LiveActive security incident?Get immediate response
CVE Record

CVE-2020-37216: Hirschmann HiOS EtherNet/IP Stack Denial of Service

Hirschmann HiOS devices versions prior to 08.1.00 and 07.1.01 contain a denial of service vulnerability in the EtherNet/IP stack where improper handling of packet length fields allows remote attackers to crash or hang the device. Attackers can send specially crafted UDP EtherNet/IP packets with a length value larger than the actual packet size to render the device inoperable.

HighCVSS 8.7Not KEV-listedUpdated
Glexia's TakeAutomated analysishigh

Security readout for executives and security teams

Plain-English summary

This issue can let a remote, unauthenticated attacker make affected Hirschmann HiOS network devices crash or hang. For operational technology environments, the business risk is device unavailability and disrupted industrial communications, not data theft or code execution based on the supplied sources.

Executive priority

Treat as high priority for OT environments where device availability matters. Prioritize externally reachable, cross-zone, or production-critical HiOS assets first, because successful exploitation could interrupt operations without requiring attacker credentials.

Technical view

CVE-2020-37216 is a CWE-20 input-validation flaw in the HiOS EtherNet/IP stack. Specially crafted UDP EtherNet/IP traffic with inconsistent packet length fields can render the device inoperable. The supplied CVSS v4.0 score is 8.7, driven by network reachability, low complexity, no privileges, and high availability impact.

Likely exposure

Exposure is most likely where Hirschmann HiOS devices run vulnerable firmware and EtherNet/IP is reachable from untrusted or broad internal networks. Internet exposure or flat OT networks would increase operational risk. The source bundle contains conflicting affected-version metadata, so confirm exact product trains against Belden guidance.

Exploitation context

The bundle states KEV is false and provides no cited evidence of active exploitation. The vulnerability is remotely reachable over the network and does not require authentication, but the documented impact is denial of service. No exploit maturity or weaponized public exploitation is established in the provided sources.

Researcher notes

Do not rely solely on the supplied affected-version list because it appears inconsistent with the description. The description says versions prior to 08.1.00 and 07.1.01 are vulnerable, while the affected array lists greater-than-or-equal entries. Validate against the Belden bulletin and CVE record.

Mitigation direction

  • Inventory Hirschmann HiOS devices and firmware versions.
  • Check Belden bulletin for the correct fixed release per product train.
  • Upgrade affected devices to vendor-recommended fixed firmware.
  • Restrict EtherNet/IP access to trusted OT hosts and segments.
  • Block untrusted network paths to affected management or industrial services.
  • Plan maintenance windows for remediation on production OT networks.

Validation and detection

  • Verify each HiOS device firmware against Belden advisory data.
  • Confirm EtherNet/IP is not reachable from untrusted networks.
  • Review monitoring for unexplained device crashes, hangs, or resets.
  • Validate segmentation rules after remediation.
  • Document exceptions and compensating controls for devices awaiting upgrade.
Prepared
Confidence
medium
Sources
4

Generated from the cited source records. This long-tail analysis has not been individually reviewed by a named human.

Potential ATT&CK relevance

Conservative CVE-to-ATT&CK context

These mappings and lookup hints may be relevant to the vulnerability behavior, CWE, affected product, or exposure path. Glexia-inferred context is not an official MITRE, ATT&CK, CWE, or CVE Program mapping.

ATT&CK lookup starting points

Use these exact CWE pages and searches to review the Glexia ATT&CK library from this CVE's weakness and description context.

cwe · low confidence lookup

CWE-20: Exact CWE lookup

Use the exact CWE identifier as the starting point before reviewing related ATT&CK behavior. Open the exact CWE lookup page first, then review the ATT&CK searches from that MITRE weakness context. This is a Glexia lookup hint, not an official ATT&CK mapping.

Open ATT&CK lookup
cve · low confidence lookup

CVE-2020-37216 mapping review

Open the CVE-to-ATT&CK bridge for reviewed, inferred, or future official mappings tied to this CVE.

Open ATT&CK lookup
Vulnerability profileCVE Program record
Severity
High
CVSS
8.7 (4.0)
Known Exploited
No
Published

Vector: CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N

Official CVE source material

CNA and ADP enrichment extracted from CVE v5

These fields come from the CVE record and ADP containers, not from Glexia's Take. They preserve time-varying source decisions such as CISA SSVC, KEV status, CVSS metrics, and provider references.

2CVSS vectors
3Timeline events
1ADP providers
3Source links

SSVC decision data

CISA-ADPCISA Coordinator
Timestamp
Version
2.0.3
Exploitation: noneAutomatable: yesTechnical Impact: partial

CVSS vector scores

2 official scores

We collect every scored CVSS vector available in the official CNA and ADP containers. When more than one version is present, the table keeps the source vectors side by side instead of collapsing them into the highest score.

ScoreVersionSeverityVectorExploitImpactSource
8.7CVSS 4.0HighCVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:NVulnCheck
7.5CVSS 3.1HighCVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H3.93.6VulnCheck

Vulnerability scoring details

Base CVSS 4.0 score

8.7High
CVSS 4.0 vector shape for CVE-2020-37216Attack VectorAttack ComplexityAttack RequirementsPrivileges RequiredUser InteractionVS ConfidentialityVS IntegrityVS AvailabilitySS ConfidentialitySS IntegritySS Availability

Vector: CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N

Attack Vector
NetworkAdjacentLocalPhysical
Attack Complexity
LowHigh
Attack Requirements
NonePresent
Privileges Required
NoneLowHigh
User Interaction
NonePassiveActive
VS Confidentiality
HighLowNone
VS Integrity
HighLowNone
VS Availability
HighLowNone
SS Confidentiality
HighLowNone
SS Integrity
HighLowNone
SS Availability
HighLowNone

Vulnerability timeline

Timeline events are normalized from CVE metadata, CNA source timelines, ADP timelines, and KEV metadata when present.

  1. CVE reservedCVE Program

    The CVE ID was reserved by the assigning CNA.

  2. CVE publishedCVE Program

    The CVE record was published.

  3. CVE updatedCVE Program

    The CVE record metadata indicates this as the latest update time.

ADP provider summaries

CISA-ADPCISA ADP Vulnrichment
other:ssvc
Affected products

Products and packages named in the record

VendorProductVersion / packageStatus
BeldenHirschmann HiOS>= 08.1.00, >= 07.1.01, 05.00.00affected
Weakness

CWE details

CWE links open Glexia weakness intelligence pages with official CWE context, developer remediation guidance, and related CVE mappings.

CWE-20 · source CWE mapping

Improper Input Validation

Improper Input Validation represents a recurring weakness pattern that can create exploitable paths when design, validation, or implementation controls are missing.