Siemens SIPROTEC 5 Products

Monitor | CVSS 6.5 | ICS-CERT ICSA-25-016-04 | Jan 14, 2025
Siemens
Attack path
Attack Vector: Network
Auth Required: Low
Complexity: Low
User Interaction: None needed
Summary

SIPROTEC 5 protection relays do not properly restrict web server filesystem access. An authenticated attacker could read arbitrary files from the device filesystem, potentially exposing configuration data, settings, or other sensitive information stored on the protection relay.

What this means
What could happen
An authenticated attacker could read sensitive files from your protection relays, including configuration data and internal settings. While this does not directly alter operations, it exposes information an attacker could use to plan further attacks on your grid protection system.
Who's at risk
Electric utilities operating SIPROTEC 5 protection relays used for grid protection, including distance relays (7SA, 7SD, 7SJ, 7SK, 7SL), current differential relays (7UT, 7ST, 7SS), measurement devices (6MD, 6MU, 7KE, 7UM, 7VE), and compact models. Affects distribution operators (DSOs), transmission system operators (TSOs), and utilities with secondary protection schemes that depend on these relays.
How it could be exploited
An attacker with valid credentials to access the web server on a SIPROTEC 5 relay could request arbitrary files from the device filesystem over the network. The web server does not restrict which files can be accessed, allowing the attacker to retrieve system configuration, protection settings, and other sensitive data stored on the device.
Prerequisites
  • Valid user credentials to access the SIPROTEC 5 web interface
  • Network access to the HTTP/HTTPS port on the protection relay
  • SIPROTEC 5 device running an affected firmware version
  • Affects critical grid protection infrastructure
  • No patch available for several models
  • Requires authenticated access but widespread use of shared credentials in utilities
  • Low EPSS score but CWE-552 (improper permissions) is a known exploitation pattern
Exploitability
Unlikely to be exploited — EPSS score 0.1%
Affected products (43)
43 with fix
Product | Affected Versions | Fix Status
SIPROTEC 5 6MD84 (CP300) | < 9.80 | 9.80
SIPROTEC 5 6MD85 (CP300) | ≥ 7.80, < 9.80 | 9.80
SIPROTEC 5 6MD86 (CP300) | ≥ 7.80, < 9.80 | 9.80
SIPROTEC 5 6MD89 (CP300) | ≥ 7.80, < 9.68 | 9.68
SIPROTEC 5 6MU85 (CP300) | ≥ 7.80, < 9.80 | 9.80
Remediation & Mitigation
Do now
SIPROTEC 5 7SA82 (CP100)
WORKAROUND: For models with no available patch (6MD89, 7SA82 CP100, 7SD82 CP100, 7SJ81 CP100, 7SJ82 CP100, 7SK82 CP100, 7SL82 CP100, 7ST85, 7UT82 CP100), apply compensating controls: disable web server access entirely if not required for operations, or restrict access at the network layer using firewall rules.
All products
WORKAROUND: Restrict network access to SIPROTEC 5 web interfaces using firewall rules; allow HTTP/HTTPS access only from authorized engineering workstations and management networks, not from general plant networks.
Schedule — requires maintenance window

Patching may require device reboot — plan for process interruption

SIPROTEC 5 6MD84 (CP300)
HOTFIX: Update SIPROTEC 5 devices with available patches: CP300 models to firmware 9.80 or later; CP150 and CP050 models (7SA82, 7SD82, 7SL82, 7SK82, 7SJ81, 7SJ82, 7SX82, 7SY82, 7UT82, Compact 7SX800) to 9.80 or later; CP100 models (7SA82, 7SD82, 7SJ81, 7SJ82, 7SK82, 7SL82, 7UT82) to version 8.90 or later.
All products
HARDENING: Enforce strong, unique passwords for each SIPROTEC 5 relay instead of shared engineering credentials; implement access controls to limit which personnel can authenticate to the web interface.
Long-term hardening
HARDENING: Implement network segmentation to isolate protection relay management traffic; place web access and firmware update functions on a separate VLAN or air-gapped management network.