OTPulse

Siemens SICAM MMU, SICAM T, and SICAM SGU

Priority: Act Now · Severity: 9.8 · ICS-CERT ICSA-20-196-03 · Jul 14, 2020
Attack Vector: Network
Auth Required: None
Complexity: Low
User Interaction: None needed
Summary

Multiple vulnerabilities in Siemens SICAM substation automation devices allow unauthenticated remote code execution and firmware installation. The affected products include SICAM MMU (Remote Terminal Unit), SICAM T (Terminal), and SICAM SGU (Substation Gateway Unit). Vulnerabilities include buffer overflows (CWE-120, CWE-125), missing authentication (CWE-306), unencrypted communication (CWE-311), improper input validation (CWE-79, CWE-80), and missing cryptographic controls (CWE-294, CWE-916). An unauthenticated attacker with network access can execute arbitrary commands on the device, install malicious firmware, and intercept sensitive data. The devices transmit passwords and commands in plaintext; hardware constraints prevent on-device encryption.

What this means
What could happen
An attacker with network access to these devices can read sensitive data (including passwords) transmitted in plaintext, execute arbitrary commands on the RTU without authentication, or install unauthorized firmware, potentially disrupting substation operations and data integrity.
Who's at risk
Utilities operating Siemens substation automation devices should care about this vulnerability. SICAM MMU and SICAM T are remote terminal units (RTUs) used in electrical substations and water/wastewater facilities for monitoring and control. SICAM SGU devices may also be deployed in similar critical infrastructure environments. These devices manage SCADA functions and often have direct control over circuit breakers, pumps, or other switching equipment.
How it could be exploited
An attacker on the same network as the device can send unencrypted HTTP requests to the web application without credentials, then exploit buffer overflows, cross-site scripting, or authentication bypass vulnerabilities to execute commands or install firmware on the RTU.
Prerequisites
  • Network access to the device's HTTP port (unencrypted web interface)
  • No valid credentials required
  • Device must be running vulnerable firmware version
Risk factors
  • Remotely exploitable
  • No authentication required
  • Affects critical operational equipment
  • Unencrypted communication (no TLS/encryption possible on device hardware)
  • Plaintext credential transmission
  • Multiple CWEs, including buffer overflow and XSS
  • SICAM SGU has no patch available
Exploitability
Moderate exploit probability (EPSS 1.3%)
Affected products (3)
2 with fix, 1 EOL

Product     Affected Versions   Fix Status
SICAM MMU   All < V2.05         2.05, to introduce authentication in the web application to mitigate some web
SICAM T     All < V2.18         2.18, to introduce authentication in the web application to mitigate some web
SICAM SGU   All versions        No fix (EOL)
Remediation & Mitigation
Do now
WORKAROUND: Implement VPN encryption between operators and these devices to protect plaintext credentials and commands
HARDENING: Restrict network access to the web interface using firewall rules; allow only authorized engineering workstations
Schedule — requires maintenance window

Patching may require device reboot — plan for process interruption

HOTFIX: Update SICAM MMU to firmware version 2.05 or later
HOTFIX: Update SICAM T to firmware version 2.18 or later
HARDENING: Ensure operators use a modern, up-to-date web browser when accessing the device
Long-term hardening
HOTFIX: Replace SICAM SGU (RTU applications) with SICAM A8000 RTU devices
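The affected-versions table and the remediation steps above are what an asset owner has to apply across an inventory. The following triage helper is an added example written for this page; it is not OTPulse or Siemens code. It encodes the fixed versions from the table (MMU 2.05, T 2.18, SGU no fix) and the remediation steps from this section, classifies each device in a constructed inventory as affected, fixed, unknown or out of scope, and attaches the applicable actions. The hostnames, versions and the `Generic IED` product in the sample inventory are made up.

```python
"""Triage helper for the SICAM MMU / SICAM T / SICAM SGU advisory (added example)."""
import re
from dataclasses import dataclass, field

# Fixed firmware per product, from the advisory's affected-products table.
# None means no fixed version exists (SICAM SGU is end-of-life).
FIXED_VERSION = {
    "SICAM MMU": (2, 5),    # All < V2.05 affected
    "SICAM T":   (2, 18),   # All < V2.18 affected
    "SICAM SGU": None,      # All versions affected, no fix
}

# Patch-level actions from the advisory's remediation section.
PATCH_ACTION = {
    "SICAM MMU": "Update to firmware 2.05 or later (maintenance window; reboot likely)",
    "SICAM T":   "Update to firmware 2.18 or later (maintenance window; reboot likely)",
    "SICAM SGU": "No fix available (EOL): replace with SICAM A8000 RTU",
}

# Compensating controls from the "Do now" list. They apply even to patched
# units, because the fix adds web authentication but the interface is still
# plaintext HTTP (the device hardware cannot do encryption).
COMPENSATING_CONTROLS = (
    "Restrict access to the HTTP web interface to authorized engineering workstations",
    "Tunnel operator access through a VPN so plaintext credentials and commands are not exposed",
)


@dataclass
class Finding:
    host: str
    product: str
    version: str
    status: str                 # affected | fixed | unknown-version | out-of-scope
    actions: list = field(default_factory=list)


def parse_version(text):
    """Parse 'V2.05', 'v2.5' or '2.18' into a (major, minor) tuple.

    The minor part is compared numerically, so '2.05' and '2.5' both map
    to (2, 5). Returns None when the string does not look like a version.
    """
    m = re.fullmatch(r"[Vv]?(\d+)\.(\d+)", text.strip())
    return (int(m.group(1)), int(m.group(2))) if m else None


def assess(host, product, version):
    """Classify one device against the advisory table and attach actions."""
    if product not in FIXED_VERSION:
        return Finding(host, product, version, "out-of-scope")
    fixed = FIXED_VERSION[product]
    if fixed is None:
        return Finding(host, product, version, "affected",
                       [PATCH_ACTION[product], *COMPENSATING_CONTROLS])
    parsed = parse_version(version)
    if parsed is None:
        # Conservative: an unreadable version is treated as unpatched until
        # the firmware level has been confirmed on the device itself.
        return Finding(host, product, version, "unknown-version",
                       ["Confirm firmware version on the device; " + PATCH_ACTION[product],
                        *COMPENSATING_CONTROLS])
    if parsed < fixed:
        return Finding(host, product, version, "affected",
                       [PATCH_ACTION[product], *COMPENSATING_CONTROLS])
    return Finding(host, product, version, "fixed", list(COMPENSATING_CONTROLS))


def triage(inventory):
    """Run assess() over (host, product, version) rows, most urgent first."""
    order = {"affected": 0, "unknown-version": 1, "fixed": 2, "out-of-scope": 3}
    return sorted((assess(*row) for row in inventory), key=lambda f: order[f.status])


# Constructed sample inventory: hostnames, versions and the non-SICAM
# product are made up for this example.
SAMPLE_INVENTORY = [
    ("rtu-sub01-mmu", "SICAM MMU",   "V2.03"),
    ("rtu-sub01-t",   "SICAM T",     "V2.18"),
    ("gw-sub02-sgu",  "SICAM SGU",   "V1.12"),
    ("rtu-sub03-mmu", "SICAM MMU",   "n/a"),
    ("ied-sub03-01",  "Generic IED", "4.2"),
]

if __name__ == "__main__":
    for f in triage(SAMPLE_INVENTORY):
        print(f"{f.host:16} {f.product:12} {f.version:6} {f.status}")
        for action in f.actions:
            print(f"    - {action}")
```

Feeding it a real inventory export means replacing `SAMPLE_INVENTORY` with rows read from the asset register; the unknown-version branch is deliberately conservative so a device whose firmware level nobody recorded is scheduled for a check rather than silently treated as patched.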