OTPulse

Siemens SICAM A8000 RTUs

Plan Patch · CVSS 8.3 · ICS-CERT ICSA-20-224-08 · Aug 11, 2020
Attack Vector: Network
Auth Required: None
Complexity: High
User Interaction: Required
Summary

SICAM WEB firmware for Siemens SICAM A8000 RTUs contains a cross-site scripting (CWE-79) vulnerability in the web interface. A remote attacker with network access to port 443/TCP can inject malicious script code. If an authenticated user views the injected payload in their browser, the code executes with the user's session privileges, potentially allowing the attacker to execute commands on the RTU or access sensitive data. The vulnerability affects all firmware versions prior to v05.30.

What this means
What could happen
An attacker could inject malicious code into the SICAM A8000 RTU web interface, allowing them to execute commands on the device and potentially alter control parameters, trigger unwanted operations, or disrupt remote terminal operations at substations or water treatment facilities.
Who's at risk
This affects water authorities and electric utilities operating Siemens SICAM A8000 Remote Terminal Units (RTUs) for substation automation and remote control of distribution equipment. Any RTU running SICAM WEB firmware older than version 05.30 is vulnerable. RTUs are commonly deployed at substations, water treatment plants, and remote monitored facilities.
How it could be exploited
An attacker with network access to port 443/TCP on the SICAM A8000 RTU could craft a malicious request containing injected script code targeting the web interface. If a user (likely an engineer or operator) visits a compromised or manipulated link while authenticated to the device, the injected code executes in their browser context with the privileges of their session, potentially allowing command execution on the RTU itself.
Prerequisites
  • Network access to SICAM A8000 RTU on port 443/TCP
  • User interaction required - an authenticated user must view the malicious payload in their web browser
  • Device running SICAM WEB firmware version earlier than v05.30
remotely exploitable · user interaction required · affects remote operations infrastructure · high skill level required to exploit · high CVSS score (8.3)
Exploitability
Low exploit probability (EPSS 0.5%)
Affected products (1)
Product: SICAM WEB firmware for SICAM A8000 RTUs
Affected Versions: All < V05.30
Fix Status: 05.30
Remediation & Mitigation
Do now
WORKAROUND: Restrict network access to port 443/TCP on SICAM A8000 RTUs using firewall rules - limit to authorized engineering and operations networks only
Schedule — requires maintenance window

Patching may require device reboot — plan for process interruption

HOTFIX: Update SICAM WEB firmware to version 05.30 or later
Long-term hardening
HARDENING: Isolate SICAM A8000 RTU network segments from direct Internet connectivity using firewalls and DMZs
HARDENING: Implement network segmentation to separate RTU management networks from business IT networks