Apache Log4j Vulnerabilities (Log4Shell, CVE-2021-44228, CVE-2021-45046) - Impact to SPPA-T3000

Act NowCVSS 10SSA-714170Dec 16, 2021

SiemensEnergy

Attack path

Attack VectorNetwork

Auth RequiredNone

ComplexityLow

User InteractionNone needed

Summary

Apache Log4j vulnerability (CVE-2021-44228, known as Log4Shell) in SPPA-T3000 SeS3000 Security Server allows remote unauthenticated attackers to execute arbitrary code. A follow-on vulnerability (CVE-2021-45046) was later disclosed with increased severity, enabling denial of service, information disclosure, and potential code execution. The SPPA-T3000 SeS3000 is the control and monitoring platform for power system protection and automation. All versions of the affected hardware are vulnerable; no vendor fix is available.

What this means

What could happen

An attacker can remotely execute commands on the SPPA-T3000 security server without credentials, potentially compromising the protection and automation systems that control power grid operations, causing loss of visibility and control or unintended grid switching actions.

Who's at risk

Electric utility operators, transmission system operators (TSOs), and distribution system operators (DSOs) responsible for power grid protection and automation systems using SPPA-T3000 SeS3000 security servers. This affects the critical automation and protection devices that manage grid stability and fault response.

How it could be exploited

An attacker sends a specially crafted log message containing a malicious JNDI lookup string to any network service on the SPPA-T3000 that uses Log4j for logging. When the server processes the log entry, it automatically fetches and executes remote code, giving the attacker command execution on the device.

Prerequisites

Network access to the SPPA-T3000 on any port where Log4j is used for logging (typically application logging ports)
No authentication or special configuration required

remotely exploitableno authentication requiredlow complexityactively exploited (KEV)EPSS 94.4% (very high)no patch availableaffects safety systems

Exploitability

Actively exploited — confirmed by CISA KEV

Metasploit module available — weaponized exploitView module ↗

Public Proof-of-Concept (PoC) on GitHub (10 repositories)

Affected products (1)

ProductAffected VersionsFix Status

SPPA-T3000 SeS3000 Security Server (6DU7054-0..00-..A0)All versionsNo fix (EOL)

Remediation & Mitigation

0/6

Do now

0/3

HARDENINGImplement network segmentation and firewall rules to restrict network access to the SPPA-T3000 SeS3000 from untrusted networks. Limit connections to only authorized engineering workstations and control centers

HOTFIXDeploy the Siemens-provided security update for SPPA-T3000 using documented procedures during a scheduled maintenance window with trained staff supervision

WORKAROUNDIf security update is not yet available from Siemens, isolate the SPPA-T3000 SeS3000 on a dedicated, physically separated network segment with no direct internet or untrusted network connectivity

Schedule — requires maintenance window

0/3

Patching may require device reboot — plan for process interruption

HARDENINGReview and verify that multi-level redundant secondary protection schemes are properly configured and operational to maintain grid resilience while the vulnerability exists

HARDENINGMonitor SPPA-T3000 logs and network traffic for anomalous activity or exploit attempts; alert on unexpected outbound connections

HARDENINGEstablish VPN or secure remote access controls for any administrative or engineering connections to the device

CVEs (2)

CVE-2021-44228 CVE-2021-45046

View full Siemens ProductCERT advisory

↑↓ Navigate · Esc Close

API: /api/v1/advisories/5d96ec8c-60b4-408d-8dee-0a5cc01653dc

Get OT security insights every Tuesday

Advisory breakdowns, a weekly summary, and incident analyses for the people actually defending OT environments. Free, no account required.