Siemens SENTRON PAC3200 Devices
Plan Patch | CVSS 9.8 | ICS-CERT ICSA-24-284-04 | Oct 8, 2024
Siemens
Attack path
Attack Vector: Network
Auth Required: None
Complexity: Low
User Interaction: None needed
Summary
SENTRON 7KM PAC3200 devices protect administrative access via Modbus TCP using only a 4-digit PIN. An attacker with network access to the Modbus TCP interface can bypass this weak protection through brute-force attacks (10,000 possible combinations) or by capturing credentials from cleartext Modbus communication. No firmware patch is available. Siemens recommends network-level protections and following operational security guidelines.
What this means
What could happen
An attacker with access to your Modbus TCP network can brute-force the 4-digit PIN protecting the SENTRON PAC3200, gain administrative access, and alter power metering, load shedding rules, or disable protection settings in your electrical distribution.
Who's at risk
Electrical utilities and industrial facilities using SENTRON 7KM PAC3200 power monitoring units. Any organization with these devices connected to a Modbus TCP network where untrusted systems or external users can reach the device should treat this as high-risk, especially if the PAC3200 controls or monitors critical feeders, transformers, or backup power systems.
How it could be exploited
An attacker on the same network as your PAC3200 Modbus TCP interface sends repeated Modbus authentication requests with different PINs. With only 10,000 possible combinations and no rate limiting mentioned, access can be obtained in minutes. Once authenticated, the attacker can read/modify any Modbus register accessible to administrators.
Prerequisites
- Network access to the device's Modbus TCP port (typically port 502)
- The Modbus TCP interface must be enabled on the device
- remotely exploitable
- no authentication required (weak PIN only)
- low complexity (brute-force attack)
- no patch available
- affects critical infrastructure
- cleartext Modbus communication
Exploitability
Unlikely to be exploited — EPSS score 0.0%
Affected products (1)
Product | Affected Versions | Fix Status
SENTRON 7KM PAC3200 | All versions | No fix (EOL)
Remediation & Mitigation
Do now
- HARDENING: Restrict network access to the SENTRON PAC3200 Modbus TCP port (502) using firewall rules—allow only authorized engineering and monitoring workstations, block all other network sources
- HARDENING: Implement network segmentation so the PAC3200 is isolated on a dedicated industrial network not directly connected to corporate IT networks or untrusted sources
- WORKAROUND: Disable Modbus TCP remote access if not required for your operations; use local serial connections for configuration where possible
Mitigations - no patch available
SENTRON 7KM PAC3200 has reached End of Life. The vendor will not release a patch. Apply the following compensating controls:
- HARDENING: Monitor Modbus TCP network traffic to the PAC3200 for repeated authentication failures, which may indicate brute-force attempts
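The monitoring control above, sketched as an added example (not part of the advisory and not Siemens code): it parses Modbus TCP headers from captured payloads, flags clients outside an allowlist, and alerts on bursts of Modbus exception responses sent to one client. Assumptions: rejected PIN attempts surface as exception responses (the advisory does not describe the exchange), one ADU per TCP payload, and all addresses, thresholds and sample frames are constructed.

```python
import struct
from collections import defaultdict, deque

MODBUS_PORT = 502
ALLOWED_CLIENTS = {"10.10.5.20"}   # constructed allowlist (engineering workstation)
WINDOW_S, MAX_FAILURES = 60, 5     # assumed thresholds; tune per site

def parse_mbap(payload):
    """Return (transaction_id, unit_id, function_code), or None if not one Modbus TCP ADU."""
    if len(payload) < 8:
        return None
    tid, proto, length, unit = struct.unpack(">HHHB", payload[:7])
    if proto != 0 or length != len(payload) - 6:   # protocol id is 0; length counts unit id + PDU
        return None
    return tid, unit, payload[7]

def detect(packets):
    """packets: (ts, src_ip, dst_ip, src_port, dst_port, tcp_payload) tuples in time order.
    Returns (ts, client_ip, reason) alerts, one per client and reason."""
    alerts, failures, seen = [], defaultdict(deque), set()
    def alert(ts, client, reason):
        if (client, reason) not in seen:
            seen.add((client, reason))
            alerts.append((ts, client, reason))
    for ts, src, dst, sport, dport, payload in packets:
        parsed = parse_mbap(payload)
        if parsed is None:
            continue
        if dport == MODBUS_PORT and src not in ALLOWED_CLIENTS:
            alert(ts, src, "unauthorized Modbus client")
        # Responses leave port 502; bit 7 of the function code marks an exception response.
        if sport == MODBUS_PORT and parsed[2] & 0x80:
            q = failures[dst]
            q.append(ts)
            while ts - q[0] > WINDOW_S:
                q.popleft()
            if len(q) > MAX_FAILURES:
                alert(ts, dst, "exception-response burst")
    return alerts

def build_adu(tid, fc, data=b"", unit=1):
    pdu = bytes([fc]) + data
    return struct.pack(">HHHB", tid, 0, len(pdu) + 1, unit) + pdu
# Constructed sample: addresses, registers and values are placeholders, not PAC3200 data.
METER, HMI, OTHER = "10.10.5.50", "10.10.5.20", "10.10.5.99"
SAMPLE = [(0, HMI, METER, 40000, 502, build_adu(1, 0x03, b"\x00\x01\x00\x02")),
          (0, METER, HMI, 502, 40000, build_adu(1, 0x03, b"\x04\x00\x00\x00\x00"))]
for i in range(8):   # eight rejected writes from a host outside the allowlist
    SAMPLE.append((10 + i, OTHER, METER, 41000, 502, build_adu(i, 0x10, b"\x00\x00\x00\x01\x02\x00\x00")))
    SAMPLE.append((10 + i, METER, OTHER, 502, 41000, build_adu(i, 0x90, b"\x03")))
```

Calling detect(SAMPLE) returns one allowlist alert and one burst alert for the constructed host 10.10.5.99; in practice the packet tuples would come from a span port or tap on the meter's network segment.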
CVEs (1)