CVE-2020-37216: Hirschmann HiOS EtherNet/IP Stack Denial of Service
Hirschmann HiOS devices versions prior to 08.1.00 and 07.1.01 contain a denial of service vulnerability in the EtherNet/IP stack where improper handling of packet length fields allows remote attackers to crash or hang the device. Attackers can send specially crafted UDP EtherNet/IP packets with a length value larger than the actual packet size to render the device inoperable.
Security readout for executives and security teams
Plain-English summary
This issue can let a remote, unauthenticated attacker make affected Hirschmann HiOS network devices crash or hang. For operational technology environments, the business risk is device unavailability and disrupted industrial communications, not data theft or code execution based on the supplied sources.
Executive priority
Treat as high priority for OT environments where device availability matters. Prioritize externally reachable, cross-zone, or production-critical HiOS assets first, because successful exploitation could interrupt operations without requiring attacker credentials.
Technical view
CVE-2020-37216 is a CWE-20 input-validation flaw in the HiOS EtherNet/IP stack. Specially crafted UDP EtherNet/IP traffic with inconsistent packet length fields can render the device inoperable. The supplied CVSS v4.0 score is 8.7, driven by network reachability, low complexity, no privileges, and high availability impact.
Likely exposure
Exposure is most likely where Hirschmann HiOS devices run vulnerable firmware and EtherNet/IP is reachable from untrusted or broad internal networks. Internet exposure or flat OT networks would increase operational risk. The source bundle contains conflicting affected-version metadata, so confirm exact product trains against Belden guidance.
Exploitation context
The bundle states KEV is false and provides no cited evidence of active exploitation. The vulnerability is remotely reachable over the network and does not require authentication, but the documented impact is denial of service. No exploit maturity or weaponized public exploitation is established in the provided sources.
Researcher notes
Do not rely solely on the supplied affected-version list because it appears inconsistent with the description. The description says versions prior to 08.1.00 and 07.1.01 are vulnerable, while the affected array lists greater-than-or-equal entries. Validate against the Belden bulletin and CVE record.
Mitigation direction
Inventory Hirschmann HiOS devices and firmware versions.
Check Belden bulletin for the correct fixed release per product train.
Upgrade affected devices to vendor-recommended fixed firmware.
Restrict EtherNet/IP access to trusted OT hosts and segments.
Block untrusted network paths to affected management or industrial services.
Plan maintenance windows for remediation on production OT networks.
Validation and detection
Verify each HiOS device firmware against Belden advisory data.
Confirm EtherNet/IP is not reachable from untrusted networks.
Review monitoring for unexplained device crashes, hangs, or resets.
Validate segmentation rules after remediation.
Document exceptions and compensating controls for devices awaiting upgrade.
Generated from the cited source records. This long-tail analysis has not been individually reviewed by a named human.
Potential ATT&CK relevance
Conservative CVE-to-ATT&CK context
These mappings and lookup hints may be relevant to the vulnerability behavior, CWE, affected product, or exposure path. Glexia-inferred context is not an official MITRE, ATT&CK, CWE, or CVE Program mapping.
ATT&CK lookup starting points
Use these exact CWE pages and searches to review the Glexia ATT&CK library from this CVE's weakness and description context.
cwe · low confidence lookup
CWE-20: Exact CWE lookup
Use the exact CWE identifier as the starting point before reviewing related ATT&CK behavior. Open the exact CWE lookup page first, then review the ATT&CK searches from that MITRE weakness context. This is a Glexia lookup hint, not an official ATT&CK mapping.
These fields come from the CVE record and ADP containers, not from Glexia's Take. They preserve time-varying source decisions such as CISA SSVC, KEV status, CVSS metrics, and provider references.
We collect every scored CVSS vector available in the official CNA and ADP containers. When more than one version is present, the table keeps the source vectors side by side instead of collapsing them into the highest score.
CWE links open Glexia weakness intelligence pages with official CWE context, developer remediation guidance, and related CVE mappings.
CWE-20 · source CWE mapping
Improper Input Validation
Improper Input Validation represents a recurring weakness pattern that can create exploitable paths when design, validation, or implementation controls are missing.