OTPulse

Denial of Service Vulnerability in SIPROTEC 4 and SIPROTEC 4 Compact

Action: Plan Patch
CVSS: 7.5
Advisory: SSA-400089
Published: Aug 12, 2025
Attack Vector: Network
Auth Required: None
Complexity: Low
User Interaction: None needed
Summary

SIPROTEC 4 and SIPROTEC 4 Compact protective relay devices contain an unauthenticated remote denial-of-service vulnerability (CWE-754, improper check for unusual or exceptional conditions): a crafted network packet can crash the device. Affected devices include distance protection relays (7SA6, 7SA522), line differential protection (7SD5, 7SD610, 7SD80), bay controllers (6MD series), overcurrent and feeder protection (7SJ series), motor protection (7SK series), transformer differential protection (7UT series), generator protection (7UM series), busbar protection (7SS52), overhead contact line protection (7ST6), voltage and frequency protection (7RW80), and the 7VE6, 7VK61 and 7VU683 devices. Siemens has released fixes for 7SA6, 7SD5 and 7SD610 (firmware version 4.78 or later). No fix is available for the remaining 26 affected product variants, which remain vulnerable in all shipped versions.

What this means
What could happen
An attacker can remotely crash SIPROTEC 4 relays and control devices without authentication. A crashed relay performs no protection functions until it has restarted, so the circuit it protects is unprotected for that interval; a fault during that time would have to be cleared by backup protection elsewhere in the substation, with correspondingly longer fault clearing times.
Who's at risk
Electrical utilities, substations, and industrial facilities using SIPROTEC 4 or SIPROTEC 4 Compact protective relays in medium-voltage distribution, transmission, or industrial power control. This includes distance protection (7SA6, 7SA522), line differential protection (7SD5, 7SD610, 7SD80), bay controllers (6MD series), overcurrent and feeder protection (7SJ series), motor protection (7SK series), busbar protection (7SS52), overhead contact line protection (7ST6), generator protection (7UM series), and transformer differential protection (7UT series) devices.
How it could be exploited
An attacker sends a malformed network packet to the SIPROTEC device's Ethernet interface. The device does not handle the unexpected input correctly and crashes. Until the relay has completed its restart, its protection functions are offline and cannot respond to electrical faults or abnormal conditions, and an attacker who can repeat the packet can extend the outage.
Prerequisites
  • Network access to the SIPROTEC device's Ethernet interface (the advisory summary does not name a specific port; the protocol ports in use, such as Modbus/TCP 502 or the Siemens protocol ports, are the likely targets)
  • No authentication required
Tags: remotely exploitable · no authentication required · low complexity · no patch available for majority of models · affects safety-critical protection systems · CVSS 7.5 (high)
Exploitability
Low exploit probability (EPSS 0.1%). EPSS estimates the likelihood of exploitation activity in the wild over the next 30 days; it says nothing about the impact on an unpatched relay if an attacker does reach it.
Affected products (29)
3 with fix, 26 pending (only the first five rows of the table were captured)
Product                 Affected Versions   Fix Status
SIPROTEC 4 6MD61        All versions        No fix yet
SIPROTEC 4 6MD63        All versions        No fix yet
SIPROTEC 4 6MD66        All versions        No fix yet
SIPROTEC 4 6MD665       All versions        No fix yet
SIPROTEC 4 7SA6         < 4.78              4.78
Remediation & Mitigation
Do now
HARDENING: For SIPROTEC 4 devices without available fixes (6MD61, 6MD63, 6MD66, 6MD665, 7SA522, 7SJ61–66, 7SS52, 7ST6, 7UM61–62, 7UT63, 7UT612–613, 7VE6, 7VK61, 7VU683) and SIPROTEC 4 Compact devices (7RW80, 7SD80, 7SJ80–81, 7SK80–81), implement network segmentation so that the relays' Ethernet interfaces are reachable only from authorized engineering workstations and supervisory control systems. Because no firmware fix exists for these models, this is the primary control, not a stopgap.
WORKAROUND: Deploy firewall rules at the boundary of the relay network to restrict inbound traffic to SIPROTEC devices: default-deny, permit only the protocol and engineering ports actually in use, and only from known-good source addresses (engineering workstations, control centres). Log denied traffic to the relay segment so that attempts to reach a device are visible to the operations team.
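As an added worked example (not part of the OTPulse page or of Siemens' guidance), the following Python expresses the default-deny allowlist described above as a small policy object, checks individual flows against it, and renders it as an nftables ruleset for the Linux firewall or router in front of the relay segment (the relays themselves run no packet filter). The subnet, host addresses, role names and TCP ports (102 for IEC 61850 MMS, 502 for Modbus/TCP) are constructed assumptions; substitute the addresses and the ports your relays actually use.

```python
"""Allowlist policy for a SIPROTEC relay segment, rendered as an nftables ruleset.

Example code added alongside the advisory; the addresses, role names and ports
below are constructed assumptions, not values taken from the advisory.
"""
from dataclasses import dataclass
from ipaddress import IPv4Address, IPv4Network, ip_address, ip_network
from typing import Dict, FrozenSet, Tuple


@dataclass(frozen=True)
class RelayPolicy:
    relay_net: IPv4Network
    # role name -> (source hosts holding that role, TCP ports they may reach on the relays)
    roles: Dict[str, Tuple[FrozenSet[IPv4Address], FrozenSet[int]]]
    log_prefix: str = "siprotec-drop "


def verdict(policy: RelayPolicy, src: str, dst: str, dport: int) -> str:
    """Default-deny decision for a new TCP flow from src to the relay at dst:dport.

    Raises ValueError for destinations outside the relay segment, which this
    policy does not govern.
    """
    if ip_address(dst) not in policy.relay_net:
        raise ValueError(f"{dst} is not in the relay segment {policy.relay_net}")
    src_ip = ip_address(src)
    for hosts, ports in policy.roles.values():
        if src_ip in hosts and dport in ports:
            return "accept"
    return "drop"


def _host_set(name: str, hosts: FrozenSet[IPv4Address]) -> str:
    elements = ", ".join(str(h) for h in sorted(hosts))
    return f"    set {name} {{ type ipv4_addr; elements = {{ {elements} }} }}"


def render_nftables(policy: RelayPolicy) -> str:
    """Render the policy as an nftables table: named sets, per-role accepts, logged drop."""
    lines = [
        "table inet siprotec_guard {",
        f"    set relays {{ type ipv4_addr; flags interval; elements = {{ {policy.relay_net} }} }}",
    ]
    for role, (hosts, _ports) in policy.roles.items():
        lines.append(_host_set(role, hosts))
    lines += [
        "    chain forward {",
        "        type filter hook forward priority 0; policy accept;",
        "        # later packets of accepted flows, and replies to sessions a relay initiated",
        "        ip daddr @relays ct state established,related accept",
    ]
    for role, (_hosts, ports) in policy.roles.items():
        port_list = ", ".join(str(p) for p in sorted(ports))
        lines.append(f"        ip daddr @relays ip saddr @{role} tcp dport {{ {port_list} }} accept")
    lines += [
        # everything else aimed at a relay is dropped and logged for detection
        f'        ip daddr @relays log prefix "{policy.log_prefix}" drop',
        "    }",
        "}",
    ]
    return "\n".join(lines) + "\n"


# Constructed example policy: two engineering workstations with configuration and
# protocol access, one control-centre front end with protocol access only.
EXAMPLE_POLICY = RelayPolicy(
    relay_net=ip_network("10.10.20.0/24"),
    roles={
        "eng_ws": (frozenset({ip_address("10.10.1.10"), ip_address("10.10.1.11")}),
                   frozenset({102, 502})),
        "scada_fe": (frozenset({ip_address("10.20.0.5")}), frozenset({102})),
    },
)

if __name__ == "__main__":
    print(render_nftables(EXAMPLE_POLICY))
```

Validate the generated file with `nft -c -f relays.nft` (check only) before loading it with `nft -f relays.nft`. The chain keeps `policy accept` so that it only governs traffic addressed to the relay segment; on a firewall that protects nothing else, a `policy drop` chain is the stricter choice. Rule order matters: the per-role accepts must precede the final logged drop, which is how `render_nftables` emits them.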
Schedule — requires maintenance window

Firmware updates take the relay out of service and end with a device reboot, so the protected circuit is without this relay's protection for the duration. Plan the update for a maintenance window in which the circuit is de-energised or covered by backup protection.

SIPROTEC 4 7SA6
HOTFIX: Update SIPROTEC 4 7SA6, 7SD5, and 7SD610 to firmware version 4.78 or later.
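An added example (not from the OTPulse page or from Siemens) of applying the fix table to a fleet inventory: it parses the firmware string as the engineering tool reports it (for example "V4.77"), compares numerically rather than as text, and flags every device the advisory leaves without a fix. The fixed versions are the page's; the inventory rows and the `triage` function are constructed for illustration, and the script assumes every row is a SIPROTEC 4 or 4 Compact model listed in this advisory.

```python
"""Triage a SIPROTEC 4 / 4 Compact inventory against SSA-400089 as summarised above.

Example code added alongside the advisory; the inventory rows are constructed.
"""
import re
from typing import Iterable, List, Tuple

# Models with a released fix and the first fixed firmware version (from the page).
FIXED_IN = {"7SA6": (4, 78), "7SD5": (4, 78), "7SD610": (4, 78)}


def parse_version(firmware: str) -> Tuple[int, ...]:
    """Turn 'V4.77', '4.78.01' or 'V04.70' into an integer tuple.

    Comparing the raw strings would rank '4.8' above '4.78'; tuples compare
    field by field, so (4, 8) < (4, 78) as intended. Assumption: Siemens keeps
    the two-digit minor field (4.70, 4.77, 4.78, ...).
    """
    fields = tuple(int(x) for x in re.findall(r"\d+", firmware))
    if len(fields) < 2:
        raise ValueError(f"unrecognised firmware version: {firmware!r}")
    return fields


def triage(model: str, firmware: str) -> str:
    """Action for one device: 'fixed', 'update to X or later', or 'no fix: ...'."""
    fixed = FIXED_IN.get(model.upper())
    if fixed is None:
        # Every other model in the advisory is affected in all versions with no fix.
        return "no fix: enforce network allowlist, watch for vendor update"
    if parse_version(firmware) >= fixed:
        return "fixed"
    return f"update to {'.'.join(str(f) for f in fixed)} or later"


def triage_inventory(rows: Iterable[Tuple[str, str, str]]) -> List[Tuple[str, str]]:
    """rows of (device name, model, firmware) -> list of (device name, action)."""
    return [(name, triage(model, fw)) for name, model, fw in rows]


# Constructed inventory: device names, models and versions are illustrative only.
INVENTORY = [
    ("SS-A-F01", "7SA6", "V4.77"),
    ("SS-A-F02", "7SA6", "V4.78"),
    ("SS-A-L01", "7SD610", "V4.70"),
    ("SS-A-BC1", "6MD61", "V4.86"),
    ("SS-B-M03", "7SK80", "V4.70"),
]

if __name__ == "__main__":
    for name, action in triage_inventory(INVENTORY):
        print(f"{name:10} {action}")
```

Feed it the model and firmware columns from your asset register or from the engineering tool's device list; anything reported as "no fix" belongs in the segmentation and firewall work items above rather than in a patch plan.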
Long-term hardening
HOTFIX: Monitor Siemens security advisories (SSA-400089) for fix versions for the remaining unfixed SIPROTEC 4 and Compact models, and plan firmware updates as patches become available. Until then, the segmentation and firewall controls above are the only protection for those models.