Siemens SICAM P850 family and SICAM P855 family

MonitorCVSS 5.5ICS-CERT ICSA-25-317-11Dec 12, 2023

SiemensEnergy

Attack path

Attack VectorNetwork

Auth RequiredLow

ComplexityHigh

User InteractionRequired

Summary

Two vulnerabilities in Siemens SICAM P850 and P855 power distribution and substation automation controllers: CVE-2023-30901 (Cross-Site Request Forgery) and CVE-2023-31238 (authentication/access control bypass on port 443). Both allow an attacker to perform actions as an authenticated user or impersonate that user if the attacker can trick a logged-in user into clicking a malicious link or if the attacker gains network access to the HTTPS management port. The vulnerabilities affect all versions before firmware 3.11. No patch has been released by Siemens; these products are end-of-life.

What this means

What could happen

An attacker with network access and legitimate user credentials could perform actions on the device in that user's name or impersonate that user, potentially modifying device configurations or operations. This could affect power distribution or substation automation controlled by the SICAM platform.

Who's at risk

Electric utilities and power distribution operators using Siemens SICAM P850 and P855 platforms for substation automation, protection, or control. These devices are the decision-making core in many substations and control centers, so compromise could affect grid operations or protection functions.

How it could be exploited

An attacker would need to trick a logged-in user into clicking a malicious link (CVE-2023-30901) or gain network access to port 443/tcp to exploit CSRF/authentication bypass vulnerabilities (CVE-2023-31238). Once authenticated, the attacker can issue commands as that user or assume their identity.

Prerequisites

Valid credentials for a legitimate user (or ability to harvest them)
User must be actively logged in to the SICAM device web interface
Network access to port 443/tcp (HTTPS)
For CVE-2023-30901: User must click a malicious link while logged in; for CVE-2023-31238: direct network reach to the device port

No vendor patch available (end-of-life status)Requires user interaction (clicking link) or network access to authenticated portAffects authentication and authorization (CSRF, impersonation)Medium complexity exploitationLow to medium CVSS score (5.5)

Exploitability

Unlikely to be exploited — EPSS score 0.2%

Affected products (39)

3 with fix36 EOL

ProductAffected VersionsFix Status

POWER METER SICAM Q100<V2.602.60

SICAM P850< 3.113.11

SICAM P855< 3.113.11

SICAM P850 (7KG8501-0AA02-2AA0): <3.11<3.11No fix (EOL)

SICAM P850 (7KG8501-0AA11-0AA0): <3.11<3.11No fix (EOL)

Remediation & Mitigation

0/5

Do now

0/2

WORKAROUNDRestrict network access to port 443/tcp to trusted IP addresses only using firewall rules

HARDENINGEducate users not to click links in untrusted sources or unsolicited email while logged into SICAM devices

Schedule — requires maintenance window

0/1

Patching may require device reboot — plan for process interruption

SICAM P850

HOTFIXUpdate to SICAM P850/P855 firmware version 3.11 or later

Mitigations - no patch available

0/2

The following products have reached End of Life with no planned fix: SICAM P850 (7KG8501-0AA02-2AA0): <3.11, SICAM P850 (7KG8501-0AA11-0AA0): <3.11, SICAM P850 (7KG8501-0AA11-2AA0): <3.11, SICAM P850 (7KG8501-0AA12-0AA0): <3.11, SICAM P850 (7KG8501-0AA12-2AA0): <3.11, SICAM P850 (7KG8501-0AA31-0AA0): <3.11, SICAM P850 (7KG8501-0AA31-2AA0): <3.11, SICAM P850 (7KG8501-0AA32-0AA0): <3.11, SICAM P850 (7KG8501-0AA32-2AA0): <3.11, SICAM P850 (7KG8500-0AA00-2AA0): <3.11, SICAM P855 (7KG8551-0AA31-0AA0): <3.11, SICAM P855 (7KG8551-0AA31-2AA0): <3.11, SICAM P855 (7KG8551-0AA32-0AA0): <3.11, SICAM P855 (7KG8551-0AA32-2AA0): <3.11, SICAM P855 (7KG8550-0AA30-2AA0): <3.11, SICAM P850 (7KG8500-0AA00-0AA0): <3.11, SICAM P850 (7KG8500-0AA10-0AA0): <3.11, SICAM P850 (7KG8500-0AA10-2AA0): <3.11, SICAM P850 (7KG8500-0AA30-0AA0): <3.11, SICAM P850 (7KG8500-0AA30-2AA0): <3.11, SICAM P850 (7KG8501-0AA01-0AA0): <3.11, SICAM P850 (7KG8501-0AA01-2AA0): <3.11, SICAM P850 (7KG8501-0AA02-0AA0): <3.11, SICAM P855 (7KG8551-0AA01-0AA0): <3.11, SICAM P855 (7KG8551-0AA01-2AA0): <3.11, SICAM P855 (7KG8551-0AA02-0AA0): <3.11, SICAM P855 (7KG8551-0AA02-2AA0): <3.11, SICAM P855 (7KG8551-0AA11-0AA0): <3.11, SICAM P855 (7KG8551-0AA11-2AA0): <3.11, SICAM P855 (7KG8551-0AA12-0AA0): <3.11, SICAM P855 (7KG8551-0AA12-2AA0): <3.11, SICAM P855 (7KG8550-0AA00-0AA0): <3.11, SICAM P855 (7KG8550-0AA00-2AA0): <3.11, SICAM P855 (7KG8550-0AA10-0AA0): <3.11, SICAM P855 (7KG8550-0AA10-2AA0): <3.11, SICAM P855 (7KG8550-0AA30-0AA0): <3.11. Apply the following compensating controls:

HARDENINGPlace SICAM devices behind firewalls and isolate them from the business network; do not expose them directly to the internet

HARDENINGRequire VPN access for any remote administration of SICAM devices

CVEs (2)

CVE-2023-30901 CVE-2023-31238

View full CISA ICS-CERT advisory

↑↓ Navigate · Esc Close

API: /api/v1/advisories/b0c6fdf7-cb8a-47bc-9cbe-dd7314903e5f

Get OT security insights every Tuesday

Advisory breakdowns, a weekly summary, and incident analyses for the people actually defending OT environments. Free, no account required.