PatchSiren cyber security CVE debrief
CVE-2024-53649 Siemens CVE debrief
CVE-2024-53649 is a path traversal vulnerability in Siemens SIPROTEC 5 protective relay devices that allows authenticated remote attackers to read arbitrary files from the device filesystem. The vulnerability stems from improper path limitation in the embedded web server. Published on January 14, 2025, this vulnerability affects 43 distinct SIPROTEC 5 product variants across multiple device families including 6MD, 6MU, 7KE, 7SA, 7SD, 7SJ, 7SK, 7SL, 7SS, 7ST, 7SX, 7SY, 7UM, 7UT, 7VE, 7VK, and 7VU series with various CPU modules (CP050, CP100, CP150, CP300). The CVSS 3.1 score of 6.5 (Medium severity) reflects network accessibility, low attack complexity, and required authentication, with high confidentiality impact but no integrity or availability impact. CISA issued advisory ICSA-25-016-04 on the publication date. Siemens has released multiple firmware updates between February and November 2025 to address affected products, with fix versions varying by product line (V8.90, V9.68, or V9.80 depending on the specific device).
- Vendor: Siemens
- Product: SIPROTEC 5 6MD84 (CP300)
- CVSS: MEDIUM 6.5
- CISA KEV: Not listed in stored evidence
- Original CVE published: 2025-01-14
- Original CVE updated: 2025-11-11
- Advisory published: 2025-01-14
- Advisory updated: 2025-11-11
Who should care
Organizations operating Siemens SIPROTEC 5 protective relays in electrical power systems, including electric utilities, industrial facilities with on-site generation, substation operators, and critical infrastructure providers. Security teams responsible for OT/ICS environments, power system protection engineers, and asset owners with SIPROTEC 5 deployments should prioritize assessment and patching. The authenticated nature of this vulnerability means organizations with strong access controls may have reduced immediate risk, but the high confidentiality impact and ease of exploitation once authenticated warrant prompt attention.
Technical summary
CVE-2024-53649 is a path traversal vulnerability (CWE-22) in the embedded web server of Siemens SIPROTEC 5 protective relay devices. The web server fails to properly validate and restrict file system paths, allowing an authenticated attacker to traverse the directory structure and read arbitrary files from the device filesystem. This vulnerability requires network access to the device's web interface and valid credentials. The attack complexity is low with no user interaction required. The confidentiality impact is rated high as sensitive configuration files, credentials, or operational data may be exposed, while integrity and availability impacts are none. The vulnerability affects 43 product variants across the SIPROTEC 5 family with different CPU modules (CP050, CP100, CP150, CP300). Siemens has released firmware updates with varying fix versions: V8.90 for older CP100-based devices, V9.68 for 6MD89 and 7ST85, and V9.80 for most other affected products. A mitigation of disabling the web server is available for all affected devices if patching is not immediately feasible.
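The fix-version rules and the web-server mitigation described above can be applied to an asset inventory. The following Python is an added example, not code from Siemens, CISA or the advisory. The inventory field names, the constructed device rows, and the rule that any model not named falls under V9.80 are assumptions; confirm each variant against SSA-194557.

```python
import re

# Fix versions as stated in the debrief's technical summary.
# Assumption: models not named here fall under "most other affected
# products" (V9.80); confirm each variant against Siemens SSA-194557.
FIX_BY_MODEL = {"6MD89": (9, 68), "7ST85": (9, 68)}
FIX_CP100 = (8, 90)
FIX_DEFAULT = (9, 80)

def parse_version(text):
    """Parse 'V9.68' / 'v09.80' / '9.80.2' into (major, minor)."""
    # Two-digit minor required so '9.8' is never misread as older than 9.68.
    m = re.fullmatch(r"[Vv]?(\d{1,2})\.(\d{2})(?:\.\d+)*", text.strip())
    if not m:
        raise ValueError(f"unrecognised firmware version: {text!r}")
    return int(m.group(1)), int(m.group(2))

def required_fix(model, cpu):
    """Minimum fixed version for a model/CPU pair, per the summary above."""
    if model in FIX_BY_MODEL:
        return FIX_BY_MODEL[model]
    return FIX_CP100 if cpu.upper() == "CP100" else FIX_DEFAULT

def triage(device):
    """Return (status, detail) for one inventory record."""
    need = required_fix(device["model"], device["cpu"])
    target = "V%d.%02d" % need
    try:
        have = parse_version(device["firmware"])
    except ValueError as exc:
        return "REVIEW", str(exc)  # ambiguous version: check by hand
    if have >= need:
        return "OK", f"at or above {target}"
    if device["web_server"]:
        return "EXPOSED", f"update to {target} or disable the web server"
    return "MITIGATED", f"web server off; still update to {target}"

# Constructed inventory rows (not real devices).
INVENTORY = [
    {"name": "relay-a", "model": "6MD89", "cpu": "CP300", "firmware": "V9.64", "web_server": True},
    {"name": "relay-b", "model": "7SJ85", "cpu": "CP300", "firmware": "V09.80", "web_server": True},
    {"name": "relay-c", "model": "7SA82", "cpu": "CP100", "firmware": "V8.83", "web_server": False},
    {"name": "relay-d", "model": "7UT86", "cpu": "CP300", "firmware": "9.8", "web_server": True},
]

if __name__ == "__main__":
    for dev in INVENTORY:
        status, detail = triage(dev)
        print(f"{dev['name']:8} {dev['model']:6} {status:9} {detail}")
```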
Defensive priority
high
Recommended defensive actions
- Apply vendor-supplied firmware updates: update SIPROTEC 5 6MD89 and 7ST85 to V9.68 or later; update SIPROTEC 5 6MD84, 7SA82 (CP150), 7SD82 (CP150), 7SJ81 (CP150), 7SJ82 (CP150), 7SK82 (CP150), 7SL82 (CP150), 7ST86, 7SX82, 7SY82, 7UT82 (CP150), 7SX800 to V9.80 or later; update SIPROTEC 5 6MD85, 6MD86, 6MU85, 7KE85, 7SA86 (CP300), 7SA87 (CP300), 7SD86 (CP300), 7SD87 (CP300), 7SJ85 (CP300), 7SJ86 (CP300), 7SK85 (CP300), 7SL86 (CP300), 7SL87 (CP300), 7SS85 (CP300), 7SX85 (CP300), 7UM85 (CP300), 7UT85 (CP300), 7UT86 (CP300), 7UT87 (CP3
Evidence notes
Vulnerability description and affected products confirmed through CISA CSAF advisory ICSA-25-016-04 and Siemens security advisory SSA-194557. CVSS vector CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N sourced from CISA CSAF document. Remediation timeline shows fixes released across multiple dates: February 11, 2025 (6MD89), March 11, 2025 (7ST85 and mitigation added), and November 11, 2025 (multiple CP100-based devices including 7SA82, 7SD82, 7SJ81, 7SJ82, 7SK82, 7SL82, 7UT82).
Official resources
- CVE-2024-53649 CVE record (CVE.org)
- CVE-2024-53649 NVD detail (NVD)
- Source item URL (cisa_csaf)
2025-01-14