Siemens SIPROTEC 4 7SJ66
Priority: Act Now · CVSS 9.8 · Source: ICS-CERT ICSA-23-320-10 · Published: Nov 14, 2023
Attack Vector: Network
Auth Required: None
Complexity: Low
User Interaction: None needed
Summary
SIPROTEC 4 7SJ66 devices contain multiple vulnerabilities in the underlying Wind River VxWorks network stack, including nine of the "URGENT/11" flaws. These allow remote attackers to cause denial of service, extract data, or execute arbitrary code without authentication, affecting the availability, integrity, and confidentiality of the relay and its operations. Siemens has released firmware version 4.41 or later to address these issues.
What this means
What could happen
An attacker with network access to a 7SJ66 relay could execute arbitrary code, causing denial of service, data theft, or manipulation of protective relay settings that control power grid protection and isolation—potentially affecting customer power delivery or equipment protection.
Who's at risk
Electric utilities and power distributors using Siemens SIPROTEC 4 7SJ66 protective relays for transmission, distribution, or substation protection. These relays protect critical power infrastructure and isolate faults, so compromise could affect power availability and equipment safety.
How it could be exploited
An attacker sends specially crafted network packets to the 7SJ66 device exploiting VxWorks network stack vulnerabilities (URGENT/11). No authentication is required. Successful exploitation allows remote code execution on the relay, which could then alter protection logic, trigger false trips, block legitimate trips, or disable the device.
Prerequisites
- Network access to the 7SJ66 device on port 21 or other network service ports
- Device running firmware version before V4.41
- No requirement for valid credentials
Tags: remotely exploitable · no authentication required · low complexity · high EPSS score (79.5%) · affects safety systems
Exploitability
High exploit probability (EPSS 79.5%)
Affected products (1)
Product           | Affected Versions | Fix Status
SIPROTEC 4 7SJ66  | <V4.41            | 4.41
Remediation & Mitigation
Do now
- WORKAROUND: Restrict network access to 7SJ66 devices using firewall rules; only allow trusted engineering workstations and SCADA systems to communicate with the relay
Schedule — requires maintenance window
Patching may require a device reboot; plan for process interruption.
- HOTFIX: Update SIPROTEC 4 7SJ66 firmware to version 4.41 or later
Long-term hardening
- HARDENING: Isolate the protection relay network from the business network and the internet using a demilitarized zone (DMZ) or air gap
- HARDENING: Implement network segmentation so the relay is not accessible from remote locations unless accessed through a secure VPN with additional authentication
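To find which relays still need the HOTFIX, the check below applies the advisory's affected rule ("<V4.41", fixed in 4.41) to an asset inventory. It is an added example, not code from the advisory or from Siemens; the inventory records and their field names (`id`, `product`, `firmware`) are constructed, and firmware strings are assumed in the Siemens form Vmajor.minor shown on this page.

```python
"""Inventory triage for ICSA-23-320-10: flag SIPROTEC 4 7SJ66 relays that
still run firmware below V4.41, the fixed version named in the advisory."""
import re
from typing import Optional, Tuple

# Affected rule taken from the advisory table: product, "<V4.41", fix 4.41
ADVISORY = {"product": "SIPROTEC 4 7SJ66", "fixed_in": "V4.41"}

# Accepts "V4.41", "4.40", "V4.41.02"; the leading V is optional
_VER = re.compile(r"^[Vv]?(\d+)\.(\d+)(?:\.(\d+))?$")


def parse_version(text: str) -> Optional[Tuple[int, ...]]:
    """Return (major, minor, patch) as integers, or None if unparsable."""
    m = _VER.match(text.strip())
    if not m:
        return None
    return tuple(int(g) for g in m.groups(default="0"))


def triage(asset: dict) -> str:
    """Classify one asset: 'affected', 'fixed', 'unknown' or 'not-applicable'."""
    if asset.get("product") != ADVISORY["product"]:
        return "not-applicable"
    ver = parse_version(asset.get("firmware", ""))
    if ver is None:
        # Unparsable firmware string: verify on the device, never assume fixed
        return "unknown"
    return "fixed" if ver >= parse_version(ADVISORY["fixed_in"]) else "affected"


def triage_inventory(assets) -> dict:
    """Map asset id -> triage status for a whole inventory."""
    return {a["id"]: triage(a) for a in assets}


# Constructed sample inventory (hypothetical devices, not real assets)
SAMPLE_INVENTORY = [
    {"id": "sub-a-relay-01", "product": "SIPROTEC 4 7SJ66", "firmware": "V4.40"},
    {"id": "sub-a-relay-02", "product": "SIPROTEC 4 7SJ66", "firmware": "V4.41"},
    {"id": "sub-b-relay-07", "product": "SIPROTEC 4 7SJ66", "firmware": "4.41.03"},
    {"id": "sub-b-relay-08", "product": "SIPROTEC 4 7SJ66", "firmware": "n/a"},
    {"id": "sub-c-relay-01", "product": "OTHER-RELAY-MODEL", "firmware": "V4.40"},
]

if __name__ == "__main__":
    for dev, status in triage_inventory(SAMPLE_INVENTORY).items():
        print(f"{dev:16} {status}")
```

Assets reported as "unknown" should be checked on the device rather than treated as patched.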
CVEs (9)