Siemens SIPROTEC 5 Devices
Plan Patch · CVSS 7.5 · ICS-CERT ICSA-25-044-05 · Feb 11, 2025
Siemens
Attack path
- Attack Vector: Network
- Auth Required: None
- Complexity: Low
- User Interaction: None needed
Summary
An unauthenticated information disclosure vulnerability in SIPROTEC 5 devices allows remote attackers to query and retrieve sensitive device information via SNMP without credentials. This affects protective relays and communication modules used in power substations. Siemens has released firmware updates (version 9.90 or later; version 10.0 for certain models) to fix the vulnerability. Organizations can immediately restrict SNMP access and disable the service if unused.
What this means
What could happen
An attacker can retrieve sensitive information from SIPROTEC 5 relay devices without needing a password, potentially exposing network topology, device configuration, and operational details that could be used to plan further attacks on your substation or utility control systems.
Who's at risk
This affects power utility operators running Siemens SIPROTEC 5 protective relays and communication modules in substations and distribution networks. The vulnerable models include distance relays (7SA, 7SD, 7SL, 7SJ, 7SK, 7SX, 7SY, 7UT, 7ST, 7VE, 7VK, 7VU), frequency relays (7KE85), voltage regulators (6MD, 6MU), and Ethernet communication modules (ETH-BA-2EL, ETH-BB-2FO, ETH-BD-2FO) used for SCADA integration and protection scheme coordination.
How it could be exploited
An attacker sends SNMP queries to port 161/UDP on a SIPROTEC 5 device. The device responds with sensitive information (community strings, configuration details, device status) without requiring authentication. The attacker can do this from any network that can reach the device.
Prerequisites
- Network access to port 161/UDP on the affected SIPROTEC 5 device
- SNMP service enabled on the device (default configuration)
- Device running vulnerable firmware version
Tags: remotely exploitable · no authentication required · low complexity · affects safety systems · information disclosure on critical infrastructure devices
Exploitability
Unlikely to be exploited — EPSS score 0.1%
Affected products (48)
48 with fix
Product                           Affected Versions    Fix Status
SIPROTEC 5 6MD84 (CP300)          < 9.90               9.90
SIPROTEC 5 6MD85 (CP300)          ≥ 8.80, < 9.90       9.90
SIPROTEC 5 6MD86 (CP300)          ≥ 8.80, < 9.90       9.90
SIPROTEC 5 6MD89 (CP300)          ≥ 8.80, < 9.90       9.90
SIPROTEC 5 6MD89 (CP300) V9.6x    < 9.68               9.68
Remediation & Mitigation
Do now
- WORKAROUND: Restrict access to port 161/UDP to trusted IP addresses only, using firewalls or access control lists
- WORKAROUND: Disable the SNMP service on SIPROTEC 5 communication modules if SNMP monitoring is not required
Schedule — requires maintenance window
Patching may require a device reboot; plan for process interruption.
- HOTFIX: Update SIPROTEC 5 devices to firmware version 9.90 or later (or version 10.0 for 7KE85, 7ST85, 7ST86 models as noted)
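A small inventory and exposure check for the two remediation tracks above (patch to the fixed firmware; restrict UDP/161 to trusted hosts). This is an added example, not Siemens or advisory code; the affected ranges are the five table rows on this page, and the inventory, flow-record format and IP addresses are constructed for illustration.

```python
"""Check a SIPROTEC 5 inventory against the advisory's affected-version table
and flag SNMP (UDP/161) traffic from hosts outside the trusted allowlist."""

# (min_inclusive, max_exclusive, fixed_version) from the page's table.
# A None minimum means every earlier version is affected. Only the five rows
# shown on the page are encoded; products absent here are reported as unknown.
AFFECTED = {
    "6MD84 (CP300)":       (None,    (9, 90), (9, 90)),
    "6MD85 (CP300)":       ((8, 80), (9, 90), (9, 90)),
    "6MD86 (CP300)":       ((8, 80), (9, 90), (9, 90)),
    "6MD89 (CP300)":       ((8, 80), (9, 90), (9, 90)),
    "6MD89 (CP300) V9.6x": (None,    (9, 68), (9, 68)),
}

def parse_version(text):
    """'V9.62' or '9.90' -> (9, 62) or (9, 90); minor compared as written."""
    major, minor = text.strip().lstrip("Vv").split(".", 1)
    return (int(major), int(minor))

def is_affected(product, version):
    """True if (product, version) falls inside an affected range on the page."""
    rng = AFFECTED.get(product)
    if rng is None:
        return False  # not in the partial table; treat as unknown, not fixed
    lo, hi, _fix = rng
    v = parse_version(version)
    return (lo is None or v >= lo) and v < hi

def snmp_exposure(flows, trusted):
    """Return (src, dst) pairs for UDP/161 flows whose source is not trusted.
    flows: 'src,dst,proto,dport' strings (constructed flow-log format)."""
    alerts = []
    for line in flows:
        src, dst, proto, dport = line.strip().split(",")
        if proto == "udp" and dport == "161" and src not in trusted:
            alerts.append((src, dst))
    return alerts

# Constructed sample data: four relays and three flow records.
INVENTORY = [("relay-a", "6MD85 (CP300)", "V9.62"),
             ("relay-b", "6MD85 (CP300)", "V9.90"),
             ("relay-c", "6MD89 (CP300) V9.6x", "V9.65"),
             ("relay-d", "6MD84 (CP300)", "V8.10")]
FLOWS = ["10.1.1.5,10.1.2.10,udp,161",    # trusted NMS polling a relay
         "10.1.9.77,10.1.2.10,udp,161",   # untrusted host querying SNMP
         "10.1.9.77,10.1.2.10,tcp,102"]   # not SNMP, ignored here
TRUSTED = {"10.1.1.5"}

def report():
    """(devices needing the fixed firmware, untrusted SNMP sources seen)."""
    to_patch = [(name, prod, ver, AFFECTED[prod][2])
                for name, prod, ver in INVENTORY if is_affected(prod, ver)]
    return to_patch, snmp_exposure(FLOWS, TRUSTED)
```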
CVEs (1)