Skip to main content

SIPROTEC 5 EUVDEUVD-2025-210083

| CVE-2025-40808 MEDIUM
Unrestricted Upload of File with Dangerous Type (CWE-434)
2026-06-09 siemens GHSA-37wv-74x7-5f3m
6.9
CVSS 4.0 · NVD
Share

Severity by source

NVD PRIMARY
6.9 MEDIUM
CVSS:4.0/AV:A/AC:L/AT:N/PR:H/UI:N/VC:N/VI:H/VA:H/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X

Primary rating from NVD · only source for this CVE.

CVSS VectorNVD

CVSS:4.0/AV:A/AC:L/AT:N/PR:H/UI:N/VC:N/VI:H/VA:H/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Attack Vector
Adjacent
Attack Complexity
Low
Privileges Required
High
User Interaction
None
Scope
X

Lifecycle Timeline

2
Analysis Generated
Jun 09, 2026 - 10:37 vuln.today
CVSS changed
Jun 09, 2026 - 10:22 NVD
6.1 (MEDIUM) 6.9 (MEDIUM)

DescriptionCVE.org

A vulnerability has been identified in SIPROTEC 5 6MD84 (CP300) (All versions), SIPROTEC 5 6MD85 (CP200) (All versions), SIPROTEC 5 6MD85 (CP300) (All versions), SIPROTEC 5 6MD86 (CP200) (All versions), SIPROTEC 5 6MD86 (CP300) (All versions), SIPROTEC 5 6MD89 (CP300) (All versions), SIPROTEC 5 6MU85 (CP300) (All versions), SIPROTEC 5 7KE85 (CP200) (All versions), SIPROTEC 5 7KE85 (CP300) (All versions), SIPROTEC 5 7SA82 (CP100) (All versions), SIPROTEC 5 7SA82 (CP150) (All versions), SIPROTEC 5 7SA86 (CP200) (All versions), SIPROTEC 5 7SA86 (CP300) (All versions), SIPROTEC 5 7SA87 (CP200) (All versions), SIPROTEC 5 7SA87 (CP300) (All versions), SIPROTEC 5 7SD82 (CP100) (All versions), SIPROTEC 5 7SD82 (CP150) (All versions), SIPROTEC 5 7SD86 (CP200) (All versions), SIPROTEC 5 7SD86 (CP300) (All versions), SIPROTEC 5 7SD87 (CP200) (All versions), SIPROTEC 5 7SD87 (CP300) (All versions), SIPROTEC 5 7SJ81 (CP100) (All versions), SIPROTEC 5 7SJ81 (CP150) (All versions), SIPROTEC 5 7SJ82 (CP100) (All versions), SIPROTEC 5 7SJ82 (CP150) (All versions), SIPROTEC 5 7SJ85 (CP200) (All versions), SIPROTEC 5 7SJ85 (CP300) (All versions), SIPROTEC 5 7SJ86 (CP200) (All versions), SIPROTEC 5 7SJ86 (CP300) (All versions), SIPROTEC 5 7SK82 (CP100) (All versions), SIPROTEC 5 7SK82 (CP150) (All versions), SIPROTEC 5 7SK85 (CP200) (All versions), SIPROTEC 5 7SK85 (CP300) (All versions), SIPROTEC 5 7SL82 (CP100) (All versions), SIPROTEC 5 7SL82 (CP150) (All versions), SIPROTEC 5 7SL86 (CP200) (All versions), SIPROTEC 5 7SL86 (CP300) (All versions), SIPROTEC 5 7SL87 (CP200) (All versions), SIPROTEC 5 7SL87 (CP300) (All versions), SIPROTEC 5 7SS85 (CP200) (All versions), SIPROTEC 5 7SS85 (CP300) (All versions), SIPROTEC 5 7ST85 (CP200) (All versions), SIPROTEC 5 7ST85 (CP300) (All versions), SIPROTEC 5 7ST86 (CP300) (All versions), SIPROTEC 5 7SX82 (CP150) (All versions), SIPROTEC 5 7SX85 (CP300) (All versions), SIPROTEC 5 7SY82 (CP150) (All versions), SIPROTEC 5 7UM85 (CP300) (All versions), SIPROTEC 5 7UT82 (CP100) (All versions), SIPROTEC 5 7UT82 (CP150) (All versions), SIPROTEC 5 7UT85 (CP200) (All versions), SIPROTEC 5 7UT85 (CP300) (All versions), SIPROTEC 5 7UT86 (CP200) (All versions), SIPROTEC 5 7UT86 (CP300) (All versions), SIPROTEC 5 7UT87 (CP200) (All versions), SIPROTEC 5 7UT87 (CP300) (All versions), SIPROTEC 5 7VE85 (CP300) (All versions), SIPROTEC 5 7VK87 (CP200) (All versions), SIPROTEC 5 7VK87 (CP300) (All versions), SIPROTEC 5 7VU85 (CP300) (All versions), SIPROTEC 5 Compact 7SX800 (CP050) (All versions). The affected application allows authenticated users to upload arbitrary files using DIGSI 5 protocol. This could allow an attacker to upload malicious configuration files, that could cause denial of service condition and potentially lead to code execution.

AnalysisAI

Unrestricted file upload via the DIGSI 5 engineering protocol in Siemens SIPROTEC 5 protective relays enables authenticated, high-privileged users on an adjacent network to upload malicious configuration files, causing denial of service or potentially achieving code execution on the affected device. All hardware variants (CP050/CP100/CP150/CP200/CP300) across more than 60 distinct SIPROTEC 5 model lines are affected, with no patched firmware version available. No public exploit identified at time of analysis, but the presence of RCE and DoS tags alongside a confirmed CWE-434 root cause makes this a meaningful operational technology (OT) risk in poorly segmented substation environments.

Technical ContextAI

SIPROTEC 5 devices are Siemens protective relays used in power grid substation automation for functions such as distance protection, differential protection, and bay control. DIGSI 5 is Siemens' proprietary engineering software and communication protocol used to configure, parameterize, and manage SIPROTEC 5 hardware. The vulnerability is rooted in CWE-434 (Unrestricted Upload of File with Dangerous Type): the DIGSI 5 protocol interface on the device fails to validate the type, structure, or content of files uploaded by authenticated clients, allowing an operator-level user to submit arbitrary files - including malformed or weaponized configuration payloads - directly to device storage. CPE strings confirm the scope spans all firmware versions across the entire SIPROTEC 5 product family, from 6MD8x bay controllers to 7SA/7SD/7SJ/7SL/7UT/7VK relay variants on CP100 through CP300 hardware.

RemediationAI

No vendor-released patch has been identified at time of analysis - Siemens lists all versions as affected with no fixed firmware version specified in the advisory. Operators should consult the Siemens ProductCERT advisory SSA-139483 at https://cert-portal.siemens.com/productcert/html/ssa-139483.html for updated remediation guidance and monitor for firmware releases. In the interim, the most actionable compensating controls are: (1) Restrict DIGSI 5 protocol access using firewall rules or network ACLs to permit connections only from authorized engineering workstations - this directly limits the adjacent-network attack vector (AV:A); (2) Enforce role-based access control to limit the number of accounts with high-privilege (PR:H) DIGSI 5 access, as this is the required authentication tier for exploitation; (3) Segment substation networks using IEC 62443-compliant zone and conduit architecture to ensure engineering access paths are isolated from corporate IT and internet-facing systems. Note that restricting DIGSI 5 access will impede routine configuration and parameterization workflows - coordination with operations staff is required before implementing port-level controls.

Share

EUVD-2025-210083 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy