diff --git a/packages/cc/src/cc/Security2CC.ts b/packages/cc/src/cc/Security2CC.ts
index ea735f517e80..dce0c6b918ba 100644
--- a/packages/cc/src/cc/Security2CC.ts
+++ b/packages/cc/src/cc/Security2CC.ts
@@ -2086,6 +2086,7 @@ export class Security2CCKEXSet extends Security2CC {
 super(host, options);
 if (gotDeserializationOptions(options)) {
 validatePayload(this.payload.length >= 4);
+ this._reserved = this.payload[0] & 0b1111_1100;
 this.permitCSA = !!(this.payload[0] & 0b10);
 this.echo = !!(this.payload[0] & 0b1);
 // The bit mask starts at 0, but bit 0 is not used
@@ -2108,6 +2109,7 @@ export class Security2CCKEXSet extends Security2CC {
 SecurityClass.S2_Unauthenticated,
 );
 } else {
+ this._reserved = 0;
 this.permitCSA = options.permitCSA;
 this.echo = options.echo;
 this.selectedKEXScheme = options.selectedKEXScheme;
@@ -2116,6 +2118,7 @@ export class Security2CCKEXSet extends Security2CC {
 }
 }
+ public readonly _reserved: number;
 public permitCSA: boolean;
 public echo: boolean;
 public selectedKEXScheme: KEXSchemes;
diff --git a/packages/zwave-js/src/lib/controller/Controller.ts b/packages/zwave-js/src/lib/controller/Controller.ts
index afd143baee4f..7b7036b4558d 100644
--- a/packages/zwave-js/src/lib/controller/Controller.ts
+++ b/packages/zwave-js/src/lib/controller/Controller.ts
@@ -3563,6 +3563,15 @@ export class ZWaveController
 });
 await abort(KEXFailType.WrongSecurityLevel);
 return SecurityBootstrapFailure.NodeCanceled;
+ } else if (kexSetEcho._reserved !== 0) {
+ this.driver.controllerLog.logNode(node.id, {
+ message:
+ `Security S2 bootstrapping failed: Invalid KEXSet received`,
+ direction: "inbound",
+ level: "warn",
+ });
+ await abort(KEXFailType.WrongSecurityLevel);
+ return SecurityBootstrapFailure.NodeCanceled;
 } else if (
 !kexSetEcho.isEncapsulatedWith(
 CommandClasses["Security 2"],
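Review bot: The added line `this._reserved = this.payload[0] & 0b1111_1100;` carries no comment saying why the reserved bits are kept or that the value is stored unshifted. I would put `// Keep reserved bits 7..2 (unshifted) so callers can reject frames that set them` above it. The declaration in the third hunk of this file needs the matching TSDoc, e.g. `/** @internal Reserved bits of the first payload byte; always 0 for frames created locally */`, because a `public readonly` field with an underscore prefix is still part of the class's public surface. The constructor begins and ends outside these hunks.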
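Review bot: The new `kexSetEcho._reserved !== 0` branch logs only the generic text `Invalid KEXSet received`, so someone investigating a failed or tampered S2 inclusion cannot tell from the log that reserved bits were the cause or what value arrived. I would make the message specific, for example ``Security S2 bootstrapping failed: KEXSet echo has reserved bits set (0b${kexSetEcho._reserved.toString(2)})``. Only the echo is checked in the visible lines; if the initial KEX Set is not held to the same rule elsewhere, it would be worth validating it too so both frames are treated consistently. The surrounding if/else chain and its function start and end outside the hunk.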