Full Report
Energy Services from Siemens (previously known as Managed Applications and Services) sells solutions built on Elspec G5 devices that allow a person with physical access to the device to reset the Admin password by inserting a USB drive (containing a publicly documented reset string) into a USB port.
Analysis Summary
# Vulnerability: Authentication Bypass in Siemens Energy Services (Elspec G5)
## CVE Details
- **CVE ID:** CVE-2025-59392
- **CVSS Score:**
  - CVSS v4.0: 7.0 (High)
  - CVSS v3.1: 6.8 (Medium)
- **CWE:** CWE-288: Authentication Bypass Using an Alternate Path or Channel
## Affected Systems
- **Products:** Energy Services (formerly Managed Applications and Services) utilizing Elspec G5DFR devices.
- **Versions:** All versions of Elspec G5 devices through v1.2.2.19.
- **Configurations:** Systems where physical USB ports are accessible to unauthorized individuals.
## Vulnerability Description
The Elspec G5 device ships with a publicly documented administrative password-recovery mechanism that requires no existing credentials. An attacker with physical access to the hardware can bypass the normal login path by inserting a USB drive that carries a specific, publicly documented reset string. This alternate channel resets the "Admin" account password, after which the attacker holds full control over the device configuration and its recorded data. Because the reset is performed through the USB port rather than the login interface, it is not gated by the password policy, lockout, or any other control applied to interactive authentication.
## Exploitation
- **Status:** No exploit code is required; the reset string is publicly documented, so a prepared USB drive is the entire proof of concept.
- **Complexity:** Low
- **Attack Vector:** Physical
## Impact
- **Confidentiality:** High (Full access to device data and configuration).
- **Integrity:** High (Ability to modify system settings and security parameters).
- **Availability:** High (Ability to lock out legitimate admins or disrupt service).
## Remediation
### Patches
- Update Elspec G5DFR firmware to **V1.2.3.13** or a later version.
### Workarounds
- **Physical Security:** Restrict physical access to the device to authorized personnel only (e.g., locked cabinets or secure rooms).
- **Port Security:** Where the firmware permits it, disable USB ports that are not needed for operation; otherwise fit tamper-evident port locks to every accessible USB port, since any accessible port can be used for the reset, not only ports that are nominally unused.
- **Grid Resilience:** Ensure multi-level redundant secondary protection schemes are in place as per TSO/DSO regulations to minimize impact on grid reliability.
## Detection
- **Indicators of Compromise:** An Admin password that no longer matches the credential held by the operations team, an unexplained change of the Admin password timestamp, or configuration changes that no authorized change record accounts for.
- **Detection Methods:** Correlate physical access logs (if the facility is badged) with the time of any Admin credential or configuration change, and periodically audit administrative account activity and compare the device configuration against a known-good baseline. Do not rely on failed-login events as an early warning: the reset bypasses the login path, so a successful attack can leave no failed-authentication trail before the credential changes.
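The two checks above that lend themselves to automation are the firmware-version triage from the Affected Systems and Patches sections (is a given G5DFR version inside the advisory's affected range, fixed, or in the gap between the two bounds the advisory names?) and the configuration-baseline audit from the Detection section. The following is an added example written for this page, not Siemens or Elspec tooling. It assumes that the device configuration can be exported as `key=value` lines and that the key names shown (`admin.password_hash`, `admin.last_password_change`, and so on) exist; both the export format and the key names are illustrative assumptions, and the sample exports are constructed rather than captured from a real device.

```python
"""Added example (not Siemens/Elspec tooling): triage helpers for CVE-2025-59392.

Two checks a fleet-audit script would carry:
  1. classify a reported G5DFR firmware version against the advisory's
     affected/fixed boundaries;
  2. compare an exported device configuration against a known-good
     baseline and flag security-relevant drift.

The export format (key=value lines) and the key names are assumptions made
for illustration; the real device's export format is not described here.
"""
import re

LAST_AFFECTED = (1, 2, 2, 19)   # advisory: "all versions through v1.2.2.19"
FIRST_FIXED = (1, 2, 3, 13)     # advisory: "update to V1.2.3.13 or later"

_VERSION_RE = re.compile(r"^[vV]?(\d+(?:\.\d+)*)$")


def parse_version(text: str) -> tuple:
    """Turn 'v1.2.2.19' / 'V1.2.3.13' into a comparable int tuple."""
    m = _VERSION_RE.match(text.strip())
    if not m:
        raise ValueError(f"unrecognised version string: {text!r}")
    parts = tuple(int(p) for p in m.group(1).split("."))
    # Pad short strings (e.g. '1.2.3') so tuple comparison stays component-wise.
    return parts + (0,) * (4 - len(parts))


def classify_firmware(version: str) -> str:
    """'affected', 'fixed', or 'unverified' for versions between the two bounds,
    which the advisory does not explicitly cover."""
    v = parse_version(version)
    if v <= LAST_AFFECTED:
        return "affected"
    if v >= FIRST_FIXED:
        return "fixed"
    return "unverified"


# Keys whose change is the signature of a successful Admin reset or of the
# follow-on configuration tampering. Names are illustrative assumptions.
SECURITY_KEYS = {"admin.password_hash", "admin.last_password_change", "users.admin.enabled"}


def parse_config(text: str) -> dict:
    """Parse a 'key=value' per line export; '#' lines are comments (assumed format)."""
    cfg = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        key, _, value = line.partition("=")
        cfg[key.strip()] = value.strip()
    return cfg


def config_drift(baseline: dict, current: dict) -> dict:
    """Return {key: (old, new)} for every differing key; a missing key shows as None."""
    drift = {}
    for key in baseline.keys() | current.keys():
        old, new = baseline.get(key), current.get(key)
        if old != new:
            drift[key] = (old, new)
    return drift


def audit(baseline_text: str, current_text: str) -> list:
    """Human-readable findings, security-relevant keys first, then alphabetical."""
    drift = config_drift(parse_config(baseline_text), parse_config(current_text))
    ordered = sorted(drift.items(), key=lambda kv: (kv[0] not in SECURITY_KEYS, kv[0]))
    return [
        f"[{'HIGH' if key in SECURITY_KEYS else 'INFO'}] {key}: {old!r} -> {new!r}"
        for key, (old, new) in ordered
    ]


# Constructed sample exports (not real device output).
BASELINE = """# golden config, taken after commissioning
firmware.version=v1.2.2.19
admin.password_hash=sha256:3b1c...aa
admin.last_password_change=2024-03-01T09:12:00Z
users.admin.enabled=true
recording.trigger_threshold=0.85
"""
CURRENT = """firmware.version=v1.2.2.19
admin.password_hash=sha256:9f0e...17
admin.last_password_change=2025-10-02T03:41:00Z
users.admin.enabled=true
recording.trigger_threshold=0.60
"""

if __name__ == "__main__":
    print("firmware:", classify_firmware("v1.2.2.19"), "/", classify_firmware("V1.2.3.13"))
    for finding in audit(BASELINE, CURRENT):
        print(finding)
```

The version check deliberately reports versions between v1.2.2.19 and V1.2.3.13 as `unverified` rather than assuming either way, because the advisory names only the last affected and the first fixed build. The drift report puts credential-related keys first so that a changed `admin.password_hash` with no matching change ticket stands out from routine threshold tuning; in practice the baseline should be taken immediately after commissioning and stored off the device.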
## References
- **Vendor Advisory:** hxxps[://]cert-portal[.]siemens[.]com/productcert/pdf/ssa-734261[.]pdf
- **Release Notes:** hxxps[://]www[.]elspec-ltd[.]com/support/release-notes/g5dfr-release-notes/
- **Siemens ProductCERT:** hxxps[://]www[.]siemens[.]com/cert/advisories