Siemens SIPROTEC 4 and SIPROTEC 4 Compact

Plan PatchCVSS 7.5ICS-CERT ICSA-25-226-12Aug 12, 2025

Siemens

Attack path

Attack VectorNetwork

Auth RequiredNone

ComplexityLow

User InteractionNone needed

Summary

SIPROTEC 4 and SIPROTEC 4 Compact protective relays contain a vulnerability (CWE-754) that allows an unauthenticated remote attacker to cause a denial of service condition. The devices can become unresponsive or crash when receiving specially crafted requests. Siemens has released patches for three product lines (7SA6, 7SD5, 7SD610 to version 4.78), but has no fix planned for the remaining 25 affected models. For unpatched devices, Siemens recommends network access controls and isolation behind firewalls as compensating controls.

What this means

What could happen

An unauthenticated remote attacker can cause a denial of service on affected SIPROTEC 4 protective relays, potentially disrupting power grid protection functions and causing loss of electrical service to customers.

Who's at risk

Electric utilities and power distributors operating Siemens SIPROTEC 4 and SIPROTEC 4 Compact protective relays. These devices protect electrical circuits and equipment in substations and generating plants. Most affected products have no patch available, making network isolation critical for utilities of all sizes.

How it could be exploited

An attacker with network access to the device can send a specially crafted unauthenticated request to trigger a denial of service condition, causing the protective relay to become unresponsive or crash and reboot.

Prerequisites

Network access to the SIPROTEC device from an untrusted network segment
No authentication required

remotely exploitableno authentication requiredlow complexityno patch available for majority of modelsaffects safety-critical protection equipmenthigh impact on electrical grid operations

Exploitability

Unlikely to be exploited — EPSS score 0.1%

Affected products (29)

3 with fix26 pending

ProductAffected VersionsFix Status

SIPROTEC 4 6MD61All versionsNo fix yet

SIPROTEC 4 6MD63All versionsNo fix yet

SIPROTEC 4 6MD66All versionsNo fix yet

SIPROTEC 4 6MD665All versionsNo fix yet

SIPROTEC 4 7SA6< 4.784.78

Remediation & Mitigation

0/6

Do now

0/2

HARDENINGImplement network segmentation to restrict access to SIPROTEC 4 devices from untrusted networks; ensure devices are not reachable from the internet or business networks

WORKAROUNDDeploy firewall rules to allow only authorized management and communications to SIPROTEC 4 devices on required industrial protocols (e.g., GOOSE, MMS)

Schedule — requires maintenance window

0/3

Patching may require device reboot — plan for process interruption

SIPROTEC 4 7SA6

HOTFIXUpdate SIPROTEC 4 7SA6 to version 4.78 or later

SIPROTEC 4 7SD5

HOTFIXUpdate SIPROTEC 4 7SD5 to version 4.78 or later

SIPROTEC 4 7SD610

HOTFIXUpdate SIPROTEC 4 7SD610 to version 4.78 or later

Long-term hardening

0/1

HARDENINGIsolate SIPROTEC 4 devices behind firewalls with restricted inbound access; monitor network traffic for unauthorized connection attempts

CVEs (1)

CVE-2024-52504

View full CISA ICS-CERT advisory

↑↓ Navigate · Esc Close

API: /api/v1/advisories/4d0174b4-0f26-4f6f-8c8e-7c382b9f662d

Get OT security insights every Tuesday

Advisory breakdowns, a weekly summary, and incident analyses for the people actually defending OT environments. Free, no account required.