Siemens Spectrum Power 4
Plan Patch | CVSS 8.8 | ICS-CERT ICSA-25-317-12 | Nov 11, 2025
Siemens | Energy
Attack path
- Attack Vector: Network
- Auth Required: Low
- Complexity: Low
- User Interaction: None needed
Summary
Siemens Spectrum Power 4 versions prior to 4.70 SP12 Update 2 contain multiple vulnerabilities (CWE-648, CWE-266, CWE-732, CWE-829) related to improper permission checks and insufficient input validation. Successful exploitation allows an attacker with valid application administrator credentials to remotely execute code with administrator privileges, or allows local execution as operating system administrator. The vulnerability affects all versions of Spectrum Power 4 below 4.70 SP12 Update 2.
What this means
What could happen
An attacker with network access and valid login credentials could execute code with administrator privileges on Spectrum Power 4, potentially altering power system configurations, disrupting grid operations, or gaining persistent control of the energy management platform.
Who's at risk
Energy utilities and operators responsible for power distribution and generation systems that use Siemens Spectrum Power 4 for energy management and grid control. This includes grid operators, transmission and distribution companies, and municipal electric utilities managing SCADA and power system automation.
How it could be exploited
An attacker obtains or reuses valid application administrator credentials (either through social engineering, credential compromise, or other means) and sends a crafted network request to the Spectrum Power 4 application. The application fails to properly validate the request due to improper permission checks, allowing the attacker to execute arbitrary code with administrator privileges on the server running Spectrum Power 4.
Prerequisites
- Valid application administrator credentials for Spectrum Power 4
- Network access to the Spectrum Power 4 application port/service
- Spectrum Power 4 version prior to 4.70 SP12 Update 2
Tags: remotely exploitable, requires valid credentials, affects energy critical infrastructure, code execution as administrator, high CVSS score (8.8)
Exploitability
Unlikely to be exploited — EPSS score 0.1%
Affected products (2), 2 with fix

Product | Affected Versions | Fix Status
Spectrum Power 4 | All versions < V4.70 SP12 Update 2 | 4.70 SP12 Update 2
Spectrum Power 4: <V4.70_SP12_Update_2 | <V4.70 SP12 Update 2 | 4.70 SP12 Update 2
Remediation & Mitigation
Do now
Spectrum Power 4
- WORKAROUND: Restrict network access to Spectrum Power 4 to authorized administrative workstations and management networks only
- HARDENING: Review and enforce strong credential policies for all Spectrum Power 4 application administrator accounts
Schedule — requires maintenance window
Patching may require device reboot — plan for process interruption
Spectrum Power 4
- HOTFIX: Update Spectrum Power 4 to version 4.70 SP12 Update 2 or later
Long-term hardening
Spectrum Power 4
- HARDENING: Segment Spectrum Power 4 behind a firewall and isolate from direct internet access
- HARDENING: If remote access to Spectrum Power 4 is required, enforce VPN use with strong authentication and keep VPN software updated
API: /api/v1/advisories/1ecad816-c711-4ee9-a6d3-81d3abd8e4b2