Accessible Development Shell via Physical Interface in SIPROTEC 5
Monitor · 6.8 · SSA-687955 · Feb 11, 2025
Attack Vector: Physical
Auth Required: None
Complexity: Low
User Interaction: None needed
Summary
SIPROTEC 5 relays contain an accessible development shell on a physical console or serial interface that lacks proper authentication restrictions. An unauthenticated attacker with physical access could execute arbitrary commands on the affected device. Siemens has released firmware updates for CP300, CP150, and CP100 variants. CP200-based devices across most product lines have no fix available and must rely on physical security controls.
What this means
What could happen
An attacker with physical access to the device serial port or console interface could execute arbitrary commands on SIPROTEC 5 relays, potentially altering protection logic, disabling alarms, or disconnecting circuit breakers.
Who's at risk
Electric utilities and water authorities operating SIPROTEC 5 protective relays in generation, transmission, distribution, and substation automation. Affects overcurrent relays (7SA82, 7SA86, 7SA87), distance relays (7SD82, 7SD86, 7SD87), differential relays (7ST85, 7ST86), directional relays (7SJ, 7SK, 7SL, 7SX, 7SY), transformer protection (6MD, 6MU), and bay controllers (7UT, 7VE, 7VK, 7UM). CP200 variants have no patch available and will remain vulnerable.
How it could be exploited
An attacker physically connects to the development shell interface (likely serial/console port) on the SIPROTEC 5 relay. Since the shell is not properly restricted, they can execute arbitrary commands without authentication. This allows full compromise of the device's control logic.
Prerequisites
- Physical access to the device's console or serial port
- No authentication credentials required
- Physical access required
- No authentication required
- Low complexity exploitation
- Affects electrical protection systems
- No patch available for CP200 variants
- Wide range of protective relay types impacted
Exploitability
Low exploit probability (EPSS 0.1%)
Affected products (61)
43 with fix, 18 pending
Product | Affected Versions | Fix Status
SIPROTEC 5 6MD84 (CP300) | < 9.90 | 9.90
SIPROTEC 5 6MD85 (CP200) | All versions | No fix yet
SIPROTEC 5 6MD85 (CP300) | < 9.90 | 9.90
SIPROTEC 5 6MD86 (CP200) | All versions | No fix yet
SIPROTEC 5 6MD86 (CP300) | < 9.90 | 9.90
Remediation & Mitigation
Do now
SIPROTEC 5 6MD85 (CP200)
HARDENING: For CP200 and CP100 models with no available patch, implement physical security controls restricting access to the device console and serial ports
All products
HARDENING: Restrict physical access to relay equipment rooms and control cabinets; lock or secure console ports to prevent unauthorized connection
Schedule — requires maintenance window
Patching may require device reboot — plan for process interruption
SIPROTEC 5 6MD84 (CP300)
HOTFIX: For 6MD84, 6MD85, 6MD86, 6MD89, 6MU85, 7KE85, 7SA86, 7SA87, 7SD86, 7SD87, 7SJ85, 7SJ86, 7SK85, 7SL86, 7SL87, 7SS85, 7UT85, 7UT86, 7UT87, 7VK87 with CP300, and 7SX800 with CP050: Update firmware to version 9.90 or later
HOTFIX: For 7KE85 with CP300 and 7ST85, 7ST86 with CP300: Update firmware to version 10.0 or later
SIPROTEC 5 7SA82 (CP100)
HOTFIX: For 7SA82 with CP100, 7SD82 with CP100, 7SJ81 with CP100, 7SJ82 with CP100, 7SK82 with CP100, 7SL82 with CP100, 7UT82 with CP100: Update firmware to version 8.90 or later
SIPROTEC 5 7SA82 (CP150)
HOTFIX: For 7SA82 with CP150, 7SD82 with CP150, 7SJ81 with CP150, 7SJ82 with CP150, 7SK82 with CP150, 7SL82 with CP150, 7SX82 with CP150, 7SY82 with CP150, 7UT82 with CP150: Update firmware to version 9.90 or later
SIPROTEC 5 6MD85 (CP200)
HARDENING: Audit field installations to identify which SIPROTEC 5 relays are vulnerable (all CP200 variants, end-of-life CP100/150 variants)
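One way to carry out the audit step above, as an added example that is not from the advisory page or from Siemens: a script that encodes the fixed-version rules listed in the HOTFIX items and classifies each relay in an inventory as patched, vulnerable with an update available, vulnerable with no fix (CP200), or unknown. It assumes firmware versions are recorded in the advisory's own form (for example 9.80, 9.90, 10.0; a leading "V" is tolerated), the asset names and firmware levels in the sample inventory are constructed, and it flags 7KE85/CP300 for manual verification because the page lists that combination under both 9.90 and 10.0.

```python
"""Inventory audit for SSA-687955 (added example, not vendor tooling).

Classifies SIPROTEC 5 relays against the fixed firmware versions stated on
the advisory page. Hypothetical asset names and firmware levels below are
constructed for illustration.
"""
from dataclasses import dataclass
from typing import Dict, List, Tuple

# Fixed firmware version per (device family, CPU variant), transcribed from
# the advisory's HOTFIX items.
FIXED_VERSION: Dict[Tuple[str, str], str] = {}


def _add(families: List[str], cpu: str, version: str) -> None:
    for fam in families:
        FIXED_VERSION[(fam, cpu)] = version


_add(["6MD84", "6MD85", "6MD86", "6MD89", "6MU85", "7SA86", "7SA87",
      "7SD86", "7SD87", "7SJ85", "7SJ86", "7SK85", "7SL86", "7SL87",
      "7SS85", "7UT85", "7UT86", "7UT87", "7VK87"], "CP300", "9.90")
_add(["7SX800"], "CP050", "9.90")
_add(["7ST85", "7ST86"], "CP300", "10.0")
_add(["7SA82", "7SD82", "7SJ81", "7SJ82", "7SK82", "7SL82", "7UT82"],
     "CP100", "8.90")
_add(["7SA82", "7SD82", "7SJ81", "7SJ82", "7SK82", "7SL82", "7SX82",
      "7SY82", "7UT82"], "CP150", "9.90")

# The advisory page lists 7KE85/CP300 under both 9.90 and 10.0, so the
# script does not guess; these combinations are reported for manual review.
AMBIGUOUS = {("7KE85", "CP300")}


def parse_version(v: str) -> Tuple[int, ...]:
    """Parse '9.90', '10.0' or 'V9.90' into a comparable tuple.

    Assumes the advisory's two-digit-minor form; '9.9' would NOT equal '9.90'.
    """
    parts = v.strip().lstrip("Vv").split(".")
    return tuple(int(p) for p in parts)


@dataclass
class Relay:
    name: str      # asset tag (constructed)
    family: str    # e.g. "7SA86"
    cpu: str       # e.g. "CP300"
    firmware: str  # e.g. "9.80"


def classify(relay: Relay) -> str:
    key = (relay.family, relay.cpu)
    if key in AMBIGUOUS:
        return "verify-advisory"
    if relay.cpu == "CP200":
        # Page: CP200 variants are affected in all versions with no fix.
        return "vulnerable-no-fix"
    if key not in FIXED_VERSION:
        return "unknown"
    fixed = parse_version(FIXED_VERSION[key])
    return "patched" if parse_version(relay.firmware) >= fixed else "vulnerable-update"


# Constructed sample inventory (not real assets).
INVENTORY = [
    Relay("SUB1-L1", "7SA86", "CP300", "9.80"),   # below 9.90
    Relay("SUB1-L2", "7SA86", "CP300", "9.90"),   # at fixed version
    Relay("SUB1-T1", "6MD85", "CP200", "9.90"),   # CP200: no fix
    Relay("SUB2-F3", "7SJ82", "CP100", "8.85"),   # below 8.90
    Relay("SUB2-F4", "7ST85", "CP300", "9.90"),   # 7ST85 needs 10.0
    Relay("SUB2-M1", "7SX800", "CP050", "10.0"),  # above 9.90
    Relay("SUB3-X1", "7KE85", "CP300", "9.90"),   # conflicting page data
]


def audit(inventory: List[Relay]) -> Dict[str, str]:
    """Map each asset name to its classification."""
    return {r.name: classify(r) for r in inventory}


def summarize(inventory: List[Relay]) -> Dict[str, int]:
    """Count assets per classification."""
    counts: Dict[str, int] = {}
    for status in audit(inventory).values():
        counts[status] = counts.get(status, 0) + 1
    return counts


if __name__ == "__main__":
    for name, status in audit(INVENTORY).items():
        print(f"{name:10s} {status}")
    print(summarize(INVENTORY))
```

The CP200 check runs before the table lookup so that any CP200 relay is reported as unpatchable regardless of its firmware level, which is what the advisory states for that CPU variant; relays with a family/CPU pairing the page does not mention come back as "unknown" rather than being silently treated as safe.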
CVEs (1)