
Siemens SIPROTEC 5 File Upload Flaw Enables Permanent DoS

CISA advisory warns of a vulnerability in the DIGSI5 protocol allowing authenticated users to upload arbitrary files, risking permanent denial of service and potential code execution across 60+ SIPROTEC 5 device models.

Tags: Siemens, SIPROTEC 5, DIGSI5, CISA, CVE-2025-40808, industrial control systems

Over 60 Siemens SIPROTEC 5 device models are vulnerable to an arbitrary file upload flaw that can permanently brick the devices. CVE-2025-40808 carries a CVSS score of 6.1 (MEDIUM) but don't let the number fool you - this is a high-risk scenario for any grid operator running these protection relays.

The vulnerability lives in the DIGSI5 protocol. An authenticated user can upload any file they want to the device. No restrictions, no filtering. Siemens' own advisory admits this could cause a permanent denial of service condition and potentially lead to code execution. That's a one-shot kill on a substation's protection logic.

Which Models Are Affected

Every SIPROTEC 5 variant with DIGSI5 support is in scope. The list spans 60+ specific part numbers across the CP050, CP100, CP150, CP200, and CP300 hardware platforms. From the compact 7SX800 up to the 7UT87 transformer protection, if it runs DIGSI5, it's vulnerable. The advisory lists them all - too many to enumerate here. Check your inventory against CISA advisory ICSA-26-174-02.

The Fix and the Gap

Siemens has one real mitigation: upgrade firmware to V9.90 or later, or V10.00 for a few specific models (7ST85 and 7ST86 on CP300). Those versions introduce an allow-list feature that restricts which files can be uploaded. That closes the attack vector.

But here's the brutal part: for some products, no fix is planned. And for others, no fix is available yet. If you're running an unpatched model, you're stuck with compensating controls: password-protect all DIGSI connections, use your own PKI-signed certificates, and enable role-based access control (RBAC) on devices with firmware V7.80 or higher.

What This Means for Operations

These relays sit in critical infrastructure - energy, transportation, healthcare, financial services. An attacker with valid credentials (or who compromises an engineering workstation) can push a malicious config that permanently disables the device. The grid design principle of multi-level redundant protection helps, but only if the redundant relays aren't also vulnerable.

Siemens recommends running devices in a protected IT environment with firewalls, segmentation, and VPNs. That's table-stakes advice. The real takeaway: if you can't patch immediately, audit your DIGSI access controls and lock down every engineering interface. No fix planned? Start planning for device replacement.


Source: Siemens SIPROTEC 5 Using DIGSI5 Protocol
Domain: cisa.gov
