OTPulse

SISCO Stack Vulnerability in SIPROTEC 5 Devices

Recommendation: Plan Patch
CVSS: 7.5
Advisory: SSA-223771
Date: Dec 13, 2022
Attack Vector: Network
Auth Required: None
Complexity: Low
User Interaction: None needed
Summary

A vulnerability in the SISCO MMS-EASE third-party component used by SIPROTEC 5 relay protection devices could allow an attacker to cause a denial of service condition. The vulnerability is related to resource exhaustion (CWE-770).

What this means
What could happen
An attacker could disrupt protective relay operations, causing temporary loss of protection functions and potentially exposing the power system to faults that would not be properly cleared. This could affect grid stability or allow uncontrolled load shedding.
Who's at risk
Electrical utilities and substations using Siemens SIPROTEC 5 protection relays in any role (generator protection, transformer protection, line protection, station service protection). These devices are critical for detecting and clearing faults in transmission and distribution systems. Affects 45+ SIPROTEC 5 relay models and communication modules.
How it could be exploited
An attacker with network access to the SIPROTEC 5 device could send a crafted SISCO MMS-EASE protocol message to trigger resource exhaustion. The device would become unresponsive or crash, losing its ability to monitor voltage, current, and fault conditions until it recovers or restarts.
Prerequisites
  • Network access to the SIPROTEC 5 device on the SISCO MMS-EASE communication port (typically port 102 for IEC 60870-5-104 or proprietary SISCO ports)
  • No authentication required based on CVSS vector (PR:N)
  • Remotely exploitable from network
  • No authentication required
  • Low complexity attack
  • High availability impact
  • Affects safety-critical protective relays
Exploitability
Moderate exploit probability (EPSS 1.0%)
Affected products (49)
49 with fix
Product                     Affected Versions   Fix Status
SIPROTEC 5 6MD85 (CP200)    < V7.58             7.58
SIPROTEC 5 6MD85 (CP300)    < V7.58             7.58
SIPROTEC 5 6MD86 (CP200)    < V7.58             7.58
SIPROTEC 5 6MD86 (CP300)    < V7.58             7.58
SIPROTEC 5 6MD89 (CP300)    < V7.80             7.80
Remediation & Mitigation
Do now
HARDENING: Inventory all SIPROTEC 5 devices in your network and verify current firmware versions against the affected list
WORKAROUND: Restrict network access to SIPROTEC 5 devices to authorized engineering workstations and SCADA systems only; implement firewall rules to block unexpected connections to SISCO MMS-EASE ports (typically 102, 161, and proprietary ports)
Schedule — requires maintenance window

Patching may require device reboot — plan for process interruption

SIPROTEC 5 6MD85 (CP200)
HOTFIX: Update SIPROTEC 5 devices with CP100/CP200/CP300 modules running firmware < V7.58 to version 7.58 or later
All products
HOTFIX: Update SIPROTEC 5 7MD89, 7KE85, and 7VE85 models running firmware < V7.80 to version 7.80 or later
HOTFIX: Update SIPROTEC 5 7ST85 running firmware < V7.62 to version 7.62 or later
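As an added example (not OTPulse or Siemens code), the inventory-and-verify step above as a short Python check: the fix rules are transcribed from this advisory's affected-products table and hotfix lines, while the device inventory is constructed sample data with made-up device names.

```python
import re
from typing import List, Optional, Tuple

# (model or "*", communication module or "*", first fixed firmware version),
# transcribed from the affected-products table and hotfix lines above. The
# most specific entries come first so they win over the module-only rules.
FIX_RULES = [
    ("6MD85", "CP200", (7, 58)), ("6MD85", "CP300", (7, 58)),
    ("6MD86", "CP200", (7, 58)), ("6MD86", "CP300", (7, 58)),
    ("6MD89", "CP300", (7, 80)),
    ("7MD89", "*", (7, 80)), ("7KE85", "*", (7, 80)), ("7VE85", "*", (7, 80)),
    ("7ST85", "*", (7, 62)),
    ("*", "CP100", (7, 58)), ("*", "CP200", (7, 58)), ("*", "CP300", (7, 58)),
]

def parse_version(text: str) -> Tuple[int, int]:
    """'V7.58' or '7.58' -> (7, 58). All versions on this page have a
    two-digit minor field, so integer comparison of the minor is safe."""
    m = re.fullmatch(r"V?(\d+)\.(\d+)", text.strip())
    if not m:
        raise ValueError(f"unrecognised firmware version: {text!r}")
    return int(m.group(1)), int(m.group(2))

def fixed_version_for(model: str, module: str) -> Optional[Tuple[int, int]]:
    """First fixed version for this model/module, or None if not listed."""
    for rule_model, rule_module, fixed in FIX_RULES:
        if rule_model in ("*", model) and rule_module in ("*", module):
            return fixed
    return None

def needs_update(model: str, module: str, firmware: str) -> Optional[str]:
    """Target version string if the device is still exposed, else None."""
    fixed = fixed_version_for(model, module)
    if fixed is None or parse_version(firmware) >= fixed:
        return None
    return f"V{fixed[0]}.{fixed[1]:02d}"

def audit(inventory) -> List[Tuple[str, str]]:
    """(device name, target version) for every device needing the hotfix."""
    return [(name, target) for name, model, module, fw in inventory
            if (target := needs_update(model, module, fw))]

# Constructed sample inventory: (name, model, module, firmware).
SAMPLE_INVENTORY = [
    ("sub-a-line-1", "6MD85", "CP300", "V7.50"),  # below V7.58
    ("sub-a-line-2", "6MD89", "CP300", "V7.62"),  # table row says V7.80
    ("sub-b-gen-1", "7VE85", "CP300", "V7.80"),   # already at the fix
    ("sub-b-bus-1", "7ST85", "CP300", "V7.61"),   # below V7.62
]
```

Calling `audit(SAMPLE_INVENTORY)` returns the three devices that still need the hotfix together with the firmware version each should be raised to; the 6MD89 entry shows why the table rows must be matched before the generic CP300 rule.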