Sensitive Data Exposure Vulnerability in SIPROTEC 5 Devices
Monitor | 5.3 | SSA-904646 | Jul 8, 2025
Attack Vector: Network
Auth Required: None
Complexity: High
User Interaction: Required
Summary
A sensitive data exposure vulnerability in SIPROTEC 5 protection relays can allow an attacker to retrieve sensitive session data from browser history, logs, or other storage mechanisms on the device. This could potentially lead to unauthorized access to the relay's configuration and monitoring functions.
What this means
What could happen
An attacker who gains access to a SIPROTEC 5 device could retrieve sensitive session data and credentials stored in browser history or logs, potentially allowing them to access the relay's web interface without authentication and view or modify protection settings.
Who's at risk
This affects operators of electrical substations and power distribution systems, particularly TSOs (transmission system operators) and DSOs (distribution system operators) that rely on Siemens SIPROTEC 5 protection relays for secondary protection schemes in medium and high voltage applications. All versions of the SIPROTEC 5 series are affected, including the 7SA, 7SD, 7SJ, 7SK, 7SL, 7SS, 7ST, 7SX, 7SY, 7UM, 7UT, 7VE, 7VK, 7VU, 6MD, 6MU, and 7KE variants.
How it could be exploited
An attacker with physical or network access to the device's web interface could extract session data from browser history, cached files, or device logs. If valid credentials or session tokens are exposed, the attacker could authenticate to the relay's interface and view or modify protection settings, alarm thresholds, or trip logic.
Prerequisites
- Network or physical access to the SIPROTEC 5 device
- Access to the device's browser cache, history files, or system logs
- Ability to extract and decode session tokens or credentials stored on the device
- No patch available
- Affects critical power system protection relays
- Default or weak session data handling allows credential exposure
Exploitability
Low exploit probability (EPSS 0.1%)
Affected products (44)
44 pending
| Product | Affected Versions | Fix Status |
| --- | --- | --- |
| SIPROTEC 5 7SK82 (CP150) | All versions | No fix yet |
| SIPROTEC 5 7SK85 (CP300) | All versions | No fix yet |
| SIPROTEC 5 7SL82 (CP100) | All versions | No fix yet |
| SIPROTEC 5 7SL82 (CP150) | All versions | No fix yet |
| SIPROTEC 5 7SL86 (CP300) | All versions | No fix yet |
Remediation & Mitigation
Do now
- HARDENING: Implement network segmentation and firewall rules to restrict access to SIPROTEC 5 device web interfaces to authorized engineering workstations only
- HARDENING: Deploy VPN or secure remote access controls for any off-site access to SIPROTEC 5 devices
- WORKAROUND: Regularly clear browser cache and history on engineering workstations used to access SIPROTEC 5 devices
Schedule — requires maintenance window
Patching may require device reboot — plan for process interruption
- HARDENING: Monitor SIPROTEC 5 web interface access logs and device audit trails for unauthorized access attempts or unusual session activity
Long-term hardening
- HARDENING: Implement multi-level redundant secondary protection schemes as recommended for critical power systems to ensure grid resilience even if one relay is compromised
- HARDENING: Follow Siemens operational guidelines at https://www.siemens.com/gridsecurity to configure devices in a protected IT environment
CVEs (1)