The Broadside · News · Tags: ics-ot, regulator

CISA flags 48 Siemens SIPROTEC 5 relay variants

Authenticated access lowers the internet-noise risk, but it does not help operators whose protection relays still lack clean fixes.


TL;DR

CISA published a Siemens advisory for CVE-2025-40808, an authenticated DIGSI 5 arbitrary file-upload flaw affecting 48 SIPROTEC 5 protection relay models across the CP050, CP100, CP150, CP200 and CP300 series. Defense-industrial-base (DIB) suppliers, municipal operators and utility contractors should move covered devices to V9.90 or later, with 7ST85 and 7ST86 on CP300 requiring V10.00 or later. Siemens says some fixes are still being prepared, which leaves the per-device patch map carrying too much of the risk-management work.

CISA's advisory puts a familiar OT problem in a large package: SIPROTEC 5 devices using the DIGSI 5 protocol allow authenticated users to upload arbitrary files, including malicious configuration files that could cause denial of service and potentially lead to code execution. The CVSS 3.1 score is 6.1, so this is not a headline-grabbing unauthenticated internet worm. It is worse in the places that matter: substations, distribution environments and contractor-operated power systems where an authenticated account, a compromised engineering workstation or a bad supplier path can touch protection equipment.

The affected set is broad. CISA lists 48 Siemens SIPROTEC 5 protection relay models across CP050, CP100, CP150, CP200 and CP300 variants. The main remediation is firmware V9.90 or later, which adds an allow-list feature to restrict arbitrary file uploads. CP300 devices 7ST85 and 7ST86 are called out separately for V10.00 or later. Siemens also recommends password protection for DIGSI connections, customer PKI-signed certificates for DIGSI access, and role-based access control where supported in SIPROTEC 5 firmware V7.80 and higher.

The uncomfortable detail is the uneven endpoint. Siemens says it is preparing fix versions for products where fixes are not available, and the remediation table also includes statuses of "no fix planned" and "none available". That is not a reason to ignore the advisory. It is the reason asset owners need a device-by-device patch decision, not a generic "SIPROTEC 5 handled" ticket closure.

For defense-industrial-base suppliers, municipal operators and utility contractors, the Monday work is inventory first: identify every affected CP-series relay, confirm whether V9.90 or V10.00 applies, and document any device stuck behind the fix timeline with compensating controls. The authenticated-only vector narrows the threat model, but it points straight at access governance around DIGSI engineering paths. In OT, that is usually where the spreadsheet says the control exists and the network diagram starts arguing back.
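The inventory-first triage described above, written out as an added example (this is not Siemens, CISA or the author's tooling). It assumes the operator supplies two inputs from the actual advisory: the set of affected model designations and each model's status in the remediation table. Only the 7ST85/7ST86-on-CP300 rule and the V9.90, V10.00 and V7.80 thresholds come from the page; every model name beginning `EXAMPLE_`, the asset IDs and the firmware values in the sample inventory are constructed placeholders.

```python
"""Device-by-device patch triage for the SIPROTEC 5 / CVE-2025-40808 advisory.

Added example, not Siemens or CISA tooling. The operator fills in AFFECTED and
FIX_STATUS from the real advisory; the inventory below is constructed sample
data and EXAMPLE_* model names are placeholders, not real relays.
"""
import re
from dataclasses import dataclass

# Siemens writes firmware versions as V<major>.<two-digit minor>: V9.90, V10.00.
VERSION_RE = re.compile(r"^V(\d+)\.(\d{2})$")

# Remediation thresholds stated in the advisory summary above.
DEFAULT_FIX = (9, 90)      # V9.90 adds the upload allow-list
CP300_7ST_FIX = (10, 0)    # 7ST85 / 7ST86 on CP300 need V10.00
RBAC_MIN = (7, 80)         # role-based access control available from V7.80


@dataclass(frozen=True)
class Relay:
    asset_id: str
    model: str
    cp_series: str
    firmware: str


@dataclass(frozen=True)
class Decision:
    asset_id: str
    action: str   # COMPLIANT | UPDATE | AWAIT_FIX | NO_FIX_PLANNED | OUT_OF_SCOPE | VERIFY
    target: str   # firmware to reach, or "" when no target applies
    note: str


def parse_version(text: str):
    """'V9.90' -> (9, 90); None when the string is not in the expected form."""
    m = VERSION_RE.match(text.strip())
    return (int(m.group(1)), int(m.group(2))) if m else None


def fmt_version(v) -> str:
    return f"V{v[0]}.{v[1]:02d}"


def target_version(model: str, cp_series: str):
    """Fixed firmware per the advisory; the CP300 7ST85/7ST86 pair is the one exception."""
    if cp_series == "CP300" and model in {"7ST85", "7ST86"}:
        return CP300_7ST_FIX
    return DEFAULT_FIX


def triage(relay: Relay, affected_models, fix_status) -> Decision:
    """Decide what the advisory means for one relay. Bad inventory data fails closed (VERIFY)."""
    if relay.model not in affected_models:
        return Decision(relay.asset_id, "OUT_OF_SCOPE", "",
                        "model not on advisory list; re-check designation against CISA table")
    current = parse_version(relay.firmware)
    if current is None:
        return Decision(relay.asset_id, "VERIFY", "",
                        f"firmware {relay.firmware!r} unparseable; confirm on the device")
    status = fix_status.get(relay.model, "unknown")
    if status != "available":
        # No clean fix yet: record the compensating controls Siemens recommends.
        # RBAC is only an option on V7.80 and higher, so say so for older firmware.
        rbac = "RBAC available" if current >= RBAC_MIN else "RBAC unavailable below V7.80"
        action = "NO_FIX_PLANNED" if status == "no_fix_planned" else "AWAIT_FIX"
        return Decision(relay.asset_id, action, "",
                        f"fix status {status}; DIGSI password protection, PKI-signed certificates, {rbac}")
    target = target_version(relay.model, relay.cp_series)
    if current >= target:
        return Decision(relay.asset_id, "COMPLIANT", fmt_version(target), "at or above fixed version")
    return Decision(relay.asset_id, "UPDATE", fmt_version(target),
                    f"running {fmt_version(current)}, needs {fmt_version(target)} or later")


def triage_inventory(relays, affected_models, fix_status):
    return [triage(r, affected_models, fix_status) for r in relays]


# --- constructed sample data: placeholder operator inputs and inventory ----------------
AFFECTED = {"7ST85", "7ST86", "EXAMPLE_A", "EXAMPLE_B", "EXAMPLE_C"}
FIX_STATUS = {"7ST85": "available", "7ST86": "available", "EXAMPLE_A": "available",
              "EXAMPLE_B": "in_preparation", "EXAMPLE_C": "no_fix_planned"}
INVENTORY = [
    Relay("SUB1-R01", "7ST85", "CP300", "V9.90"),       # V9.90 is NOT enough on this pair
    Relay("SUB1-R02", "7ST86", "CP300", "V10.00"),
    Relay("SUB2-R01", "EXAMPLE_A", "CP150", "V9.80"),
    Relay("SUB2-R02", "EXAMPLE_B", "CP100", "V7.50"),   # stuck behind the fix timeline
    Relay("SUB3-R01", "EXAMPLE_C", "CP050", "V8.00"),
    Relay("SUB3-R02", "7ST85", "CP300", "9.9"),         # malformed inventory entry
    Relay("SUB3-R03", "EXAMPLE_D", "CP200", "V9.95"),   # not on the affected list
]

if __name__ == "__main__":
    for d in triage_inventory(INVENTORY, AFFECTED, FIX_STATUS):
        print(f"{d.asset_id:9} {d.action:15} {d.target:7} {d.note}")
```

The point of the version tuple comparison is the first sample row: a 7ST85 on CP300 already at V9.90 still comes back as UPDATE to V10.00, which is exactly the case a generic "V9.90 everywhere" ticket would close wrongly. Relays with a malformed version string or a model not on the operator's list are never marked compliant; they surface as VERIFY or OUT_OF_SCOPE for a human to resolve.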


Published ·Deep Fathom