OTPulse

Information Disclosure Vulnerability in SIPROTEC 5 Devices

Plan: Patch
CVSS: 7.5
Advisory: SSA-767615
Date: Feb 11, 2025
Attack Vector: Network
Auth Required: None
Complexity: Low
User Interaction: None needed
Summary

An information disclosure vulnerability in SIPROTEC 5 devices (multiple models with CP150 and CP300 processor modules, communication modules, and compact variants) allows an unauthenticated, remote attacker to retrieve sensitive information from the device. The vulnerability affects devices running firmware versions prior to 9.90, with some variants fixed in 9.68, 9.83, or 10.0 depending on the product line.

What this means
What could happen
An attacker can remotely obtain sensitive device information such as configuration, network settings, or authentication details from unpatched SIPROTEC 5 relays and communication modules without providing credentials. This disclosed information could be used to plan further attacks on your power system or substation automation equipment.
Who's at risk
Operators of power systems, substations, and distribution networks using Siemens SIPROTEC 5 protection and control relays should review this vulnerability. Affected equipment includes distance protection relays (7SA series), overcurrent relays (7SJ, 7SK, 7SL series), differential protection relays (7SD series), directional relays (7SX, 7SY series), pilot protection relays (7ST series), power quality monitors (6MD series), metering relays (7UM series), power system stabilizer modules (7VK series), and communication modules (ETH-BA-2EL, ETH-BB-2FO, ETH-BD-2FO). The vulnerability affects both CP150 and CP300 processor-based variants.
How it could be exploited
An attacker sends a specially crafted network request to the SIPROTEC 5 device over its network interface without authentication. The device responds with sensitive information (likely configuration or system data) that should not be exposed. No special tools or complex interaction is required.
Prerequisites
  • Network reachability to the SIPROTEC 5 device port
  • No authentication credentials required
Tags: remotely exploitable, no authentication required, low complexity, sensitive information disclosure, affects multiple critical substation relay models
Exploitability
Low exploit probability (EPSS 0.1%)
Affected products (48)
48 with fix
Product                              | Affected Versions | Fixed in Version
SIPROTEC 5 6MD84 (CP300)             | < 9.90            | 9.90
SIPROTEC 5 6MD85 (CP300)             | ≥ 8.80, < 9.90    | 9.90
SIPROTEC 5 6MD86 (CP300)             | ≥ 8.80, < 9.90    | 9.90
SIPROTEC 5 6MD89 (CP300)             | ≥ 8.80, < 9.90    | 9.90
SIPROTEC 5 6MD89 (CP300) V9.6x       | < 9.68            | 9.68
Remediation & Mitigation
Do now
HARDENING: Restrict network access to SIPROTEC 5 device management ports using firewall rules or network segmentation; allow only authorized engineering workstations
Schedule — requires maintenance window

Patching may require device reboot — plan for process interruption

HOTFIX: Update SIPROTEC 5 devices running firmware version 9.50–9.89 to firmware 9.90 or later
HOTFIX: Update SIPROTEC 5 7KE85, 7ST85, and 7ST86 models running firmware versions prior to 10.0 to firmware 10.0 or later
HOTFIX: Update SIPROTEC 5 communication modules (ETH-BA-2EL, ETH-BB-2FO, ETH-BD-2FO) running firmware 9.6x variants to 9.68 or later
HOTFIX: Update SIPROTEC 5 communication modules running firmware 9.8x variants to 9.83 or later