{
	"id": "f2afa87a-dcf1-4064-a2bf-3a6e554750c1",
	"created_at": "2026-04-06T00:17:29.893401Z",
	"updated_at": "2026-04-10T03:20:21.941199Z",
	"deleted_at": null,
	"sha1_hash": "166e8c0e664db2398e81d9095933c4b60ebb1cb0",
	"title": "Siemens SIPROTEC Denial-of-Service Vulnerability | CISA",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 48262,
	"plain_text": "Siemens SIPROTEC Denial-of-Service Vulnerability | CISA\r\nPublished: 2018-08-27 · Archived: 2026-04-05 17:00:23 UTC\r\nOVERVIEW\r\nSiemens has identified a denial-of-service vulnerability in the SIPROTEC 4 and SIPROTEC Compact devices.\r\nThis vulnerability was reported directly to Siemens by Victor Nikitin from i‑Grids LLC Russia. Siemens has\r\nproduced a new firmware update to mitigate this vulnerability.\r\nThis vulnerability could be exploited remotely.\r\nAFFECTED PRODUCTS\r\nSiemens reports that the vulnerability affects the following versions:\r\nSIPROTEC 4 and SIPROTEC Compact product families\r\nAll devices that include the EN100 Ethernet module version V4.24 or prior.\r\nIMPACT\r\nAn attacker could remotely cause a denial of service by exploiting this vulnerability.\r\nImpact to individual organizations depends on many factors that are unique to each organization. NCCIC/ICS-CERT recommends that organizations evaluate the impact of this vulnerability based on their operational\r\nenvironment, architecture, and product implementation.\r\nBACKGROUND\r\nSiemens is a multinational company headquartered in Munich, Germany.\r\nThe affected products, SIPROTEC 4 and SIPROTEC Compact devices, provide a wide range of integrated\r\nprotection, control, measurement, and automation functions for electrical substations and other fields of\r\napplication. The EN100 module is used for enabling IEC 61850 communications with electrical/optical 100 Mbit\r\ninterface for SIPROTEC 4 and SIPROTEC Compact devices. According to Siemens, SIPROTEC devices are\r\ndeployed across several sectors including Energy. Siemens estimates that these products are used worldwide.\r\nVULNERABILITY CHARACTERIZATION\r\nVULNERABILITY OVERVIEW\r\nDENIAL OF SERVICECWE-400: Uncontrolled Resource Consumption ('Resource Exhaustion'),\r\nhttp://cwe.mitre.org/data/definitions/400.html, web site last accessed July 21, 2015.\r\nhttps://ics-cert.us-cert.gov/advisories/ICSA-15-202-01\r\nPage 1 of 3\n\nSpecially crafted packets sent to Port 50000/UDP could cause a denial of service of the affected device. A manual\r\nreboot is required to return the device to service.\r\nCVE-2015-5374NVD, http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2015-5374, NIST uses this advisory\r\nto create the CVE web site report. This web site will be active sometime after publication of this advisory. has\r\nbeen assigned to this vulnerability. A CVSS v2 base score of 7.8 has been assigned; the CVSS vector string is\r\n(AV:N/AC:L/Au:N/C:N/I:N/A:C).CVSS Calculator, http://nvd.nist.gov/cvss.cfm?\r\nversion=2\u0026vector=AV:N/AC:L/Au:N/C:N/I:N/A:C, web site last accessed July 21, 2015.\r\nVULNERABILITY DETAILS\r\nEXPLOITABILITY\r\nThis vulnerability could be exploited remotely.\r\nEXISTENCE OF EXPLOIT\r\nNo known public exploits specifically target this vulnerability.\r\nDIFFICULTY\r\nAn attacker with a low skill would be able to exploit this vulnerability.\r\nMITIGATION\r\nSiemens has provided firmware update V4.25 for the EN100 module to fix the vulnerability.\r\nThe firmware update for SIPROTEC 4 can be obtained here:\r\nhttp://www.siemens.com/downloads/siprotec-4\r\nThe firmware update for SIPROTEC Compact can be obtained here:\r\nhttp://www.siemens.com/downloads/siprotec-compact\r\nFor more information on this vulnerability and more detailed mitigation instructions, please see Siemens Security\r\nAdvisory SSA-732541 at the following location:\r\nhttp://www.siemens.com/cert/advisories\r\nICS-CERT recommends that users take defensive measures to minimize the risk of exploitation of these\r\nvulnerabilities. Specifically, users should:\r\nConfigure firewall rules to appropriately restrict traffic to affected devices on Port 50000/UDP.\r\nMonitor traffic to affected devices on Port 50000/UDP with an intrusion detection system (IDS).\r\nMinimize network exposure for all control system devices and/or systems, and ensure that they are not\r\naccessible from the Internet.\r\nhttps://ics-cert.us-cert.gov/advisories/ICSA-15-202-01\r\nPage 2 of 3\n\nLocate control system networks and remote devices behind firewalls, and isolate them from the business\r\nnetwork.\r\nWhen remote access is required, use secure methods, such as Virtual Private Networks (VPNs),\r\nrecognizing that VPNs may have vulnerabilities and should be updated to the most current version\r\navailable. Also recognize that VPN is only as secure as the connected devices.\r\nICS-CERT reminds organizations to perform proper impact analysis and risk assessment prior to deploying\r\ndefensive measures.\r\nICS-CERT also provides a section for control systems security recommended practices on the ICS-CERT web\r\npage at: http://ics-cert.us-cert.gov/content/recommended-practices. Several recommended practices are available\r\nfor reading and download, including Improving Industrial Control Systems Cybersecurity with Defense-in-Depth\r\nStrategies.\r\nAdditional mitigation guidance and recommended practices are publicly available in the ICS‑CERT Technical\r\nInformation Paper, ICS-TIP-12-146-01B--Targeted Cyber Intrusion Detection and Mitigation Strategies, that is\r\navailable for download from the ICS-CERT web site (http://ics-cert.us-cert.gov/).\r\nOrganizations observing any suspected malicious activity should follow their established internal procedures and\r\nreport their findings to ICS-CERT for tracking and correlation against other incidents.\r\nSource: https://ics-cert.us-cert.gov/advisories/ICSA-15-202-01\r\nhttps://ics-cert.us-cert.gov/advisories/ICSA-15-202-01\r\nPage 3 of 3",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"MITRE"
	],
	"references": [
		"https://ics-cert.us-cert.gov/advisories/ICSA-15-202-01"
	],
	"report_names": [
		"ICSA-15-202-01"
	],
	"threat_actors": [],
	"ts_created_at": 1775434649,
	"ts_updated_at": 1775791221,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/166e8c0e664db2398e81d9095933c4b60ebb1cb0.pdf",
		"text": "https://archive.orkl.eu/166e8c0e664db2398e81d9095933c4b60ebb1cb0.txt",
		"img": "https://archive.orkl.eu/166e8c0e664db2398e81d9095933c4b60ebb1cb0.jpg"
	}
}