Multiple Vulnerabilities in SICAM T Before V3.0
Act Now · 9.9 · SSA-471761 · Dec 9, 2025
Attack Vector: Network
Auth Required: Low
Complexity: Low
User Interaction: None needed
Summary
SICAM T before V3.0 contains multiple web application vulnerabilities including improper input validation, Cross-Site Scripting (XSS), Cross-Site Request Forgery (CSRF), session fixation, authentication and authorization bypasses, and missing HTTPS and cookie protections. These flaws could allow attackers to execute remote code, deny service, bypass access controls, hijack user sessions, impersonate legitimate administrators, or perform arbitrary actions on the device on behalf of authenticated users. Siemens has released version 3.0 which addresses these issues.
What this means
What could happen
An attacker with login credentials could exploit web interface vulnerabilities in SICAM T to modify device settings, intercept session tokens, or trick authenticated users into performing unauthorized actions. In a utility network, this could allow remote alteration of substation automation or protection device configurations.
Who's at risk
This affects water authorities and municipal utilities operating Siemens SICAM T devices for substation automation, protection relay coordination, or grid monitoring. Engineers and operators who manage these systems through the web interface are at risk of having their sessions hijacked or their actions manipulated. Any site running SICAM T versions prior to 3.0 is vulnerable.
How it could be exploited
An attacker with valid SICAM T credentials accesses the web interface and exploits XSS, CSRF, or session fixation vulnerabilities to steal session tokens or plant malicious scripts. These scripts could trigger unauthorized configuration changes or hijack an administrator's browser session to execute commands with their privileges. Alternatively, an unauthenticated attacker could exploit input validation flaws if SICAM T is exposed to untrusted networks.
Prerequisites
- Valid SICAM T login credentials (username and password)
- Network access to the SICAM T web interface (port 443 or standard HTTP/HTTPS port)
- For some vectors: victim engineer must be logged into the web interface
- For unauthenticated input validation exploits: SICAM T must be reachable from attacker's network
- Remotely exploitable via web interface
- Requires valid credentials for most exploitation paths
- Low complexity exploitation once authenticated
- No authentication required for some input validation flaws
- Affects critical utility automation and protection systems
- Multiple vulnerability types (XSS, CSRF, session fixation, auth bypass)
Exploitability
Moderate exploit probability (EPSS 2.9%)
Affected products (1)
Product | Affected Versions | Fix Status
SICAM T | < 3.0 | 3.0
Remediation & Mitigation
Do now
- HOTFIX: Update SICAM T to version 3.0 or later immediately
- WORKAROUND: Restrict network access to SICAM T web interface to trusted engineering workstations only using firewall rules
- HARDENING: Enforce HTTPS-only access and disable HTTP on SICAM T
Schedule — requires maintenance window
Patching may require device reboot — plan for process interruption
- HARDENING: Enforce strong passwords and multi-factor authentication for SICAM T accounts if supported in version 3.0
- HARDENING: Monitor SICAM T web access logs for suspicious activity, unusual login patterns, or attempted exploitation of XSS/CSRF vectors
Long-term hardening
- HARDENING: Implement network segmentation to isolate SICAM T on a protected engineering network separate from corporate IT
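To confirm after the update that the cookie protections and session handling named in the summary are in place, an engineer can audit Set-Cookie headers captured from the web interface before and after login. The following is an added example, not code from Siemens or from this advisory; the cookie name "SID" and all header values are constructed assumptions.

```python
from http.cookies import SimpleCookie

def _parse(header):
    """Parse one Set-Cookie header value; empty or None yields an empty jar."""
    jar = SimpleCookie()
    if header:
        jar.load(header)
    return jar

def missing_cookie_flags(set_cookie_header):
    """Map each cookie in one Set-Cookie value to the protections it lacks."""
    findings = {}
    for name, morsel in _parse(set_cookie_header).items():
        missing = []
        if not morsel["secure"]:
            missing.append("Secure")    # cookie would also be sent over plain HTTP
        if not morsel["httponly"]:
            missing.append("HttpOnly")  # cookie is readable by script in the page
        if morsel["samesite"].lower() not in ("strict", "lax"):
            missing.append("SameSite")  # cookie accompanies cross-site requests
        if missing:
            findings[name] = missing
    return findings

def session_id_rotated(pre_login, post_login, cookie_name):
    """True only if the login response issued a new value for the session cookie."""
    before, after = _parse(pre_login), _parse(post_login)
    if cookie_name not in after:
        return False  # nothing reissued at login: any pre-login ID stays in use
    if cookie_name not in before:
        return True   # no ID existed before login, so the ID is new
    return before[cookie_name].value != after[cookie_name].value

# Constructed sample headers; "SID" and its values are assumptions.
WEAK_PRE = "SID=a1b2c3; Path=/"
WEAK_POST = "SID=a1b2c3; Path=/"
HARD_PRE = "SID=a1b2c3; Path=/; Secure; HttpOnly; SameSite=Strict"
HARD_POST = "SID=f9e8d7; Path=/; Secure; HttpOnly; SameSite=Strict"

if __name__ == "__main__":
    for label, pre, post in (("weak", WEAK_PRE, WEAK_POST),
                             ("hardened", HARD_PRE, HARD_POST)):
        print(label, missing_cookie_flags(post),
              session_id_rotated(pre, post, "SID"))
```

A session cookie that keeps the same value across login, or that lacks any of the three attributes, indicates the corresponding protection is not active on that device.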
CVEs (15)