Full Report
A sensitive data exposure vulnerability in SIPROTEC 5 can allow an attacker to retrieve session data from browser history, access logs, or other places where URLs are stored, potentially leading to unauthorized access to the device's web interface. Siemens is preparing fix versions and recommends countermeasures for products for which fixes are not yet available.
Analysis Summary
# Vulnerability: Sensitive Data Exposure in Siemens SIPROTEC 5
## CVE Details
- **CVE ID:** CVE-2025-40742
- **CVSS Score:**
  - CVSS v4.0: 6.0 (Medium)
  - CVSS v3.1: 5.3 (Medium)
- **CWE:** CWE-598: Use of GET Request Method With Sensitive Query Strings
## Affected Systems
- **Products:** SIPROTEC 5 High-Voltage Protection, Automation, and Monitoring Devices.
- **Versions:** All versions of the following CP100, CP150, and CP300 series hardware:
  - **CP100 Devices:** 7SA82, 7SD82, 7SJ81, 7SJ82, 7SK82, 7SL82, 7UT82.
  - **CP150 Devices:** 7SA82, 7SD82, 7SJ81, 7SJ82, 7SK82, 7SL82, 7SX82, 7SY82, 7UT82.
  - **CP300 Devices:** 6MD84, 6MD85, and related derivatives.
- **Configurations:** Devices on which the web-based management interface is used; the exposure is in that interface, not in the protection functions themselves.
## Vulnerability Description
Affected SIPROTEC 5 devices transmit sensitive session identifiers in the query string of HTTP GET requests (CWE-598). URLs, unlike request bodies or cookies, are routinely recorded: they land in browser history, in web server and proxy access logs, and in the Referer header of any subsequent request to another origin. An attacker who can read any of those sources (browser history on a shared workstation, proxy or server logs, or other local storage) can recover a session token and replay it. Because the token is the only thing that ties a request to an authenticated session, this allows session hijacking and unauthorized access to the device's management interface for as long as the session remains valid.
## Exploitation
- **Status:** Not known to be exploited in the wild; no public PoC currently available.
- **Complexity:** High (the attacker must first obtain a valid token from logs, browser history, or a victim's browser environment, and must use it before the session expires).
- **Attack Vector:** Network (the token is replayed over the network, but obtaining it depends on user interaction or on access to a secondary data source such as a log store).
## Impact
- **Confidentiality:** High (Session tokens and potentially sensitive administrative access).
- **Integrity:** None (directly; the flaw itself does not alter data, although a hijacked administrative session could be used to do so).
- **Availability:** None.
## Remediation
### Patches
- **No fixes are currently available.** Siemens is preparing firmware updates to address this vulnerability across the affected SIPROTEC 5 product line; until they ship, the workarounds below are the only mitigation.
### Workarounds
- **Session Management:** Always log out of the web interface and close the browser immediately after use.
- **Browser Hygiene:** Regularly clear browser history and cache after accessing device management pages.
- **Network Segmentation:** Protect network access with firewalls and VPNs; ensure devices are not accessible from untrusted networks.
- **Operational Guidelines:** Adhere to Siemens’ grid security guidelines available at hxxps://www.siemens[.]com/gridsecurity.
## Detection
- **Indicators of Compromise:** Administrative activity on the web interface from an unexpected client IP address that reuses a session identifier originally issued to a different client, in particular during or shortly after a legitimate session on the same device.
- **Detection Methods and Tools:** Search web server, reverse-proxy, and forward-proxy access logs for session identifiers appearing in GET request URLs and in Referer headers; alert when the same identifier is used from more than one client address. The same search identifies which log stores now hold live tokens and should be purged or access-restricted.
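The two detection points above (session identifiers visible in GET URLs and Referer headers, and the same identifier being replayed from a second client address), worked as an added example. This is not Siemens code and is not part of the advisory: it is a stand-alone Python scanner over constructed access-log lines in the common Apache/nginx "combined" format. The query-parameter names it treats as session identifiers (`sessionid`, `sid`, `session`, `token`, `jsessionid`), the host name, paths, client addresses and token values are all assumptions for illustration; the advisory does not name the real parameter.

```python
import re
from collections import defaultdict
from urllib.parse import urlsplit, parse_qs

# Constructed sample access log (Apache/nginx "combined" format). Host name,
# paths, client IPs, parameter name and token value are invented for this
# example. Line 4 shows the token being replayed from a second client;
# line 3 shows it leaking back to the device in a Referer header.
SAMPLE_LOG = """\
10.1.5.23 - - [12/Aug/2025:09:14:02 +0000] "GET /login HTTP/1.1" 200 812 "-" "Mozilla/5.0"
10.1.5.23 - - [12/Aug/2025:09:14:05 +0000] "GET /device/status?sessionid=3f9a1c7e2b4d HTTP/1.1" 200 4410 "-" "Mozilla/5.0"
10.1.5.23 - - [12/Aug/2025:09:15:40 +0000] "GET /device/settings?page=2&sessionid=3f9a1c7e2b4d HTTP/1.1" 200 2210 "http://relay-a.example/device/status?sessionid=3f9a1c7e2b4d" "Mozilla/5.0"
10.1.9.77 - - [12/Aug/2025:11:02:13 +0000] "GET /device/settings?sessionid=3f9a1c7e2b4d HTTP/1.1" 200 2210 "-" "curl/8.4.0"
10.1.5.23 - - [12/Aug/2025:11:05:00 +0000] "POST /device/settings HTTP/1.1" 302 0 "-" "Mozilla/5.0"
"""

# One "combined" log line: client, ident, user, [timestamp], "request", status, size, "referer", "user-agent".
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>[A-Z]+) (?P<target>\S+) [^"]*" '
    r'(?P<status>\d{3}) \S+ "(?P<referer>[^"]*)" "(?P<ua>[^"]*)"$'
)

# Assumed parameter names under which a session identifier might travel.
# The real SIPROTEC 5 parameter name is not given in the advisory; adjust
# this tuple once you have seen a real request.
SESSION_PARAMS = ("sessionid", "sid", "session", "token", "jsessionid")


def session_ids_in_query(target):
    """Return session-like values carried in the query string of a request target or full URL."""
    query = parse_qs(urlsplit(target).query)
    found = []
    for name, values in query.items():
        if name.lower() in SESSION_PARAMS:
            found.extend(values)
    return found


def scan_log(text):
    """Scan combined-format log text.

    Returns (exposures, referer_leaks, reuse):
      exposures     - GET requests whose URL carried a session identifier
      referer_leaks - requests whose Referer header carried one (the token
                      was sent to this server by the browser as context)
      reuse         - {token: sorted client IPs} for tokens seen from more
                      than one client address (possible hijack)
    """
    exposures = []
    referer_leaks = []
    clients = defaultdict(set)
    for line in text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue  # not a combined-format line; skip rather than guess
        rec = m.groupdict()
        if rec["method"] == "GET":
            for token in session_ids_in_query(rec["target"]):
                exposures.append({"ip": rec["ip"], "ts": rec["ts"],
                                  "target": rec["target"], "token": token})
                clients[token].add(rec["ip"])
        if rec["referer"] != "-":
            for token in session_ids_in_query(rec["referer"]):
                referer_leaks.append({"ip": rec["ip"], "ts": rec["ts"],
                                      "referer": rec["referer"], "token": token})
    reuse = {t: sorted(ips) for t, ips in clients.items() if len(ips) > 1}
    return exposures, referer_leaks, reuse


if __name__ == "__main__":
    exposures, referer_leaks, reuse = scan_log(SAMPLE_LOG)
    print(f"{len(exposures)} GET request(s) carried a session identifier in the URL")
    for e in exposures:
        print(f"  {e['ts']} {e['ip']} {e['target']}")
    print(f"{len(referer_leaks)} Referer header(s) carried a session identifier")
    for token, ips in reuse.items():
        print(f"token {token} used from {len(ips)} clients: {', '.join(ips)}  <-- investigate")
```

Run it against an exported device or proxy log instead of `SAMPLE_LOG` to get the same three results; the reuse map is the actionable alert, while the exposure list tells you which log stores now contain live tokens.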
## References
- **Vendor Advisory:** hxxps://cert-portal.siemens[.]com/productcert/html/ssa-904646.html
- **Siemens ProductCERT:** hxxps://www.siemens[.]com/cert/advisories