Siemens SIPROTEC 5

Monitor | CVSS 6.8 | ICS-CERT ICSA-25-044-04 | Feb 11, 2025
Siemens
Attack path
Attack Vector: Physical
Auth Required: None
Complexity: Low
User Interaction: None needed
Summary

SIPROTEC 5 protection relays contain an unauthenticated development shell accessible via a physical interface on the device. An attacker with physical access can connect to this shell and execute arbitrary commands on the relay firmware without requiring credentials. This affects multiple SIPROTEC 5 relay models and variants across different processor modules (CP050, CP100, CP150, CP200, CP300). Siemens has released firmware updates for relays with CP300, CP150, and CP050 modules, but states no fix is planned for CP200 variants and no fix is currently available for certain CP100 and CP300 models. The vulnerability is classified as CWE-489 (Service Exposure of Unsafe Function).

What this means
What could happen
An attacker with physical access to a SIPROTEC 5 relay could run arbitrary commands, potentially altering protective relay settings, disabling protection schemes, or disrupting power distribution operations.
Who's at risk
Electric utilities and power system operators responsible for protection relays. Affects Siemens SIPROTEC 5 series protection relays used in power distribution, transmission, and renewable energy facilities. Models include multifunction line protection relays (7SA, 7SD, 7SJ, 7SK, 7SL, 7SS, 7ST, 7UT, 7VE, 7VK), current differential relays (6MD, 6MU), and compact relays (7SX800). Any utility or industrial facility relying on these relays for protection scheme integrity should assess their device inventory.
How it could be exploited
An attacker connects to the development shell interface (typically a serial or local physical port) on the SIPROTEC 5 device. The shell lacks authentication, allowing the attacker to execute arbitrary commands directly on the protection relay's firmware.
Prerequisites
  • Physical access to the SIPROTEC 5 device or its management port
  • No credentials or authentication required
Key points
  • Physical access required
  • No authentication required
  • No patch available for CP200 variants
  • Affects critical power grid protection systems
  • Low exploitation complexity
Exploitability
Unlikely to be exploited — EPSS score 0.1%
Affected products (61): 43 with fix, 18 pending

Product | Affected Versions | Fix Status
SIPROTEC 5 6MD84 (CP300) | < 9.90 | 9.90
SIPROTEC 5 6MD85 (CP200) | All versions | No fix yet
SIPROTEC 5 6MD85 (CP300) | < 9.90 | 9.90
SIPROTEC 5 6MD86 (CP200) | All versions | No fix yet
SIPROTEC 5 6MD86 (CP300) | < 9.90 | 9.90
Remediation & Mitigation
Do now
SIPROTEC 5 6MD85 (CP200)
WORKAROUND: For SIPROTEC 5 products with CP200 modules (6MD85, 6MD86, 7KE85, 7SA86, 7SA87, 7SD86, 7SD87, 7SJ85, 7SJ86, 7SK85, 7SL86, 7SL87, 7SS85, 7ST85, 7UT85, 7UT86, 7UT87, 7VK87) where no fix is planned, maintain strict physical access controls and consider network-based monitoring or replacement planning.
All products
HARDENING: Restrict physical access to SIPROTEC 5 devices to authorized personnel only. Limit access to device ports and interfaces.
Schedule — requires maintenance window

Patching may require device reboot — plan for process interruption

SIPROTEC 5 6MD84 (CP300)
HOTFIX: Update SIPROTEC 5 6MD84, 6MD85, 6MD86, 6MD89, 6MU85 (CP300), 7SA86, 7SA87, 7SD86, 7SD87, 7SJ85, 7SJ86, 7SK85, 7SL86, 7SL87, 7SS85, 7SX85, 7UM85, 7UT85, 7UT86, 7UT87, 7VE85, 7VK87, 7VU85 devices to firmware version 9.90 or later.
HOTFIX: Update SIPROTEC 5 7KE85 (CP300) and 7ST85, 7ST86 (CP300) to firmware version 10.0 or later.
SIPROTEC 5 7SA82 (CP100)
HOTFIX: Update SIPROTEC 5 7SA82, 7SD82, 7SJ81, 7SJ82, 7SK82, 7SL82 (CP100 models) and 7SA82, 7SD82, 7SJ81, 7SJ82, 7SK82, 7SL82, 7SX82, 7SY82, 7UT82 (CP150 models) to firmware version 9.90 or later.
SIPROTEC 5 Compact 7SX800 (CP050)
HOTFIX: Update SIPROTEC 5 Compact 7SX800 (CP050) to firmware version 9.90 or later.
Long-term hardening
HARDENING: Verify implementation of redundant protection schemes and secondary protection systems in power grid design to ensure operational resilience if a relay is compromised.
HARDENING: Implement network segmentation and firewall rules to limit management and firmware update access to SIPROTEC 5 devices from authorized engineering workstations only.
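The fix thresholds from the HOTFIX and WORKAROUND entries above, turned into a small inventory check so a defender can tell which relays are patched, which still need the 9.90 or 10.0 update, and which CP200 units can only be protected by physical controls. This is an added example, not Siemens' or OTPulse's code; it assumes firmware strings in Siemens' major.minor form (e.g. V9.80), the inventory records are constructed sample data, and models not named in a HOTFIX entry are reported as unknown rather than guessed.

```python
# Added inventory check for the fix thresholds in this advisory; not Siemens'
# or OTPulse's code. Thresholds come from the HOTFIX and WORKAROUND entries
# above; the INVENTORY records are constructed sample data, not real devices.

FIX_AT_990 = {  # models first fixed in firmware 9.90, by processor module
    "CP300": {"6MD84", "6MD85", "6MD86", "6MD89", "6MU85", "7SA86", "7SA87",
              "7SD86", "7SD87", "7SJ85", "7SJ86", "7SK85", "7SL86", "7SL87",
              "7SS85", "7SX85", "7UM85", "7UT85", "7UT86", "7UT87", "7VE85",
              "7VK87", "7VU85"},
    "CP100": {"7SA82", "7SD82", "7SJ81", "7SJ82", "7SK82", "7SL82"},
    "CP150": {"7SA82", "7SD82", "7SJ81", "7SJ82", "7SK82", "7SL82", "7SX82",
              "7SY82", "7UT82"},
    "CP050": {"7SX800"},
}
FIX_AT_100 = {"CP300": {"7KE85", "7ST85", "7ST86"}}  # fixed in 10.0, not 9.90
NO_FIX_PLANNED = {"CP200"}  # every CP200 variant: physical-access workaround only

def parse_version(v):
    """'V9.80' -> (9, 80), '10.0' -> (10, 0). Assumes major.minor with a
    two-digit minor as Siemens writes it, so '9.9' is read as (9, 90)."""
    major, _, minor = v.strip().lstrip("Vv").partition(".")
    return int(major), int((minor or "0").ljust(2, "0")[:2])

def fix_version(model, module):
    """First fixed firmware for a model/module pair, or None if unlisted."""
    if model in FIX_AT_100.get(module, set()):
        return "10.0"
    if model in FIX_AT_990.get(module, set()):
        return "9.90"
    return None

def assess(model, module, firmware):
    """Classify one relay against the advisory's remediation entries."""
    if module in NO_FIX_PLANNED:
        return "no fix planned"
    target = fix_version(model, module)
    if target is None:
        return "unknown"  # not in a HOTFIX entry: check the full product table
    if parse_version(firmware) >= parse_version(target):
        return "patched"
    return f"update to {target}"

INVENTORY = [  # constructed sample records: (model, module, firmware)
    ("7SJ85", "CP300", "V9.80"), ("7ST85", "CP300", "V9.90"),
    ("7SA82", "CP150", "V9.90"), ("6MD86", "CP200", "V9.90"),
]

def assess_inventory(records=INVENTORY):
    # Map 'model (module) firmware' -> remediation status for each record
    return {f"{m} ({mod}) {fw}": assess(m, mod, fw) for m, mod, fw in records}
```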
Siemens SIPROTEC 5 | CVSS 6.8 - OTPulse