PatchSiren cyber security CVE debrief
CVE-2024-54017 Cert Portal CVE debrief
CVE-2024-54017 describes insufficient randomness in session identifier generation on affected Siemens SIPROTEC 5 devices. An unauthenticated remote attacker could brute-force a valid session identifier and read limited information exposed by the web server without authorization. The supplied advisory corpus rates this as medium severity and ties it to a network-reachable information-disclosure condition rather than code execution or integrity impact.
- Vendor
- Cert Portal
- Product
- Siemens SIPROTEC 5 6MD84 (CP300) vers:intdot/<11.0 SIPROTEC 5 6MD85 (CP200) vers:all/* SIPROTEC 5 6MD85 (CP300) vers:intdot/>=7.80|<11.0 SIPROTEC 5 6MD86 (CP200) SIPROTEC 5 6MD86 (CP300) SIPROTEC 5 6MD89 (CP300) SIPROTEC 5 6MU85 (CP300) SIPROTEC 5 7KE85 (CP200) SIPROTEC 5 7KE85 (CP300) SIPROTEC 5 7SA82 (CP100) vers:intdot/>=7.80 SIPROTEC 5 7SA82 (CP150) SIPROTEC 5 7SA84 (CP200) SIPROTEC 5 7SA86 (CP200) SIPROTEC 5 7SA86 (CP300) SIPROTEC 5 7SA87 (CP200) SIPROTEC 5 7SA87 (CP300) SIPROTEC 5 7SD82 (CP100) SIPROTEC 5 7SD82 (CP150) SIPROTEC 5 7SD84 (CP200) SIPROTEC 5 7SD86 (CP200) SIPROTEC 5 7SD86 (CP300) SIPROTEC 5 7SD87 (CP200) SIPROTEC 5 7SD87 (CP300) SIPROTEC 5 7SJ81 (CP100) SIPROTEC 5 7SJ81 (CP150) SIPROTEC 5 7SJ82 (CP100) SIPROTEC 5 7SJ82 (CP150) SIPROTEC 5 7SJ85 (CP200) SIPROTEC 5 7SJ85 (CP300) SIPROTEC 5 7SJ86 (CP200) SIPROTEC 5 7SJ86 (CP300) SIPROTEC 5 7SK82 (CP100) SIPROTEC 5 7SK82 (CP150) SIPROTEC 5 7SK85 (CP200) SIPROTEC 5 7SK85 (CP300) SIPROTEC 5 7SL82 (CP100) SIPROTEC 5 7SL82 (CP150) SIPROTEC 5 7SL86 (CP200) SIPROTEC 5 7SL86 (CP300) SIPROTEC 5 7SL87 (CP200) SIPROTEC 5 7SL87 (CP300) SIPROTEC 5 7SS85 (CP200) SIPROTEC 5 7SS85 (CP300) SIPROTEC 5 7ST85 (CP200) SIPROTEC 5 7ST85 (CP300) SIPROTEC 5 7ST86 (CP300) SIPROTEC 5 7SX82 (CP150) SIPROTEC 5 7SX85 (CP300) SIPROTEC 5 7SY82 (CP150) SIPROTEC 5 7UM85 (CP300) SIPROTEC 5 7UT82 (CP100) SIPROTEC 5 7UT82 (CP150) SIPROTEC 5 7UT85 (CP200) SIPROTEC 5 7UT85 (CP300) SIPROTEC 5 7UT86 (CP200) SIPROTEC 5 7UT86 (CP300) SIPROTEC 5 7UT87 (CP200) SIPROTEC 5 7UT87 (CP300) SIPROTEC 5 7VE85 (CP300) SIPROTEC 5 7VK87 (CP200) SIPROTEC 5 7VK87 (CP300) SIPROTEC 5 7VU85 (CP300) SIPROTEC 5 Compact 7SX800 (CP050)
- CVSS
- MEDIUM 5.3
- CISA KEV
- Not listed in stored evidence
- Original CVE published
- 2026-05-12
- Original CVE updated
- 2026-05-14
- Advisory published
- 2026-05-12
- Advisory updated
- 2026-05-14
Who should care
Asset owners, operators, and integrators of the listed Siemens SIPROTEC 5 protection devices should review exposure, especially if the device web interface is reachable from enterprise, remote-access, or service networks. OT security teams should also assess any compensating controls around segmentation, firewalling, and management-plane access.
Technical summary
The advisory corpus states that affected devices do not use sufficiently random values to create session identifiers. Because the attack is network-based, unauthenticated, and does not require user interaction, a remote attacker with web access could attempt to guess session IDs and obtain limited read access to information from the web server. The supplied CVSS vector is CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N, and the corpus maps the weakness to CWE-334.
Defensive priority
Medium. The impact is limited to confidentiality, but the issue is remotely reachable and affects a broad set of industrial protection devices; exposed web interfaces should be reviewed promptly.
Recommended defensive actions
- Inventory the affected SIPROTEC 5 models and firmware or version ranges against the Siemens advisory before planning remediation.
- Apply the vendor fix to V11.0 or later where the advisory lists an update path.
- For products listed as having no fix available, restrict or remove web access where possible and use compensating controls such as network segmentation and strict allowlisting.
- Limit exposure of device management and web interfaces to trusted administrative networks only; avoid direct Internet or broadly routed access.
- Review logs and access controls for abnormal web-session activity, repeated authentication attempts, or unexpected access to device information.
- Confirm whether each deployed model actually uses the web interface in your environment, then validate any vendor notes that affect applicability.
Evidence notes
Primary evidence comes from the CISA CSAF advisory ICSA-26-134-13 and the Siemens ProductCERT advisory SSA-786884 referenced in the corpus. The corpus explicitly states that affected devices use insufficiently random session identifiers and that an unauthenticated remote attacker could brute-force a session identifier to gain read access to limited web-server information. The supplied publication date is 2026-05-12, with a CISA republication/update on 2026-05-14.
Official resources
-
CVE-2024-54017 CVE record
CVE.org
-
CVE-2024-54017 NVD detail
NVD
-
Source item URL
cisa_csaf
-
Source reference
Reference
-
Source reference
Reference
-
Source reference
Reference
-
Source reference
Reference
-
Source reference
Reference
-
Source reference
Reference
-
Source reference
Reference
CISA published ICSA-26-134-13 for CVE-2024-54017 on 2026-05-12 and republished it on 2026-05-14 with Siemens ProductCERT advisory SSA-786884 as the referenced vendor source.