CVE-2015-5374
Published 2015-07-18
Priority: P1 · 80 · high
CVSS 2.0: 7.8 (AV:N/AC:L/Au:N/C:N/I:N/A:C)
ITW · EXPLOIT · VulnCheck KEV
Exploited in the wild
EPSS: 74.50% (99.4th percentile)
A vulnerability has been identified in Firmware variant PROFINET IO for EN100 Ethernet module: All versions < V1.04.01; Firmware variant Modbus TCP for EN100 Ethernet module: All versions < V1.11.00; Firmware variant DNP3 TCP for EN100 Ethernet module: All versions < V1.03; Firmware variant IEC 104 for EN100 Ethernet module: All versions < V1.21; EN100 Ethernet module included in SIPROTEC Merging Unit 6MU80: All versions < 1.02.02. Specially crafted packets sent to port 50000/UDP could cause a denial-of-service of the affected device. A manual reboot may be required to recover the service of the device.
Affected
1 ranges
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| siemens | siprotec_firmware | — | — |
Detection & IOCs (extracted from sources)
Bytes:
11 49 00 00 00 00 00 00 00 00 00 00 00 00 00 00 28 9E
- Nessus Network Monitor signature PRM #700132 (Siemens SIPROTEC DoS, SCADA) can be used to passively detect exploitation attempts for CVE-2015-5374.
- Check Point published an IPS signature providing virtual patching for the Siemens SIPROTEC DoS vulnerability (CVE-2015-5374); deploy it to block CrashOverride/Industroyer exploitation of this flaw.
- The vulnerability affects multiple EN100 firmware variants; ensure all are accounted for when scoping detection: PROFINET IO (<V1.04.01), Modbus TCP (<V1.11.00), DNP3 TCP (<V1.03), IEC 104 (<V1.21), and SIPROTEC Merging Unit 6MU80 (<1.02.02).
- A successful DoS attack may require a manual reboot to restore device service; automated recovery should not be assumed.
- The exploit targets EN100 Ethernet module firmware version V4.24 or prior on SIPROTEC 4 and SIPROTEC Compact devices; V4.25 and later are not affected.
CVSS provenance
nvd: v2.0 · 7.8 HIGH · AV:N/AC:L/Au:N/C:N/I:N/A:C
vulncheck: 7.8 HIGH
CISA ICS
Siemens SIPROTEC Denial-of-Service Vulnerability
cisa_ics·2018-08-27
ICS Advisory
Last Revised: August 27, 2018
Alert Code: ICSA-15-202-01
## OVERVIEW
Siemens has identified a denial-of-service vulnerability in the SIPROTEC 4 and SIPROTEC Compact devices. This vulnerability was reported directly to Siemens by Victor Nikitin from i‑Grids LLC Russia. Siemens has produced a new firmware update to mitigate this vulnerability.
This vulnerability could be exploited remotely.
## AFFECTED PRODUCTS
Siemens reports that the vulnerability affects the following versions:
- SIPROTEC 4 and SIPROTEC Compact product families
CISA ICS
Siemens SIPROTEC 4 and SIPROTEC Compact (Update F)
cisa_ics·2018-01-04
ICS Advisory
Last Revised: March 20, 2018
Alert Code: ICSA-17-187-03F
## CVSS v3 8.6
ATTENTION: Remotely exploitable/low skill level to exploit.
Vendor: Siemens
Equipment: SIPROTEC 4 and SIPROTEC Compact
Vulnerabilities: Improper Input Validation, Missing Authorization, Improper Authentication
## UPDATE INFORMATION
This updated advisory is a follow-up to the updated advisory titled ICSA-17-187-03E Siemens SIPROTEC 4 and SIPROTEC Compact that was published January 4, 2018, on the NCCIC/ICS-CERT website.
## AFFECTED PRODUCTS
Siemens reports
GHSA
GHSA-26f6-7cv9-7mh6: A vulnerability has been identified in Firmware variant PROFINET IO for EN100 Ethernet module : All versions < V1
ghsa_unreviewed·2022-05-14
CVE-2015-5374 [HIGH] GHSA-26f6-7cv9-7mh6: A vulnerability has been identified in Firmware variant PROFINET IO for EN100 Ethernet module : All versions < V1
VulnCheck
PROFINET IO for EN100 Ethernet Module Denial of Service
vulncheck·2015·CVSS 7.8
CVE-2015-5374 [HIGH] PROFINET IO for EN100 Ethernet Module Denial of Service
Affected: Siemens siprotec_firmware
Required Action: Apply remediations or mitigations per vendor instructions or discontinue
Suricata
ET EXPLOIT Win32/Industroyer DDOS Siemens SIPROTEC (CVE-2015-5374)
suricata·2017-06-12·CVSS 7.8
CVE-2015-5374 [HIGH] ET EXPLOIT Win32/Industroyer DDOS Siemens SIPROTEC (CVE-2015-5374)
Rule: alert udp any any -> $HOME_NET 50000 (msg:"ET EXPLOIT Win32/Industroyer DDOS Siemens SIPROTEC (CVE-2015-5374)"; dsize:18; content:"|11 49 00 00 00 00 00 00 00 00 00 00 00 00 00 00 28 9E|"; fast_pattern; reference:url,www.welivesecurity.com/wp-content/uploads/2017/06/Win32_Industroyer.pdf; classtype:attempted-dos; sid:2024376; rev:3; metadata:attack_target Client_and_Server, created_at 2017_06_12, cve CVE_2015_5374, deployment Perimeter, deployment Internal, performance_impact Low, confidence High, signature_severity Major, updated_at 2020_08_19;)
Exploit-DB
Siemens SIPROTEC 4 and SIPROTEC Compact EN100 Ethernet Module < 4.25 - Denial of Service
exploitdb·2018-02-16·CVSS 7.8
CVE-2015-5374 [HIGH] Siemens SIPROTEC 4 and SIPROTEC Compact EN100 Ethernet Module < 4.25 - Denial of Service
---
# Exploit Title: Siemens SIPROTEC 4 and SIPROTEC Compact EN100 Ethernet Module < V4.25 - Denial of Service
# Date: 14.02.2018
# Exploit Author: M. Can Kurnaz
# Contact: https://twitter.com/0x43414e
# Vendor Homepage: https://www.siemens.com
# Version: All devices that include the EN100 Ethernet module version V4.24 or prior.
# Tested on: Siemens SIPROTEC 4 (multiple versions < V4.25).
# CVE : CVE-2015-5374
# Vulnerability Details:
# https://www.cvedetails.com/cve/CVE-2015-5374/
# https://ics-cert.us-cert.gov/advisories/ICSA-15-202-01
#!/usr/bin/env python
import socket
import sys
print('CVE-2015-5374 Siemens SIPROTEC 4 and SIPROTEC Compact EN100 Ethernet Module < V4.25 - Denial of Service')
i
Metasploit
Siemens SIPROTEC 4 and SIPROTEC Compact EN100 Ethernet Module - Denial of Service
metasploit·CVSS 7.8
CVE-2015-5374 [HIGH] Siemens SIPROTEC 4 and SIPROTEC Compact EN100 Ethernet Module - Denial of Service
This module sends a specially crafted packet to port 50000/UDP causing a denial of service of the affected (Siemens SIPROTEC 4 and SIPROTEC Compact < V4.25) devices. A manual reboot is required to return the device to service. CVE-2015-5374 and a CVSS v2 base score of 7.8 have been assigned to this vulnerability.
arXiv
An Evidence-Driven Analysis of Threat Information Sharing Challenges for Industrial Control Systems and Future Directions
arxiv_fulltext·2026-01-27
## Abstract
The increasing cyber threats to critical infrastructure highlight the importance of private companies and government agencies in detecting and sharing information about threat activities.
Although the need for improved threat information sharing is widely recognized, various technical and organizational challenges persist, hindering effective collaboration.
In this study, we review the challenges that disturb the sharing of usable threat information to critical infrastructure operators within the ICS domain.
We analyze three major incidents: Stuxnet, Industroyer, and Triton.
In addition, we perform a systematic analysis of 196 procedure examples across 79 MITRE ATT&CK® techniques from 22 ICS-related malware families, utilizing automated natural language processing techniques t
arXiv
On the Validity of Traditional Vulnerability Scoring Systems for Adversarial Attacks against LLMs
arxiv_fulltext·2024-12-28
Authors: Atmane Ayoub MANSOUR BAHAR (corresponding author; Research Assistant, Algiers, Algeria) and Ahmad Samer WAZAN (College of Technological Innovation Zayed University, Abu Dhabi, United Arab Emirates)
## Abstract
Purpose - This research investigates the effectiveness of established vulnerability metrics, such as the Common Vulnerability Scoring System (CVSS), in evaluating attacks on Large Language Models (LLMs), with a focus on Adversarial Attacks (AAs). The study explores the influence of both general and specific metric factors in determin
Tenable
Securing Industrial Control Systems Against Vulnerabilities and Malware
blogs_tenable·2017-06-22
Mehul Revankar
June 22, 2017
Recently, a new threat dubbed Industroyer or CrashOverride was identified as the malware that was used in the 2016 attack on the Ukraine electric grid. Many pros are calling Industroyer the biggest threat to hit industrial control systems (ICS) since Stuxnet. However, Industroyer’s significance as a single event is relatively small because there are no zero days in the Industroyer payload.
Malware like Industroyer is the new normal
Security for critical infrastructure is a matter of national security and unfortunately, malware like Industroyer is the new normal. Multiple smaller attacks could easily add up to a disruptive event. Instead of
Checkpoint
CrashOverride
blogs_checkpoint·2017-06-21·CVSS 7.8
CVE-2015-5374 [HIGH] CrashOverride
## CrashOverride
On June 20th Check Point published an IPS signature providing virtual patching for the Siemens SIPROTEC DoS vulnerability. This IPS signature can help protect against a new
- http://www.securityfocus.com/bid/75948
- http://www.siemens.com/innovation/pool/de/forschungsfelder/siemens_security_advisory_ssa-732541.pdf
- https://ics-cert.us-cert.gov/advisories/ICSA-15-202-01
- https://ics-cert.us-cert.gov/advisories/ICSA-17-187-03
- https://www.exploit-db.com/exploits/44103/
- https://www.siemens.com/cert/pool/cert/siemens_security_advisory_SSA-323211.pdf