Siemens SIPROTEC 5

CVSS 5.3 | ICS-CERT ICSA-26-134-13 | May 12, 2026
Vendor: Siemens
Attack path
  • Attack Vector: Network
  • Auth Required: None
  • Complexity: Low
  • User Interaction: None needed
Summary

SIPROTEC 5 protective relays do not use sufficiently random numbers when generating session identifiers. This flaw allows an unauthenticated remote attacker on the network to predict valid session IDs and hijack an active user session, potentially gaining access to the relay's web interface to modify protection settings or disable alarms. The affected session identifiers are only used by specific endpoints in these devices. Products with CP300 and CP150 processors will be fixed in version 11.0. Products with CP100 processors (versions 7.80 and later) will not receive patches and require compensating network controls.
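As an added illustration of the root cause described above (example code written for this page; it is not Siemens code and is not derived from SIPROTEC 5 firmware), the following Python contrasts a predictable session-identifier scheme with one drawn from the operating system's CSPRNG, and includes a coarse entropy screen that a defender can run over identifiers issued by a web application they operate. The function names `weak_session_id`, `strong_session_id`, `shannon_entropy_per_char` and `looks_sufficiently_random`, the hypothetical counter-based scheme, and the thresholds are all this example's own assumptions.

```python
import math
import secrets
from collections import Counter


def weak_session_id(counter: int) -> str:
    """Hypothetical predictable scheme (constructed for this example): a
    sequential counter rendered as hex. Anyone who sees one identifier can
    enumerate the neighbouring ones, which is the class of weakness the
    advisory describes."""
    return f"{counter:08x}"


def strong_session_id(nbytes: int = 32) -> str:
    """Identifier drawn from the OS CSPRNG via the secrets module.
    32 random bytes give 256 bits of unpredictability; token_urlsafe
    encodes them as 43 URL-safe characters."""
    return secrets.token_urlsafe(nbytes)


def shannon_entropy_per_char(ids) -> float:
    """Empirical Shannon entropy (bits per character) over the pooled
    characters of a sample of identifiers."""
    counts = Counter("".join(ids))
    total = sum(counts.values())
    return -sum((c / total) * math.log2(c / total) for c in counts.values())


def looks_sufficiently_random(ids, min_bits_per_char: float = 4.0,
                              min_length: int = 22) -> bool:
    """Coarse screen for a sample of identifiers your own service issued.
    It rejects obviously weak schemes (repeats, short tokens, skewed
    character distribution); passing it does not prove unpredictability,
    since a hash of a counter would pass while remaining guessable."""
    ids = list(ids)
    if not ids or len(set(ids)) != len(ids):
        return False
    if min(len(i) for i in ids) < min_length:
        return False
    return shannon_entropy_per_char(ids) >= min_bits_per_char


if __name__ == "__main__":
    # Constructed samples: 1000 identifiers from each generator.
    weak = [weak_session_id(0x1000 + i) for i in range(1000)]
    strong = [strong_session_id() for _ in range(1000)]
    print(f"weak:   {shannon_entropy_per_char(weak):.2f} bits/char, "
          f"passes={looks_sufficiently_random(weak)}")
    print(f"strong: {shannon_entropy_per_char(strong):.2f} bits/char, "
          f"passes={looks_sufficiently_random(strong)}")
```

The entropy screen is deliberately described as coarse: it catches the kind of skewed, sequential output a predictable generator produces, but a high per-character entropy is not evidence of unpredictability. The design property that actually matters is the one the fixed firmware needs, namely that every identifier is drawn from a cryptographically secure source with enough bits that guessing is infeasible.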

What this means
What could happen
An attacker on the network could predict session identifiers for SIPROTEC 5 protective relays and hijack a valid user session, potentially allowing them to access the relay's web interface to modify protection settings or disable alarms without authentication.
Who's at risk
This vulnerability affects operators of electric utilities and other critical infrastructure using Siemens SIPROTEC 5 protective relays and multi-function protection devices. Any organization running these relays for transmission line protection, generator protection, transformer protection, or other critical switching functions should assess their exposure. CP100-based models (mainly older 7-series protection relays) have no patch available and require network isolation controls.
How it could be exploited
An attacker on your network observes traffic to or from a SIPROTEC 5 device, learns the pattern of session identifiers (which are not sufficiently random), predicts a valid session ID, and uses it to make authenticated requests to the relay's web interface or API endpoints without having valid credentials.
Prerequisites
  • Network access to the SIPROTEC 5 device (port 80 or 443 for web interface)
  • Ability to observe or infer session identifier patterns from network traffic or responses
Key characteristics
  • Remotely exploitable
  • No authentication required for session hijacking
  • Low exploit complexity
  • Affects protective relay systems (safety/critical infrastructure)
  • No fix available for CP100-based models running firmware 7.80 or later
Exploitability
Unlikely to be exploited — EPSS score 0.0%
Affected products (43)
36 with fix, 7 pending
Product                  | Affected Versions | Fix Status
SIPROTEC 5 6MD84 (CP300) | < 11.0            | 11.0
SIPROTEC 5 6MD85 (CP300) | ≥ 7.80, < 11.0    | 11.0
SIPROTEC 5 6MD86 (CP300) | ≥ 7.80, < 11.0    | 11.0
SIPROTEC 5 6MD89 (CP300) | ≥ 7.80, < 11.0    | 11.0
SIPROTEC 5 6MU85 (CP300) | ≥ 7.80, < 11.0    | 11.0
Remediation & Mitigation
Do now
SIPROTEC 5 7SA82 (CP100)
WORKAROUND: For SIPROTEC 5 models with CP100 processors (7SA82, 7SD82, 7SJ81, 7SJ82, 7SK82, 7SL82, 7UT82) that have no fix available, restrict network access to the device's web interface to trusted engineering workstations and control-system networks only.
Schedule — requires maintenance window

Patching may require device reboot — plan for process interruption

SIPROTEC 5 6MD84 (CP300)
HOTFIX: Update SIPROTEC 5 devices with CP300 processors to firmware version 11.0 or later.
SIPROTEC 5 7SA82 (CP150)
HOTFIX: Update SIPROTEC 5 devices with CP150 processors to firmware version 11.0 or later.
Long-term hardening
HARDENING: Disable or restrict access to web interface endpoints on SIPROTEC 5 devices where not required for operations.
HARDENING: Implement network segmentation to isolate SIPROTEC 5 devices from untrusted networks.