OTPulse

Siemens Spectrum Power 4

Monitor | 5.4 | ICS-CERT ICSA-22-041-06 | Feb 8, 2022
Attack Vector: Network
Auth Required: None
Complexity: Low
User Interaction: Required
Summary

A Cross-Site Scripting (XSS) vulnerability exists in the integrated web application "Online Help" feature of Siemens Spectrum Power 4 versions prior to 4.70 SP9 Security Patch 1. An attacker could inject malicious JavaScript code that executes in the operator's browser when they interact with affected web content, potentially leading to credential theft or unauthorized system actions.

What this means
What could happen
An attacker could inject malicious JavaScript into the Spectrum Power 4 web interface, which could steal credentials or trick operators into performing unintended actions affecting grid operations.
Who's at risk
Operators and engineers at electric utilities, transmission system operators (TSOs), and distribution system operators (DSOs) who use Siemens Spectrum Power 4 for grid management and monitoring are affected. The vulnerability impacts the web-based configuration and monitoring interface used to manage power system operations.
How it could be exploited
An attacker crafts a malicious link containing JavaScript code and sends it to an operator. When the operator clicks the link while logged into the Spectrum Power 4 web interface, the malicious code executes in their browser context, potentially capturing credentials or hijacking their session to make unauthorized configuration changes.
Prerequisites
  • Operator must click a malicious link while actively using the Spectrum Power 4 web interface
  • Attacker must be able to deliver the link to the operator (email, chat, etc.)
  • The web interface must be accessible to the operator
  • remotely exploitable
  • user interaction required
  • low CVSS score but affects operational technology
  • affects critical grid operations
Exploitability
Low exploit probability (EPSS 0.3%)
Affected products (1)
Product | Affected Versions | Fix Status
Spectrum Power 4 | <V4.70 SP9 Security Patch 1 | 4.70 SP9 Security Patch 1
Remediation & Mitigation
Do now
WORKAROUND: Train operators not to click unknown or untrusted links while working in Spectrum Power 4
Schedule — requires maintenance window

Patching may require device reboot — plan for process interruption

HOTFIX: Update Spectrum Power 4 to version 4.70 SP9 Security Patch 1 or later
Long-term hardening
HARDENING: Restrict network access to the Spectrum Power 4 web interface using firewalls or VPN; ensure it is not reachable directly from the Internet
HARDENING: Implement network segmentation to isolate critical power system networks from the business network