Severity: High

TCP Sequence Number Validation Bypass in Siemens Interniche IP-Stack

Identifiers: CVE-2025-40820, CWE-940 (Improper Verification of Source of…)

CVE-2025-40820 is a high-severity flaw in the Siemens Interniche IP-Stack used by multiple Siemens industrial products. The issue stems from improper enforcement of TCP sequence number validation in specific scenarios, where the stack accepts sequence numbers within an overly broad range instead of strictly validating them. This weakness can allow an unauthenticated remote attacker to inject spoofed IP packets and interfere with TCP connection setup. The vulnerability affects TCP-based services and can be exploited without authentication, but successful exploitation requires the attacker to send spoofed packets at precisely timed moments during the TCP exchange. The primary consequence described in the available advisories is disruption of connection establishment leading to denial of service.
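
To make "strictly validating" concrete, the following added example (not taken from Siemens, the Interniche code, or the advisories) implements the standard RFC 9293 segment acceptability test with wraparound-safe arithmetic. Beside it is `loose_acceptable`, a hypothetical overly broad check constructed only for contrast, since the page does not describe the actual flawed logic. All function names and sample values are assumptions.

```c
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>

/* Sequence numbers live in a 32-bit circular space, so compare by signed
   difference rather than with plain < and <=. */
static bool seq_lt(uint32_t a, uint32_t b)  { return (int32_t)(a - b) < 0; }
static bool seq_leq(uint32_t a, uint32_t b) { return (int32_t)(a - b) <= 0; }

/* True when s lies in the receive window [rcv_nxt, rcv_nxt + rcv_wnd). */
static bool in_window(uint32_t rcv_nxt, uint32_t rcv_wnd, uint32_t s)
{
    return seq_leq(rcv_nxt, s) && seq_lt(s, rcv_nxt + rcv_wnd);
}

/* Segment acceptability test as specified in RFC 9293. */
bool seg_acceptable(uint32_t rcv_nxt, uint32_t rcv_wnd,
                    uint32_t seg_seq, uint32_t seg_len)
{
    if (seg_len == 0)
        return rcv_wnd == 0 ? seg_seq == rcv_nxt
                            : in_window(rcv_nxt, rcv_wnd, seg_seq);
    if (rcv_wnd == 0)
        return false;                 /* no data accepted into a zero window */
    return in_window(rcv_nxt, rcv_wnd, seg_seq) ||
           in_window(rcv_nxt, rcv_wnd, seg_seq + seg_len - 1);
}

/* HYPOTHETICAL loose check, constructed for contrast only: accepts anything
   not behind rcv_nxt, i.e. half of the 32-bit sequence space. */
bool loose_acceptable(uint32_t rcv_nxt, uint32_t seg_seq)
{
    return seq_leq(rcv_nxt, seg_seq);
}

int main(void)
{
    /* Constructed receiver state: window straddles the 2^32 wrap. */
    uint32_t rcv_nxt = 0xFFFFF000u, rcv_wnd = 0x2000u;
    uint32_t probes[] = { 0x00000800u, 0x00001000u, 0x10000000u };
    for (int i = 0; i < 3; i++)
        printf("seq=0x%08X strict=%d loose=%d\n", (unsigned)probes[i],
               seg_acceptable(rcv_nxt, rcv_wnd, probes[i], 0),
               loose_acceptable(rcv_nxt, probes[i]));
    return 0;
}
```

With the constructed 8 KiB window, the strict test accepts 8192 of the 2^32 possible sequence values, while the hypothetical loose variant accepts 2^31 of them, which is why the breadth of the accepted range determines how feasible blind spoofing is.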


ANALYST BRIEF

Impact, mitigation & remediation

What it means. What to do now. Patch path, mitigations, and the assume-compromise checklist.

Impact

What an attacker gets, and what they’ve been doing with it.

Successful exploitation can allow an unauthenticated remote attacker to disrupt TCP connection establishment for affected TCP-based services, resulting in denial of service. Available information indicates no direct confidentiality or integrity impact, but availability impact is high because the attacker may interfere with communications relied upon by affected Siemens industrial devices and services.

Mitigation

If you can’t patch tonight, do this now.

Where patching is not immediately possible, reduce exposure of affected devices and TCP-based services to untrusted networks. Siemens and CISA recommend minimizing network exposure, isolating control system networks, and applying defense-in-depth controls. Limit TCP accessibility to trusted IP addresses where possible, use network segmentation, and require secure remote access methods such as VPNs rather than direct Internet exposure. Additional mitigations mentioned in the supporting content include filtering or blocking spoofed IP packets, monitoring for anomalous network traffic, and in some Siemens deployments disabling Ethernet ports on the CPU and using communication modules where applicable.

Remediation

Patch, then assume compromise.

Apply Siemens vendor updates for affected products where fixes are available. Siemens has released new versions for several affected products and is preparing additional fixes for others. For products that remain supported, organizations should follow the Siemens ProductCERT advisory and upgrade to the recommended fixed versions. For legacy or unsupported products where no fix is planned, remediation is currently not available from the vendor.

PUBLIC EXPLOITS

Exploits

No public exploit code observed for this vulnerability.
