Password Vulnerabilities in SIPROTEC 4 and SIPROTEC Compact Relay Families
Plan Patch | Score 7.5 | Advisory SSA-203306 | Mar 8, 2018
Attack Vector: Network
Auth Required: None
Complexity: Low
User Interaction: None needed
Summary
SIPROTEC 4 and SIPROTEC Compact protection relays contain password-handling vulnerabilities that allow the relay access password to be reconstructed or overwritten via the DIGSI 4 engineering interface and the EN100 Ethernet communication modules. Affected products include the DIGSI 4 engineering software, relay models 7SD80, 7SJ61, 7SJ62, 7SJ64, 7SJ66, 7SJ80 and 7SK80, and the EN100 Ethernet module variants (DNP3, IEC 104, IEC 61850, Modbus TCP and PROFINET IO). Some product variants have no patch available.
What this means
What could happen
An attacker with network access to DIGSI 4 engineering traffic or to an EN100 Ethernet module could reset or reconstruct the relay password and gain the same access as an authorized engineer: altering protection settings, issuing trip commands, or disabling protection schemes on critical power infrastructure.
Who's at risk
Electric utilities, power distribution operators, and industrial facilities relying on Siemens SIPROTEC protection relays for medium-voltage and low-voltage switchgear control. Affects relay models used in substations, generator protection, and feeder protection schemes. EN100 Ethernet modules are used to add modern communication protocols to legacy relay hardware, making patching critical in networked utility environments.
How it could be exploited
An attacker would intercept or replay DIGSI 4 engineering protocol messages over the network to the EN100 module or relay, exploiting weak password handling to reconstruct or overwrite access credentials. This grants the attacker the same level of control as an authorized engineer—the ability to modify relay logic, setpoints, and protection schemes.
Prerequisites
- Network access to DIGSI 4 engineering interface port or EN100 Ethernet module port
- Ability to send crafted or replayed engineering protocol messages (no user credentials required to exploit password vulnerability itself)
- Relay or EN100 module running vulnerable firmware versions
- Remotely exploitable over the network
- No authentication required to exploit the password vulnerability
- Low attack complexity
- Affects critical infrastructure protection relays
- Multiple product variants have no patch available
- Engineering access enables full control of protection logic
Exploitability
Low exploit probability (EPSS 0.2%)
Affected products (15)
10 with fix, 5 EOL
Product | Affected Versions | Fix Status
DIGSI 4 | < V4.92 | 4.92
EN100 Ethernet module DNP3 variant | < V1.05.00 | 1.05.00 and configure DIGSI 4 connection password
EN100 Ethernet module IEC 61850 variant | < V4.30 | 4.30 and configure DIGSI 4 connection password
SIPROTEC 4 7SD80 | < V4.70 | 4.70
SIPROTEC 4 7SJ61 | < V4.96 | 4.96
SIPROTEC 4 7SJ62 | < V4.96 | 4.96
SIPROTEC 4 7SJ64 | < V4.96 | 4.96
SIPROTEC 4 7SJ66 | < V4.30 | 4.30
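The table is only useful once it is run against what is actually installed. The script below is an added example, not Siemens or DIGSI tooling: it encodes the fixed versions stated on this page (the 7SJ80/7SK80 value 4.77 comes from the remediation section), compares each asset's firmware against them with dotted-integer semantics, and reports the EN100 IEC 104, Modbus TCP and PROFINET IO variants as "affected, no fix version listed" because the page names them as affected without a fix version. The EN100 product labels are shortened forms of the page's names, and the inventory, asset tags and version strings are constructed sample data.

```python
"""Inventory check against the fixed versions listed on this advisory.

Added example, not Siemens or DIGSI tooling. Fixed versions are taken from
this page; the inventory, asset tags and product labels are constructed.
"""
from __future__ import annotations

import re

# First fixed version per product, as listed on this page. The EN100 labels
# are shortened forms of "EN100 Ethernet module <protocol> variant".
FIXED_VERSION: dict[str, str] = {
    "DIGSI 4": "4.92",
    "EN100 DNP3": "1.05.00",
    "EN100 IEC 61850": "4.30",
    "SIPROTEC 4 7SD80": "4.70",
    "SIPROTEC 4 7SJ61": "4.96",
    "SIPROTEC 4 7SJ62": "4.96",
    "SIPROTEC 4 7SJ64": "4.96",
    "SIPROTEC 4 7SJ66": "4.30",
    "SIPROTEC Compact 7SJ80": "4.77",
    "SIPROTEC Compact 7SK80": "4.77",
}

# Variants the page lists as affected but gives no fix version for.
NO_FIX_LISTED = {"EN100 IEC 104", "EN100 Modbus TCP", "EN100 PROFINET IO"}

VERSION_RE = re.compile(r"V?(\d+(?:\.\d+)*)")


def parse_version(text: str) -> tuple[int, ...]:
    """'V4.96', '4.96' or '1.05.00' -> (4, 96) / (1, 5, 0).

    Each dotted component is compared as an integer, so '4.30' sorts after
    '4.3' (Siemens numbers firmware 4.30, 4.70, 4.96, not 4.3 / 4.7).
    """
    m = VERSION_RE.fullmatch(text.strip())
    if not m:
        raise ValueError(f"unrecognised version string: {text!r}")
    return tuple(int(part) for part in m.group(1).split("."))


def version_lt(a: tuple[int, ...], b: tuple[int, ...]) -> bool:
    """True if a < b, padding the shorter tuple with zeros (4.96 == 4.96.0)."""
    n = max(len(a), len(b))
    return a + (0,) * (n - len(a)) < b + (0,) * (n - len(b))


def assess(product: str, version: str) -> str:
    """Verdict for one asset: patched, update needed, no fix listed, or unknown."""
    if product in NO_FIX_LISTED:
        return "affected: no fix version listed on this advisory; isolate and apply workarounds"
    fixed = FIXED_VERSION.get(product)
    if fixed is None:
        return "not listed on this advisory"
    if version_lt(parse_version(version), parse_version(fixed)):
        return f"affected: update to {fixed} or later"
    return f"not affected ({fixed} or later)"


# Constructed sample inventory: (asset tag, product, installed version).
INVENTORY = [
    ("SUB1-F03", "SIPROTEC 4 7SJ62", "V4.95"),
    ("SUB1-F04", "SIPROTEC 4 7SJ62", "V4.96"),
    ("SUB1-EN100-03", "EN100 DNP3", "V1.04.11"),
    ("SUB2-EN100-01", "EN100 Modbus TCP", "V3.10"),
    ("ENG-WS-01", "DIGSI 4", "V4.92"),
]


def check_inventory(inventory=INVENTORY) -> list[tuple[str, str, str, str]]:
    """Return (asset, product, version, verdict) for every inventory row."""
    return [(asset, product, ver, assess(product, ver)) for asset, product, ver in inventory]


if __name__ == "__main__":
    for row in check_inventory():
        print(" | ".join(row))
```

Replace `INVENTORY` with an export from your asset register; the verdict strings are deliberately stable so they can be diffed between runs.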
Remediation & Mitigation
Do now
DIGSI 4
HARDENING: Configure the DIGSI 4 connection password on EN100 Ethernet modules to add an authentication layer
HARDENING: Implement network segmentation to restrict DIGSI 4 engineering interface access to authorized engineering workstations only; isolate EN100 modules from untrusted networks
WORKAROUND: Monitor DIGSI 4 and EN100 Ethernet traffic for unusual protocol activity; enforce firewall rules to allow only authorized engineering IP addresses
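The segmentation and monitoring items above amount to one policy: only designated engineering workstations may talk to the relay/EN100 subnet at all, and SCADA masters may reach it only on their own protocol port. The script below is an added example, not Siemens guidance or tooling, that applies that policy in two directions: it audits constructed flow-log lines against a per-source allowlist and flags anything else touching the relay subnet, and it renders the same allowlist as an nftables ruleset for the substation gateway. The addresses, the subnet, the `key=value` log format and the port used for engineering traffic in the sample are constructed assumptions; 102 (IEC 61850 MMS) and 20000 (DNP3) are the standard ports for those protocols.

```python
"""Allowlist audit of flows to SIPROTEC relays / EN100 modules.

Added example, not Siemens guidance or tooling. Addresses, subnet, log
format and the engineering port in the sample are constructed assumptions.
"""
from __future__ import annotations

import ipaddress
import re

# Assumed (constructed) relay / EN100 address range.
RELAY_NETWORKS = [ipaddress.ip_network("10.10.20.0/24")]

# Source -> permitted TCP destination ports, or None for "any port".
ALLOWLIST: dict[str, set[int] | None] = {
    "10.10.5.11": None,          # engineering workstation (DIGSI 4): any port
    "10.10.5.12": None,          # engineering workstation
    "10.10.40.2": {102, 20000},  # SCADA master: IEC 61850 MMS and DNP3 only
}

# Constructed flow-log lines in a generic key=value format (no real product's format).
SAMPLE_LOG = """\
2018-03-09T08:01:02Z src=10.10.5.11 dst=10.10.20.7 proto=tcp dport=50000 action=allow
2018-03-09T08:03:10Z src=10.10.40.2 dst=10.10.20.9 proto=tcp dport=20000 action=allow
2018-03-09T11:47:55Z src=192.168.77.23 dst=10.10.20.7 proto=tcp dport=50000 action=allow
2018-03-09T11:48:01Z src=10.10.40.2 dst=10.10.20.8 proto=tcp dport=50000 action=allow
2018-03-09T12:00:00Z src=10.10.5.12 dst=10.10.30.4 proto=tcp dport=443 action=allow
"""

FLOW_RE = re.compile(r"src=(?P<src>\S+) dst=(?P<dst>\S+) proto=(?P<proto>\S+) dport=(?P<dport>\d+)")


def is_relay(addr: str) -> bool:
    """True if the address falls inside a relay/EN100 network."""
    ip = ipaddress.ip_address(addr)
    return any(ip in net for net in RELAY_NETWORKS)


def classify(src: str, dst: str, dport: int) -> str | None:
    """Return None if the flow is permitted, otherwise the reason it is not."""
    if not is_relay(dst):
        return None  # traffic to anything else is out of scope here
    permitted = ALLOWLIST.get(src, "absent")
    if permitted == "absent":
        return "source not allowlisted for relay access"
    if permitted is not None and dport not in permitted:
        return "port not permitted for this source"
    return None


def audit_flows(log_text: str = SAMPLE_LOG) -> list[tuple[str, str, int, str]]:
    """Parse flow-log lines and return (src, dst, dport, reason) for each violation."""
    findings = []
    for line in log_text.splitlines():
        m = FLOW_RE.search(line)
        if not m:
            continue  # unparseable line: skip rather than silently pass it
        dport = int(m["dport"])
        reason = classify(m["src"], m["dst"], dport)
        if reason:
            findings.append((m["src"], m["dst"], dport, reason))
    return findings


def render_nftables(allowlist=ALLOWLIST, relays=RELAY_NETWORKS) -> str:
    """Emit an nftables ruleset enforcing the same allowlist on a forwarding gateway."""
    relay_set = "{ " + ", ".join(str(n) for n in relays) + " }"
    lines = [
        "table inet relay_filter {",
        "  chain forward {",
        "    type filter hook forward priority 0; policy accept;",
    ]
    for src, ports in allowlist.items():
        port_match = "" if ports is None else " tcp dport { " + ", ".join(str(p) for p in sorted(ports)) + " }"
        lines.append(f"    ip saddr {src} ip daddr {relay_set}{port_match} accept")
    # Everything else aimed at the relay subnet is logged and dropped.
    lines.append(f'    ip daddr {relay_set} log prefix "relay-deny " drop')
    lines += ["  }", "}"]
    return "\n".join(lines)


if __name__ == "__main__":
    for src, dst, dport, reason in audit_flows():
        print(f"FLAG {src} -> {dst}:{dport}  {reason}")
    print(render_nftables())
```

The audit is destination-driven on purpose: any host that reaches the relay subnet outside the allowlist is a finding regardless of port, because the EN100 module carries the engineering interface and the SCADA protocol on the same address.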
Schedule — requires maintenance window
Patching may require a device reboot; plan for process interruption
DIGSI 4
HOTFIX: Update DIGSI 4 to version 4.92 or later
SIPROTEC 4 7SD80
HOTFIX: Update SIPROTEC 4 7SD80 to firmware version 4.70 or later
SIPROTEC 4 7SJ61
HOTFIX: Update SIPROTEC 4 7SJ61, 7SJ62, 7SJ64 to firmware version 4.96 or later
SIPROTEC 4 7SJ66
HOTFIX: Update SIPROTEC 4 7SJ66 to firmware version 4.30 or later
SIPROTEC Compact 7SJ80
HOTFIX: Update SIPROTEC Compact 7SJ80, 7SK80 to firmware version 4.77 or later
All products
HOTFIX: Update EN100 Ethernet DNP3 variant to version 1.05.00 or later
HOTFIX: Update EN100 Ethernet IEC 61850 variant to version 4.30 or later
CVEs (2)