OTPulse

Siemens SIPROTEC 5

Monitor · CVSS 6.8 · ICS-CERT ICSA-25-044-04 · Feb 11, 2025
Attack Vector: Physical
Auth Required: None
Complexity: Low
User Interaction: None needed
Summary

SIPROTEC 5 protective relays expose a development shell over a physical interface (console/serial port) that is not properly restricted. An unauthenticated attacker with physical access can execute arbitrary commands on the device. This affects numerous SIPROTEC 5 relay models across multiple processor types (CP100, CP150, CP200, CP300, Compact CP050). Siemens has released firmware updates for most CP300, CP150, and CP100 variants to version 8.90, 9.90, or 10.0. However, no fixes are available for any CP200 variants, and several other models have no current patches. For unpatched products, Siemens recommends restricting physical access to authorized personnel and implementing appropriate environmental controls.

What this means
What could happen
An attacker with physical access to a SIPROTEC 5 relay could execute arbitrary commands on the device, potentially altering protection logic, disabling alarms, or disrupting power grid operations.
Who's at risk
Operators of electrical distribution and transmission systems, substations, and critical power infrastructure using Siemens SIPROTEC 5 protective relays (various model lines including 6MD, 6MU, 7SA, 7SD, 7SJ, 7SK, 7SL, 7SM, 7SS, 7ST, 7SX, 7SY, 7UT, 7VE, 7VK, 7VU series with CP100, CP150, CP200, CP300, and Compact CP050 control processors).
How it could be exploited
An attacker gains physical access to the device's interface, connects a terminal or serial interface, and accesses an unrestricted development shell to run commands that modify firmware, disable protections, or alter operating parameters.
Prerequisites
  • Physical access to the device's console or serial/debug interface
  • No authentication required to access the development shell
  • Requires physical access only, no authentication needed
  • Affects protective relays that control critical power grid operations
  • No patch available for CP200 variants of many models
  • Could compromise grid stability and protection schemes
Exploitability
Low exploit probability (EPSS 0.1%)
Affected products (61)
43 with fix, 18 pending

Product                  | Affected Versions | Fix Status
SIPROTEC 5 6MD84 (CP300) | < 9.90            | 9.90
SIPROTEC 5 6MD85 (CP200) | All versions      | No fix yet
SIPROTEC 5 6MD85 (CP300) | < 9.90            | 9.90
SIPROTEC 5 6MD86 (CP200) | All versions      | No fix yet
SIPROTEC 5 6MD86 (CP300) | < 9.90            | 9.90
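As an added example (not OTPulse's or Siemens's code), the following Python matches a relay inventory against the five fix-table rows shown above and reports, per device, whether it is vulnerable, patched, or not covered by the rows listed; the asset names and installed versions are constructed.

```python
# Added example: check a constructed relay inventory against the fix table.
import re

# Fix table rows as shown on this advisory page: product -> (affected, fix).
FIX_TABLE = {
    "SIPROTEC 5 6MD84 (CP300)": ("< 9.90", "9.90"),
    "SIPROTEC 5 6MD85 (CP200)": ("All versions", "No fix yet"),
    "SIPROTEC 5 6MD85 (CP300)": ("< 9.90", "9.90"),
    "SIPROTEC 5 6MD86 (CP200)": ("All versions", "No fix yet"),
    "SIPROTEC 5 6MD86 (CP300)": ("< 9.90", "9.90"),
}


def parse_version(v):
    """Turn '9.90' / '10.0' into a comparable tuple so 10.0 > 9.90."""
    return tuple(int(p) for p in v.split("."))


def assess(product, installed):
    """Return (status, action) for one device."""
    if product not in FIX_TABLE:
        return ("unknown", "not in the rows above; check the full advisory")
    affected, fix = FIX_TABLE[product]
    if affected == "All versions":
        # No fix released: only physical-access controls apply.
        return ("vulnerable", "no fix available; restrict physical access")
    m = re.fullmatch(r"<\s*(\d+(?:\.\d+)*)", affected)
    if m and parse_version(installed) < parse_version(m.group(1)):
        return ("vulnerable", f"upgrade to {fix}")
    return ("patched", "no action")


def assess_inventory(inventory):
    """Map asset name -> (status, action) for every device in the inventory."""
    return {name: assess(p, v) for name, (p, v) in inventory.items()}


# Constructed sample inventory: hypothetical asset names and firmware versions.
INVENTORY = {
    "sub-a-relay-01": ("SIPROTEC 5 6MD84 (CP300)", "9.20"),
    "sub-a-relay-02": ("SIPROTEC 5 6MD84 (CP300)", "9.90"),
    "sub-b-relay-01": ("SIPROTEC 5 6MD85 (CP200)", "8.80"),
    "sub-b-relay-02": ("SIPROTEC 5 7ST85 (CP300)", "9.90"),
}

if __name__ == "__main__":
    for name, (status, action) in assess_inventory(INVENTORY).items():
        print(f"{name}: {status} - {action}")
```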
Remediation & Mitigation
Do now
Hardening: Restrict physical access to all SIPROTEC 5 relays to authorized personnel only; implement controlled access to device cabinets and interfaces
Schedule — requires maintenance window

Patching may require device reboot — plan for process interruption

Hotfix: Upgrade SIPROTEC 5 devices to patched firmware versions: CP100 models to v8.90, CP150 models and Compact 7SX800 to v9.90, CP300 models to v9.90 or v10.0 (7KE85, 7ST85, 7ST86)
Long-term hardening
Hardening: Implement environmental controls such as locked enclosures, badge readers, or surveillance for relay installations in unmanned locations