Default Credentials in Energy Services Using Elspec G5DFR

Act Now9.9SSA-345750Jun 10, 2025

Attack VectorNetwork

Auth RequiredNone

ComplexityLow

User InteractionNone needed

Summary

Siemens Energy Services solutions using Elspec G5 Digital Fault Recorder (G5DFR) contain hardcoded default credentials with administrator privileges. A client configuration with remote access enabled could allow an attacker to gain remote control of the G5DFR component and tamper with fault recording outputs or disable monitoring functionality. The vulnerability requires changing default credentials through the G5DFR web interface and restricting network access to authorized users only.

What this means

What could happen

An attacker with network access to the G5 Digital Fault Recorder could use default credentials to gain administrative control, allowing them to manipulate fault recording outputs or disable monitoring of power system disturbances.

Who's at risk

Energy utilities and power distribution operators using Siemens Energy Services solutions with Elspec G5 Digital Fault Recorder devices. This affects fault recording and monitoring systems that track power system disturbances and help with grid diagnostics and incident investigation.

How it could be exploited

An attacker identifies a G5DFR device with remote access enabled on the network, accesses the web interface using default credentials (typically available in documentation or common defaults), and logs in with administrator privileges to modify device settings or data.

Prerequisites

Network access to the G5DFR web interface (typically port 80/443)
G5DFR device configured with remote access enabled
Default credentials not changed from factory settings

remotely exploitableno authentication requiredlow complexityhigh CVSS (9.9)no patch availableaffects monitoring/safety systemsdefault credentials

Exploitability

Low exploit probability (EPSS 0.1%)

Affected products (1)

ProductAffected VersionsFix Status

Energy ServicesAll versionsNo fix yet

Remediation & Mitigation

0/4

Do now

0/3

WORKAROUNDAccess the G5DFR web interface and change all default usernames and passwords immediately

HARDENINGReset all user permission levels to least-privilege settings appropriate for each role

HARDENINGRestrict network access to the G5DFR web interface to authorized engineering workstations only using firewall rules

Schedule — requires maintenance window

0/1

Patching may require device reboot — plan for process interruption

HARDENINGContact Siemens customer support for additional security guidance

CVEs (1)

CVE-2025-40585

View full Siemens ProductCERT advisory

↑↓ Navigate · Esc Close

API: /api/v1/advisories/5c576652-24cc-4a62-ab5a-7af10ab848aa