Siemens SIPROTEC 5 Devices
Plan Patch · 7.5 · ICS-CERT ICSA-25-044-05 · Feb 11, 2025
Attack Vector: Network
Auth Required: None
Complexity: Low
User Interaction: None needed
Summary
An information disclosure vulnerability exists in SIPROTEC 5 devices: an unauthenticated remote attacker can retrieve sensitive device information via SNMP (Simple Network Management Protocol) without providing credentials. This affects multiple Siemens SIPROTEC 5 relay models (protection relays, measurement relays) and communication modules across firmware versions below 9.90 (8.80 and later for most models, any earlier version for some). Three models (7KE85, 7ST85, 7ST86) currently have no patch available. Siemens has released firmware updates addressing this issue and recommends restricting SNMP access and disabling the service if it is not used.
What this means
What could happen
An attacker could retrieve sensitive device information such as system configuration, credentials, or network settings from SIPROTEC 5 relays and communication modules without authentication, potentially exposing data needed to plan further attacks on your power or substation equipment.
Who's at risk
Power utilities and substations operating SIPROTEC 5 relays and communication modules for protection, measurement, or monitoring functions. This affects protection relays (7SA/7SD/7SJ/7SK/7SL/7ST/7SX/7SY/7UT series), measurement relays (6MD/6MU series), and all communication modules (ETH-BA/ETH-BB/ETH-BD). Both field-mounted devices and compact relay controllers are affected.
How it could be exploited
An attacker sends SNMP queries (UDP port 161) to a SIPROTEC 5 device reachable from the network. Because no authentication is required, the device responds with sensitive information like system configuration, firmware version, and internal parameters that could aid in further attacks.
Prerequisites
- Network access to UDP port 161 (SNMP) on the affected device
- SNMP service must be enabled on the device (default configuration)
- Device must be reachable from attacker's network segment
- remotely exploitable
- no authentication required
- low complexity
- information disclosure could enable further attacks
- affects critical protection and measurement equipment
Exploitability
Low exploit probability (EPSS 0.1%)
Affected products (48)
48 with fix
Product | Affected Versions | Fix Status
SIPROTEC 5 6MD84 (CP300) | < 9.90 | 9.90
SIPROTEC 5 6MD85 (CP300) | ≥ 8.80, < 9.90 | 9.90
SIPROTEC 5 6MD86 (CP300) | ≥ 8.80, < 9.90 | 9.90
SIPROTEC 5 6MD89 (CP300) | ≥ 8.80, < 9.90 | 9.90
SIPROTEC 5 6MD89 (CP300) V9.6x | < 9.68 | 9.68
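As an added example that is not code from the advisory or from Siemens, the following Python fleet-triage script applies the affected-version expressions from the table above to an inventory of device firmware versions. The five table rows are embedded as constructed data; the rule that a branch-specific row such as "V9.6x" takes precedence over the model's general row is an assumption about how to read the table.

```python
"""Fleet triage for ICSA-25-044-05: apply the advisory's affected-version table to device firmware versions."""
import re

ADVISORY_ROWS = [  # the five rows visible in the advisory: (product, affected versions, fix)
    ("SIPROTEC 5 6MD84 (CP300)", "< 9.90", "9.90"),
    ("SIPROTEC 5 6MD85 (CP300)", ">= 8.80, < 9.90", "9.90"),
    ("SIPROTEC 5 6MD86 (CP300)", ">= 8.80, < 9.90", "9.90"),
    ("SIPROTEC 5 6MD89 (CP300)", ">= 8.80, < 9.90", "9.90"),
    ("SIPROTEC 5 6MD89 (CP300) V9.6x", "< 9.68", "9.68"),
]
OPS = {"<": lambda a, b: a < b, "<=": lambda a, b: a <= b,
       ">": lambda a, b: a > b, ">=": lambda a, b: a >= b}

def parse_version(v):
    """'9.68' -> (9, 68): compare component-wise, never as strings or floats."""
    return tuple(int(p) for p in v.split("."))

def in_range(version, expr):
    """True if version satisfies every comparison in expr, e.g. '>= 8.80, < 9.90'."""
    v = parse_version(version)
    return all(OPS[op](v, parse_version(bound))
               for op, bound in re.findall(r"(<=|>=|<|>)\s*([\d.]+)", expr))

def matching_row(model, version):
    """Assumption: a branch row such as 'V9.6x' applies to firmware 9.60-9.69
    and then takes precedence over the model's general row."""
    major, minor = parse_version(version)[:2]
    general = branch = None
    for row in ADVISORY_ROWS:
        if not re.search(rf"\b{re.escape(model)}\b", row[0]):
            continue
        m = re.search(r"V(\d+)\.(\d)x$", row[0])
        if m is None:
            general = row
        elif (int(m.group(1)), int(m.group(2))) == (major, minor // 10):
            branch = row
    return branch or general

def assess(model, version):
    """Return (status, fix): status is 'affected', 'fixed' (at or past the fix),
    'not affected' (below the listed range) or 'unknown' (model not in table)."""
    row = matching_row(model, version)
    if row is None:
        return "unknown", None
    _, expr, fixed = row
    if in_range(version, expr):
        return "affected", fixed
    status = "fixed" if parse_version(version) >= parse_version(fixed) else "not affected"
    return status, fixed
```

Feed it the model and firmware version of each relay from your asset inventory; a 6MD89 on 9.68 is reported as fixed via the V9.6x row, while one on 9.85 is still affected and needs 9.90.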
Remediation & Mitigation
Do now
- WORKAROUND: Restrict access to SNMP port 161/UDP to trusted IP addresses only using firewall rules
- WORKAROUND: Disable the SNMP service on communication modules if it is not required for operations
Schedule — requires maintenance window
Patching may require a device reboot — plan for process interruption
- HOTFIX: Update all SIPROTEC 5 devices to the latest patched versions (9.90 for most models, 10.0 for 7KE85/7ST85/7ST86, 9.68 for V9.6x variants, 9.83 for V9.8x variants)
Long-term hardening
- HARDENING: Segment substation and relay networks from business networks using firewalls
- HARDENING: Deploy device access behind a VPN for remote management if required
CVEs (1)