OTPulse

ICSA-19-099-02 Siemens Spectrum Power 4.7

Act Now · CVSS 10 · ICS-CERT ICSA-19-099-02 · Apr 9, 2019
Attack Vector: Network
Auth Required: None
Complexity: Low
User Interaction: None needed
Summary

Siemens Spectrum Power 4 with Web Office Portal contains a command injection vulnerability (CWE-77) in the web server. An attacker can send a specially crafted request to execute arbitrary commands on the affected device without authentication. This affects power system configuration and grid management operations. Siemens has released bugfix bf-47456_PE_WOP_fix to address the vulnerability.

What this means
What could happen
An attacker could execute arbitrary commands on the Spectrum Power 4 web server, potentially altering power system configuration, disrupting grid management operations, or causing widespread power outages if critical functions are compromised.
Who's at risk
Operators and engineers at electric utilities and energy companies who manage power distribution and substation control using Siemens Spectrum Power 4 with Web Office Portal. This includes grid operators, network technicians, and remote monitoring staff.
How it could be exploited
An attacker on the network (or internet if the web server is exposed) sends a specially crafted request to the Web Office Portal. The request exploits a command injection vulnerability (CWE-77) to execute arbitrary commands on the server without authentication. No special configuration or credentials are required.
Prerequisites
  • Internet or network access to the Spectrum Power 4 Web Office Portal (port 80 or 443)
  • Web Office Portal enabled and accessible
remotely exploitable · no authentication required · low complexity · critical CVSS score (10.0) · affects grid management and power distribution systems
Exploitability
Moderate exploit probability (EPSS 1.3%)
Affected products (1)
Product | Affected Versions | Fix Status
Spectrum Power 4 | with Web Office Portal | No fix yet
Remediation & Mitigation
Do now
WORKAROUND: Disable the web server on Spectrum Power 4 if it is not required for operations
WORKAROUND: Restrict access to the Web Office Portal with external firewall rules to limit connections to authorized management stations only
Schedule — requires maintenance window

Patching may require device reboot — plan for process interruption

HOTFIX: Install Siemens bugfix bf-47456_PE_WOP_fix from Siemens Energy Customer Support Center (support.energy@siemens.com)
Long-term hardening
HARDENING: Segment power management networks from the business network and ensure Spectrum Power 4 is not reachable from the internet
HARDENING: Implement VPN with strong authentication for any required remote access to Spectrum Power 4 management functions