OTPulse

Siemens SIPROTEC 5

Monitor | 5.3 | ICS-CERT ICSA-25-191-06 | Jul 8, 2025
Attack Vector: Network
Auth Required: None
Complexity: High
User Interaction: Required
Summary

A sensitive data exposure vulnerability in SIPROTEC 5 protection relays can allow an attacker to retrieve sensitive session data from browser history, logs, or other storage mechanisms, potentially leading to unauthorized access to the device. Siemens is preparing fix versions and recommends countermeasures including network segmentation, firewall protection, and implementation of redundant secondary protection schemes. Operators should validate security updates before deployment and ensure devices are configured according to Siemens operational guidelines in a protected IT environment.

What this means
What could happen
An attacker who gains network access to a SIPROTEC 5 device can retrieve sensitive session data from browser history, logs, or storage mechanisms, potentially enabling unauthorized access to the protection relay or control of critical power infrastructure.
Who's at risk
Operators of electric power systems (transmission operators, distribution operators) using any version of Siemens SIPROTEC 5 protection relays (6MD, 6MU, 7KE, 7SA, 7SD, 7SJ, 7SK, 7SL, 7SS, 7ST, 7SX, 7SY, 7UM, 7UT, 7VE, 7VK, 7VU models) in substations. This affects both compact and standard configurations on CP050, CP100, CP150, and CP300 platforms.
How it could be exploited
An attacker on the same network or with network access to the device can retrieve sensitive session information (credentials, session tokens, or configuration data) stored in browser history, logs, or other accessible storage on the SIPROTEC 5 web interface or engineering station. This data could then be used to gain unauthorized access to the device or related systems.
Prerequisites
  • Network access to the SIPROTEC 5 device or engineering workstation
  • Ability to access browser history, logs, or local storage on the affected system
  • No authentication required to retrieve the sensitive data from storage
No patch available | Remotely exploitable | Sensitive data exposure | Affects power grid protection systems | Affects safety-critical infrastructure
Exploitability
Low exploit probability (EPSS 0.1%)
Affected products (44)
44 pending
Product | Affected Versions | Fix Status
SIPROTEC 5 6MD84 (CP300) | All versions | No fix yet
SIPROTEC 5 6MD85 (CP300) | All versions | No fix yet
SIPROTEC 5 6MD86 (CP300) | All versions | No fix yet
SIPROTEC 5 6MD89 (CP300) | All versions | No fix yet
SIPROTEC 5 6MD89 (CP300) V9.6 | All versions | No fix yet
Remediation & Mitigation
Do now
WORKAROUND: Restrict network access to SIPROTEC 5 devices using firewall rules that only allow connections from authorized engineering workstations and control centers
Schedule — requires maintenance window

Patching may require device reboot — plan for process interruption

HOTFIX: Apply security updates from Siemens when available using validated procedures and trained staff supervision
Long-term hardening
HARDENING: Segment the SIPROTEC 5 devices on a protected network using firewalls and network isolation to limit access from untrusted networks
HARDENING: Implement redundant secondary protection schemes as recommended by regulatory requirements to minimize impact if a relay is compromised
HARDENING: Configure devices according to Siemens operational guidelines at https://www.siemens.com/gridsecurity to run in a protected IT environment
API: /api/v1/advisories/efd204be-4ea2-4547-a04d-ac1e3ad256a5