Siemens SIPROTEC and SICAM

Act Now | CVSS 9 | ICS-CERT ICSA-25-135-05 | May 13, 2025
Siemens | Energy
Attack path
Attack Vector: Network
Auth Required: None
Complexity: High
User Interaction: None needed
Summary

CVE-2024-3596 ("BlastRADIUS") is a RADIUS protocol vulnerability affecting SIPROTEC and SICAM authentication. An on-path attacker located between a SIPROTEC/SICAM device and its RADIUS authentication server can forge Access-Request and Access-Accept packets to bypass credential validation. This allows the attacker to gain network access and system authorization without knowing legitimate credentials, potentially enabling unauthorized control of protective relays and power management functions. Siemens has released patched versions for most affected products and recommends isolating RADIUS traffic to protected networks and configuring RADIUS servers to require Message-Authenticator attributes as interim mitigations.

What this means
What could happen
An attacker positioned between a SIPROTEC/SICAM device and its authentication server could intercept and forge RADIUS authentication messages, allowing them to bypass login credentials and gain unauthorized access to the device. This could allow them to modify protective relay settings, disable alarms, or alter power distribution commands.
Who's at risk
Electric utilities and power distribution operators using Siemens SIPROTEC protective relays and SICAM power management devices for generation, transmission, and distribution control should prioritize this vulnerability. SIPROTEC 5 relays (all variants across distance, overcurrent, and transformer protection) and SICAM central processing units are used to monitor and control grid operations; compromise could allow manipulation of critical protection functions.
How it could be exploited
The attacker must be on the network path between the affected device (acting as a RADIUS client) and the RADIUS authentication server. They intercept RADIUS Access-Request packets and craft fraudulent Access-Accept responses to trick the device into granting access without valid credentials. No legitimate credentials are needed.
Prerequisites
  • Network access to RADIUS traffic between the device and authentication server (man-in-the-middle position)
  • Device must be configured to use RADIUS authentication
  • RADIUS server must not require Message-Authenticator attribute in Access-Request packets
  • Remotely exploitable
  • No authentication required (attacker can bypass credentials)
  • Low complexity attack (RADIUS packet forgery)
  • High EPSS score (23.8%)
  • Affects critical protective relay systems
  • One product line has no patch available (Powerlink IP)
Exploitability
Likely to be exploited — EPSS score 19.0%
Public Proof-of-Concept (PoC) on GitHub (1 repository)
Affected products (53)
52 with fix, 1 pending
Product | Affected Versions | Fix Status
CPC80 Central Processing/Communication | < 16.51 | 16.51
CPCI85 Central Processing/Communication | < 6.20 | 6.20
POWER METER SICAM Q100 family | < 2.70 | 2.70
POWER METER SICAM Q200 family | < 2.83 | 2.83
Powerlink IP | All versions | No fix yet
Remediation & Mitigation
Do now
WORKAROUND: Configure RADIUS server to require Message-Authenticator attribute in all Access-Request packets from RADIUS client devices
HARDENING: Restrict network access to RADIUS traffic by isolating it to a dedicated management network or VLAN separate from untrusted networks
Schedule — requires maintenance window

Patching may require device reboot — plan for process interruption

SICAM GridPass
HOTFIX: Update affected SIPROTEC and SICAM products to the patched versions listed in the advisory (e.g., SIPROTEC 5 with CP300 to v10.0, SICAM Q100 to v2.70, SICAM GridPass to v2.50)
Long-term hardening
HARDENING: Implement network segmentation and access controls to prevent unauthorized devices from positioning themselves between SIPROTEC/SICAM devices and the RADIUS server