Siemens Energy Services

Plan Patch | CVSS 9.9 | ICS-CERT ICSA-25-162-06 | Jun 10, 2025
Siemens, Energy
Attack path
Attack Vector: Network
Auth Required: None
Complexity: Low
User Interaction: None needed
Summary

Siemens Energy Services solutions using the Elspec G5 Digital Fault Recorder contain hardcoded default credentials with admin privileges. The G5DFR component allows an attacker with network access to log in using these credentials and gain remote control, enabling tampering with fault recording outputs and potentially affecting grid stability data used in operational decisions. All versions are affected. Siemens has not released a firmware patch; remediation requires manual credential changes and network isolation.

What this means
What could happen
An attacker with network access to the G5 Digital Fault Recorder could log in using default credentials and modify fault recorder outputs or tamper with recorded grid fault data, potentially affecting grid stability assessment and control system response during incidents.
Who's at risk
Energy utilities and grid operators using Siemens Energy Services with G5 Digital Fault Recorder components for grid monitoring and fault analysis. This affects organizations that have deployed Elspec G5DFR devices for power quality monitoring and grid event recording.
How it could be exploited
An attacker reaches the web interface of the G5DFR component (typically port 80/443) either from the Internet if remote access is enabled, or from a compromised internal network. The attacker logs in with default admin credentials and gains full control to modify outputs and recorded fault data.
Prerequisites
  • Network access to G5DFR web interface (TCP ports 80/443)
  • Remote access enabled on the device (not required if attacker is already inside the network)
  • Default credentials have not been changed
Tags: remotely exploitable, no authentication required (uses default credentials), low complexity, affects critical grid infrastructure, no patch available, default credentials
Exploitability
Unlikely to be exploited — EPSS score 0.3%
Affected products (1)
Product: Energy Services
Affected Versions: All versions
Fix Status: No fix yet
Remediation & Mitigation
Do now
  • WORKAROUND: Change all default usernames and passwords on the G5DFR web interface and set appropriate permission levels
  • HARDENING: Restrict network access to G5DFR web interface from the Internet; if remote access is required, use a VPN with separate authentication
Schedule — requires maintenance window

Patching may require device reboot — plan for process interruption

  • HARDENING: Isolate Energy Services systems from business networks using firewalls and network segmentation
  • WORKAROUND: Contact Siemens customer support to validate current configuration and confirm all credentials have been changed from factory defaults
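
The network-restriction and segmentation steps above can be checked against a firewall rule export. The following is an added example, not part of the original advisory or of any Siemens or Elspec tooling: it evaluates a rule list with first-match semantics and reports which source zones can still reach the G5DFR web ports (TCP 80/443). All addresses, zone names, device names and the rule format are constructed assumptions.

```python
import ipaddress

WEB_PORTS = (80, 443)  # G5DFR web interface ports named in the advisory

def first_match(rules, src, dst, port):
    """Return the action of the first rule matching the flow (default deny)."""
    src, dst = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    for rule in rules:
        if (src in ipaddress.ip_network(rule["src"])
                and dst in ipaddress.ip_network(rule["dst"])
                and port in rule["ports"]):
            return rule["action"]
    return "deny"

def exposed_paths(rules, devices, probes, permitted_zones):
    """List (zone, device, port) flows reaching the web UI from a non-permitted zone."""
    findings = []
    for zone, src in probes.items():
        if zone in permitted_zones:
            continue  # e.g. the authenticated VPN is the intended access path
        for name, ip in devices.items():
            for port in WEB_PORTS:
                if first_match(rules, src, ip, port) == "allow":
                    findings.append((zone, name, port))
    return findings

# Constructed sample data (hypothetical site; not taken from the advisory)
DEVICES = {"dfr-sub-a": "10.50.1.10", "dfr-sub-b": "10.50.2.10"}
# One representative source address per zone to probe the rule set with
PROBES = {"internet": "198.51.100.7", "business-lan": "10.10.4.25", "ot-vpn": "10.99.0.5"}
RULES = [
    {"src": "10.99.0.0/24", "dst": "10.50.0.0/16", "ports": [443], "action": "allow"},
    # Legacy rule: business LAN straight to the recorder subnet
    {"src": "10.10.0.0/16", "dst": "10.50.1.0/24", "ports": [80, 443], "action": "allow"},
    # Forgotten port forward that shadows the deny rule below
    {"src": "0.0.0.0/0", "dst": "10.50.2.10/32", "ports": [443], "action": "allow"},
    {"src": "0.0.0.0/0", "dst": "10.50.0.0/16", "ports": [80, 443], "action": "deny"},
]

def audit_sample():
    """Run the audit on the constructed data; only the VPN zone is permitted."""
    return exposed_paths(RULES, DEVICES, PROBES, permitted_zones={"ot-vpn"})

if __name__ == "__main__":
    for zone, device, port in audit_sample():
        print(f"EXPOSED: {zone} -> {device} tcp/{port}")
```

Every finding is a path on which unchanged default credentials would be usable, so each one should be closed or justified before the credential change is considered complete.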
API: /api/v1/advisories/5b1355c8-c556-4778-9866-097aa5456796


Siemens Energy Services | CVSS 9.9 - OTPulse