OTPulse

Siemens SIPROTEC 5 Devices

Monitor | 6.5 | ICS-CERT ICSA-22-013-04 | Jan 11, 2022
Attack Vector: Adjacent
Auth Required: None
Complexity: Low
User Interaction: None needed
Summary

An information disclosure vulnerability in SIPROTEC 5 protection relays allows unauthenticated attackers on the local network to read device information. Affected devices include 6MD85, 6MD86, 6MD89, 6MU85, 7KE85, 7SA82, 7SA86, 7SA87, 7SD82, 7SD86, 7SD87, 7SJ81, 7SJ82, 7SJ85, 7SJ86, 7SK82, 7SK85, 7SL82, 7SL86, 7SL87, 7SS85, 7ST85, 7SX85, 7SX800, 7UM85, 7UT82, 7UT85, 7UT86, 7UT87, 7VE85, and 7VK87 with CP050, CP100, or CP300 CPU variants running firmware versions below 8.83. The vulnerability results from improper input validation (CWE-20). Siemens has released firmware updates to address this issue.

What this means
What could happen
An attacker on the local network can read sensitive device information from SIPROTEC 5 relays without needing to log in, potentially exposing configuration or operational data that could aid further attacks on the power or water distribution system.
Who's at risk
Power utilities, water authorities, and other critical infrastructure operators using Siemens SIPROTEC 5 protection relays (distance, overcurrent, differential, transformer, or voltage protection functions) in substations and control facilities. Affects 31 device models with CP050, CP100, or CP300 CPU variants deployed in protection schemes.
How it could be exploited
An attacker with network access to an affected SIPROTEC 5 device (typically connected to a substation LAN or protection network) can send unauthenticated requests to the device to read device information. No credentials, user interaction, or special complexity are required.
Prerequisites
  • Network access to the affected SIPROTEC 5 device
  • Device running firmware version earlier than 8.83
  • Device using CPU variant CP050, CP100, or CP300
Tags: remotely exploitable · no authentication required · low complexity · information disclosure · affects protection systems
Exploitability
Low exploit probability (EPSS 0.4%)
Affected products (31)
31 with fix
Product | Affected Versions | Fix Status
SIPROTEC 5 6MD85 devices (CPU variant CP300) | < V8.83 | 8.83
SIPROTEC 5 6MD86 devices (CPU variant CP300) | < V8.83 | 8.83
SIPROTEC 5 6MD89 devices (CPU variant CP300) | < V8.83 | 8.83
SIPROTEC 5 6MU85 devices (CPU variant CP300) | < V8.83 | 8.83
SIPROTEC 5 7KE85 devices (CPU variant CP300) | < V8.83 | 8.83
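The prerequisites and the affected-product table above define a concrete matching rule (listed model, CP050/CP100/CP300 CPU variant, firmware earlier than V8.83). The following Python script is an added example, not code from the advisory or from Siemens, that applies that rule to an asset inventory. The inventory format, the relay names and the CPU variant CP200 used as a non-listed control value are constructed for illustration; the model list, CPU variants and fixed version are taken from the advisory.

```python
"""Added example (not from the advisory or from Siemens): triage a relay
inventory against the affected set described in ICSA-22-013-04.

The Relay record layout and the sample rows are constructed for illustration.
"""
import re
from dataclasses import dataclass

# Affected models, CPU variants and the fixed release, as listed in the advisory
AFFECTED_MODELS = {
    "6MD85", "6MD86", "6MD89", "6MU85", "7KE85", "7SA82", "7SA86", "7SA87",
    "7SD82", "7SD86", "7SD87", "7SJ81", "7SJ82", "7SJ85", "7SJ86", "7SK82",
    "7SK85", "7SL82", "7SL86", "7SL87", "7SS85", "7ST85", "7SX85", "7SX800",
    "7UM85", "7UT82", "7UT85", "7UT86", "7UT87", "7VE85", "7VK87",
}
AFFECTED_CPUS = {"CP050", "CP100", "CP300"}
FIXED_VERSION = (8, 83)

_VERSION_RE = re.compile(r"^V?(\d+)\.(\d+)$")


def parse_version(text):
    """Turn 'V8.83' or '8.83' into the integer tuple (8, 83).

    Comparing tuples of integers avoids the string-comparison trap in which
    'V10.00' sorts before 'V8.83' because '1' < '8'.
    """
    m = _VERSION_RE.match(text.strip())
    if not m:
        raise ValueError(f"unrecognised firmware version: {text!r}")
    return int(m.group(1)), int(m.group(2))


@dataclass
class Relay:
    name: str      # asset identifier (constructed)
    model: str     # SIPROTEC 5 model designation, e.g. 7SJ85
    cpu: str       # CPU variant, e.g. CP300
    firmware: str  # firmware version string as reported by the device


def is_affected(relay):
    """True when the relay matches all three conditions from the advisory."""
    if relay.model not in AFFECTED_MODELS or relay.cpu not in AFFECTED_CPUS:
        return False
    return parse_version(relay.firmware) < FIXED_VERSION


def triage(inventory):
    """Split an inventory into (needs_patch, not_affected) name lists."""
    needs_patch = [r.name for r in inventory if is_affected(r)]
    not_affected = [r.name for r in inventory if not is_affected(r)]
    return needs_patch, not_affected


# Constructed sample inventory; names and versions are not real assets.
SAMPLE_INVENTORY = [
    Relay("SUB-A-F1", "7SJ85", "CP300", "V8.80"),   # listed model, older firmware
    Relay("SUB-A-F2", "7SJ85", "CP300", "V8.83"),   # already at the fixed release
    Relay("SUB-A-T1", "7UT86", "CP100", "V7.90"),   # listed model, older firmware
    Relay("SUB-B-L1", "7SA87", "CP300", "V10.00"),  # newer major release
    Relay("SUB-B-X1", "7SJ85", "CP200", "V8.50"),   # CP200: variant not in the advisory (constructed)
    Relay("SUB-C-O1", "6MD89", "CP050", "V8.83"),   # already at the fixed release
]

if __name__ == "__main__":
    vulnerable, ok = triage(SAMPLE_INVENTORY)
    print("needs firmware V8.83 or later:", vulnerable)
    print("not affected:", ok)
```

The version parser deliberately rejects strings it does not understand rather than guessing, so a relay whose firmware field is blank or malformed in the inventory surfaces as an error to investigate instead of silently landing in the "not affected" list.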
Remediation & Mitigation
Do now
HARDENING: Restrict network access to SIPROTEC 5 devices using firewall rules, network segmentation, or VPN to limit exposure from untrusted networks
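As an illustration of the network-restriction step above, the following nftables ruleset is an added example, not part of the advisory and not Siemens guidance. It assumes a Linux gateway forwarding traffic between a station LAN and a protection-network subnet; the subnets (10.10.20.0/24 for engineering workstations, 10.10.30.0/24 for relays) and the port set are placeholders to be replaced with the addresses and the protocols actually in use at the site.

```nftables
# Added example, not from the advisory: restrict forwarded traffic toward the
# relay subnet to a known engineering subnet and log everything else.
# All addresses, interface roles and ports below are assumptions.
table inet protection_zone {
    chain forward {
        type filter hook forward priority 0; policy drop;

        # Return traffic for connections the relays were allowed to receive
        ct state established,related accept

        # Engineering workstations (assumed 10.10.20.0/24) may reach the relays
        # (assumed 10.10.30.0/24) on the services you actually use; the port set
        # here is a placeholder, adjust it to the engineering and protocol ports
        # configured in your deployment
        ip saddr 10.10.20.0/24 ip daddr 10.10.30.0/24 tcp dport { 102, 443 } accept

        # Anything else aimed at the relay subnet is logged, then dropped, so
        # unexpected unauthenticated requests become visible to monitoring
        ip daddr 10.10.30.0/24 log prefix "relay-zone-drop: " drop
    }
}
```

Loading this with `nft -f` on the gateway leaves the relays reachable only from the engineering subnet; the log line prefix gives a SIEM a stable string to alert on when something outside that subnet probes the protection network.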
Schedule — requires maintenance window

Patching may require device reboot — plan for process interruption

HOTFIX: Update all affected SIPROTEC 5 devices to firmware version 8.83 or later
HOTFIX: Validate firmware updates in a test environment before deploying to production protection relays
Long-term hardening
HARDENING: Configure SIPROTEC 5 devices according to Siemens operational security guidelines for industrial environments