Siemens SICAM Q100/Q200

Monitor | CVSS 6.2 | ICS-CERT ICSA-25-226-16 | Aug 12, 2025
Siemens | Energy
Attack path
Attack Vector: Local
Auth Required: None
Complexity: Low
User Interaction: None needed
Summary

SICAM Q100 (versions 2.60–2.61) and SICAM Q200 (versions 2.70–2.79) power meters contain two information disclosure vulnerabilities allowing an authenticated local attacker to extract the SMTP account password. The attacker could then use the configured mail service to send unauthorized emails. Siemens has released patched versions (Q100 v2.62+, Q200 v2.80+). These vulnerabilities are not remotely exploitable.

What this means
What could happen
An authenticated local attacker could extract the SMTP account password stored on the device and use it to send unauthorized emails through your configured mail server, potentially for credential phishing or impersonation.
Who's at risk
Power utilities and energy operators managing SICAM Q100 and Q200 power meters. Anyone responsible for metering infrastructure should verify their device firmware versions and ensure these meters are not accessible from untrusted networks.
How it could be exploited
An attacker with local access to the device (physical or via maintenance session) and basic authentication can view unencrypted or insufficiently protected SMTP credentials in device memory or configuration storage, then use those credentials to send mail.
Prerequisites
  • Local access to the device (physical console or authorized maintenance workstation)
  • Valid user credentials to authenticate to the device interface
  • No authentication required for exploitation on some access paths
  • Affects credential storage (SMTP password)
  • Low complexity attack
  • Local access required (reduces immediate risk)
Exploitability
Unlikely to be exploited — EPSS score 0.0%
Affected products (2)
2 with fix
Product | Affected Versions | Fix Status
POWER METER SICAM Q100 | ≥ 2.60, < 2.62 | 2.62
POWER METER SICAM Q200 family | ≥ 2.70, < 2.80 | 2.80
Remediation & Mitigation
Do now
HARDENING: Restrict local and network access to SICAM Q100/Q200 devices to authorized maintenance personnel only
Schedule — requires maintenance window

Patching may require device reboot — plan for process interruption

POWER METER SICAM Q100
HOTFIX: Update POWER METER SICAM Q100 to firmware version 2.62 or later
POWER METER SICAM Q200 family
HOTFIX: Update POWER METER SICAM Q200 family to firmware version 2.80 or later
Long-term hardening
HARDENING: Place SICAM Q100/Q200 devices behind a firewall and isolate them from business networks
HARDENING: Implement role-based access controls to limit which staff can access device authentication interfaces