OTPulse

Multiple Vulnerabilities in Spectrum Power 4 Before v4.70 SP12 Security Patch 2

Plan Patch · CVSS 8.8 · SSA-339694 · Nov 11, 2025
Attack Vector: Network
Auth Required: Low
Complexity: Low
User Interaction: None needed
Summary

Spectrum Power 4 before version 4.70 SP12 Update 2 contains multiple vulnerabilities related to improper access control (CWE-648, CWE-266), insecure permissions (CWE-732), and unsafe component handling (CWE-829). These flaws allow remote code execution with application administrator privileges or local code execution with operating system administrator privileges. The vulnerabilities stem from multiple weaknesses across the application and could be exploited through authenticated or unauthenticated paths depending on configuration.

What this means
What could happen
An attacker could execute arbitrary code as an application administrator remotely or as an operating system administrator locally on Spectrum Power 4 systems, potentially allowing full control of the power management application and underlying server.
Who's at risk
Energy utilities and power generation facilities using Spectrum Power 4 for power system management and control. This includes transmission and distribution operators who rely on this SCADA/EMS (Energy Management System) application for real-time grid monitoring and automated control.
How it could be exploited
An attacker with network access to Spectrum Power 4 could exploit one or more of the underlying vulnerabilities (improper access control, insecure defaults, or unsafe package handling) to achieve remote code execution with application administrator privileges. Local exploitation would require direct access to the server.
Prerequisites
  • Network access to Spectrum Power 4 application (port and protocol depend on deployment)
  • Valid user credentials (privilege level varies by vulnerability)
remotely exploitable · high CVSS score (8.8) · affects critical infrastructure · multiple vulnerability classes · access control weaknesses
Exploitability
Low exploit probability (EPSS 0.1%)
Affected products (1)
Product | Affected Versions | Fix Status
Spectrum Power 4 | All versions < V4.70 SP12 Update 2 | 4.70 SP12 Update 2
Remediation & Mitigation
Schedule — requires maintenance window

Patching may require device reboot — plan for process interruption

HOTFIX: Update Spectrum Power 4 to version 4.70 SP12 Update 2 or later