Siemens SIPROTEC 5 Products
Monitor · CVSS 6.5 · ICS-CERT ICSA-25-016-04 · Jan 14, 2025
Attack Vector: Network
Privileges Required: Low (an authenticated user account)
Attack Complexity: Low
User Interaction: None
Summary
SIPROTEC 5 protection relays do not properly restrict the web server's access to the device filesystem, so an authenticated attacker with network access to the web server can read arbitrary files from the device. The advisory covers 43 SIPROTEC 5 models spanning distance protection, differential protection and other protection and automation platforms. Siemens has released fixed firmware for most of them (V9.80 or V8.90 depending on hardware platform), but several models have no fix available. The vulnerability is rated medium severity (CVSS 6.5) and is not known to be actively exploited.
What this means
What could happen
An attacker who can authenticate to the device's web server could read arbitrary files from its filesystem, including configuration files and other sensitive data that may disclose network topology, protection settings and, potentially, credentials. The flaw is read-only: it does not by itself alter protection settings. In a protection relay, however, disclosure of the configuration lets an attacker understand the protection scheme and identify where a later attack on the process would do the most damage.
Who's at risk
Utilities operating SIPROTEC 5 protection relays in high-voltage and medium-voltage power systems, including transmission system operators (TSOs) and distribution system operators (DSOs). The affected model families span the SIPROTEC 5 range: the 7SA, 7SD, 7SJ, 7SK, 7SL, 7ST, 7UT, 7VE, 6MD, 6MU, 7UM, 7SX, 7SY, 7SS, 7VK, 7VU and 7KE series, covering distance, line and transformer differential, overcurrent, motor and generator protection, busbar protection, bay controllers, merging units and fault recorders used for primary and backup protection in substations and power distribution networks.
How it could be exploited
An attacker holding valid web-interface credentials sends requests for files the web server should not serve. Because the server does not confine file access to its intended web root, such requests return files from elsewhere on the device filesystem. Exploitation therefore requires both network reachability of the web server and a valid account, and it yields read access only.
Prerequisites
- Network access to the web server port on the device (typically HTTP/HTTPS)
- Valid user credentials for the SIPROTEC 5 web interface
- Knowledge of or ability to guess sensitive file paths
Risk factors:
- Remotely exploitable (requires network access to the web server)
- Authentication required (reduces immediate risk)
- Low attack complexity
- Widespread use in critical power infrastructure
- Some models have no vendor fix available
- Potential exposure of sensitive protection configuration data
Exploitability
Low exploit probability (EPSS 0.1%)
Affected products (43)
Table excerpt (5 of the 43 affected models are shown):
Product                     Affected versions    Fixed in
SIPROTEC 5 6MD84 (CP300)    < 9.80               V9.80
SIPROTEC 5 6MD85 (CP300)    ≥ 7.80, < 9.80       V9.80
SIPROTEC 5 6MD86 (CP300)    ≥ 7.80, < 9.80       V9.80
SIPROTEC 5 6MD89 (CP300)    ≥ 7.80, < 9.68       V9.68
SIPROTEC 5 6MU85 (CP300)    ≥ 7.80, < 9.80       V9.80
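A fleet check against the table above, added here as an example (it is not code from the advisory or from Siemens): it transcribes the five affected-version ranges shown, parses SIPROTEC 5 firmware strings the way Siemens prints them (two-digit minor, so V9.68 sorts before V9.80 and V8.01 before V8.30) and flags inventory entries that still need the update. The inventory format, device names and firmware values are constructed; models outside this excerpt are reported as unknown rather than assumed safe, because the full advisory lists 43 models.

```python
"""Fleet check for the SIPROTEC 5 web-server arbitrary-file-read advisory.

Added example, not code from the advisory or from Siemens. ADVISORY holds the
five affected-version ranges exactly as printed in the table above (the full
advisory lists 43 models); the sample inventory is constructed.
"""
import re
from dataclasses import dataclass

# Per model: first affected version (None = every version below the fix),
# first non-affected version, and the fixed version Siemens names.
ADVISORY = {
    "6MD84 (CP300)": {"min": None,   "max_excl": "9.80", "fix": "9.80"},
    "6MD85 (CP300)": {"min": "7.80", "max_excl": "9.80", "fix": "9.80"},
    "6MD86 (CP300)": {"min": "7.80", "max_excl": "9.80", "fix": "9.80"},
    "6MD89 (CP300)": {"min": "7.80", "max_excl": "9.68", "fix": "9.68"},
    "6MU85 (CP300)": {"min": "7.80", "max_excl": "9.80", "fix": "9.80"},
}

# Siemens prints SIPROTEC 5 firmware as V<major>.<two-digit minor>[.<patch>],
# e.g. V7.80, V8.01, V9.68, V9.80. Requiring the two-digit minor keeps "9.68"
# ordered below "9.80" and rejects strings such as "9.8" that would mis-sort.
VERSION_RE = re.compile(r"V?(\d+)\.(\d{2})(?:\.(\d+))?$")


def parse_version(text):
    """Return a comparable (major, minor, patch) tuple or raise ValueError."""
    m = VERSION_RE.match(text.strip())
    if not m:
        raise ValueError(f"unrecognised SIPROTEC 5 firmware version: {text!r}")
    major, minor, patch = m.groups()
    return (int(major), int(minor), int(patch or 0))


@dataclass
class Finding:
    device: str
    model: str
    version: str
    status: str   # "affected", "fixed", "unaffected" or "unknown-model"
    action: str


def check_device(device, model, version):
    """Classify one device against the advisory table."""
    entry = ADVISORY.get(model)
    if entry is None:
        # Not in this excerpt: do not assume safe, the full advisory lists 43 models.
        return Finding(device, model, version, "unknown-model",
                       "model not in table excerpt; check the full advisory")
    v = parse_version(version)
    if v >= parse_version(entry["max_excl"]):
        return Finding(device, model, version, "fixed", "no action")
    if entry["min"] is not None and v < parse_version(entry["min"]):
        return Finding(device, model, version, "unaffected",
                       "below the affected range; no action")
    return Finding(device, model, version, "affected",
                   f"update to V{entry['fix']} or later; restrict web access until then")


# Constructed sample inventory: device name, model, running firmware.
SAMPLE_INVENTORY = """\
# device,model,firmware
SUB-A-BC01,6MD85 (CP300),V9.40
SUB-A-BC02,6MD85 (CP300),V9.80
SUB-A-BC03,6MD84 (CP300),V7.50
SUB-B-BC01,6MD89 (CP300),V9.68
SUB-B-BC02,6MD86 (CP300),V7.50
SUB-C-MU01,6MU85 (CP300),V8.01
SUB-C-LD01,7SA82 (CP100),V8.80
"""


def check_fleet(inventory_text):
    """Parse the comma-separated inventory and classify every device."""
    findings = []
    for line in inventory_text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        device, model, version = (field.strip() for field in line.split(","))
        findings.append(check_device(device, model, version))
    return findings


def affected_devices(inventory_text):
    """Device names that still run affected firmware."""
    return [f.device for f in check_fleet(inventory_text) if f.status == "affected"]


if __name__ == "__main__":
    for f in check_fleet(SAMPLE_INVENTORY):
        print(f"{f.device:<11} {f.model:<14} {f.version:<6} {f.status:<14} {f.action}")
```

Note the 6MD84 row: its range has no lower bound, so every version below V9.80 is affected, whereas 6MD86 at V7.50 is below the ≥ 7.80 start of its range and is reported as unaffected. Extend ADVISORY from the full table before running this against a real inventory.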
Remediation & Mitigation
Do now
WORKAROUND: For devices for which Siemens lists no fixed firmware version yet (see the fix status in the affected-products table), and for every affected device until its update is installed, restrict network access to the web server with firewall rules or network segmentation so that only engineering workstations in a defined IP range can reach it.
Schedule (requires a maintenance window: updating may reboot the device, so plan for the process interruption)
HOTFIX: Update affected SIPROTEC 5 devices to the fixed firmware for their platform, V9.80 for CP300 models and V8.90 for CP100 models, or the model-specific version given in the table (V9.68 for 6MD89).
HARDENING (all products): Enforce strong passwords for the web interface and, where the product supports it, multi-factor or certificate-based authentication for web server access.
HARDENING (all products): Restrict web server access to engineering workstations only, and disable remote access unless operations require it.
Long-term hardening
HARDENING: Segment the network so that SIPROTEC 5 protection relays are isolated from untrusted networks and from the internet.
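The network-restriction workaround and the hardening items above, as an added example that is not from the advisory or from Siemens: a generator for an nftables ruleset on a firewall that forwards traffic between the engineering LAN and the relay network. It admits only the engineering range to the relays' HTTP/HTTPS ports and logs and drops every other source aimed at those ports. The table name, addresses and ranges are constructed; the validation step refuses allow-lists broad enough to make the rule a no-op, and refuses relays that sit inside the engineering range, which is the common way such a rule silently fails to restrict anything.

```python
"""nftables ruleset generator for the SIPROTEC 5 web-server workaround.

Added example, not from the advisory or from Siemens. It targets a firewall
that forwards traffic between the engineering LAN and the relay network and
confines the relays' HTTP/HTTPS ports to a defined engineering range. The
table name, addresses and ranges below are constructed.
"""
import ipaddress

WEB_PORTS = (80, 443)   # HTTP/HTTPS, the ports named in the prerequisites


def validate(relays, eng_ranges):
    """Parse the inputs and refuse allow-lists that would make the rule a no-op."""
    relay_addrs = [ipaddress.ip_address(r) for r in relays]
    ws_nets = [ipaddress.ip_network(c, strict=True) for c in eng_ranges]
    if not relay_addrs or not ws_nets:
        raise ValueError("need at least one relay address and one engineering range")
    if any(a.version != 4 for a in relay_addrs) or any(n.version != 4 for n in ws_nets):
        raise ValueError("this ruleset uses ipv4_addr sets; IPv6 entries are not supported")
    for net in ws_nets:
        # A /16 or wider is a site, not an engineering enclave; 0.0.0.0/0 would
        # silently re-open the web server to everyone.
        if net.prefixlen < 16:
            raise ValueError(f"engineering range {net} is too broad to be an allow-list")
        for addr in relay_addrs:
            if addr in net:
                raise ValueError(f"relay {addr} lies inside engineering range {net}; "
                                 "keep relays and workstations in separate segments")
    return relay_addrs, ws_nets


def build_ruleset(relays, eng_ranges, table="siprotec_web"):
    """Return nftables text: accept engineering -> relay web ports, log+drop the rest."""
    relay_addrs, ws_nets = validate(relays, eng_ranges)
    ports = ", ".join(str(p) for p in WEB_PORTS)
    relay_set = ", ".join(str(a) for a in relay_addrs)
    ws_set = ", ".join(str(n) for n in ws_nets)
    return "\n".join([
        f"table inet {table} {{",
        "    set relays {",
        "        type ipv4_addr",
        f"        elements = {{ {relay_set} }}",
        "    }",
        "    set eng_ws {",
        "        type ipv4_addr",
        "        flags interval",
        f"        elements = {{ {ws_set} }}",
        "    }",
        "    chain forward {",
        "        type filter hook forward priority 0; policy accept;",
        "        # engineering workstations may reach the relay web servers",
        f"        ip saddr @eng_ws ip daddr @relays tcp dport {{ {ports} }} accept",
        "        # any other source aimed at the relay web servers is logged and dropped",
        f"        ip daddr @relays tcp dport {{ {ports} }} log prefix \"siprotec-web-denied \" drop",
        "    }",
        "}",
    ]) + "\n"


if __name__ == "__main__":
    # Constructed addresses: two relays on the process network, one engineering /28.
    print(build_ruleset(["10.20.1.11", "10.20.1.12"], ["10.20.100.0/28"]), end="")
```

Write the output to a file and load it with `nft -f <file>` on the firewall. The chain only constrains the relays' web ports; other traffic to the relays is left to the existing policy, and the `log prefix` makes any denied attempt visible in the kernel log for the detection side.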
CVEs (1)