, SIMATIC S7-1500 CPU 1515F-2 PN, SIMATIC S7-1500 CPU 1516-3 PN, DP, SIMATIC S7-1500 CPU 1516F-3 PN, SIMATIC S7-200 SMART CPU CR40, SIMATIC S7-200 SMART CPU CR60, SIMATIC S7-200 SMART CPU SR20, SIMATIC S7-200 SMART CPU SR30, SIMATIC S7-200 SMART CPU SR40, SIMATIC S7-200 SMART CPU SR60, SIMATIC S7-200 SMART CPU ST20, SIMATIC S7-200 SMART CPU ST30, SIMATIC S7-200 SMART CPU ST40, SIMATIC S7-200 SMART CPU ST60, SIMATIC S7-300 CPU 314C-2 PN, SIMATIC S7-300 CPU 315-2 PN, SIMATIC S7-300 CPU 315F-2 PN, SIMATIC S7-300 CPU 315T-3 PN, SIMATIC S7-300 CPU 317-2 PN, SIMATIC S7-300 CPU 317F-2 PN, SIMATIC S7-300 CPU 317T-3 PN, SIMATIC S7-300 CPU 317TF-3 PN, SIMATIC S7-300 CPU 319-3 PN, SIMATIC S7-300 CPU 319F-3 PN, SIMATIC S7-400 CPU 412-2 PN V7, SIMATIC S7-400 CPU 414-3 PN, DP V7, SIMATIC S7-400 CPU 414F-3 PN, SIMATIC S7-400 CPU 416-3 PN, SIMATIC S7-400 CPU 416F-3 PN, SIMATIC S7-400 H V6 CPU family, SIMATIC S7-410 V10 CPU family, SIMATIC S7-410 V8 CPU family, SIMATIC TDC CP51M1, SIMATIC TDC CPU555, SIMOCODE pro V Ethernet, IP and SIMOCODE pro V PROFINET and classified as critical. The affected element is an unknown function of the component TCP Sequence Number Handler. Performing a manipulation results in verification of source. This vulnerability is identified as CVE-2025-40820. The attack can be initiated remotely. There is not any exploit available.
Details
A vulnerability was found in Siemens SIDOOR ATD430W, SIDOOR ATE530G COATED, SIDOOR ATE530S COATED, SIMATIC CFU DIQ, SIMATIC CFU PA, SIMATIC ET 200AL IM 157-1 PN, SIMATIC ET 200clean, CM 8x IO-Link, DI 16x24VDC, DIQ 16x24VDC, 0, 5A, SIMATIC ET 200eco PN, AI 8xRTD, TC, M12-L, CM 4x IO-Link, DI 8x24VDC, 2A, DQ 8x24VDC, SIMATIC ET 200MP IM 155-5 PN HF, SIMATIC ET 200pro IM 154-8 PN, DP CPU, SIMATIC ET 200pro IM 154-8F PN, SIMATIC ET 200pro IM 154-8FX PN, SIMATIC ET 200S IM 151-8 PN, SIMATIC ET 200S IM 151-8F PN, SIMATIC ET 200SP CPU 1510SP F-1 PN, SIMATIC ET 200SP CPU 1510SP-1 PN, SIMATIC ET 200SP CPU 1512SP F-1 PN, SIMATIC ET 200SP CPU 1512SP-1 PN, SIMATIC ET 200SP IM 155-6 MF HF, SIMATIC ET 200SP IM 155-6 PN HA, SIMATIC ET 200SP IM 155-6 PN HF, SIMATIC ET 200SP IM 155-6 PN, 2 HF, 3 HF, SIMATIC PN, MF Coupler, PN Coupler, SIMATIC Power Line Booster PLB, Base Module, Modem Module ST, SIMATIC S7-1200 CPU 1211C AC, DC, Rly, SIMATIC S7-1200 CPU 1211C DC, SIMATIC S7-1200 CPU 1212C AC, SIMATIC S7-1200 CPU 1212C DC, SIMATIC S7-1200 CPU 1212FC DC, SIMATIC S7-1200 CPU 1214C AC, SIMATIC S7-1200 CPU 1214C DC, SIMATIC S7-1200 CPU 1214FC DC, SIMATIC S7-1200 CPU 1215C AC, SIMATIC S7-1200 CPU 1215C DC, SIMATIC S7-1200 CPU 1215FC DC, SIMATIC S7-1200 CPU 1217C DC, SIMATIC S7-1500 CPU 1511-1 PN, SIMATIC S7-1500 CPU 1511F-1 PN, SIMATIC S7-1500 CPU 1513-1 PN, SIMATIC S7-1500 CPU 1513F-1 PN, SIMATIC S7-1500 CPU 1515-2 PN, SIMATIC S7-1500 CPU 1515F-2 PN, SIMATIC S7-1500 CPU 1516-3 PN, DP, SIMATIC S7-1500 CPU 1516F-3 PN, SIMATIC S7-200 SMART CPU CR40, SIMATIC S7-200 SMART CPU CR60, SIMATIC S7-200 SMART CPU SR20, SIMATIC S7-200 SMART CPU SR30, SIMATIC S7-200 SMART CPU SR40, SIMATIC S7-200 SMART CPU SR60, SIMATIC S7-200 SMART CPU ST20, SIMATIC S7-200 SMART CPU ST30, SIMATIC S7-200 SMART CPU ST40, SIMATIC S7-200 SMART CPU ST60, SIMATIC S7-300 CPU 314C-2 PN, SIMATIC S7-300 CPU 315-2 PN, SIMATIC S7-300 CPU 315F-2 PN, SIMATIC S7-300 CPU 315T-3 PN, SIMATIC S7-300 CPU 317-2 PN, SIMATIC S7-300 CPU 317F-2 PN, SIMATIC S7-300 CPU 317T-3 PN, SIMATIC S7-300 CPU 317TF-3 PN, SIMATIC S7-300 CPU 319-3 PN, SIMATIC S7-300 CPU 319F-3 PN, SIMATIC S7-400 CPU 412-2 PN V7, SIMATIC S7-400 CPU 414-3 PN, DP V7, SIMATIC S7-400 CPU 414F-3 PN, SIMATIC S7-400 CPU 416-3 PN, SIMATIC S7-400 CPU 416F-3 PN, SIMATIC S7-400 H V6 CPU family, SIMATIC S7-410 V10 CPU family, SIMATIC S7-410 V8 CPU family, SIMATIC TDC CP51M1, SIMATIC TDC CPU555, SIMOCODE pro V Ethernet, IP and SIMOCODE pro V PROFINET. It has been classified as critical. This affects an unknown part of the component TCP Sequence Number Handler. The manipulation with an unknown input leads to a verification of source vulnerability. CWE is classifying the issue as CWE-940. The product establishes a communication channel to handle an incoming request that has been initiated by an actor, but it does not properly verify that the request is coming from the expected origin. This is going to have an impact on availability. The summary by CVE is:
Affected products do not properly enforce TCP sequence number validation in specific scenarios but accept values within a broad range. This could allow an unauthenticated remote attacker e.g. to interfere with connection setup, potentially leading to a denial of service. The attack succeeds only if an attacker can inject IP packets with spoofed addresses at precisely timed moments, and it affects only TCP-based services.
The advisory is shared at cert-portal.siemens.com. This vulnerability is uniquely identified as CVE-2025-40820 since 04/16/2025. The exploitability is told to be easy. It is possible to initiate the attack remotely. No form of authentication is needed for exploitation. Neither technical details nor an exploit are publicly available. The price for an exploit might be around USD $5k-$25k at the moment (estimation calculated on 12/09/2025).
There is no information about possible countermeasures known. It may be suggested to replace the affected object with an alternative product.
The vulnerability is also documented in the vulnerability database at EUVD (EUVD-2025-201923). Several companies clearly confirm that VulDB is the primary source for best vulnerability data.
Product
Type
Vendor
Name
- 0
- 2 HF
- 2A
- 3 HF
- 5A
- AI 8xRTD
- Base Module
- CM 4x IO-Link
- CM 8x IO-Link
- DC
- DI 8x24VDC
- DI 16x24VDC
- DIQ 16x24VDC
- DP
- DP CPU
- DP V7
- DQ 8x24VDC
- IP
- M12-L
- MF Coupler
- Modem Module ST
- PN Coupler
- Rly
- SIDOOR ATD430W
- SIDOOR ATE530G COATED
- SIDOOR ATE530S COATED
- SIMATIC CFU DIQ
- SIMATIC CFU PA
- SIMATIC ET 200AL IM 157-1 PN
- SIMATIC ET 200clean
- SIMATIC ET 200eco PN
- SIMATIC ET 200MP IM 155-5 PN HF
- SIMATIC ET 200pro IM 154-8 PN
- SIMATIC ET 200pro IM 154-8F PN
- SIMATIC ET 200pro IM 154-8FX PN
- SIMATIC ET 200S IM 151-8 PN
- SIMATIC ET 200S IM 151-8F PN
- SIMATIC ET 200SP CPU 1510SP-1 PN
- SIMATIC ET 200SP CPU 1510SP F-1 PN
- SIMATIC ET 200SP CPU 1512SP-1 PN
- SIMATIC ET 200SP CPU 1512SP F-1 PN
- SIMATIC ET 200SP IM 155-6 MF HF
- SIMATIC ET 200SP IM 155-6 PN
- SIMATIC ET 200SP IM 155-6 PN HA
- SIMATIC ET 200SP IM 155-6 PN HF
- SIMATIC PN
- SIMATIC Power Line Booster PLB
- SIMATIC S7-200 SMART CPU CR40
- SIMATIC S7-200 SMART CPU CR60
- SIMATIC S7-200 SMART CPU SR20
- SIMATIC S7-200 SMART CPU SR30
- SIMATIC S7-200 SMART CPU SR40
- SIMATIC S7-200 SMART CPU SR60
- SIMATIC S7-200 SMART CPU ST20
- SIMATIC S7-200 SMART CPU ST30
- SIMATIC S7-200 SMART CPU ST40
- SIMATIC S7-200 SMART CPU ST60
- SIMATIC S7-300 CPU 314C-2 PN
- SIMATIC S7-300 CPU 315-2 PN
- SIMATIC S7-300 CPU 315F-2 PN
- SIMATIC S7-300 CPU 315T-3 PN
- SIMATIC S7-300 CPU 317-2 PN
- SIMATIC S7-300 CPU 317F-2 PN
- SIMATIC S7-300 CPU 317T-3 PN
- SIMATIC S7-300 CPU 317TF-3 PN
- SIMATIC S7-300 CPU 319-3 PN
- SIMATIC S7-300 CPU 319F-3 PN
- SIMATIC S7-400 CPU 412-2 PN V7
- SIMATIC S7-400 CPU 414-3 PN
- SIMATIC S7-400 CPU 414F-3 PN
- SIMATIC S7-400 CPU 416-3 PN
- SIMATIC S7-400 CPU 416F-3 PN
- SIMATIC S7-400 H V6 CPU family
- SIMATIC S7-410 V8 CPU family
- SIMATIC S7-410 V10 CPU family
- SIMATIC S7-1200 CPU 1211C AC
- SIMATIC S7-1200 CPU 1211C DC
- SIMATIC S7-1200 CPU 1212C AC
- SIMATIC S7-1200 CPU 1212C DC
- SIMATIC S7-1200 CPU 1212FC DC
- SIMATIC S7-1200 CPU 1214C AC
- SIMATIC S7-1200 CPU 1214C DC
- SIMATIC S7-1200 CPU 1214FC DC
- SIMATIC S7-1200 CPU 1215C AC
- SIMATIC S7-1200 CPU 1215C DC
- SIMATIC S7-1200 CPU 1215FC DC
- SIMATIC S7-1200 CPU 1217C DC
- SIMATIC S7-1500 CPU 1511-1 PN
- SIMATIC S7-1500 CPU 1511F-1 PN
- SIMATIC S7-1500 CPU 1513-1 PN
- SIMATIC S7-1500 CPU 1513F-1 PN
- SIMATIC S7-1500 CPU 1515-2 PN
- SIMATIC S7-1500 CPU 1515F-2 PN
- SIMATIC S7-1500 CPU 1516-3 PN
- SIMATIC S7-1500 CPU 1516F-3 PN
- SIMATIC TDC CP51M1
- SIMATIC TDC CPU555
- SIMOCODE pro V Ethernet
- SIMOCODE pro V PROFINET
- SINUMERIK 840D sl
- SIPLUS ET 200MP IM 155-5 PN HF
- SIPLUS ET 200MP IM 155-5 PN HF T1 RAIL
- SIPLUS ET 200S IM 151-8 PN
- SIPLUS ET 200S IM 151-8F PN
- SIPLUS ET 200SP CPU 1
- TC
License
Website
- Vendor: https://www.siemens.com/
CPE 2.3
CPE 2.2
CVSSv4
VulDB Vector: 🔒VulDB Reliability: 🔍
CNA CVSS-B Score: 🔒
CNA CVSS-BT Score: 🔒
CNA Vector: 🔒
CVSSv3
VulDB Meta Base Score: 7.5VulDB Meta Temp Score: 7.5
VulDB Base Score: 7.5
VulDB Temp Score: 7.5
VulDB Vector: 🔒
VulDB Reliability: 🔍
CNA Base Score: 7.5
CNA Vector (siemens): 🔒
CVSSv2
| AV | AC | Au | C | I | A |
|---|---|---|---|---|---|
| 💳 | 💳 | 💳 | 💳 | 💳 | 💳 |
| 💳 | 💳 | 💳 | 💳 | 💳 | 💳 |
| 💳 | 💳 | 💳 | 💳 | 💳 | 💳 |
| Vector | Complexity | Authentication | Confidentiality | Integrity | Availability |
|---|---|---|---|---|---|
| Unlock | Unlock | Unlock | Unlock | Unlock | Unlock |
| Unlock | Unlock | Unlock | Unlock | Unlock | Unlock |
| Unlock | Unlock | Unlock | Unlock | Unlock | Unlock |
VulDB Base Score: 🔒
VulDB Temp Score: 🔒
VulDB Reliability: 🔍
Exploiting
Class: Verification of sourceCWE: CWE-940
CAPEC: 🔒
ATT&CK: 🔒
Physical: No
Local: No
Remote: Yes
Availability: 🔒
Status: Not defined
EPSS Score: 🔒
EPSS Percentile: 🔒
Price Prediction: 🔍
Current Price Estimation: 🔒
| 0-Day | Unlock | Unlock | Unlock | Unlock |
|---|---|---|---|---|
| Today | Unlock | Unlock | Unlock | Unlock |
Threat Intelligence
Interest: 🔍Active Actors: 🔍
Active APT Groups: 🔍
Countermeasures
Recommended: no mitigation knownStatus: 🔍
0-Day Time: 🔒
Timeline
04/16/2025 CVE reserved12/09/2025 Advisory disclosed
12/09/2025 VulDB entry created
12/09/2025 VulDB entry last update
Sources
Vendor: siemens.comAdvisory: ssa-915282
Status: Confirmed
CVE: CVE-2025-40820 (🔒)
GCVE (CVE): GCVE-0-2025-40820
GCVE (VulDB): GCVE-100-335121
EUVD: 🔒
Entry
Created: 12/09/2025 12:12Updated: 12/09/2025 16:20
Changes: 12/09/2025 12:12 (74), 12/09/2025 16:20 (1)
Complete: 🔍
Cache ID: 216::103
Several companies clearly confirm that VulDB is the primary source for best vulnerability data.
No comments yet. Languages: en.
Please log in to comment.