OTPulse

Siemens SIPROTEC 4 and SIPROTEC 4 Compact

Plan Patch | 7.5 | ICS-CERT ICSA-25-226-12 | Aug 12, 2025
Attack Vector: Network
Auth Required: None
Complexity: Low
User Interaction: None needed
Summary

SIPROTEC 4 and SIPROTEC 4 Compact protective relays contain a vulnerability that allows an unauthenticated remote attacker to cause a denial of service by sending a specially crafted request. The affected device stops responding to subsequent requests. Siemens has released fixes for three models (7SA6, 7SD5 and 7SD610, fixed in v4.78) but has no fix planned for most other variants, including the 6MD series, 7SA522, 7SJ61-66, 7SS52, 7ST6, 7UM61-62, 7UT63/612/613, 7VE6, 7VK61, 7VU683, and the Compact models 7RW80, 7SD80, 7SJ80/81, 7SK80/81.

What this means
What could happen
An unauthenticated attacker on the network could send a crafted request to a SIPROTEC relay, causing it to stop responding. This would disable protection for the power system segment it monitors, potentially leaving transformers, transmission lines, or distribution equipment unprotected during faults.
Who's at risk
Electric utilities and substations using Siemens SIPROTEC 4 or SIPROTEC 4 Compact protective relays. These devices are used to protect transformers, transmission lines, and distribution circuits. Affected models include distance relays (7SA6, 7SD5, 7SD610, 7SA522), overcurrent/differential relays (7SJ and 7UT series), and feeder management relays (7RW80, 7SJ80/81, 7SK80/81). Any organization with these relays protecting critical grid assets should assess its inventory.
How it could be exploited
An attacker with network access to the SIPROTEC relay (typically on the local substation network or via a compromised internal network) can send a specially crafted request without needing a login. The request triggers a denial-of-service condition in which the relay becomes unresponsive to subsequent requests and stops monitoring.
Prerequisites
  • Network reachability to the SIPROTEC relay
  • No credentials required
  • Ability to send crafted packets to the relay's network port
  • Remotely exploitable
  • No authentication required
  • Low complexity
  • Affects safety and protection systems
  • No fix available for majority of product variants
Exploitability
Low exploit probability (EPSS 0.1%)
Affected products (29)
3 with fix, 26 pending

Product | Affected Versions | Fix Status
SIPROTEC 4 6MD61 | All versions | No fix yet
SIPROTEC 4 6MD63 | All versions | No fix yet
SIPROTEC 4 6MD66 | All versions | No fix yet
SIPROTEC 4 6MD665 | All versions | No fix yet
SIPROTEC 4 7SA6 | < 4.78 | 4.78
Remediation & Mitigation
Do now
HARDENING: For SIPROTEC 4 and Compact models without available fixes, implement network segmentation to isolate relay networks from general corporate networks and restrict access to engineer workstations only.
WORKAROUND: Deploy firewall rules to allow only necessary communication to SIPROTEC relays from authorized engineering and SCADA terminals; block all external internet access.
Schedule — requires maintenance window

Patching may require device reboot — plan for process interruption

SIPROTEC 4 7SA6
HOTFIX: Update SIPROTEC 4 7SA6, 7SD5, and 7SD610 to firmware version 4.78 or later.
Long-term hardening
HARDENING: Follow Siemens operational guidelines for industrial security and configure the SIPROTEC environment according to product manuals and Siemens security recommendations.
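
Inventory triage against the fix status described above, as an added example (not part of the advisory and not Siemens or OTPulse code). It assumes the inventory records each relay's family name exactly as the advisory writes it; the asset tags and firmware strings are constructed sample data, and the summary's "7SJ61-66" is read literally as a range.

```python
import re

# Fix matrix taken from the advisory text: three families fixed in 4.78.
FIXED_IN = {"7SA6": (4, 78), "7SD5": (4, 78), "7SD610": (4, 78)}
# Families the summary names as having no fix planned.
NO_FIX = {"6MD61", "6MD63", "6MD66", "6MD665", "7SA522", "7SS52", "7ST6",
          "7UM61", "7UM62", "7UT63", "7UT612", "7UT613", "7VE6", "7VK61",
          "7VU683", "7RW80", "7SD80", "7SJ80", "7SJ81", "7SK80", "7SK81"}
NO_FIX_RANGE = re.compile(r"7SJ6[1-6]$")  # assumption: "7SJ61-66" read literally


def parse_version(text):
    """'V4.78' -> (4, 78); '4.78.01' -> (4, 78, 1); None if unparseable."""
    m = re.fullmatch(r"[Vv]?(\d+(?:\.\d+)*)", text.strip())
    return tuple(int(p) for p in m.group(1).split(".")) if m else None


def triage(family, firmware):
    """Return (status, action) for one relay."""
    family = family.strip().upper()
    if family in FIXED_IN:
        have = parse_version(firmware)
        if have is None:
            return ("unknown-version", "read firmware version from the device")
        if have >= FIXED_IN[family]:
            return ("fixed", "none")
        return ("patch", "schedule update to 4.78 or later")
    if family in NO_FIX or NO_FIX_RANGE.match(family):
        return ("no-fix", "segment and firewall; restrict to engineering/SCADA hosts")
    return ("not-listed", "check the full product table in ICSA-25-226-12")


# Constructed sample inventory: (asset tag, family, firmware as recorded).
INVENTORY = [("SUB1-F01", "7SA6", "V4.77"), ("SUB1-F02", "7SD610", "4.78"),
             ("SUB2-T01", "7UT613", "4.62"), ("SUB2-B01", "7SJ62", "4.9"),
             ("SUB3-X01", "7SA6", "n/a")]


def report(inventory):
    """Map each asset tag to its (status, action) pair."""
    return {tag: triage(fam, fw) for tag, fam, fw in inventory}


if __name__ == "__main__":
    for tag, (status, action) in report(INVENTORY).items():
        print(f"{tag:10} {status:16} {action}")
```

Relays that come back as "no-fix" or "unknown-version" are the ones the segmentation and firewall items above apply to first.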