OTPulse

Authentication Bypass Vulnerability in SICAM A8000 Web Server Module

Monitor · CVSS 4.3 · SSA-185638 · Aug 9, 2022
Attack Vector: Network
Auth Required: None
Complexity: Low
User Interaction: Required
Summary

A vulnerability in the web server module of SICAM A8000 CP-8000, CP-8021, and CP-8022 devices allows unauthenticated access to the web interface. The module is used for diagnostics, commissioning, and monitoring and must be manually activated within the protocol firmwares. Affected protocol firmware variants include AGPMT0 (AGP Master), DNPiT1/DNPiT2 (DNP3 TCP/IP), DNPMT0/DNPST0 (DNP3 Serial), ET83/ET85 (IEC 61850), MBCiT0/MBSiT0 (MODBUS TCP/IP), MODMT2 (MODBUS Serial), OPUPT0 (OPCUA Pub/Sub), and OPUPT1 (Mindconnect). The protocol firmwares are secure by default, meaning the web server module is inactive unless explicitly enabled by an operator.

What this means
What could happen
An attacker with network access to the device could bypass authentication and access the web interface, potentially obtaining diagnostic information, viewing device configuration, or tampering with commissioning settings. Physical impact depends on whether the attacker can exploit this access to modify control logic or process parameters in the underlying protocol firmware.
Who's at risk
Power system operators managing electrical transmission and distribution networks should assess whether SICAM A8000 CP-8000, CP-8021, or CP-8022 devices are deployed in their network protection and control systems. Specifically, TSOs (Transmission System Operators) and DSOs (Distribution System Operators) running these Siemens relay/protection modules with the web server module active are at risk. The vulnerability affects devices running DNP3, MODBUS, IEC 61850, or OPCUA protocol firmware variants that include the web module for diagnostic and commissioning purposes.
How it could be exploited
An attacker sends unauthenticated HTTP requests to the web server on the affected module (default port 80 or configured alternate port). If the web server module has been manually activated on the device, the attacker gains unrestricted access to the web interface without providing credentials. From there, the attacker could gather device state information, view protocol firmware configuration, or in some cases modify settings depending on what the web interface exposes.
Prerequisites
  • Network access to the device's web server port (typically port 80 or 8080, or a custom configured port)
  • Web server module manually activated in the device's protocol firmware configuration
  • No other network access controls (firewall rules, IP whitelisting) in place to restrict HTTP access
Remotely exploitable · No authentication required · Low complexity · No patch available (end-of-life product) · Affects power system critical infrastructure
Exploitability
Low exploit probability (EPSS 0.3%)
Affected products (4)
4 EOL
| Product | Affected Versions | Fix Status |
|---|---|---|
| CP-8000 MASTER MODULE WITH I/O -40/+70°C | All versions | No fix (EOL) |
| CP-8021 MASTER MODULE | All versions | No fix (EOL) |
| CP-8022 MASTER MODULE WITH GPRS | All versions | No fix (EOL) |
| CP-8000 MASTER MODULE WITH I/O -25/+70°C | All versions | No fix (EOL) |
Remediation & Mitigation
Do now
WORKAROUND: Disable the web server module in the protocol firmware configuration unless actively needed for diagnostics or commissioning. Re-enable only when required and disable again when commissioning is complete.
HARDENING: Restrict network access to the device's web server port (TCP 80/8080 or configured port) using firewall rules. Allow only trusted engineering workstation IP addresses or specific VLAN subnets that require access for diagnostics.
Mitigations - no patch available
The following products have reached End of Life with no planned fix: CP-8000 MASTER MODULE WITH I/O -40/+70°C, CP-8021 MASTER MODULE, CP-8022 MASTER MODULE WITH GPRS, CP-8000 MASTER MODULE WITH I/O -25/+70°C. Apply the following compensating controls:
HARDENING: Implement network segmentation to isolate the affected CP-8000/CP-8021/CP-8022 devices on a protected secondary network with restricted access paths from corporate networks and field devices.
HARDENING: Ensure redundant protection schemes and secondary protection systems are in place (as required by grid regulations) to mitigate the impact of any compromise of the affected device.
HARDENING: Document the deployment, activation status, and network location of all SICAM A8000 devices in the environment to ensure awareness of which instances have the web module enabled.
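
The documentation and access-restriction controls above can be checked together against an asset inventory. This is an added example, not part of the advisory or of any Siemens tooling; the inventory fields (`web_module_enabled`, `web_port`, `allowed_sources`), the device names and the trusted engineering subnet are constructed assumptions.

```python
import ipaddress

# Module types listed as affected in the advisory (all versions, no fix).
AFFECTED_MODELS = {"CP-8000", "CP-8021", "CP-8022"}

# Assumption: the site's trusted engineering workstation subnet.
TRUSTED = [ipaddress.ip_network("10.20.30.0/28")]

# Constructed inventory. allowed_sources is the firewall allowlist in front
# of the web port; None means no restriction is recorded.
INVENTORY = [
    {"name": "rtu-north-01", "model": "CP-8021", "web_module_enabled": True,
     "web_port": 80, "allowed_sources": ["10.20.30.0/28"]},
    {"name": "rtu-north-02", "model": "CP-8000", "web_module_enabled": True,
     "web_port": 8080, "allowed_sources": ["10.20.30.0/28", "10.0.0.0/8"]},
    {"name": "rtu-east-07", "model": "CP-8022", "web_module_enabled": True,
     "web_port": 80, "allowed_sources": None},
    {"name": "rtu-east-08", "model": "CP-8022", "web_module_enabled": False,
     "web_port": 80, "allowed_sources": None},
    {"name": "gw-west-03", "model": "OTHER-GATEWAY", "web_module_enabled": True,
     "web_port": 80, "allowed_sources": None},
]


def audit(inventory, trusted=TRUSTED):
    """Classify each affected module whose web server module is active."""
    findings = {}
    for dev in inventory:
        if dev["model"] not in AFFECTED_MODELS or not dev["web_module_enabled"]:
            continue  # not an affected module, or web module inactive (default)
        sources = dev["allowed_sources"]
        if sources is None:
            findings[dev["name"]] = ("UNRESTRICTED", [])
            continue
        # An allowlist entry is acceptable only if it lies inside a trusted subnet.
        too_wide = [s for s in sources if not any(
            ipaddress.ip_network(s).subnet_of(t) for t in trusted)]
        findings[dev["name"]] = ("TOO_WIDE" if too_wide else "RESTRICTED", too_wide)
    return findings


if __name__ == "__main__":
    for name, (status, detail) in audit(INVENTORY).items():
        print(f"{name}: web module active, access {status} {detail}")
```

Devices reported as RESTRICTED still have the web module active and remain candidates for the workaround of disabling it once commissioning is complete.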