Default Password Leakage affecting the Component Shared HIS used in Spectrum Power Systems
Action: Plan Patch
CVSS: 8.8
Advisory: SSA-388239
Date: Jun 14, 2022
Attack Vector: Adjacent
Auth Required: None
Complexity: Low
User Interaction: None needed
Summary
Default credentials exist for the Shared HIS (SHHIS) component used in Spectrum Power systems. An attacker with network access could authenticate as an administrator using publicly disclosed or easily guessed default credentials, gaining control over power system configurations and operations.
What this means
What could happen
An attacker with access to your network could log into the Shared HIS component using default administrative credentials, potentially allowing them to modify power system configurations, alter setpoints, or disable controls.
Who's at risk
Energy sector operators using Siemens Spectrum Power systems (Spectrum Power 4, Spectrum Power 7, and Spectrum Power MGMS) that deploy the Shared HIS component for supervisory control and monitoring should be concerned. This affects utilities managing generation, transmission, and distribution systems that rely on these products.
How it could be exploited
An attacker discovers the default credentials for Shared HIS through public sources or documentation. They connect to the HIS interface (likely web-based or networked service) on your Spectrum Power system and authenticate with the default account, gaining administrative access to the control interface.
Prerequisites
- Network access to the Shared HIS component (typically internal network or accessible service port)
- Knowledge of default credentials (publicly disclosed or easily guessed)
- Shared HIS component is deployed without credential changes
- No authentication required (default credentials)
- No patch available
- Affects critical energy infrastructure
- Low complexity to exploit
Exploitability
Low exploit probability (EPSS 0.1%)
Affected products (3)
3 EOL
Product | Affected Versions | Fix Status
Spectrum Power 4 | All versions using Shared HIS | No fix (EOL)
Spectrum Power 7 | All versions using Shared HIS | No fix (EOL)
Spectrum Power MGMS | All versions using Shared HIS | No fix (EOL)
Remediation & Mitigation
Do now
- Workaround: Contact your local Siemens representative for configuration recommendations to mitigate the default password issue
- Hardening: Change default credentials immediately on all Shared HIS accounts
Schedule — requires maintenance window
Patching may require device reboot — plan for process interruption
- Hardening: Implement network segmentation to restrict access to Shared HIS to authorized engineering workstations only
- Hardening: Monitor access logs to the Shared HIS component for unauthorized login attempts
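The two hardening items above (restrict Shared HIS access to engineering workstations, and watch its access logs for unauthorized logins) can be turned into a simple review script. The block below is an added illustration, not Siemens code and not part of this advisory: the log line format, the default account name and the engineering subnet are all constructed placeholders that must be replaced with the real Shared HIS audit format, the built-in account names from Siemens' configuration guidance, and the site's actual workstation allow-list. It flags successful logins with a default account, any login attempt from outside the allow-listed subnets, and repeated failures from one source.

```python
import ipaddress
import re
from collections import Counter
from dataclasses import dataclass

# Constructed, hypothetical log format; substitute a parser for the real Shared HIS audit log.
# Shape: "<timestamp> SHHIS auth <ok|fail> user=<account> src=<ip>"
LOG_RE = re.compile(
    r"^(?P<ts>\S+) SHHIS auth (?P<result>ok|fail) user=(?P<user>\S+) src=(?P<src>\S+)$"
)

# Placeholder: replace with the built-in account names from Siemens' configuration guidance.
DEFAULT_ACCOUNTS = frozenset({"DEFAULT_ADMIN_ACCOUNT_PLACEHOLDER"})

# Assumed allow-list of engineering-workstation subnets (site-specific; adjust).
ENGINEERING_NETS = (ipaddress.ip_network("10.10.50.0/24"),)


@dataclass(frozen=True)
class Finding:
    ts: str
    user: str
    src: str
    reason: str  # DEFAULT_ACCOUNT_LOGIN, SOURCE_NOT_ALLOWED or REPEATED_FAILURES


def parse_line(line):
    """Return a dict for a well-formed auth event, or None for anything else."""
    m = LOG_RE.match(line.strip())
    if m is None:
        return None
    ev = m.groupdict()
    try:
        ev["src_ip"] = ipaddress.ip_address(ev["src"])
    except ValueError:  # malformed source address: do not crash the review
        return None
    return ev


def check_events(lines, default_accounts=DEFAULT_ACCOUNTS,
                 allowed_nets=ENGINEERING_NETS, fail_threshold=3):
    """Walk auth events in order and return the findings a reviewer should look at."""
    findings = []
    failures = Counter()  # failed logins per source address
    for line in lines:
        ev = parse_line(line)
        if ev is None:
            continue
        # A successful login on a built-in account means the default credential is live.
        if ev["result"] == "ok" and ev["user"] in default_accounts:
            findings.append(Finding(ev["ts"], ev["user"], ev["src"], "DEFAULT_ACCOUNT_LOGIN"))
        # Any attempt from outside the engineering allow-list is a segmentation violation.
        if not any(ev["src_ip"] in net for net in allowed_nets):
            findings.append(Finding(ev["ts"], ev["user"], ev["src"], "SOURCE_NOT_ALLOWED"))
        # Repeated failures from one source suggest credential guessing; report once.
        if ev["result"] == "fail":
            failures[ev["src"]] += 1
            if failures[ev["src"]] == fail_threshold:
                findings.append(Finding(ev["ts"], ev["user"], ev["src"], "REPEATED_FAILURES"))
    return findings


def summarize(findings):
    """Count findings by reason code."""
    return dict(Counter(f.reason for f in findings))


# Constructed sample log: one legitimate login, a guessing run from a non-engineering
# host that ends in a successful default-account login, one login from a neighbouring
# subnet that is not allow-listed, and one line that is not an auth event at all.
SAMPLE_LOG = """\
2022-06-14T08:00:01Z SHHIS auth ok user=eng_operator src=10.10.50.21
2022-06-14T08:05:10Z SHHIS auth fail user=DEFAULT_ADMIN_ACCOUNT_PLACEHOLDER src=192.168.7.33
2022-06-14T08:05:12Z SHHIS auth fail user=DEFAULT_ADMIN_ACCOUNT_PLACEHOLDER src=192.168.7.33
2022-06-14T08:05:14Z SHHIS auth fail user=DEFAULT_ADMIN_ACCOUNT_PLACEHOLDER src=192.168.7.33
2022-06-14T08:05:15Z SHHIS auth ok user=DEFAULT_ADMIN_ACCOUNT_PLACEHOLDER src=192.168.7.33
2022-06-14T08:07:00Z SHHIS auth ok user=eng_operator src=10.10.51.5
not an auth event
"""

if __name__ == "__main__":
    results = check_events(SAMPLE_LOG.splitlines())
    for f in results:
        print(f"{f.ts} {f.reason:22} user={f.user} src={f.src}")
    print(summarize(results))
```

Run against the sample it reports five out-of-segment attempts, one repeated-failure run and one live default-account login. The reason codes are deliberately separate so that a successful default-account login from an allow-listed workstation still surfaces on its own: the credential change is the fix, and segmentation only narrows who can reach the interface.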
CVEs (1)
API:
/api/v1/advisories/803f77cd-7334-417d-9ff7-46a42075c7f4