Improper Limitation of Filesystem Access through Web Server Vulnerability in SIPROTEC 5
Monitor | 6.5 | SSA-194557 | Jan 14, 2025
Attack Vector: Network
Auth Required: Low
Complexity: Low
User Interaction: None needed
Summary
SIPROTEC 5 devices do not properly limit the access of the web server to the filesystem. An authenticated remote attacker could read arbitrary files or the entire filesystem of the device through the web interface.
What this means
What could happen
An attacker with valid credentials could read sensitive files from the protection relay, including firmware, logs, and configuration data that might contain credentials or reveal network topology. While this is information disclosure only, it could enable further attacks on your power system or substation devices.
Who's at risk
Power system protection engineers and substation operators using SIPROTEC 5 relays should care. All SIPROTEC 5 variants with CP100, CP150, and CP300 communication processors are affected—these are used in transmission line protection, transformer protection, busbar protection, generator protection, and motor management across utilities and industrial facilities.
How it could be exploited
An attacker with a valid engineering workstation account or web credential accesses the SIPROTEC 5 web server interface. They then manipulate file path requests (directory traversal) to read files outside the intended web directory, accessing the entire device filesystem including system files and backups.
Prerequisites
- Valid authentication credentials for the SIPROTEC 5 web interface (engineering workstation account or administrative login)
- Network access to the device's web server port (typically HTTP/HTTPS)
- The web server enabled on the device (standard configuration)
- remotely exploitable
- requires valid authentication
- affects all major protection relay types
- information disclosure enables further attacks
Exploitability
Low exploit probability (EPSS 0.1%)
Affected products (43)
43 with fix
| Product | Affected Versions | Fix Status |
| --- | --- | --- |
| SIPROTEC 5 6MD84 (CP300) | < 9.80 | 9.80 |
| SIPROTEC 5 7SL87 (CP300) | ≥ 7.80, < 9.80 | 9.80 |
| SIPROTEC 5 6MD85 (CP300) | ≥ 7.80, < 9.80 | 9.80 |
| SIPROTEC 5 6MD86 (CP300) | ≥ 7.80, < 9.80 | 9.80 |
| SIPROTEC 5 6MD89 (CP300) | ≥ 7.80, < 9.68 | 9.68 |
Remediation & Mitigation
Do now
- WORKAROUND: Restrict network access to the SIPROTEC 5 web server ports using firewall rules; allow only from authorized engineering workstations on the isolated substation LAN
- HARDENING: Disable HTTP and use HTTPS only for web server communication
Schedule — requires maintenance window
Patching may require device reboot; plan for process interruption
SIPROTEC 5 7SA82 (CP100)
- HOTFIX: Update SIPROTEC 5 7SA82 and 7SD82 CP100 variants to firmware version 8.90 or later
All products
- HOTFIX: Update SIPROTEC 5 relays with firmware version 9.80 or later (most variants)
- HOTFIX: Update SIPROTEC 5 6MD89 and 7ST85 variants to firmware version 9.68 or later
Long-term hardening
- HARDENING: Enforce strong passwords and regularly audit web server credentials across all SIPROTEC 5 devices
- HARDENING: Segment protection relay devices on a separate VLAN from field devices and corporate networks
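Triage of a relay inventory against the affected-version ranges in the table above, as an added example that is not part of the Siemens advisory or of this page. The inventory entries and function names are constructed, only the five table rows shown here are encoded, and the two-digit minor version format printed in the table is assumed.

```python
import re

# (model, processor) -> (lowest affected version or None, first fixed version),
# copied from the five table rows visible on this page; the other 38 are not encoded.
AFFECTED = {
    ("6MD84", "CP300"): (None, "9.80"),
    ("7SL87", "CP300"): ("7.80", "9.80"),
    ("6MD85", "CP300"): ("7.80", "9.80"),
    ("6MD86", "CP300"): ("7.80", "9.80"),
    ("6MD89", "CP300"): ("7.80", "9.68"),
}

def parse_version(text):
    """'V9.80' or '9.80' -> (9, 80), so 10.00 sorts above 9.80 (string order would not)."""
    m = re.fullmatch(r"[Vv]?(\d+)\.(\d{2})", text.strip())
    if not m:  # assumption: versions use the two-digit minor form shown in the table
        raise ValueError(f"unrecognised firmware version: {text!r}")
    return int(m.group(1)), int(m.group(2))

def triage(model, cp, firmware):
    """Classify one relay as affected, fixed, below-range or not-in-table."""
    key = (model.upper(), cp.upper())
    if key not in AFFECTED:
        return "not-in-table"  # look the variant up in the full SSA-194557 table
    low, fixed = AFFECTED[key]
    ver = parse_version(firmware)
    if ver >= parse_version(fixed):
        return "fixed"
    if low is not None and ver < parse_version(low):
        return "below-range"  # older than the listed lower bound
    return "affected"

# Constructed inventory (hypothetical names and versions, for illustration only).
INVENTORY = [
    ("relay-a", "7SL87", "CP300", "V9.65"),
    ("relay-b", "6MD89", "CP300", "V9.68"),
    ("relay-c", "6MD84", "CP300", "V7.50"),
    ("relay-d", "6MD85", "CP300", "V7.50"),
    ("relay-e", "7SA82", "CP100", "V8.83"),
]

def report(inventory):
    """Map each inventory name to its triage status."""
    return {name: triage(model, cp, fw) for name, model, cp, fw in inventory}

if __name__ == "__main__":
    for name, status in report(INVENTORY).items():
        print(f"{name}: {status}")
```

A "not-in-table" result only means the variant is not among the rows reproduced here, not that the device is unaffected.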
CVEs (1)