OTPulse

Siemens SIPROTEC and SICAM

Act Now · CVSS 9 · ICS-CERT ICSA-25-135-05 · May 13, 2025
Attack Vector: Network
Auth Required: None
Complexity: High
User Interaction: None needed
Summary

CVE-2024-3596 ("BlastRADIUS") is a vulnerability in the RADIUS authentication protocol affecting Siemens SIPROTEC protective relays, SICAM power measurement and grid automation systems, CPC/CPCI central processors, and related products. An on-path attacker positioned between a RADIUS client device and the authentication server can forge RADIUS response packets to convert authentication rejections into acceptances, granting network access without valid credentials. This could allow an attacker to access and control protective relays, power meters, and grid automation systems that rely on RADIUS for network authentication. Siemens has released patched versions for most affected products. For products without an available fix, Siemens recommends immediately segmenting RADIUS traffic onto a dedicated network and configuring the RADIUS server to require the Message-Authenticator attribute.

What this means
What could happen
An attacker positioned between a SIPROTEC or SICAM device and its RADIUS authentication server could forge authentication responses to gain network access without valid credentials, potentially allowing unauthorized control of protective relays, power meters, and grid automation systems.
Who's at risk
Electric utilities and grid operators using Siemens SIPROTEC protective relays, SICAM power meter systems, SICAM GridPass, or CPC/CPCI central processing/communication modules for distribution and transmission automation. This affects all major Siemens protection and automation devices used in substations and grid control centers.
How it could be exploited
The attacker must be on the network path between the RADIUS client (e.g., a SICAM device) and the RADIUS server. They intercept RADIUS Access-Request packets, modify the server response to change "Access-Reject" to "Access-Accept", and the affected device grants network access with the attacker's desired privileges without requiring valid credentials.
Prerequisites
  • Network position between RADIUS client and server (on-path attacker)
  • RADIUS protocol in use for device authentication
  • Access to RADIUS traffic (same network segment or compromised network infrastructure)
  • Target device running vulnerable firmware version
  • remotely exploitable via network path
  • no authentication credentials required for exploitation
  • affects critical protection relays that control power flow and grid stability
  • Powerlink IP has no fix available
  • high CVSS score (9.0) indicating severe impact
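The exploitation path above and the Message-Authenticator workaround in the remediation section are easier to reason about with the two RADIUS integrity fields side by side. The following is an added example written for this page, not code from the advisory, from Siemens, or from any RADIUS implementation. It builds an Access-Accept/Access-Reject the way RFC 2865 (Response Authenticator, a plain MD5 over the packet and shared secret) and RFC 2869 section 5.14 (Message-Authenticator, an HMAC-MD5 keyed with the shared secret) specify, and a client-side verifier that refuses any response lacking a valid Message-Authenticator. The shared secret, packet identifiers, Request Authenticator and attribute payloads are constructed sample values. The point it demonstrates: an on-path rewrite of Access-Reject to Access-Accept invalidates the HMAC, which cannot be recomputed without the secret, whereas the unkeyed Response Authenticator is the field the attack described above targets.

```python
import hashlib
import hmac
import struct

# RADIUS packet codes (RFC 2865, section 3)
ACCESS_REQUEST = 1
ACCESS_ACCEPT = 2
ACCESS_REJECT = 3
REPLY_MESSAGE = 18            # attribute type, used here only as a sample payload
MESSAGE_AUTHENTICATOR = 80    # attribute type (RFC 2869, section 5.14)

# Fixed 20-byte header: Code, Identifier, Length, Authenticator
HEADER = struct.Struct("!BBH16s")


def _attr(attr_type: int, value: bytes) -> bytes:
    """Encode one attribute as Type / Length / Value; Length counts the two header bytes."""
    return bytes([attr_type, 2 + len(value)]) + value


def _parse_attrs(body: bytes):
    """Yield (offset, type, value) for each attribute in the packet body."""
    i = 0
    while i < len(body):
        if i + 2 > len(body):
            raise ValueError("truncated attribute header")
        t, ln = body[i], body[i + 1]
        if ln < 2 or i + ln > len(body):
            raise ValueError("malformed attribute length")
        yield i, t, body[i + 2:i + ln]
        i += ln


def build_response(code, identifier, request_auth, secret, attrs, include_ma=True):
    """Server side: build an Access-Accept/Reject answering the request whose Authenticator is request_auth.

    With include_ma=True the Message-Authenticator is placed first and computed as
    HMAC-MD5(secret, Code+ID+Length+RequestAuth+Attributes) with its own value zeroed
    (RFC 2869 5.14). include_ma=False models a legacy server that omits the attribute.
    """
    body = b"".join(_attr(t, v) for t, v in attrs)
    if include_ma:
        placeholder = _attr(MESSAGE_AUTHENTICATOR, bytes(16))
        length = HEADER.size + len(placeholder) + len(body)
        mac_input = HEADER.pack(code, identifier, length, request_auth) + placeholder + body
        mac = hmac.new(secret, mac_input, hashlib.md5).digest()
        body = _attr(MESSAGE_AUTHENTICATOR, mac) + body
    length = HEADER.size + len(body)
    # Response Authenticator = MD5(Code+ID+Length+RequestAuth+Attributes+Secret) (RFC 2865, section 3):
    # an unkeyed hash, which is why it is the field an on-path forgery aims at.
    resp_auth = hashlib.md5(HEADER.pack(code, identifier, length, request_auth) + body + secret).digest()
    return HEADER.pack(code, identifier, length, resp_auth) + body


def verify_response(packet, request_auth, secret):
    """Client side: return (ok, reason). A valid Message-Authenticator is required before anything else."""
    if len(packet) < HEADER.size:
        return False, "short packet"
    code, identifier, length, resp_auth = HEADER.unpack_from(packet)
    if length != len(packet):
        return False, "length mismatch"
    body = packet[HEADER.size:]
    try:
        found = [(off, v) for off, t, v in _parse_attrs(body) if t == MESSAGE_AUTHENTICATOR]
    except ValueError as exc:
        return False, str(exc)
    if not found:
        return False, "Message-Authenticator missing"
    off, mac = found[0]
    if len(mac) != 16:
        return False, "bad Message-Authenticator length"
    # Recompute the HMAC over the packet with the attribute value zeroed and the
    # Authenticator field holding the Request Authenticator, as the server did.
    zeroed = body[:off] + _attr(MESSAGE_AUTHENTICATOR, bytes(16)) + body[off + 18:]
    expected_mac = hmac.new(secret, HEADER.pack(code, identifier, length, request_auth) + zeroed, hashlib.md5).digest()
    if not hmac.compare_digest(mac, expected_mac):
        return False, "bad Message-Authenticator"
    expected_resp_auth = hashlib.md5(HEADER.pack(code, identifier, length, request_auth) + body + secret).digest()
    if not hmac.compare_digest(resp_auth, expected_resp_auth):
        return False, "bad Response Authenticator"
    if code == ACCESS_ACCEPT:
        return True, "accept"
    if code == ACCESS_REJECT:
        return True, "reject"
    return False, "unexpected code %d" % code


if __name__ == "__main__":
    # Constructed values: the shared secret and Request Authenticator are not real.
    secret = b"constructed-shared-secret"
    request_auth = bytes(range(16))
    reject = build_response(ACCESS_REJECT, 7, request_auth, secret, [(REPLY_MESSAGE, b"denied")])
    print("genuine reject           ->", verify_response(reject, request_auth, secret))
    flipped = bytes([ACCESS_ACCEPT]) + reject[1:]   # on-path rewrite of Reject to Accept
    print("reject flipped to accept ->", verify_response(flipped, request_auth, secret))
    legacy = build_response(ACCESS_ACCEPT, 8, request_auth, secret, [], include_ma=False)
    print("no Message-Authenticator ->", verify_response(legacy, request_auth, secret))
```

The verifier deliberately checks the Message-Authenticator before the Response Authenticator, so the flipped packet is reported as "bad Message-Authenticator" rather than being caught only by the weaker MD5 field; the "missing" outcome for the legacy response is the client-side counterpart of the server-side "require Message-Authenticator" setting in the workaround, and is what a device without a firmware fix cannot enforce on its own.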
Exploitability
High exploit probability (EPSS 23.8%)
Affected products (53)
52 with fix, 1 pending

Product | Affected Versions | Fix Status
CPC80 Central Processing/Communication | < 16.51 | 16.51
CPCI85 Central Processing/Communication | < 6.20 | 6.20
POWER METER SICAM Q100 family | < 2.70 | 2.70
POWER METER SICAM Q200 family | < 2.83 | 2.83
Powerlink IP | All versions | No fix yet
Remediation & Mitigation

Do now
WORKAROUND: Restrict RADIUS traffic to a dedicated management network or VLAN, isolating it from general operational network segments
WORKAROUND: Configure the RADIUS server to require the Message-Authenticator attribute in all Access-Request packets from RADIUS client devices that support it

Schedule — requires maintenance window

Patching may require device reboot — plan for process interruption

POWER METER SICAM Q100 family
HOTFIX: Update POWER METER SICAM Q100 family to version 2.70 or later
POWER METER SICAM Q200 family
HOTFIX: Update POWER METER SICAM Q200 family to version 2.83 or later
SICAM GridPass
HOTFIX: Update SICAM GridPass to version 2.50 or later
SICORE Base system
HOTFIX: Update SICORE Base system to version 2.20.0 or later
SIPROTEC 5 6MD84 (CP300)
HOTFIX: Update SIPROTEC 5 6MD84 (CP300) to version 10.0 or later
HOTFIX: Update SIPROTEC 5 6MD85, 6MD86, 6MD89 (CP300) to version 10.0 or later, or 9.68 for 6MD89 V9.6x
HOTFIX: Update SIPROTEC 5 6MU85 (CP300) to version 10.0 or later
HOTFIX: Update SIPROTEC 5 7KE85, 7SA86, 7SA87, 7SD86, 7SD87, 7SJ85, 7SJ86, 7SK85, 7SL86, 7SL87, 7SS85, 7ST85, 7ST86, 7SX85, 7UM85, 7UT85, 7UT86, 7UT87, 7VE85, 7VK87, 7VU85 (CP300) to version 10.0 or later
HOTFIX: Update SIPROTEC 5 7ST85 (CP300) V9.6x to version 9.68 or later
HOTFIX: Update SIPROTEC 5 7ST86 (CP300) to version 9.83 or later
SIPROTEC 5 7SA82 (CP100)
HOTFIX: Update SIPROTEC 5 7SA82, 7SD82, 7SJ81, 7SJ82, 7SK82, 7SL82, 7UT82 (CP100) to version 8.90 or later
SIPROTEC 5 7SA82 (CP150)
HOTFIX: Update SIPROTEC 5 7SA82, 7SD82, 7SJ81, 7SJ82, 7SK82, 7SL82, 7SX82, 7SY82, 7UT82 (CP150) to version 10.0 or later
SIPROTEC 5 Compact 7SX800 (CP050)
HOTFIX: Update SIPROTEC 5 Compact 7SX800 (CP050) to version 10.0 or later
All products
HOTFIX: Update CPC80 to version 16.51 or later
HOTFIX: Update CPCI85 to version 6.20 or later
Long-term hardening
HARDENING: Implement network segmentation to protect device access using firewalls and access control lists
HARDENING: Review and apply Siemens operational guidelines for industrial security and the device manual recommendations for configuring a protected IT environment