Full Report
Affected SIPROTEC 5 devices do not properly limit the bandwidth for incoming network packets over their local USB port. This could allow an attacker with physical access to send specially crafted packets with high bandwidth to the affected devices, forcing them to exhaust their memory and stop responding to any network traffic via the local USB port. Affected devices reset themselves automatically after a successful attack, and the protection function is not affected by this vulnerability. Siemens has released new versions for the affected products and recommends updating to the latest versions.
Analysis Summary
# Vulnerability: Improper Bandwidth Limitation Over Local USB Port in SIPROTEC 5
## CVE Details
- **CVE ID:** CVE-2025-40570
- **CVSS Score:** 2.4 (Low)
- **CWE:** CWE-770: Allocation of Resources Without Limits or Throttling
## Affected Systems
- **Products:**
  - SIPROTEC 5 - CP150 Devices (including 7SA82, 7SD82, 7SL82, 7VK87, 7SA87, 7SD87, 7SL87, 7SA86, 7SD86, 7SL86, 7SJ82, 7SK82, 7SJ85, 7SK85, 7SJ81, 7UT82, 7UT85, 7UT86, 7UT87, 7UM85, 7KE85, 6MD85, 6MD86)
  - SIPROTEC 5 - CP300 Devices (7VU85)
  - SIPROTEC 5 Compact - CP050 Devices (7SX800)
- **Versions:** All versions < V10.0
- **Configurations:** Devices with an accessible local USB port.
## Vulnerability Description
Affected devices fail to properly throttle or limit the bandwidth of incoming network packets received via the local USB port. A technical flaw in resource management allows the processing of specially crafted, high-bandwidth traffic to consume all available device memory. This results in a Denial of Service (DoS) state specifically affecting network communication over the USB interface.
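The following simulation illustrates the resource-management class behind this finding (CWE-770) in general terms. It is an added example written for this summary, not SIPROTEC 5 firmware or any Siemens code: a receive path that queues every incoming packet regardless of arrival rate is compared with one that enforces a token-bucket bandwidth limit and a hard cap on queued bytes. The packet sizes, rates and limits are constructed values chosen to make the contrast visible, not figures from the advisory.

```python
"""Unbounded vs. throttled packet ingestion (constructed simulation, not device firmware)."""
from collections import deque
from dataclasses import dataclass


@dataclass
class Packet:
    size: int   # payload bytes
    t: float    # arrival time in seconds (simulated clock)


class UnboundedReceiver:
    """Queues every packet it is handed: memory use grows with the burst size.

    This models the CWE-770 pattern: allocation without any limit or throttle."""

    def __init__(self):
        self.queue = deque()

    def receive(self, pkt):
        self.queue.append(pkt)
        return True

    def queued_bytes(self):
        return sum(p.size for p in self.queue)


class ThrottledReceiver:
    """Token-bucket bandwidth limit plus a hard cap on bytes held in the queue.

    Packets that exceed the sustained rate, the burst allowance, or the queue
    cap are dropped at the edge instead of being buffered in memory."""

    def __init__(self, rate_bps, burst_bytes, max_queue_bytes):
        self.rate = rate_bps            # sustained bytes per second
        self.capacity = burst_bytes     # bucket size (maximum burst)
        self.tokens = burst_bytes       # bucket starts full
        self.last = 0.0
        self.max_queue = max_queue_bytes
        self.queue = deque()
        self.queued = 0
        self.dropped = 0

    def _refill(self, now):
        elapsed = max(0.0, now - self.last)
        self.tokens = min(self.capacity, self.tokens + elapsed * self.rate)
        self.last = now

    def receive(self, pkt):
        self._refill(pkt.t)
        if pkt.size > self.tokens or self.queued + pkt.size > self.max_queue:
            self.dropped += 1
            return False
        self.tokens -= pkt.size
        self.queue.append(pkt)
        self.queued += pkt.size
        return True

    def queued_bytes(self):
        return self.queued


def flood(count, size, interval):
    """Constructed burst: `count` packets of `size` bytes, one every `interval` seconds."""
    return [Packet(size, i * interval) for i in range(count)]


def run(receiver, packets):
    """Feed the packets in and report (accepted_count, bytes_held_in_memory)."""
    accepted = sum(1 for p in packets if receiver.receive(p))
    return accepted, receiver.queued_bytes()


if __name__ == "__main__":
    # 10,000 x 1500-byte packets every 10 us: roughly 150 MB/s offered load.
    burst = flood(10_000, 1500, 1e-5)
    print("unbounded:", run(UnboundedReceiver(), burst))
    # 1 MB/s sustained, 64 KiB burst, at most 256 KiB held in the queue.
    print("throttled:", run(ThrottledReceiver(1_000_000, 65_536, 262_144), burst))
```

With no consumer draining the queue, the unbounded receiver holds the whole 15 MB burst in memory, which is the exhaustion path the advisory describes; the throttled receiver admits only what the rate and queue cap allow and discards the rest before any allocation happens. In a real device the limits would be sized to the interface's legitimate traffic profile.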
## Exploitation
- **Status:** Not exploited (No known PoC available at time of report).
- **Complexity:** Low
- **Attack Vector:** Physical (Requires direct physical access to the device's USB port).
## Impact
- **Confidentiality:** None
- **Integrity:** None
- **Availability:** Low (Affected devices stop responding to USB network traffic and reset automatically; however, the primary **protection functions are not affected**).
## Remediation
### Patches
Siemens recommends updating all affected firmware to **V10.0 or later**.
- **CP150 Devices:** Update to V10.0 [https[:]//support.industry.siemens.com/cs/ww/en/view/109757433/]
- **CP300 Devices:** Update to V10.0 [https[:]//support.industry.siemens.com/cs/ww/en/view/109800399/]
- **CP050 Devices:** Update to V10.0 [https[:]//support.industry.siemens.com/cs/ww/en/view/109796884/]
### Workarounds
- **Physical Security:** Strictly limit and monitor physical access to the devices to prevent unauthorized USB connections.
- **Redundancy:** Ensure multi-level redundant secondary protection schemes are in place as per grid design regulations to minimize impact on grid reliability.
## Detection
- **Indicators of Compromise:** Unexplained device resets and temporary loss of communication via the local USB service interface.
- **Detection methods and tools:** Physical inspection for unauthorized hardware connected to USB ports; monitoring device system logs for "Out of Memory" errors or watchdog resets following physical maintenance activities.
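A small log-correlation routine, as an added example for the detection approach described above (not a Siemens tool, and the log line format and device names below are constructed for the example rather than taken from SIPROTEC 5 output): it parses device log lines, records when the USB service interface came up per device, and raises a high-priority finding when an out-of-memory error or watchdog reset follows within a short window, and a medium-priority "unexplained reset" finding otherwise. The window length and message patterns are assumptions to be adapted to the real log format.

```python
"""Correlate device resets / OOM errors with recent USB service-interface activity.

Constructed example for the detection method above; the log format, device
identifiers and message texts are made up and must be adapted to real output."""
import re
from datetime import datetime, timedelta

# Assumed line format (constructed): "<ISO8601Z> dev=<id> sev=<level> msg=\"<text>\""
LINE_RE = re.compile(r'^(\S+) dev=(\S+) sev=(\w+)\s+msg="([^"]*)"$')
USB_EVENT = re.compile(r"USB service interface", re.IGNORECASE)
OOM_EVENT = re.compile(r"out of memory", re.IGNORECASE)
RESET_EVENT = re.compile(r"watchdog reset", re.IGNORECASE)
WINDOW = timedelta(minutes=10)  # assumed correlation window

# Constructed sample log: one device shows the USB -> OOM -> reset sequence,
# the other shows a reset with no USB activity beforehand.
SAMPLE_LOG = """
2025-03-04T09:00:12Z dev=RELAY-A sev=INFO  msg="USB service interface: link up"
2025-03-04T09:00:40Z dev=RELAY-A sev=ERROR msg="Out of memory in usb-net receive path"
2025-03-04T09:00:41Z dev=RELAY-A sev=WARN  msg="Watchdog reset"
2025-03-04T11:30:00Z dev=RELAY-B sev=INFO  msg="Protection function active"
2025-03-05T02:15:03Z dev=RELAY-B sev=WARN  msg="Watchdog reset"
"""


def parse_log(text):
    """Turn raw lines into event dicts; lines that do not match the format are skipped."""
    events = []
    for line in text.strip().splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue
        ts, dev, sev, msg = m.groups()
        events.append({
            "ts": datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ"),
            "dev": dev, "sev": sev, "msg": msg,
        })
    return events


def find_findings(events):
    """Return (device, kind, priority, detail) tuples for OOM and reset events.

    kind is "oom" or "reset"; priority is "high" when the event occurred within
    WINDOW of a USB service-interface event on the same device, else "medium"."""
    last_usb = {}
    findings = []
    for e in sorted(events, key=lambda ev: ev["ts"]):
        if USB_EVENT.search(e["msg"]):
            last_usb[e["dev"]] = e["ts"]
            continue
        if OOM_EVENT.search(e["msg"]):
            kind = "oom"
        elif RESET_EVENT.search(e["msg"]):
            kind = "reset"
        else:
            continue
        usb_ts = last_usb.get(e["dev"])
        if usb_ts is not None and e["ts"] - usb_ts <= WINDOW:
            delta = int((e["ts"] - usb_ts).total_seconds())
            findings.append((e["dev"], kind, "high",
                             f"{kind} {delta}s after USB service interface activity"))
        else:
            findings.append((e["dev"], kind, "medium",
                             f"{kind} with no recent USB service interface activity"))
    return findings


def analyse(text=SAMPLE_LOG):
    return find_findings(parse_log(text))


if __name__ == "__main__":
    for dev, kind, prio, detail in analyse():
        print(f"[{prio.upper():6}] {dev}: {detail}")
```

Run against the constructed sample this yields two high-priority findings for RELAY-A (the OOM error and the reset, both seconds after the USB link came up) and one medium-priority unexplained reset for RELAY-B. The high-priority findings are the ones worth pairing with a physical inspection of the USB port and a check of the maintenance schedule.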
## References
- **Vendor Advisory:** [https[:]//cert-portal.siemens.com/productcert/pdf/ssa-894058.pdf]
- **Siemens Grid Security Guidelines:** [https[:]//www.siemens.com/gridsecurity]
- **Siemens ProductCERT:** [https[:]//www.siemens.com/cert/advisories]