Siemens CPCI85 Firmware of SICAM A8000 Devices
Act Now | CVSS 9.8 | ICS-CERT ICSA-23-103-07 | Apr 11, 2023
Attack Vector: Network
Auth Required: None
Complexity: Low
User Interaction: None needed
Summary
The CPCI85 firmware in Siemens SICAM A8000 CP-8031 and CP-8050 master modules contains an unauthenticated command injection vulnerability in the web interface. Crafted input sent to port 80 or 443 is not properly sanitized before execution, allowing remote code execution with no credentials required. This affects substation automation and protection systems used in electrical grids.
What this means
What could happen
An attacker could execute arbitrary commands on the SICAM A8000 substation automation controller without authentication, potentially altering protection settings, disabling alarms, or disrupting grid operations.
Who's at risk
Electric utilities and independent system operators (TSOs/DSOs) using Siemens SICAM A8000 substation automation systems with CP-8031 or CP-8050 master modules. This affects grid protection and monitoring equipment responsible for fault detection, load control, and grid stability.
How it could be exploited
An attacker on the network sends a malicious command to the web interface (port 80 or 443) of the CP-8031 or CP-8050 master module. The CPCI85 firmware fails to sanitize input before passing it to system commands, allowing command injection. The attacker gains code execution with the privileges of the web server process.
Prerequisites
- Network access to TCP port 80 or 443 on the master module
- No authentication required
remotely exploitable, no authentication required, low complexity, critical CVSS score (9.8), high impact on grid operations, affects safety and protection systems
Exploitability
Moderate exploit probability (EPSS 2.9%)
Affected products (2)
2 with fix
| Product | Affected Versions | Fix Status |
|---|---|---|
| CP-8031 MASTER MODULE (6MF2803-1AA00) | < CPCI85 V05 | CPCI85 V05 or later |
| CP-8050 MASTER MODULE (6MF2805-0AA00) | < CPCI85 V05 | CPCI85 V05 or later |
Remediation & Mitigation
Do now
- WORKAROUND: Restrict network access to the web interface (port 80/TCP and 443/TCP) using a firewall or network segmentation; limit to authorized management networks only
Schedule — requires maintenance window
Patching may require device reboot — plan for process interruption
- HOTFIX: Update CPCI85 firmware to version V05 or later on CP-8031 and CP-8050 master modules
Long-term hardening
- HARDENING: Implement network segmentation to isolate substation automation controllers from untrusted networks
- HARDENING: Enable VPN or authenticated access controls for remote management of the controller
CVEs (1)