Siemens SICAM P850 family and SICAM P855 family
Monitor5.5ICS-CERT ICSA-25-317-11Nov 13, 2025
Attack VectorNetwork
Auth RequiredLow
ComplexityHigh
User InteractionRequired
Summary
Two vulnerabilities in Siemens SICAM P850 and P855 power distribution and substation automation controllers: CVE-2023-30901 (Cross-Site Request Forgery) and CVE-2023-31238 (authentication/access control bypass on port 443). Both allow an attacker to perform actions as an authenticated user or impersonate that user if the attacker can trick a logged-in user into clicking a malicious link or if the attacker gains network access to the HTTPS management port. The vulnerabilities affect all versions before firmware 3.11. No patch has been released by Siemens; these products are end-of-life.
What this means
What could happen
An attacker with network access and legitimate user credentials could perform actions on the device in that user's name or impersonate that user, potentially modifying device configurations or operations. This could affect power distribution or substation automation controlled by the SICAM platform.
Who's at risk
Electric utilities and power distribution operators using Siemens SICAM P850 and P855 platforms for substation automation, protection, or control. These devices are the decision-making core in many substations and control centers, so compromise could affect grid operations or protection functions.
How it could be exploited
An attacker would need to trick a logged-in user into clicking a malicious link (CVE-2023-30901) or gain network access to port 443/tcp to exploit CSRF/authentication bypass vulnerabilities (CVE-2023-31238). Once authenticated, the attacker can issue commands as that user or assume their identity.
Prerequisites
- Valid credentials for a legitimate user (or ability to harvest them)
- User must be actively logged in to the SICAM device web interface
- Network access to port 443/tcp (HTTPS)
- For CVE-2023-30901: User must click a malicious link while logged in; for CVE-2023-31238: direct network reach to the device port
No vendor patch available (end-of-life status)Requires user interaction (clicking link) or network access to authenticated portAffects authentication and authorization (CSRF, impersonation)Medium complexity exploitationLow to medium CVSS score (5.5)
Exploitability
Low exploit probability (EPSS 0.2%)
Affected products (36)
36 EOL
ProductAffected VersionsFix Status
SICAM P850 (7KG8501-0AA02-2AA0): <3.11<3.11No fix (EOL)
SICAM P850 (7KG8501-0AA11-0AA0): <3.11<3.11No fix (EOL)
SICAM P850 (7KG8501-0AA11-2AA0): <3.11<3.11No fix (EOL)
SICAM P850 (7KG8501-0AA12-0AA0): <3.11<3.11No fix (EOL)
SICAM P850 (7KG8501-0AA12-2AA0): <3.11<3.11No fix (EOL)
Remediation & Mitigation
0/5
Do now
0/2WORKAROUNDRestrict network access to port 443/tcp to trusted IP addresses only using firewall rules
HARDENINGEducate users not to click links in untrusted sources or unsolicited email while logged into SICAM devices
Schedule — requires maintenance window
0/1Patching may require device reboot — plan for process interruption
HOTFIXUpdate to SICAM P850/P855 firmware version 3.11 or later
Mitigations - no patch available
0/2The following products have reached End of Life with no planned fix: SICAM P850 (7KG8501-0AA02-2AA0): <3.11, SICAM P850 (7KG8501-0AA11-0AA0): <3.11, SICAM P850 (7KG8501-0AA11-2AA0): <3.11, SICAM P850 (7KG8501-0AA12-0AA0): <3.11, SICAM P850 (7KG8501-0AA12-2AA0): <3.11, SICAM P850 (7KG8501-0AA31-0AA0): <3.11, SICAM P850 (7KG8501-0AA31-2AA0): <3.11, SICAM P850 (7KG8501-0AA32-0AA0): <3.11, SICAM P850 (7KG8501-0AA32-2AA0): <3.11, SICAM P850 (7KG8500-0AA00-2AA0): <3.11, SICAM P855 (7KG8551-0AA31-0AA0): <3.11, SICAM P855 (7KG8551-0AA31-2AA0): <3.11, SICAM P855 (7KG8551-0AA32-0AA0): <3.11, SICAM P855 (7KG8551-0AA32-2AA0): <3.11, SICAM P855 (7KG8550-0AA30-2AA0): <3.11, SICAM P850 (7KG8500-0AA00-0AA0): <3.11, SICAM P850 (7KG8500-0AA10-0AA0): <3.11, SICAM P850 (7KG8500-0AA10-2AA0): <3.11, SICAM P850 (7KG8500-0AA30-0AA0): <3.11, SICAM P850 (7KG8500-0AA30-2AA0): <3.11, SICAM P850 (7KG8501-0AA01-0AA0): <3.11, SICAM P850 (7KG8501-0AA01-2AA0): <3.11, SICAM P850 (7KG8501-0AA02-0AA0): <3.11, SICAM P855 (7KG8551-0AA01-0AA0): <3.11, SICAM P855 (7KG8551-0AA01-2AA0): <3.11, SICAM P855 (7KG8551-0AA02-0AA0): <3.11, SICAM P855 (7KG8551-0AA02-2AA0): <3.11, SICAM P855 (7KG8551-0AA11-0AA0): <3.11, SICAM P855 (7KG8551-0AA11-2AA0): <3.11, SICAM P855 (7KG8551-0AA12-0AA0): <3.11, SICAM P855 (7KG8551-0AA12-2AA0): <3.11, SICAM P855 (7KG8550-0AA00-0AA0): <3.11, SICAM P855 (7KG8550-0AA00-2AA0): <3.11, SICAM P855 (7KG8550-0AA10-0AA0): <3.11, SICAM P855 (7KG8550-0AA10-2AA0): <3.11, SICAM P855 (7KG8550-0AA30-0AA0): <3.11. Apply the following compensating controls:
HARDENINGPlace SICAM devices behind firewalls and isolate them from the business network; do not expose them directly to the internet
HARDENINGRequire VPN access for any remote administration of SICAM devices
CVEs (2)
↑↓ Navigate · Esc Close
API:
/api/v1/advisories/b0c6fdf7-cb8a-47bc-9cbe-dd7314903e5f