Siemens SIPROTEC 5 Using DIGSI5 Protocol

Monitor | CVSS 6.1 | ICS-CERT ICSA-26-174-02 | Jun 9, 2026
Siemens
Attack path
Attack Vector: Adjacent
Auth Required: High
Complexity: Low
User Interaction: None needed
Summary

SIPROTEC 5 protection relays are vulnerable to arbitrary file uploads by authenticated users communicating via the DIGSI 5 protocol. An authenticated attacker can upload malicious configuration files that could cause permanent denial of service or compromise the relay's protective functions. The vulnerability affects all versions of 62 SIPROTEC 5 relay models across different protection functions (overcurrent, distance, differential, transformer, bay controller) and enclosure sizes (CP050, CP100, CP150, CP300). Siemens has released mitigation firmware (version 9.90 for most models, version 10.00 for CP300 7ST85/7ST86) that introduces an allow-list feature to restrict file uploads. For products without patches planned, compensating controls include role-based access control, password protection, and network segmentation of DIGSI access.

What this means
What could happen
An attacker with engineering credentials could upload malicious configuration files to SIPROTEC 5 protection relays via the DIGSI 5 protocol, potentially causing permanent denial of service or altering critical power system protection logic.
Who's at risk
Operators and engineers managing Siemens SIPROTEC 5 protection relays in electrical substations, power distribution networks, and industrial plants that use these relays for overcurrent, distance, differential, or transformer protection. This affects dozens of SIPROTEC 5 models across different protection functions (overcurrent, distance, differential, transformer, bay controller modules) in CP050, CP100, CP150, and CP300 enclosure sizes. Particularly critical for utilities running these devices in mission-critical protection schemes.
How it could be exploited
An attacker with valid engineering workstation credentials connects to a SIPROTEC 5 device over the network using DIGSI 5 protocol and uploads a malicious configuration file. The device accepts the file due to lack of input validation on file uploads, allowing the attacker to replace legitimate configuration or firmware with arbitrary content that could disable protections or crash the device.
Prerequisites
  • Valid engineering workstation credentials for DIGSI 5 authentication
  • Network access to DIGSI 5 protocol port on SIPROTEC 5 device
  • Device running firmware version earlier than V9.90 (CP050/CP100/CP150) or V10.00 (CP300 models 7ST85/7ST86)

No authentication required for file upload after credentials obtained
Affects safety-critical protective relay systems
Multiple product variants with no patches planned (CP100 and CP200 modules)
High impact potential (permanent denial of service of protective equipment)
Requires compromise of engineering credentials (moderate barrier)
Exploitability
Unlikely to be exploited — EPSS score 0.2%
Affected products (61)
36 pending, 25 EOL
Product | Affected Versions | Fix Status
SIPROTEC 5 6MD84 (CP300) | All versions | No fix yet
SIPROTEC 5 6MD85 (CP200) | All versions | No fix (EOL)
SIPROTEC 5 6MD85 (CP300) | All versions | No fix yet
SIPROTEC 5 6MD86 (CP200) | All versions | No fix (EOL)
SIPROTEC 5 6MD86 (CP300) | All versions | No fix yet
Remediation & Mitigation
Do now
HARDENING: Enforce password protection on all DIGSI connections to prevent unauthorized access
HARDENING: Restrict DIGSI 5 protocol network access to engineering workstations only using firewall rules
Schedule — requires maintenance window

Patching may require device reboot — plan for process interruption

SIPROTEC 5 7SA82 (CP150)
HOTFIX: Upgrade SIPROTEC 5 devices with CP050 and CP150 modules to firmware version 9.90 or later
SIPROTEC 5 6MD84 (CP300)
HOTFIX: Upgrade SIPROTEC 5 devices with CP300 modules (7ST85 and 7ST86 only) to firmware version 10.00 or later
HOTFIX: Upgrade SIPROTEC 5 devices with remaining CP300 modules to firmware version 9.90 or later
All products
HARDENING: Enable role-based access control (RBAC) on all SIPROTEC 5 devices running firmware version V7.80 or higher
Mitigations - no patch available
The following products have reached End of Life with no planned fix: SIPROTEC 5 6MD85 (CP200), SIPROTEC 5 6MD86 (CP200), SIPROTEC 5 7KE85 (CP200), SIPROTEC 5 7SA82 (CP100), SIPROTEC 5 7SA86 (CP200), SIPROTEC 5 7SA87 (CP200), SIPROTEC 5 7SD82 (CP100), SIPROTEC 5 7SD86 (CP200), SIPROTEC 5 7SD87 (CP200), SIPROTEC 5 7SJ81 (CP100), SIPROTEC 5 7SJ82 (CP100), SIPROTEC 5 7SJ85 (CP200), SIPROTEC 5 7SJ86 (CP200), SIPROTEC 5 7SK82 (CP100), SIPROTEC 5 7SK85 (CP200), SIPROTEC 5 7SL82 (CP100), SIPROTEC 5 7SL86 (CP200), SIPROTEC 5 7SL87 (CP200), SIPROTEC 5 7SS85 (CP200), SIPROTEC 5 7ST85 (CP200), SIPROTEC 5 7UT82 (CP100), SIPROTEC 5 7UT85 (CP200), SIPROTEC 5 7UT86 (CP200), SIPROTEC 5 7UT87 (CP200), SIPROTEC 5 7VK87 (CP200). Apply the following compensating controls:
HARDENING: Configure DIGSI connections to use customer-signed certificates from your internal PKI instead of default certificates
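
A triage sketch for the remediation guidance above, added here as an example and not part of the advisory or any Siemens tooling: it sorts a relay inventory into upgrade targets and compensating-control cases using the version thresholds the advisory states. The CSV columns, asset names and action labels are assumptions, and the sample inventory is constructed.

```python
import csv
import io

# Thresholds taken from the advisory text above.
FIX_DEFAULT = (9, 90)    # CP050, CP150 and the remaining CP300 modules
FIX_7ST = (10, 0)        # CP300 7ST85 / 7ST86 only
RBAC_MIN = (7, 80)       # RBAC is available from V7.80
EOL_MODULES = {"CP100", "CP200"}              # end of life, no fix planned
FIXABLE_MODULES = {"CP050", "CP150", "CP300"}

# Constructed sample inventory; column names are an assumption.
SAMPLE_INVENTORY = """asset,model,module,firmware
sub1-feeder3,7SJ82,CP100,V8.83
sub1-line1,7SA82,CP150,V9.60
sub2-rail1,7ST85,CP300,V9.90
sub2-bay2,6MD85,CP300,V9.90
sub3-trafo1,7UT85,CP200,V7.50
"""

def parse_version(text):
    """'V9.90' -> (9, 90); tuples compare numerically, unlike strings."""
    major, minor = text.strip().lstrip("Vv").split(".")[:2]
    return int(major), int(minor)

def triage(row):
    """Return (action, rbac_available) for one inventory row."""
    module = row["module"].strip().upper()
    model = row["model"].strip().upper()
    fw = parse_version(row["firmware"])
    rbac = fw >= RBAC_MIN
    if module in EOL_MODULES:
        return "compensating-controls", rbac
    if module not in FIXABLE_MODULES:
        return "review-manually", rbac
    is_7st = module == "CP300" and model in {"7ST85", "7ST86"}
    needed = FIX_7ST if is_7st else FIX_DEFAULT
    if fw >= needed:
        return "allow-list-firmware-present", rbac
    return "upgrade-to-V%d.%02d" % needed, rbac

def triage_inventory(csv_text):
    """Map asset name -> (action, rbac_available) for a CSV inventory."""
    return {r["asset"]: triage(r) for r in csv.DictReader(io.StringIO(csv_text))}

if __name__ == "__main__":
    for asset, (action, rbac) in triage_inventory(SAMPLE_INVENTORY).items():
        print(f"{asset:14} {action:28} RBAC available: {rbac}")
```

A result of "allow-list-firmware-present" only means the firmware carries the allow-list feature; the password, RBAC and network-restriction items above still apply to that device.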

Siemens SIPROTEC 5 Using DIGSI5 Protocol | CVSS 6.1 - OTPulse