Siemens has republished a security advisory warning that a pair of integer overflow vulnerabilities in the IPsec implementation embedded in its industrial networking products could allow a remote attacker to trigger denial-of-service (DoS) conditions, potentially knocking production networks offline. The flaws, tracked as CVE-2021-41990 and CVE-2021-41991 and rated 7.5 on the CVSS scale, impact dozens of SIMATIC, SCALANCE, RUGGEDCOM and SINEMA devices that form the backbone of many factory and utility communications.
What Changed: The Vulnerabilities at a Glance
The bugs reside in strongSwan, an open-source IPsec VPN package that Siemens bundles into the firmware of many OT networking modules. Both were fixed upstream in strongSwan version 5.9.4, released in 2021, but patches for the Siemens hardware have been rolling out gradually through firmware updates.
CVE-2021-41990 is a remote integer overflow in the gmp plugin when processing a crafted certificate with an RSASSA-PSS signature. An attacker can send a specially formed certificate—even a self-signed CA certificate—during the IPsec handshake and crash the service. Siemens’ advisory says remote code execution is not possible from this vector.
CVE-2021-41991 stems from incorrect handling of the in-memory certificate cache. When an attacker bombards the device with many connection requests, each bearing a different certificate, the cache fills and triggers a replacement algorithm that can wrap a counter, leading to memory corruption or service termination. While the primary impact is DoS, the advisory warns that remote code execution “cannot be excluded completely,” though exploiting it would require precise control over dereferenced memory, making it very unlikely.
Both flaws are remotely exploitable without authentication and have low attack complexity, earning them a CVSS base score of 7.5 (AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H)—a high severity rating driven entirely by the availability impact.
Affected Products and Required Firmware Versions
The advisory lists more than 30 distinct SKUs. Here is a condensed view of the main product families and the firmware thresholds that close the vulnerabilities:
| Product Family | Affected Models (Examples) | Fixed Firmware |
|---|---|---|
| SCALANCE M-800 series (M804PB, M812, M816, M826, M874, M876, MUM853, MUM856) | 6GK5804-0AP00-2AA2, many others | V7.1 or later |
| RUGGEDCOM RM1224 LTE | 6GK6108-4AM00-2BA2 (EU), -2DA2 (NAM) | V7.1 or later |
| SCALANCE S615 | 6GK5615-0AA00-2AA2 | V7.1 or later |
| SIMATIC CP 1242-7 V2, CP 1243-1, CP 1243-7, CP 1243-8 | 6GK7242-7KX31-0XE0, etc. | V3.3.46 or later |
| SIMATIC CP 1542SP-1, CP 1543-1, CP 1543SP-1 | 6GK7542-6UX00-0XE0, etc. | V2.2.28 or later |
| SIMATIC CP 1545-1 | 6GK7545-1GX00-0XE0 | V1.1 or later |
| SINEMA Remote Connect Server | – | V3.1 or later |
| SCALANCE SC6xx (SC622-2C, SC632-2C, SC636-2C, SC642-2C, SC646-2C) | 6GK5622-2GS00-2AC2, etc. | V2.3 or later |
| SIPLUS variants of the above SIMATIC CP modules | Various | Same as corresponding SIMATIC CP |
Note that not all CVEs apply equally to every model. The advisory shows that CVE-2021-41991 affects the entire list, while CVE-2021-41990 applies to devices running the IPsec stack, which is most of them. Check your exact part number against the full advisory (SSA-539476) published by Siemens ProductCERT.
What’s at Stake for Your Operations
For plant operators, system integrators, and IT/OT teams, a successful DoS attack against these devices can have immediate operational consequences. Many of the affected products act as industrial routers, protocol converters, remote access servers, or cellular gateways that connect production cells to centralised SCADA systems. If an attacker crashes one, telemetry stops flowing, remote diagnostics go dark, and manual intervention may be required—potentially leading to safety incidents or costly production downtime.
The risk is highest for devices that are directly reachable from the internet—for example, an LTE router in a remote pumping station. But internal attackers or malware that pivots from the corporate network can also hit vulnerable IPsec endpoints behind firewalls if network segmentation is weak.
While the advisory emphasises that remote code execution is not expected for CVE-2021-41990 and is very unlikely for CVE-2021-41991, DoS alone is serious in OT. A denial of service can disable safety interlocks, freeze operator HMIs, or force a process into a safe-state shutdown. Moreover, as exploitation techniques evolve, a bug that today only crashes a process could later be chained with another to achieve deeper compromise. The advisory’s own language—“remote code execution cannot be excluded completely”—keeps that door slightly open.
How We Got Here
The timeline tells a familiar story. strongSwan patched the underlying code in version 5.9.4 back in 2021. Siemens incorporated those fixes into its own firmware builds and began issuing bulletins shortly after. Yet as is common in industrial environments, many operators have not yet applied the patches, often because the devices are remote, hard to take offline, or managed by third-party service contracts that move slowly.
CISA’s republication of the advisory this September (ICSA-25-259-03) is a reminder that these vulnerabilities remain dangerous in the real world. The agency also used the bulletin to reiterate an important policy shift: since January 10, 2023, CISA no longer updates Siemens product advisories beyond the initial notification. That means organisations that relied on CISA’s ICS advisory feeds for ongoing Siemens updates are out of date. The only authoritative source for current fixes and any future revision to the impact assessment is Siemens’ own ProductCERT, specifically security advisory SSA-539476.
What to Do Now: Patching, Workarounds, and Monitoring
Operators should treat this advisory as a time-sensitive operational matter. Below is a prioritised list of actions, moving from immediate risk reduction to longer-term resilience.
1. inventory your devices immediately
Match your asset inventory against the list of affected SKUs in the advisory. Record the current firmware version of every in-scope device. The full SKU list is long; if you lack a solid inventory, prioritise devices that terminate IPsec VPNs or are used as remote-access gateways.
2. restrict network exposure
While you plan firmware updates, apply strict firewall rules to prevent any vulnerable device from accepting IPsec connections from untrusted sources. If the device does not need to be reachable from the internet, remove public-facing NAT rules or place it behind a VPN gateway you control. Segment OT network segments so that even an internal compromise cannot easily reach the vulnerable IPsec endpoints.
3. apply workarounds where patches can’t be deployed immediately
For SIMATIC CP families (CP 1242-7 V2, CP 1243-1, CP 1243-7, CP 1243-8, CP 1545-1, and their SIPLUS variants), the advisory recommends deploying only certificates that were created with TIA Portal. This reduces the attack surface by limiting the certificates the device will process during IPsec negotiation. Enable the workaround as soon as possible if you rely on these modules.
For other devices, ensure that IPsec peers are restricted to known, trusted endpoints, and consider using certificate-based mutual authentication with your own internal PKI, keeping certificate lifetimes short.
4. schedule and test firmware updates
Plan a phased rollout:
- Start with the most exposed devices (internet-facing or directly connecting remote field sites).
- Test the firmware in a lab or staging environment that mirrors your production setup. Verify that IPsec tunnels re-establish, telemetry resumes, and management tools still work as expected.
- For SCALANCE M-800, RUGGEDCOM RM1224, and SCALANCE S615, update to V7.1 or later.
- For SIMATIC CP 1542SP-1 variants, update to V2.2.28 or later; for CP 1242-7 V2 and CP 1243-1 families, to V3.3.46; for CP 1545-1, to V1.1.
- SINEMA Remote Connect Server should be brought to V3.1 or later.
- SCALANCE SC6xx models require V2.3 or later.
Aim to complete critical patches within 30–60 days, with a hard deadline of 90 days for lower-risk indoor devices.
5. enhance detection and monitoring
Deploy network monitoring rules that alert on:
- A sudden spike in IPsec handshake attempts from a single source IP.
- Repeated certificate exchanges involving unique certificates over a short time window.
- Unexpected restarts or process crashes of the IPsec daemon on affected devices.
Integrate these alerts into your SOC workflow so that an attempted DoS attack triggers an immediate containment playbook.
Outlook: What to Watch Next
Siemens’ ProductCERT will remain the sole source for any future updates to this advisory—such as a discovery of active exploitation or a revised impact analysis that elevates the risk of remote code execution. Bookmark the SSA-539476 page and subscribe to the CERT Services feed. Organisations that treat this as a one-time patch event risk missing critical follow-ups.
More broadly, the advisory underscores a persistent truth in OT security: vulnerabilities in shared, open-source components (like strongSwan) ripple across many vendors’ product lines, and the long tail of unpatched devices can linger for years. Robust vulnerability management—built on accurate asset inventories, automated firmware tracking, and well-rehearsed patching procedures—is the only durable defence.