Siemens SIPROTEC 5
Siemens SIPROTEC 5 uses weak session IDs vulnerable to brute-force hijacking attacks
Summary
A vulnerability (CVE-2024-54017) in Siemens SIPROTEC 5 protective relay devices allows unauthenticated remote attackers to brute-force session identifiers due to insufficient randomness in their generation. This could enable session hijacking and unauthorized read access to limited web server information. Fixes are available by upgrading to V11.0 or later; interim mitigation measures are recommended for devices where updates are not yet available.
Full text
ICS Advisory Siemens SIPROTEC 5 Release DateMay 14, 2026 Alert CodeICSA-26-134-13 Related topics: Industrial Control System Vulnerabilities, Industrial Control Systems View CSAF Summary The SIPROTEC 5 devices do not use sufficiently random numbers to generate session identifiers. This could facilitate a brute-force attack against a valid session identifier which could allow an unauthenticated remote attacker to hijack a valid user session. The affected session identifiers are only used in a subset of the endpoints that are provided by the affected products. Siemens is preparing fix versions and recommends countermeasures for products where fixes are not, or not yet available. The following versions of Siemens SIPROTEC 5 are affected: SIPROTEC 5 6MD84 (CP300) vers:intdot/<11.0 (CVE-2024-54017) SIPROTEC 5 6MD85 (CP200) vers:all/* () SIPROTEC 5 6MD85 (CP300) vers:intdot/>=7.80|<11.0 (CVE-2024-54017) SIPROTEC 5 6MD86 (CP200) vers:all/* () SIPROTEC 5 6MD86 (CP300) vers:intdot/>=7.80|<11.0 (CVE-2024-54017) SIPROTEC 5 6MD89 (CP300) vers:intdot/>=7.80|<11.0 (CVE-2024-54017) SIPROTEC 5 6MU85 (CP300) vers:intdot/>=7.80|<11.0 (CVE-2024-54017) SIPROTEC 5 7KE85 (CP200) vers:all/* () SIPROTEC 5 7KE85 (CP300) vers:intdot/>=7.80|<11.0 (CVE-2024-54017) SIPROTEC 5 7SA82 (CP100) vers:intdot/>=7.80 (CVE-2024-54017) SIPROTEC 5 7SA82 (CP150) vers:intdot/<11.0 (CVE-2024-54017) SIPROTEC 5 7SA84 (CP200) vers:all/* () SIPROTEC 5 7SA86 (CP200) vers:all/* () SIPROTEC 5 7SA86 (CP300) vers:intdot/>=7.80|<11.0 (CVE-2024-54017) SIPROTEC 5 7SA87 (CP200) vers:all/* () SIPROTEC 5 7SA87 (CP300) vers:intdot/>=7.80|<11.0 (CVE-2024-54017) SIPROTEC 5 7SD82 (CP100) vers:intdot/>=7.80 (CVE-2024-54017) SIPROTEC 5 7SD82 (CP150) vers:intdot/<11.0 (CVE-2024-54017) SIPROTEC 5 7SD84 (CP200) vers:all/* () SIPROTEC 5 7SD86 (CP200) vers:all/* () SIPROTEC 5 7SD86 (CP300) vers:intdot/>=7.80|<11.0 (CVE-2024-54017) SIPROTEC 5 7SD87 (CP200) vers:all/* () SIPROTEC 5 7SD87 (CP300) vers:intdot/>=7.80|<11.0 (CVE-2024-54017) SIPROTEC 5 7SJ81 (CP100) vers:intdot/>=7.80 (CVE-2024-54017) SIPROTEC 5 7SJ81 (CP150) vers:intdot/<11.0 (CVE-2024-54017) SIPROTEC 5 7SJ82 (CP100) vers:intdot/>=7.80 (CVE-2024-54017) SIPROTEC 5 7SJ82 (CP150) vers:intdot/<11.0 (CVE-2024-54017) SIPROTEC 5 7SJ85 (CP200) vers:all/* () SIPROTEC 5 7SJ85 (CP300) vers:intdot/>=7.80|<11.0 (CVE-2024-54017) SIPROTEC 5 7SJ86 (CP200) vers:all/* () SIPROTEC 5 7SJ86 (CP300) vers:intdot/>=7.80|<11.0 (CVE-2024-54017) SIPROTEC 5 7SK82 (CP100) vers:intdot/>=7.80 (CVE-2024-54017) SIPROTEC 5 7SK82 (CP150) vers:intdot/<11.0 (CVE-2024-54017) SIPROTEC 5 7SK85 (CP200) vers:all/* () SIPROTEC 5 7SK85 (CP300) vers:intdot/>=7.80|<11.0 (CVE-2024-54017) SIPROTEC 5 7SL82 (CP100) vers:intdot/>=7.80 (CVE-2024-54017) SIPROTEC 5 7SL82 (CP150) vers:intdot/<11.0 (CVE-2024-54017) SIPROTEC 5 7SL86 (CP200) vers:all/* () SIPROTEC 5 7SL86 (CP300) vers:intdot/>=7.80|<11.0 (CVE-2024-54017) SIPROTEC 5 7SL87 (CP200) vers:all/* () SIPROTEC 5 7SL87 (CP300) vers:intdot/>=7.80|<11.0 (CVE-2024-54017) SIPROTEC 5 7SS85 (CP200) vers:all/* () SIPROTEC 5 7SS85 (CP300) vers:intdot/>=7.80|<11.0 (CVE-2024-54017) SIPROTEC 5 7ST85 (CP200) vers:all/* () SIPROTEC 5 7ST85 (CP300) vers:intdot/>=7.80|<11.0 (CVE-2024-54017) SIPROTEC 5 7ST86 (CP300) vers:intdot/<11.0 (CVE-2024-54017) SIPROTEC 5 7SX82 (CP150) vers:intdot/<11.0 (CVE-2024-54017) SIPROTEC 5 7SX85 (CP300) vers:intdot/<11.0 (CVE-2024-54017) SIPROTEC 5 7SY82 (CP150) vers:intdot/<11.0 (CVE-2024-54017) SIPROTEC 5 7UM85 (CP300) vers:intdot/>=7.80|<11.0 (CVE-2024-54017) SIPROTEC 5 7UT82 (CP100) vers:intdot/>=7.80 (CVE-2024-54017) SIPROTEC 5 7UT82 (CP150) vers:intdot/<11.0 (CVE-2024-54017) SIPROTEC 5 7UT85 (CP200) vers:all/* () SIPROTEC 5 7UT85 (CP300) vers:intdot/>=7.80|<11.0 (CVE-2024-54017) SIPROTEC 5 7UT86 (CP200) vers:all/* () SIPROTEC 5 7UT86 (CP300) vers:intdot/>=7.80|<11.0 (CVE-2024-54017) SIPROTEC 5 7UT87 (CP200) vers:all/* () SIPROTEC 5 7UT87 (CP300) vers:intdot/>=7.80|<11.0 (CVE-2024-54017) SIPROTEC 5 7VE85 (CP300) vers:intdot/>=7.80|<11.0 (CVE-2024-54017) SIPROTEC 5 7VK87 (CP200) vers:all/* () SIPROTEC 5 7VK87 (CP300) vers:intdot/>=7.80|<11.0 (CVE-2024-54017) SIPROTEC 5 7VU85 (CP300) vers:intdot/<11.0 (CVE-2024-54017) SIPROTEC 5 Compact 7SX800 (CP050) vers:intdot/<11.0 (CVE-2024-54017) CVSS Vendor Equipment Vulnerabilities v3 5.3 Siemens Siemens SIPROTEC 5 Small Space of Random Values Background Critical Infrastructure Sectors: Critical Manufacturing Countries/Areas Deployed: Worldwide Company Headquarters Location: Germany Vulnerabilities Expand All + CVE-2024-54017 Affected devices do not use sufficiently random values to create session identifiers. This could allow an unauthenticated remote attacker to brute force a session identifier and gain read access to limited information from the web server without authorization. View CVE Details Affected Products Siemens SIPROTEC 5 Vendor:Siemens Product Version:SIPROTEC 5 6MD84 (CP300), SIPROTEC 5 6MD85 (CP300), SIPROTEC 5 6MD86 (CP300), SIPROTEC 5 6MD89 (CP300), SIPROTEC 5 6MU85 (CP300), SIPROTEC 5 7KE85 (CP300), SIPROTEC 5 7SA82 (CP100), SIPROTEC 5 7SA82 (CP150), SIPROTEC 5 7SA86 (CP300), SIPROTEC 5 7SA87 (CP300), SIPROTEC 5 7SD82 (CP100), SIPROTEC 5 7SD82 (CP150), SIPROTEC 5 7SD86 (CP300), SIPROTEC 5 7SD87 (CP300), SIPROTEC 5 7SJ81 (CP100), SIPROTEC 5 7SJ81 (CP150), SIPROTEC 5 7SJ82 (CP100), SIPROTEC 5 7SJ82 (CP150), SIPROTEC 5 7SJ85 (CP300), SIPROTEC 5 7SJ86 (CP300), SIPROTEC 5 7SK82 (CP100), SIPROTEC 5 7SK82 (CP150), SIPROTEC 5 7SK85 (CP300), SIPROTEC 5 7SL82 (CP100), SIPROTEC 5 7SL82 (CP150), SIPROTEC 5 7SL86 (CP300), SIPROTEC 5 7SL87 (CP300), SIPROTEC 5 7SS85 (CP300), SIPROTEC 5 7ST85 (CP300), SIPROTEC 5 7ST86 (CP300), SIPROTEC 5 7SX82 (CP150), SIPROTEC 5 7SX85 (CP300), SIPROTEC 5 7SY82 (CP150), SIPROTEC 5 7UM85 (CP300), SIPROTEC 5 7UT82 (CP100), SIPROTEC 5 7UT82 (CP150), SIPROTEC 5 7UT85 (CP300), SIPROTEC 5 7UT86 (CP300), SIPROTEC 5 7UT87 (CP300), SIPROTEC 5 7VE85 (CP300), SIPROTEC 5 7VK87 (CP300), SIPROTEC 5 7VU85 (CP300), SIPROTEC 5 Compact 7SX800 (CP050) Product Status:known_affected, known_not_affected Remediations None availableCurrently no fix is available Vendor fixUpdate to V11.0 or later versionhttps://support.industry.siemens.com/cs/ww/en/view/109814150/ Vendor fixUpdate to V11.0 or later versionhttps://support.industry.siemens.com/cs/ww/en/view/109757433/ Vendor fixUpdate to V11.0 or later versionhttps://support.industry.siemens.com/cs/ww/en/view/109796884/ Relevant CWE: CWE-334 Small Space of Random Values Metrics CVSS Version Base Score Base Severity Vector String 3.1 5.3 MEDIUM CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N Acknowledgments Siemens ProductCERT reported this vulnerability to CISA. SEC Consult Vulnerability Lab reported this vulnerability to Siemens. General Recommendations Operators of critical power systems (e.g. TSOs or DSOs) worldwide are usually required by regulations to build resilience into the power grids by applying multi-level redundant secondary protection schemes. It is therefore recommended that the operators check whether appropriate resilient protection measures are in place. The risk of cyber incidents impacting the grid's reliability can thus be minimized by virtue of the grid design. Siemens strongly recommends applying the provided security updates using the corresponding tooling and documented procedures made available with the product. If supported by the product, an automated means to apply the security updates across multiple product instances may be used. Siemens strongly recommends prior validation of any security update before being applied, and supervision by trained staff of the update process in the target environment. As a general security measure Siemens strongly recommends to protect network access with appropriate mechanisms (e.g. firewalls, segmentation, VPN). It is advised to configure the environment according to our operational guidelines in order to run the devices in a protected IT environment. Recommended security guidel
Indicators of Compromise
- cve — CVE-2024-54017