OTPulse

RADIUS Protocol Susceptible to Forgery Attacks (CVE-2024-3596) - Impact to SIPROTEC, SICAM and Related Products

Act Now · CVSS 9 · SSA-794185 · May 13, 2025
Attack Vector: Network
Auth Required: None
Complexity: High
User Interaction: None needed
Summary

CVE-2024-3596 is a RADIUS protocol vulnerability ("BlastRADIUS") affecting Siemens power grid devices. An on-path attacker between a RADIUS client (such as a SIPROTEC relay or SICAM gateway) and the RADIUS server can forge authentication packets to convert authentication rejections into acceptances. This allows unauthorized users to gain network access to protection relays and control devices without knowing legitimate credentials, potentially enabling them to issue commands that alter protection settings or disrupt power system operations. The vulnerability requires the attacker to be positioned between the device and its authentication server (Layer 2 or Layer 3), and affects devices that use RADIUS for network access control.

What this means
What could happen
An attacker positioned between a power grid device (SIPROTEC relay, SICAM gateway) and its RADIUS authentication server could forge authentication messages to impersonate legitimate users and gain unauthorized network access without valid credentials, potentially allowing them to alter control settings or disrupt grid operations.
Who's at risk
This affects electrical utilities and renewable energy operators running Siemens SIPROTEC 5 protection relays (distance, differential, overcurrent, voltage, frequency relays), SICAM central processing units and power meters, and Powerlink IP gateways. These devices are used for substation automation, grid protection, and power quality monitoring across transmission and distribution networks.
How it could be exploited
An attacker must be positioned on the network path between a SIPROTEC/SICAM device and the RADIUS authentication server (man-in-the-middle position). They craft forged RADIUS Access-Request packets and intercept the server response, modifying it to convert authentication rejections into acceptances. The device then grants network access based on the forged acceptance, allowing the attacker to communicate with the device as if authenticated.
Prerequisites
  • Network position between the affected device and RADIUS server (same network segment or compromised upstream router)
  • RADIUS authentication must be configured on the affected device
  • Attacker must be able to send and intercept packets on the network path (Layer 2 or Layer 3 depending on configuration)
  • Remotely exploitable from network position
  • No user interaction required
  • Medium attack complexity (requires network position)
  • High EPSS score (23.8%)
  • Powerlink IP has no fix available
  • Affects critical grid protection and control devices
  • Authentication bypass without valid credentials
Exploitability
High exploit probability (EPSS 23.8%)
Affected products (53)
52 with fix, 1 pending
Product | Affected Versions | Fix Status
CPC80 Central Processing/Communication | < 16.51 | 16.51
CPCI85 Central Processing/Communication | < 6.20 | 6.20
POWER METER SICAM Q100 family | < 2.70 | 2.70
POWER METER SICAM Q200 family | < 2.83 | 2.83
Powerlink IP | All versions | No fix yet
Remediation & Mitigation
Do now
WORKAROUND: Use VPN or encrypted tunnels (such as RADIUS/TLS) if RADIUS traffic must traverse untrusted networks
WORKAROUND: Monitor RADIUS authentication logs for anomalous accept/reject patterns or failed authentication followed by access grants
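A correlation check in the spirit of the log-monitoring workaround above (an added example, not code from the advisory or from Siemens): it joins the RADIUS server's Accept/Reject decisions with the device-side "login granted" events and flags any grant the server never approved, which is exactly the effect the reject-to-accept forgery described under "How it could be exploited" produces. The log formats, addresses and usernames are constructed for illustration.

```python
"""Correlate RADIUS server decisions with device-side access grants.

Added example (not part of the advisory or any Siemens tooling). The log
formats below are constructed; adapt the regexes to the syslog format your
RADIUS server and relays/gateways actually emit.
"""
import re
from datetime import datetime, timedelta

# Constructed sample: what the RADIUS server decided (one line per request).
SERVER_LOG = """\
2025-05-13T10:00:01 radiusd: Access-Accept id=17 user=eng01 nas=10.1.5.20
2025-05-13T10:02:10 radiusd: Access-Reject id=42 user=eng01 nas=10.1.5.21
2025-05-13T10:05:00 radiusd: Access-Reject id=43 user=admin nas=10.1.5.22
"""
# Constructed sample: what the devices (RADIUS clients) reported.
DEVICE_LOG = """\
2025-05-13T10:00:02 10.1.5.20 auth: RADIUS login granted user=eng01
2025-05-13T10:02:11 10.1.5.21 auth: RADIUS login granted user=eng01
2025-05-13T10:07:30 10.1.5.23 auth: RADIUS login granted user=svc
"""

SERVER_RE = re.compile(r"^(\S+) radiusd: Access-(Accept|Reject) id=\d+ user=(\S+) nas=(\S+)$")
DEVICE_RE = re.compile(r"^(\S+) (\S+) auth: RADIUS login granted user=(\S+)$")
WINDOW = timedelta(seconds=5)  # a client acts within seconds of the server reply

def parse(log, regex):
    """Yield (timestamp, *captured fields) for every line the regex matches."""
    for line in log.splitlines():
        m = regex.match(line)
        if m:
            yield (datetime.fromisoformat(m.group(1)),) + m.groups()[1:]

def find_suspicious_grants(server_log=SERVER_LOG, device_log=DEVICE_LOG, window=WINDOW):
    """Return device grants with no matching server Access-Accept inside the window."""
    decisions = list(parse(server_log, SERVER_RE))  # (ts, verdict, user, nas)
    alerts = []
    for ts, nas, user in parse(device_log, DEVICE_RE):
        matching = [d for d in decisions
                    if d[2] == user and d[3] == nas and ts - window <= d[0] <= ts]
        if not any(d[1] == "Accept" for d in matching):
            # A reject turned into a grant is the forgery signature; a grant with
            # no server record at all is worth a look too (missing logs or a spoofed reply).
            reason = "server rejected" if matching else "no server decision"
            alerts.append({"time": ts.isoformat(), "nas": nas, "user": user, "reason": reason})
    return alerts

if __name__ == "__main__":
    for a in find_suspicious_grants():
        print(f"ALERT {a['time']} nas={a['nas']} user={a['user']}: {a['reason']}")
```

The join relies on the server and the devices having synchronized clocks; widen the window if their NTP drift is larger than a few seconds.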
Schedule — requires maintenance window

Patching may require device reboot — plan for process interruption

SIPROTEC 5 7SA82 (CP100)
HOTFIX: Update SIPROTEC 5 relays (all models) to firmware version 10.0 or later, or version 8.90 for CP100/150 models and version 9.68/9.83 for specific V9.x variants
SICAM GridPass
HOTFIX: Update SICAM products: CPC80 to 16.51, CPCI85 to 6.20, SICAM Q100 to 2.70, SICAM Q200 to 2.83, SICAM GridPass to 2.50, SICORE Base to 2.20.0
Long-term hardening
HARDENING: Isolate RADIUS authentication traffic to a dedicated, encrypted, and monitored network segment separate from field device networks
HARDENING: Implement network segmentation so RADIUS servers are not on the same Layer 2 domain as untrusted networks