OTPulse

Siemens Energy Services

Act Now | 9.9 | ICS-CERT ICSA-25-162-06 | Jun 10, 2025
Attack Vector: Network
Auth Required: None
Complexity: Low
User Interaction: None needed

Summary

Siemens Energy Services solutions using the Elspec G5 Digital Fault Recorder contain default credentials with administrative privileges. The G5DFR is used to record and analyze electrical faults on power systems. If a client configuration enables remote access and default credentials are not changed, an attacker with network reachability to the device can log in, gain admin control, and modify fault recording outputs or device parameters. This could allow tampering with power system monitoring data, masking failures, or interfering with grid protection operations.

What this means
What could happen
An attacker with network access to the Elspec G5 Digital Fault Recorder could use default credentials to gain administrative control, alter fault recording outputs, or tamper with power system monitoring data. This could mask equipment failures, mislead operators, or interfere with grid protection decisions.
Who's at risk
This affects electric utilities and energy operators that deploy Siemens Energy Services with Elspec G5 Digital Fault Recorder equipment. Fault recorders are critical for analyzing grid disturbances, protecting transformers and transmission lines, and investigating outages. Any organization with remote monitoring or troubleshooting capabilities is at higher risk.
How it could be exploited
An attacker discovers that the device is reachable from the network (especially if remote access is configured). They log in to the web interface using publicly known default credentials. Once authenticated with admin privileges, they can modify device settings, outputs, or operational parameters.
Prerequisites
  • Network access to the G5DFR web interface (typically HTTP/HTTPS port)
  • Device must be reachable from attacker's network position (e.g., internet-facing or accessible from compromised internal host)
  • Default credentials have not been changed from factory settings
  • Remote access feature must be enabled (if attacking from outside the local network)
remotely exploitable · no authentication required (default credentials) · low complexity · no patch available · affects critical infrastructure operations · affects power system protection and monitoring
Exploitability
Low exploit probability (EPSS 0.1%)
Affected products (1)
Product | Affected Versions | Fix Status
Energy Services | All versions | No fix yet
Remediation & Mitigation
Do now
  • WORKAROUND: Use the G5DFR web interface to change all default usernames and passwords immediately, and set appropriate permission levels for each account
  • HARDENING: Disable or restrict remote access to the G5DFR web interface unless explicitly required for operations
  • HARDENING: Place the G5DFR and Energy Services infrastructure behind a firewall with ingress rules blocking unauthorized access
Schedule — requires maintenance window

Patching may require device reboot — plan for process interruption

  • HARDENING: Isolate the fault recorder and Energy Services systems from business networks and ensure they are not directly accessible from the internet
  • HARDENING: If remote access is required, implement a VPN with strong authentication (multi-factor if available) and keep VPN software patched
  • HARDENING: Review and enforce role-based access control: assign minimum necessary privileges to users and service accounts
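
One way to verify the firewall and isolation items above is to replay the network positions you care about against the ingress rule list and confirm that only the approved VPN pool reaches the recorder's web interface. This is an added example, not part of the advisory or any vendor tooling; the rule format, all addresses, and the port numbers are constructed placeholders and assumptions.

```python
from ipaddress import ip_address, ip_network

WEB_PORTS = (80, 443)        # assumption: web interface on the usual HTTP/HTTPS ports
RECORDER = "10.20.5.10"      # placeholder address for the fault recorder
APPROVED = ["10.99.0.0/24"]  # placeholder: VPN client pool allowed to manage it

# Constructed vantage points to test from (placeholder addresses).
VANTAGE = {"vpn-client": "10.99.0.15", "business-lan": "10.1.4.20", "internet": "203.0.113.7"}

# Constructed first-match ruleset; the second rule is the weak setting.
WEAK_RULES = [
    {"src": "10.99.0.0/24", "dst": "10.20.5.10/32", "ports": {443}, "action": "allow"},
    {"src": "10.0.0.0/8", "dst": "10.20.5.0/24", "ports": {80, 443}, "action": "allow"},
    {"src": "0.0.0.0/0", "dst": "0.0.0.0/0", "ports": None, "action": "deny"},
]
# Corrected ruleset: the broad internal allow rule is removed.
HARDENED_RULES = [WEAK_RULES[0], WEAK_RULES[2]]


def decide(rules, src, dst, port):
    """Return the action of the first rule matching the packet; deny if none match."""
    for r in rules:
        if (ip_address(src) in ip_network(r["src"])
                and ip_address(dst) in ip_network(r["dst"])
                and (r["ports"] is None or port in r["ports"])):
            return r["action"]
    return "deny"


def audit(rules, recorder=RECORDER, vantage=VANTAGE, approved=APPROVED):
    """List (vantage, port) pairs where an unapproved source reaches the web interface."""
    findings = []
    for name, src in vantage.items():
        is_approved = any(ip_address(src) in ip_network(n) for n in approved)
        for port in WEB_PORTS:
            if not is_approved and decide(rules, src, recorder, port) == "allow":
                findings.append((name, port))
    return findings


if __name__ == "__main__":
    for label, rules in (("weak", WEAK_RULES), ("hardened", HARDENED_RULES)):
        print(label, audit(rules))
```

An empty findings list only shows that the rule list blocks the tested positions; the default credentials still have to be changed on the device itself.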