CVE-2024-38867

5.9 MEDIUM

📋 TL;DR

This vulnerability affects Siemens SIPROTEC 5 protection devices and communication modules, allowing man-in-the-middle attackers to decrypt sensitive data transmitted over TLS connections. The issue stems from support for weak ciphers on web (443/tcp), DIGSI 5 (4443/tcp), and syslog TLS ports. Organizations using affected devices in critical infrastructure environments are at risk.

💻 Affected Systems

Products:
  • SIPROTEC 5 6MD84
  • SIPROTEC 5 6MD85
  • SIPROTEC 5 6MD86
  • SIPROTEC 5 6MD89
  • SIPROTEC 5 6MU85
  • SIPROTEC 5 7KE85
  • SIPROTEC 5 7SA82
  • SIPROTEC 5 7SA84
  • SIPROTEC 5 7SA86
  • SIPROTEC 5 7SA87
  • SIPROTEC 5 7SD82
  • SIPROTEC 5 7SD84
  • SIPROTEC 5 7SD86
  • SIPROTEC 5 7SD87
  • SIPROTEC 5 7SJ81
  • SIPROTEC 5 7SJ82
  • SIPROTEC 5 7SJ85
  • SIPROTEC 5 7SJ86
  • SIPROTEC 5 7SK82
  • SIPROTEC 5 7SK85
  • SIPROTEC 5 7SL82
  • SIPROTEC 5 7SL86
  • SIPROTEC 5 7SL87
  • SIPROTEC 5 7SS85
  • SIPROTEC 5 7ST85
  • SIPROTEC 5 7ST86
  • SIPROTEC 5 7SX82
  • SIPROTEC 5 7SX85
  • SIPROTEC 5 7UM85
  • SIPROTEC 5 7UT82
  • SIPROTEC 5 7UT85
  • SIPROTEC 5 7UT86
  • SIPROTEC 5 7UT87
  • SIPROTEC 5 7VE85
  • SIPROTEC 5 7VK87
  • SIPROTEC 5 7VU85
  • SIPROTEC 5 Communication Module ETH-BA-2EL
  • SIPROTEC 5 Communication Module ETH-BB-2FO
  • SIPROTEC 5 Communication Module ETH-BD-2FO
  • SIPROTEC 5 Compact 7SX800
Versions: Varies by product - generally versions below V9.64 for CP300 devices, V9.65 for CP150 devices, V8.90 for CP100 devices, and all versions for CP200 devices
Operating Systems: Embedded/RTOS
Default Config Vulnerable: ⚠️ Yes
Notes: Affects multiple device types with different CPU platforms (CP050, CP100, CP150, CP200, CP300). Communication modules are vulnerable when installed on affected devices.

⚠️ Manual Verification Required

This CVE does not have specific version information in our database, so automatic vulnerability detection cannot determine if your system is affected.

Why? The CVE database entry doesn't specify which versions are vulnerable (no version ranges provided by the vendor/NVD).


Recommended Actions:
  1. Review the CVE details at NVD
  2. Check vendor security advisories for your specific version
  3. Test if the vulnerability is exploitable in your environment
  4. Consider updating to the latest version as a precaution

⚠️ Risk & Real-World Impact

🔴 Worst Case

Complete compromise of protection device communications, allowing attackers to intercept and manipulate grid control commands, potentially causing physical damage to electrical infrastructure.

🟠 Likely Case

Unauthorized access to sensitive operational data, configuration details, and potential manipulation of device settings through intercepted communications.

🟢 If Mitigated

Limited impact if strong network segmentation and monitoring are in place, though data confidentiality remains compromised.

🌐 Internet-Facing: HIGH
🏢 Internal Only: MEDIUM

🎯 Exploit Status

Public PoC: ✅ No
Weaponized: UNKNOWN
Unauthenticated Exploit: ⚠️ Yes
Complexity: MEDIUM

Requires man-in-the-middle position and ability to force weak cipher negotiation. No authentication required for initial connection.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: V9.64 for CP300 devices, V9.65 for CP150 devices, V8.90 for CP100 devices, V9.62 for communication modules

Vendor Advisory: https://cert-portal.siemens.com/productcert/html/ssa-750499.html

Restart Required: Yes

Instructions:

  1. Download firmware updates from Siemens Industry Online Support.
  2. Follow device-specific update procedures using DIGSI 5 engineering software.
  3. Apply updates during maintenance windows, as devices may reboot.
  4. Verify successful update through device diagnostics.

🔧 Temporary Workarounds

Network Segmentation and Access Control (applies to: all)

Restrict access to affected ports (443, 4443, syslog TLS) using firewall rules and network segmentation.

Disable Weak Cipher Suites (applies to: all)

Configure devices to use only strong TLS ciphers if supported by current firmware.

🧯 If You Can't Patch

  • Implement strict network segmentation to isolate affected devices from untrusted networks
  • Deploy network monitoring and intrusion detection systems to detect man-in-the-middle attacks

🔍 How to Verify

Check if Vulnerable:

Check the device firmware version via DIGSI 5 or the device web interface and compare it against the patched versions listed in the vendor advisory.

Check Version:

Use DIGSI 5 software: Connect to device → Device → Device Information → Firmware Version

Verify Fix Applied:

Verify that the firmware version is at or above the patched version, then test TLS connections with a tool such as OpenSSL to confirm that the weak ciphers are rejected.
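The following script is an added example (not from the advisory or from Siemens) of the post-patch check described above: it drives the system `openssl s_client` binary once per weak cipher family and reports whether the device completed a handshake. The host, the ports, the timeout and the cipher-list strings are assumptions for illustration.

```python
"""Probe a SIPROTEC 5 TLS port to confirm weak cipher families are rejected.

Added example, not from the advisory or from Siemens: it drives the system
`openssl s_client` binary and classifies its output. Host, ports, timeout and
the cipher-list strings are assumptions for illustration."""
import subprocess
import sys

# OpenSSL cipher-list strings for the weak families named in the advisory.
# Offering only weak suites means any completed handshake is a finding.
WEAK_CIPHER_GROUPS = {"RC4": "RC4", "DES": "DES:3DES", "EXPORT": "EXPORT"}


def classify_handshake(stdout: str, stderr: str) -> str:
    """Map raw s_client output to ACCEPTED, REJECTED or UNTESTABLE.

    UNTESTABLE: the local OpenSSL build has no suite in that group (modern
    builds drop RC4/EXPORT), so the device was never actually asked.
    Error strings are those of current OpenSSL releases (assumption)."""
    if "no cipher match" in stderr or "Error with command" in stderr:
        return "UNTESTABLE"
    for line in stdout.splitlines():
        # s_client prints "New, TLSv1.2, Cipher is RC4-SHA" on success and
        # "New, (NONE), Cipher is (NONE)" when the handshake failed.
        if line.startswith("New,") and "Cipher is" in line:
            negotiated = line.split("Cipher is", 1)[1].strip()
            return "REJECTED" if negotiated == "(NONE)" else "ACCEPTED"
    return "REJECTED"


def probe_port(host: str, port: int, timeout: int = 15) -> dict:
    """Run one restricted handshake per weak group against host:port.

    TLS 1.3 is disabled so the server cannot sidestep the -cipher list with a
    TLS 1.3 suite and make a strong handshake look like an acceptance."""
    results = {}
    for name, cipher_list in WEAK_CIPHER_GROUPS.items():
        proc = subprocess.run(
            ["openssl", "s_client", "-connect", f"{host}:{port}",
             "-cipher", cipher_list, "-no_tls1_3"],
            input=b"", capture_output=True, timeout=timeout, check=False)
        results[name] = classify_handshake(
            proc.stdout.decode(errors="replace"), proc.stderr.decode(errors="replace"))
    return results


if __name__ == "__main__":
    device = sys.argv[1] if len(sys.argv) > 1 else "192.0.2.10"  # placeholder address
    for dev_port in (443, 4443):  # web and DIGSI 5 ports from the advisory
        print(dev_port, probe_port(device, dev_port))
```

A fully patched device should report REJECTED for every group; UNTESTABLE means the check must be rerun from a host whose OpenSSL still ships that cipher family.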

📡 Detection & Monitoring

Log Indicators:

  • Unusual TLS handshake failures
  • Multiple connection attempts with different cipher suites
  • Unexpected source IP addresses connecting to device management ports

Network Indicators:

  • TLS connections using weak ciphers (RC4, DES, EXPORT ciphers)
  • Unusual traffic patterns on ports 443/tcp, 4443/tcp, or syslog TLS port

SIEM Query:

source_port IN (443, 4443) AND tls_cipher_suite IN (weak_cipher_list) AND dest_ip IN (affected_devices)
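The SIEM query above as a runnable detection, written here as an added example rather than the page's own tooling: it matches sessions on the device-side port (the destination port, since the device is the server), a weak cipher family, and an affected-device list, and additionally flags a source that negotiates several different suites with one device, the "multiple connection attempts with different cipher suites" indicator. The log format, addresses, the 6514 syslog-over-TLS port and all records are constructed.

```python
"""Flag TLS sessions to SIPROTEC 5 management ports that negotiated a weak
cipher, and sources that cycle through several suites (cipher-downgrade
probing). Added example, not from the advisory; the log format, addresses
and records below are constructed."""
import re
from collections import defaultdict

# Devices under watch (constructed) and device-side ports from the advisory;
# 6514 is the standard syslog-over-TLS port, assumed since the page names none.
AFFECTED_DEVICES = {"10.10.5.21", "10.10.5.22"}
WATCHED_PORTS = {443, 4443, 6514}
WEAK_TOKENS = {"RC4", "DES", "3DES", "EXP", "EXPORT"}

SAMPLE_LOG = """\
ts=1 src=10.10.9.7 src_port=51022 dst=10.10.5.21 dst_port=443 cipher=TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256
ts=2 src=10.10.9.7 src_port=51023 dst=10.10.5.21 dst_port=443 cipher=TLS_RSA_WITH_RC4_128_SHA
ts=3 src=10.10.9.7 src_port=51024 dst=10.10.5.21 dst_port=4443 cipher=TLS_RSA_WITH_3DES_EDE_CBC_SHA
ts=4 src=10.10.9.7 src_port=51025 dst=10.10.5.21 dst_port=4443 cipher=TLS_RSA_EXPORT_WITH_RC4_40_MD5
ts=5 src=10.10.3.3 src_port=40001 dst=10.10.5.22 dst_port=6514 cipher=TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384
ts=6 src=10.10.3.3 src_port=40002 dst=10.10.7.9 dst_port=443 cipher=TLS_RSA_WITH_RC4_128_SHA
"""


def is_weak_cipher(cipher: str) -> bool:
    """True if any IANA- or OpenSSL-style cipher-name token names a weak family."""
    return bool(set(re.split(r"[-_]", cipher.upper())) & WEAK_TOKENS)


def parse_line(line: str) -> dict:
    return dict(field.split("=", 1) for field in line.split())


def analyze(log_text: str, cycling_threshold: int = 3) -> dict:
    """Apply the advisory's SIEM logic: weak cipher AND watched port AND
    affected device, plus a per-(src, dst) count of distinct suites."""
    weak_hits, suites_seen = [], defaultdict(set)
    for line in log_text.splitlines():
        r = parse_line(line)
        if r["dst"] not in AFFECTED_DEVICES or int(r["dst_port"]) not in WATCHED_PORTS:
            continue  # record 6 in the sample: weak, but not a device we track
        suites_seen[(r["src"], r["dst"])].add(r["cipher"])
        if is_weak_cipher(r["cipher"]):
            weak_hits.append((r["ts"], r["src"], r["dst"], int(r["dst_port"]), r["cipher"]))
    cycling = {k: sorted(v) for k, v in suites_seen.items() if len(v) >= cycling_threshold}
    return {"weak_cipher_sessions": weak_hits, "cipher_cycling_sources": cycling}


if __name__ == "__main__":
    print(analyze(SAMPLE_LOG))
```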
