OTPulse

Urgent/11 TCP/IP Stack Vulnerabilities in SIPROTEC 4 7SJ66 Devices

Act Now · 9.8 · SSA-617233 · Nov 14, 2023
Attack Vector: Network
Auth Required: None
Complexity: Low
User Interaction: None needed
Summary

SIPROTEC 4 7SJ66 relays contain nine of the eleven "URGENT/11" vulnerabilities in the Wind River VxWorks TCP/IP stack. These include buffer overflows (CWE-120), cache poisoning (CWE-384), null pointer dereferences (CWE-476), and race conditions (CWE-362). An attacker with network access could cause denial of service, extract sensitive data, or execute arbitrary code on the relay. Impact includes loss of protective function availability, modification of relay settings, and potential loss of confidentiality of relay configuration or event logs.

What this means
What could happen
An attacker on the network could crash SIPROTEC 4 relays, steal operating data, or run arbitrary code to alter protection logic and prevent breakers from tripping during faults. This threatens both safety and grid stability.
Who's at risk
Electric utility transmission and distribution operators managing SIPROTEC 4 7SJ66 protection relays. These relays provide critical overcurrent, distance, and differential protection for transformers, lines, and generators. Affected devices in unpatched versions present immediate risk to protective system integrity and operational reliability.
How it could be exploited
An attacker sends specially crafted TCP/IP packets to the relay over the network to trigger buffer overflow or logic flaws in the VxWorks stack. No authentication is required. Once code execution is achieved, the attacker can modify relay settings, disable protection functions, or cause the device to become unresponsive.
Prerequisites
  • Network reachability to the SIPROTEC 4 7SJ66 device (Modbus TCP or native ports)
  • Device running firmware version prior to V4.41
  • No special credentials or physical access required
Tags: remotely exploitable · no authentication required · low complexity attack · high EPSS score (79.5%) · affects critical protection systems · potential for remote code execution
Exploitability
High exploit probability (EPSS 79.5%)
Affected products (1)
Product | Affected Versions | Fix Status
SIPROTEC 4 7SJ66 | <V4.41 | 4.41
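The check an asset owner wants after reading this table is whether any relay in their own inventory falls in the affected range, and whether it is reachable from a zone outside the engineering network (the two prerequisites listed above). The script below is an added example, not OTPulse or Siemens tooling; the inventory records, device names and zone names are constructed, and it assumes firmware is recorded as a string such as "V4.30".

```python
"""Triage SIPROTEC 4 7SJ66 inventory entries against SSA-617233.

Added example, not part of the OTPulse advisory or any Siemens tool.
Assumptions: each inventory record is a dict with 'product', 'firmware'
(a string such as "V4.30") and 'reachable_from' (zones that can open TCP
connections to the relay). All records and zone names are constructed.
"""
import re

AFFECTED_PRODUCT = "SIPROTEC 4 7SJ66"
FIXED_VERSION = (4, 41)          # advisory: affected < V4.41, fixed in 4.41
TRUSTED_ZONES = {"engineering"}  # the only zone that should reach relay ports

# Constructed inventory for the example.
INVENTORY = [
    {"name": "relay-A1", "product": "SIPROTEC 4 7SJ66", "firmware": "V4.30",
     "reachable_from": ["engineering", "corporate"]},
    {"name": "relay-A2", "product": "SIPROTEC 4 7SJ66", "firmware": "V4.41",
     "reachable_from": ["engineering"]},
    {"name": "relay-B1", "product": "SIPROTEC 4 7SJ66", "firmware": "v4.40",
     "reachable_from": ["engineering"]},
    {"name": "relay-C1", "product": "SIPROTEC 4 7SJ66", "firmware": "V4.41.2",
     "reachable_from": ["corporate"]},
    {"name": "rtu-1", "product": "OTHER-RTU", "firmware": "2.1",
     "reachable_from": ["corporate"]},
]


def parse_version(firmware):
    """Turn 'V4.30' / 'v4.41.2' / '4.41' into a comparable tuple of ints.

    Raises ValueError on strings that do not look like a version, so an
    inventory typo is surfaced instead of being silently treated as safe.
    """
    m = re.fullmatch(r"[vV]?(\d+(?:\.\d+)*)", firmware.strip())
    if not m:
        raise ValueError(f"unrecognised firmware version: {firmware!r}")
    return tuple(int(p) for p in m.group(1).split("."))


def is_affected(product, firmware):
    """Affected iff the product matches and firmware is older than V4.41."""
    if product != AFFECTED_PRODUCT:
        return False
    return parse_version(firmware) < FIXED_VERSION


def triage(inventory):
    """Return (name, firmware, priority) for every affected relay.

    Priority 1: unpatched and reachable from a zone outside TRUSTED_ZONES,
    i.e. both advisory prerequisites are met. Priority 2: unpatched but only
    reachable from the engineering zone, so segmentation is already limiting
    exposure and the update can wait for the maintenance window.
    """
    findings = []
    for dev in inventory:
        if not is_affected(dev["product"], dev["firmware"]):
            continue
        exposed_zones = set(dev["reachable_from"]) - TRUSTED_ZONES
        priority = 1 if exposed_zones else 2
        findings.append((dev["name"], dev["firmware"], priority))
    findings.sort(key=lambda f: (f[2], f[0]))
    return findings


if __name__ == "__main__":
    for name, fw, prio in triage(INVENTORY):
        action = ("update to V4.41 now" if prio == 1
                  else "update in the next maintenance window")
        print(f"P{prio} {name} ({fw}): {action}")
```

Version strings are compared as integer tuples rather than as text, so "V4.41.2" correctly sorts after "V4.41" and "V4.9" would not be mistaken for a newer release than "V4.41". Unparseable firmware strings raise rather than pass, which is the safer failure mode for a protection-relay inventory.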
Remediation & Mitigation
Do now
HOTFIX: Update SIPROTEC 4 7SJ66 firmware to version 4.41 or later
HARDENING: Implement network segmentation to restrict unauthorized access to relay management ports; use firewalls to limit inbound TCP/IP traffic to engineering workstations only
Schedule — requires maintenance window

Patching may require device reboot — plan for process interruption

WORKAROUND: Disable unnecessary TCP/IP services on affected relays if not required for your protection scheme
API: /api/v1/advisories/f326159d-b5fc-4217-897a-9e8523058d1e