Siemens SIPROTEC 5

Monitor | CVSS 5.3 | ICS-CERT ICSA-25-191-06 | Jul 8, 2025
Siemens
Attack path
Attack Vector: Network
Auth Required: None
Complexity: High
User Interaction: Required
Summary

A sensitive data exposure vulnerability in SIPROTEC 5 protective relay devices allows an attacker to retrieve sensitive session data from browser history, logs, or other storage mechanisms, potentially leading to unauthorized access. The vulnerability affects all versions of SIPROTEC 5 protective relays across multiple models (6MD, 6MU, 7KE, 7SA, 7SD, 7SJ, 7SK, 7SL, 7SS, 7ST, 7SX, 7SY, 7UM, 7UT, 7UE, 7VK, 7VU models with CP100, CP150, CP300, and CP050 processor modules). Siemens is preparing fix versions for affected products.

What this means
What could happen
An attacker could extract sensitive session data or credentials from a SIPROTEC 5 device, potentially gaining unauthorized access to the protective relay's management interface and modifying protection settings or control logic. This could compromise the reliability of electrical grid protection and enable unauthorized manipulation of power system operations.
Who's at risk
Power system operators and TSOs/DSOs worldwide who deploy SIPROTEC 5 protective relay devices for electrical grid protection. This includes utilities responsible for generation, transmission, and distribution protection schemes. Facilities using any of the SIPROTEC 5 models (6MD, 6MU, 7KE, 7SA, 7SD, 7SJ, 7SK, 7SL, 7SS, 7ST, 7SX, 7SY, 7UM, 7UT, 7VK, 7VU series) with CP100, CP150, CP300, or CP050 processor modules are affected.
How it could be exploited
An attacker with network access to the SIPROTEC 5 web interface could trigger the device to expose sensitive session data through browser history, cached logs, or local storage. The attacker could then use this exposed data (such as session tokens or credentials) to gain unauthorized access to the relay's configuration and control functions without needing to re-authenticate.
Prerequisites
  • Network access to the SIPROTEC 5 web management interface (typically HTTP/HTTPS port 80/443)
  • Ability to view or extract browser history, logs, or storage data from the affected device or a user's management workstation
  • No patch available (end-of-life products)
  • Affects critical power grid protection devices
  • Sensitive data exposure
  • Could enable unauthorized access to protective relay configuration
Exploitability
Unlikely to be exploited — EPSS score 0.3%
Affected products (44)
44 pending
Product | Affected Versions | Fix Status
SIPROTEC 5 6MD84 (CP300) | All versions | No fix yet
SIPROTEC 5 6MD85 (CP300) | All versions | No fix yet
SIPROTEC 5 6MD86 (CP300) | All versions | No fix yet
SIPROTEC 5 6MD89 (CP300) | All versions | No fix yet
SIPROTEC 5 6MD89 (CP300) V9.6 | All versions | No fix yet
Remediation & Mitigation
Do now
HARDENING: Restrict network access to SIPROTEC 5 management interfaces using firewall rules; allow only authorized engineering and operations workstations
HARDENING: Implement network segmentation to isolate SIPROTEC 5 devices on a protected OT network with limited connectivity to untrusted networks
WORKAROUND: Clear browser cache, history, and local storage on all engineering workstations used to manage SIPROTEC 5 devices after each session
Schedule — requires maintenance window

Patching may require device reboot — plan for process interruption

HARDENING: Ensure that SIPROTEC 5 management access is restricted to authenticated users only; regularly audit access logs for unauthorized attempts
Long-term hardening
HARDENING: Deploy VPN or jump-server architecture for remote access to SIPROTEC 5 management interfaces; do not allow direct Internet access
HARDENING: Review and verify multi-level redundant secondary protection schemes are in place per operational guidelines
Siemens SIPROTEC 5 | CVSS 5.3 - OTPulse