OTPulse

Siemens SIPROTEC 5

Low Risk · 2.4 · ICS-CERT ICSA-25-226-10 · Aug 12, 2025
Attack Vector: Physical
Auth Required: None
Complexity: Low
User Interaction: None needed
Summary

SIPROTEC 5 protection relays do not properly limit the bandwidth for incoming network packets over their local USB port. An attacker with physical access could send specially crafted packets with high bandwidth, causing the device to exhaust memory and stop responding to network traffic via USB. The affected device automatically resets after the attack, and the protection function is not affected. Siemens has released firmware version 10.0 or later for all affected models.

What this means
What could happen
An attacker with physical USB access to a SIPROTEC 5 relay could send specially crafted high-bandwidth packets to exhaust device memory, causing the relay to stop responding to network traffic and requiring an automatic restart. The protection function itself is not affected.
Who's at risk
Power transmission and distribution operators who manage Siemens SIPROTEC 5 protection relays (models 6MD84, 6MD85, 6MD86, 6MD89, 6MU85, 7KE85, 7SA82, 7SA86, 7SA87, 7SD82, 7SD86, 7SD87, 7SJ81, 7SJ82, 7SJ85, 7SJ86, 7SK82, 7SK85, 7SL82, 7SL86, 7SL87, 7SS85, 7ST85, 7ST86, 7SX82, 7SX85, 7SX800, 7SY82, 7UM85, 7UT82, 7UT85, 7UT86, 7UT87, 7VE85, 7VK87, 7VU85) running firmware versions before 10.0 should be concerned about this vulnerability.
How it could be exploited
An attacker with direct physical access to the USB port on a SIPROTEC 5 relay sends specially crafted network packets with high bandwidth to the device. The device fails to properly limit incoming packet bandwidth over USB, leading to memory exhaustion. The device becomes unresponsive and automatically resets.
Prerequisites
  • Physical access to the USB port on the SIPROTEC 5 device
  • Ability to connect a device or cable to the USB port
  • requires physical access (low operational risk)
  • affects availability of relay communications
  • no authentication required for USB access
  • low complexity exploitation
  • all affected models have vendor fix available
Exploitability
Low exploit probability (EPSS 0.0%)
Affected products (36)
36 with fix
| Product | Affected Versions | Fix Status |
|---|---|---|
| SIPROTEC 5 6MD84 (CP300) | < 10.0 | 10.0 |
| SIPROTEC 5 6MD85 (CP300) | ≥ 7.80, < 10.0 | 10.0 |
| SIPROTEC 5 6MD86 (CP300) | ≥ 7.80, < 10.0 | 10.0 |
| SIPROTEC 5 6MD89 (CP300) | ≥ 7.80, < 10.0 | 10.0 |
| SIPROTEC 5 6MU85 (CP300) | ≥ 7.80, < 10.0 | 10.0 |
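
An added example (not part of the advisory and not Siemens tooling): a fleet triage check against the affected-version ranges in the table above. It covers only the five models shown in that table, the inventory is constructed, and it assumes firmware versions are dotted integers with an optional leading "V".

```python
import csv
import re

# Advisory product table (five rows shown): model -> (min inclusive, fixed version).
AFFECTED = {
    "6MD84": (None, "10.0"),  # table lists only "< 10.0"
    "6MD85": ("7.80", "10.0"),
    "6MD86": ("7.80", "10.0"),
    "6MD89": ("7.80", "10.0"),
    "6MU85": ("7.80", "10.0"),
}

def parse_version(text):
    """'V9.64' -> (9, 64). Assumption: dotted integers, optional leading V."""
    m = re.fullmatch(r"[Vv]?(\d+(?:\.\d+)*)", text.strip())
    if not m:
        raise ValueError(f"unparseable firmware version: {text!r}")
    parts = [int(p) for p in m.group(1).split(".")]
    while len(parts) > 1 and parts[-1] == 0:  # so '10' compares equal to '10.0'
        parts.pop()
    return tuple(parts)

def triage(model, firmware):
    rng = AFFECTED.get(model.strip().upper())
    if rng is None:
        return "unknown"  # model not in the table above: check the vendor advisory
    try:
        ver = parse_version(firmware)
    except ValueError:
        return "unknown"  # unreadable version: verify on the device
    low, fixed = rng
    if low is not None and ver < parse_version(low):
        return "not_affected"  # below the listed affected range
    return "affected" if ver < parse_version(fixed) else "not_affected"

def triage_inventory(csv_text):
    return {r["asset"]: triage(r["model"], r["firmware"])
            for r in csv.DictReader(csv_text.splitlines())}

# Constructed sample inventory (asset names and versions are made up).
INVENTORY = """asset,model,firmware
bay-01,6MD85,V9.64
bay-02,6MD86,10.0
bay-03,6MD84,7.50
bay-04,6MD89,7.50
bay-05,7SJ82,9.30
"""

if __name__ == "__main__":
    print(triage_inventory(INVENTORY))
```

Versions are compared as integer tuples because a plain string comparison would rank "7.80" above "10.0" and mark unpatched relays as fixed.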
Remediation & Mitigation
Do now
HARDENING: Restrict physical access to USB ports on SIPROTEC 5 devices through enclosure design or physical locks
Schedule — requires maintenance window

Patching may require device reboot — plan for process interruption

HOTFIX: Update SIPROTEC 5 devices to firmware version 10.0 or later
Long-term hardening
HARDENING: Isolate SIPROTEC 5 devices from business networks and place behind firewalls