PatchSiren cyber security CVE debrief
CVE-2024-38867 Siemens CVE debrief
Siemens SIPROTEC 5 devices support weak TLS ciphers on ports 443/tcp (web), 4443/tcp (DIGSI 5), and configurable syslog-over-TLS ports. An attacker in a man-in-the-middle position could exploit this to decrypt traffic. The vulnerability was published on 2024-07-09 and last modified on 2025-11-11, when fixes were added for additional product variants (SIPROTEC 5 7SA82, 7SD82, 7SL82, and 7UT82 with CP100). The CVSS 3.1 score is 5.9 (Medium).
- Vendor: Siemens
- Product: SIPROTEC 5 6MD84 (CP300)
- CVSS: MEDIUM 5.9
- CISA KEV: Not listed in stored evidence
- Original CVE published: 2024-07-09
- Original CVE updated: 2025-11-11
- Advisory published: 2024-07-09
- Advisory updated: 2025-11-11
Who should care
Operators of Siemens SIPROTEC 5 protection and control devices in electrical substations and industrial environments; OT security teams responsible for securing IEC 61850 and protection relay communications; compliance officers managing NERC CIP or similar critical infrastructure security requirements.
Technical summary
Affected SIPROTEC 5 devices accept weak TLS cipher suites on web (443/tcp), DIGSI 5 (4443/tcp), and syslog-over-TLS ports. This cryptographic weakness allows network-positioned attackers to downgrade connections and decrypt traffic. The vulnerability affects 69 product variants across multiple device families and communication modules. Siemens has released firmware updates for many variants; however, 22 products have no planned fix. Network access restrictions serve as the primary compensating control for unpatched devices.
Defensive priority
medium
Recommended defensive actions
- Apply vendor firmware updates where available: V8.89+ or V8.90+ for V8.xx variants; V9.62+, V9.64+, or V9.65+ for V9.xx variants per Siemens guidance.
- Restrict network access to affected ports (443/tcp, 4443/tcp, and configurable syslog-over-TLS ports) to trusted IP addresses only as a compensating control.
- Monitor for products marked 'no fix planned' and plan replacement or additional network segmentation for these variants.
- Review TLS configuration on affected devices to ensure only strong cipher suites are enabled after patching.
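The triage behind these actions can be scripted against the CSAF advisory's remediation entries; the following is an added example, not code from the advisory, Siemens or CISA. The CSAF excerpt, the EXAMPLE-VARIANT product names, the CSAFPID identifiers, the pairing of products with fix versions, the inventory shape and the function names are assumptions constructed for illustration; the field names follow CSAF 2.0.

```python
import re

# Constructed CSAF 2.0 excerpt: product names, product IDs and the product-to-version
# mapping are placeholders, not values copied from ICSA-24-193-14.
def _leaf(name, pid):
    return {"category": "product_name", "name": name, "product": {"name": name, "product_id": pid}}
SAMPLE_CSAF = {
    "product_tree": {"branches": [{"category": "vendor", "name": "Siemens", "branches": [
        _leaf("EXAMPLE-VARIANT-A", "CSAFPID-0001"), _leaf("EXAMPLE-VARIANT-B", "CSAFPID-0002"),
        _leaf("EXAMPLE-VARIANT-C", "CSAFPID-0003")]}]},
    "vulnerabilities": [{"cve": "CVE-2024-38867", "remediations": [
        {"category": "vendor_fix", "product_ids": ["CSAFPID-0001"], "details": "Update to V9.65 or later"},
        {"category": "vendor_fix", "product_ids": ["CSAFPID-0002"], "details": "Update to V8.89 or later"},
        {"category": "no_fix_planned", "product_ids": ["CSAFPID-0003"], "details": "No fix planned"},
        {"category": "mitigation", "product_ids": ["CSAFPID-0001", "CSAFPID-0003"],
         "details": "Restrict access to 443/tcp and 4443/tcp to trusted IP addresses"}]}]}

def product_ids(node, out=None):
    """Walk product_tree branches recursively; map product name -> product_id."""
    out = {} if out is None else out
    for branch in node.get("branches", []):
        if "product" in branch:
            out[branch["product"]["name"]] = branch["product"]["product_id"]
        product_ids(branch, out)
    return out

def version(text):
    """First 'V<major>.<minor>' in text as an integer tuple, or None."""
    m = re.search(r"V(\d+)\.(\d+)", text)
    return (int(m.group(1)), int(m.group(2))) if m else None

def triage(inventory, csaf, cve="CVE-2024-38867"):
    """Map {asset: (product, firmware)} to a status; mitigation entries do not decide it."""
    ids = product_ids(csaf["product_tree"])
    vuln = next(v for v in csaf["vulnerabilities"] if v.get("cve") == cve)
    plan = {pid: r for r in vuln["remediations"]
            if r["category"] in ("vendor_fix", "no_fix_planned") for pid in r["product_ids"]}
    status = {}
    for asset, (product, firmware) in inventory.items():
        rem = plan.get(ids.get(product))
        if rem is None:
            status[asset] = "NOT_LISTED"          # product absent from the advisory
        elif rem["category"] == "no_fix_planned":
            status[asset] = "NO_FIX_PLANNED"      # segment or plan replacement
        else:
            fixed, have = version(rem["details"]), version(firmware)
            status[asset] = ("CHECK_MANUALLY" if None in (fixed, have)
                             else "PATCHED" if have >= fixed else "UPDATE")
    return status
```

Assets reported as PATCHED still need the cipher-suite review from the last action, and NO_FIX_PLANNED assets belong on the segmentation or replacement list.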
Evidence notes
CISA CSAF advisory ICSA-24-193-14 documents weak cipher support on multiple ports. Siemens SSA-750499 provides vendor remediation guidance. The 2025-11-11 revision added fixes for four additional CP100-based product variants.
Official resources
- CVE-2024-38867 CVE record (CVE.org)
- CVE-2024-38867 NVD detail (NVD)
- Source item URL (cisa_csaf)
- Source reference (Reference)
2024-07-09