Siemens SIPROTEC 5

Low Risk | CVSS 2.4 | ICS-CERT ICSA-25-226-10 | Aug 12, 2025
Siemens | Transportation
Attack path
  • Attack Vector: Physical
  • Auth Required: None
  • Complexity: Low
  • User Interaction: None needed
Summary

SIPROTEC 5 protective relay devices do not properly limit bandwidth for incoming network packets on their local USB port. An attacker with physical access could send specially crafted packets with high bandwidth to exhaust device memory, forcing the device to stop responding to network traffic via USB. The device automatically resets after the attack and the core protection function remains unaffected. Siemens has released version 10.0 and later to address this issue.

What this means
What could happen
An attacker with physical access to the USB port on an affected SIPROTEC 5 device could send specially crafted network packets to exhaust the device's memory, causing it to stop responding to traffic temporarily until it auto-resets. While the protection function remains operational, the device would be unavailable during the attack and reset cycle.
Who's at risk
This affects Siemens SIPROTEC 5 protective relay devices across multiple models (6MD, 7SA, 7SD, 7SJ, 7SK, 7SL, 7ST, 7SX, 7UM, 7UT, 7VE, 7VK, 7VU series and 7SX800 Compact). These devices are deployed in electrical substations and transmission systems to detect faults and protect power distribution networks. Any utility or industrial facility operating these relays should evaluate their devices against the affected product list.
How it could be exploited
An attacker with physical access to the local USB port sends specially crafted packets with high bandwidth to trigger a memory exhaustion condition, causing the device to become unresponsive and automatically reboot. Exploitation requires physical proximity to the device's USB port.
Prerequisites
  • Physical access to the local USB port on the affected device
  • Ability to send specially crafted network packets via USB
  • Physical access required for exploitation
  • Low complexity attack
  • Causes temporary denial of service via memory exhaustion
  • Affects all versions below 10.0
Exploitability
Unlikely to be exploited — EPSS score 0.0%
Affected products (36)
36 with fix
Product                  | Affected Versions | Fix Status
SIPROTEC 5 6MD84 (CP300) | < 10.0            | 10.0
SIPROTEC 5 6MD85 (CP300) | ≥ 7.80, < 10.0    | 10.0
SIPROTEC 5 6MD86 (CP300) | ≥ 7.80, < 10.0    | 10.0
SIPROTEC 5 6MD89 (CP300) | ≥ 7.80, < 10.0    | 10.0
SIPROTEC 5 6MU85 (CP300) | ≥ 7.80, < 10.0    | 10.0
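
One way to evaluate a relay inventory against the affected-version ranges listed above (an added example, not code from Siemens, ICS-CERT or this site). The inventory entries, the `V9.64`-style firmware strings and the function names are assumptions; only the five product rows shown on this page are encoded, so any other model is reported as unknown rather than guessed, and version components are compared as integers.

```python
import re

# Ranges copied from the five product rows shown on this page:
# model -> (inclusive lower bound or None, fixed version = exclusive upper bound).
AFFECTED = {
    "6MD84": (None, "10.0"),
    "6MD85": ("7.80", "10.0"),
    "6MD86": ("7.80", "10.0"),
    "6MD89": ("7.80", "10.0"),
    "6MU85": ("7.80", "10.0"),
}

def parse_version(text):
    """Parse 'V9.64' or '10.0' into a tuple of ints, so 10.0 sorts above 9.64."""
    match = re.fullmatch(r"\s*[Vv]?(\d+(?:\.\d+)*)\s*", text)
    if not match:
        raise ValueError(f"unrecognised version string: {text!r}")
    parts = [int(p) for p in match.group(1).split(".")]
    while len(parts) > 1 and parts[-1] == 0:  # treat '10' and '10.0' as equal
        parts.pop()
    return tuple(parts)

def classify(model, firmware):
    """Return 'affected', 'not affected' or 'unknown model' for one relay."""
    if model not in AFFECTED:
        return "unknown model"  # not in the rows above: check the full advisory
    low, fixed = AFFECTED[model]
    version = parse_version(firmware)
    if version >= parse_version(fixed):
        return "not affected"
    if low is not None and version < parse_version(low):
        return "not affected"
    return "affected"

# Constructed sample inventory: (asset name, model, reported firmware).
INVENTORY = [
    ("bay-01", "6MD85", "V9.64"),
    ("bay-02", "6MD85", "V10.0"),
    ("bay-03", "6MD86", "V7.50"),
    ("bay-04", "6MD84", "V7.50"),
    ("bay-05", "7SJ85", "V9.30"),
]

def audit(inventory):
    return {name: classify(model, fw) for name, model, fw in inventory}

if __name__ == "__main__":
    for name, status in audit(INVENTORY).items():
        print(f"{name}: {status}")
```

Comparing the versions as plain strings would sort "10.0" below "9.64" and mark patched relays as affected, which is why the check parses them into integer tuples first.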
Remediation & Mitigation
Schedule — requires maintenance window

Patching may require device reboot — plan for process interruption

HOTFIX: Update SIPROTEC 5 devices (all affected models) to firmware version 10.0 or later
Long-term hardening
HARDENING: Restrict physical access to device USB ports in the substation or control room environment
HARDENING: Place SIPROTEC 5 devices behind perimeter firewalls and isolate them from business networks