Siemens SPPA-T3000 (Update A)
Act Now · 9.8 · ICS-CERT ICSA-19-351-02 · Dec 10, 2019
Attack Vector: Network
Auth Required: None
Complexity: Low
User Interaction: None needed
Summary
SPPA-T3000 Application Server and MS3000 Migration Server contain multiple vulnerabilities including unsafe deserialization (CWE-502), weak input validation (CWE-20), and insecure file upload (CWE-434) that can allow remote code execution. The Application Server listens on multiple ports (80, 8090, 8095, 8080, 1099, 5010, 8888, 7061) on the Application Highway and Automation Highway networks. According to the vendor, risk is mitigated if these highways are properly isolated from untrusted networks per the SPPA-T3000 security manual—the highways must not be exposed to external networks or the Internet.
What this means
What could happen
An attacker with network access to the Application or Automation Highway could execute arbitrary code on the SPPA-T3000 Application Server, potentially allowing them to alter control logic, modify setpoints, or shut down power generation and grid management systems.
Who's at risk
This affects power generation and grid management operators who run Siemens SPPA-T3000 systems. The vulnerability impacts the Application Server (which controls the overall system logic) and MS3000 Migration Server (used for system upgrades and data migration). Organizations in the energy sector with these systems connected to supervisory networks need immediate attention.
How it could be exploited
An attacker on the Application Highway or Automation Highway network can send malicious input to the vulnerable SPPA-T3000 Application Server listening on ports 80, 8090, 8095, 8080, 1099, 5010, 8888, or 7061. The input can trigger unsafe deserialization, code injection, or file upload vulnerabilities, resulting in remote code execution on the server. The MS3000 Migration Server is similarly reachable from these highways and can be exploited for unauthorized access.
Prerequisites
- Network access to Application Highway or Automation Highway
- Access to one of the following ports: 80/TCP, 8090/TCP, 8095/TCP, 8080/TCP, 1099/TCP, 5010/TCP, 8888/TCP, or 7061/TCP
- No authentication required to exploit
Remotely exploitable from internal network · No authentication required · Low attack complexity · High EPSS score (11.5%) · Affects supervisory control systems · MS3000 has no fix available
Exploitability
High exploit probability (EPSS 11.5%)
Affected products (2)
1 with fix · 1 EOL
Product | Affected Versions | Fix Status
SPPA-T3000 Application Server | < Service Pack R8.2 SP2 | Service Pack R8.2 SP2 or later
SPPA-T3000 MS3000 Migration Server | All versions | No fix (EOL)
Remediation & Mitigation
Do now
WORKAROUND: For MS3000 Migration Server, implement configuration recommendations from Siemens Energy Customer Portal and security manual (no vendor patch available)
HARDENING: Restrict access to the Application Highway using the built-in SPPA-T3000 Firewall
HARDENING: Do not bridge external networks to the Application Highway or Automation Highway; connect external components only to the DMZ
HARDENING: Block or monitor inbound access to ports 80/TCP, 8090/TCP, 8095/TCP, 8080/TCP, 1099/TCP, 5010/TCP, 8888/TCP, and 7061/TCP at the network perimeter
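One way to monitor the port list above, as an added example that is not part of the advisory or any Siemens tooling: it scans firewall log lines for TCP connections to the Application Server's listed ports from sources outside the two highways. The server address, highway subnets, and log line format are assumptions made for illustration; the sample log is constructed.

```python
import ipaddress

# Ports the advisory lists for the SPPA-T3000 Application Server.
ADVISORY_PORTS = {80, 8090, 8095, 8080, 1099, 5010, 8888, 7061}
# Assumed addressing for illustration only (not from the advisory).
APP_SERVERS = {ipaddress.ip_address("10.10.1.10")}
HIGHWAY_NETS = [ipaddress.ip_network("10.10.1.0/24"),  # Application Highway
                ipaddress.ip_network("10.10.2.0/24")]  # Automation Highway
# Constructed log lines: "<time> <action> <proto> <src>:<sport> -> <dst>:<dport>"
SAMPLE_LOG = """\
2019-12-10T08:00:01Z ALLOW TCP 10.10.1.21:50122 -> 10.10.1.10:8090
2019-12-10T08:00:07Z ALLOW TCP 192.168.50.7:41200 -> 10.10.1.10:1099
2019-12-10T08:00:09Z DENY TCP 172.16.4.9:33812 -> 10.10.1.10:7061
2019-12-10T08:00:12Z ALLOW TCP 192.168.50.7:41333 -> 10.10.1.10:22
2019-12-10T08:00:15Z ALLOW UDP 192.168.50.7:5353 -> 10.10.1.10:8080
malformed line
"""

def parse_line(line):
    """Return (time, action, proto, src_ip, dst_ip, dst_port) or None."""
    parts = line.split()
    if len(parts) != 6 or parts[4] != "->":
        return None
    ts, action, proto, src, _, dst = parts
    try:
        src_ip, _sport = src.rsplit(":", 1)
        dst_ip, dport = dst.rsplit(":", 1)
        return (ts, action, proto, ipaddress.ip_address(src_ip),
                ipaddress.ip_address(dst_ip), int(dport))
    except ValueError:
        return None  # unparseable address or port

def find_violations(log_text):
    """List traffic to advisory ports that originates outside the highways."""
    findings = []
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None:
            continue
        ts, action, proto, src, dst, dport = rec
        if proto != "TCP" or dst not in APP_SERVERS or dport not in ADVISORY_PORTS:
            continue
        if any(src in net for net in HIGHWAY_NETS):
            continue  # expected highway-internal traffic
        # ALLOW means the isolation the vendor relies on is already broken.
        status = "exposed" if action == "ALLOW" else "blocked-attempt"
        findings.append((ts, str(src), dport, status))
    return findings
```

An "exposed" finding means a path from an untrusted network to the server exists and should be closed; "blocked-attempt" findings show the perimeter rule is doing its job but are still worth reviewing.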
Schedule — requires maintenance window
Patching may require device reboot — plan for process interruption
SPPA-T3000 Application Server
HOTFIX: Upgrade SPPA-T3000 Application Server to Service Pack R8.2 SP2 or later (contact Siemens service management for the update)
Mitigations - no patch available
SPPA-T3000 MS3000 Migration Server has reached End of Life. The vendor will not release a patch. Apply the following compensating controls:
HARDENING: Ensure SPPA-T3000 is not accessible from the Internet; place behind firewall and isolate from business network
HARDENING: Implement mitigations described in the SPPA-T3000 security manual
CVEs (54)
CVE-2018-4832, CVE-2019-18283, CVE-2019-18286, CVE-2019-18287, CVE-2019-18288, CVE-2019-18293, CVE-2019-18294, CVE-2019-18295, CVE-2019-18296, CVE-2019-18297, CVE-2019-18298, CVE-2019-18299, CVE-2019-18300, CVE-2019-18302, CVE-2019-18284, CVE-2019-18285, CVE-2019-18289, CVE-2019-18290, CVE-2019-18291, CVE-2019-18292, CVE-2019-18301, CVE-2019-18303, CVE-2019-18304, CVE-2019-18305, CVE-2019-18306, CVE-2019-18307, CVE-2019-18308, CVE-2019-18309, CVE-2019-18310, CVE-2019-18311, CVE-2019-18312, CVE-2019-18313, CVE-2019-18314, CVE-2019-18315, CVE-2019-18316, CVE-2019-18317, CVE-2019-18318, CVE-2019-18319, CVE-2019-18320, CVE-2019-18321, CVE-2019-18322, CVE-2019-18323, CVE-2019-18324, CVE-2019-18325, CVE-2019-18326, CVE-2019-18327, CVE-2019-18328, CVE-2019-18329, CVE-2019-18330, CVE-2019-18331, CVE-2019-18332, CVE-2019-18333, CVE-2019-18334, CVE-2019-18335