CVE-2024-53648

6.8 MEDIUM

📋 TL;DR

This vulnerability affects multiple Siemens SIPROTEC 5 protection relay devices. It allows unauthenticated attackers with physical access to execute arbitrary commands via an exposed development shell interface. The vulnerability impacts numerous device models across various hardware platforms (CP050, CP100, CP150, CP200, CP300).

💻 Affected Systems

Products:
  • SIPROTEC 5 6MD84
  • SIPROTEC 5 6MD85
  • SIPROTEC 5 6MD86
  • SIPROTEC 5 6MD89
  • SIPROTEC 5 6MU85
  • SIPROTEC 5 7KE85
  • SIPROTEC 5 7SA82
  • SIPROTEC 5 7SA86
  • SIPROTEC 5 7SA87
  • SIPROTEC 5 7SD82
  • SIPROTEC 5 7SD86
  • SIPROTEC 5 7SD87
  • SIPROTEC 5 7SJ81
  • SIPROTEC 5 7SJ82
  • SIPROTEC 5 7SJ85
  • SIPROTEC 5 7SJ86
  • SIPROTEC 5 7SK82
  • SIPROTEC 5 7SK85
  • SIPROTEC 5 7SL82
  • SIPROTEC 5 7SL86
  • SIPROTEC 5 7SL87
  • SIPROTEC 5 7SS85
  • SIPROTEC 5 7ST85
  • SIPROTEC 5 7ST86
  • SIPROTEC 5 7SX82
  • SIPROTEC 5 7SX85
  • SIPROTEC 5 7SY82
  • SIPROTEC 5 7UM85
  • SIPROTEC 5 7UT82
  • SIPROTEC 5 7UT85
  • SIPROTEC 5 7UT86
  • SIPROTEC 5 7UT87
  • SIPROTEC 5 7VE85
  • SIPROTEC 5 7VK87
  • SIPROTEC 5 7VU85
  • SIPROTEC 5 Compact 7SX800
Versions: Varies by product - generally versions below V9.90, V10.0, or V8.90 depending on specific model and hardware platform
Operating Systems: Embedded device firmware
Default Config Vulnerable: ⚠️ Yes
Notes: Affects specific hardware platforms (CP050, CP100, CP150, CP200, CP300) with version dependencies. Some CP200 models are affected in all versions.

⚠️ Manual Verification Required

This CVE does not have specific version information in our database, so automatic vulnerability detection cannot determine if your system is affected.

Why? The CVE database entry doesn't specify which versions are vulnerable (no version ranges provided by the vendor/NVD).


Recommended Actions:
  1. Review the CVE details at NVD
  2. Check vendor security advisories for your specific version
  3. Test if the vulnerability is exploitable in your environment
  4. Consider updating to the latest version as a precaution

⚠️ Risk & Real-World Impact

🔴 Worst Case

An attacker with physical access could gain complete control of the device, potentially disrupting critical power grid operations, modifying protection settings, or using the device as a pivot point into the operational technology network.

🟠 Likely Case

Physical access exploitation leading to device compromise, configuration changes, or denial of service affecting power system protection functions.

🟢 If Mitigated

With proper physical security controls, the risk is significantly reduced as exploitation requires direct physical access to device interfaces.

🌐 Internet-Facing: LOW - Exploitation requires physical access to device interfaces, not network connectivity.
🏢 Internal Only: MEDIUM - While requiring physical access, these devices are often deployed in substations where physical security may be less stringent than data centers.

🎯 Exploit Status

Public PoC: ✅ No
Weaponized: UNKNOWN
Unauthenticated Exploit: ⚠️ Yes
Complexity: LOW

Exploitation requires physical access to device interfaces but no authentication. The development shell appears to be accessible via physical ports on affected devices.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: V9.90, V10.0, or V8.90 depending on specific product and hardware platform

Vendor Advisory: https://cert-portal.siemens.com/productcert/html/ssa-687955.html

Restart Required: Yes

Instructions:

  1. Identify affected SIPROTEC 5 devices and their current firmware versions.
  2. Download the appropriate firmware updates from Siemens Industry Online Support.
  3. Follow Siemens update procedures for protection relays.
  4. Apply firmware updates to affected devices.
  5. Verify successful update and device functionality.

🔧 Temporary Workarounds

Physical Security Controls (scope: all)

Implement strict physical access controls to prevent unauthorized access to device interfaces.

Physical Port Disablement (scope: all)

Physically secure or disable unused physical interfaces on affected devices.

🧯 If You Can't Patch

  • Implement enhanced physical security measures including access controls, surveillance, and tamper-evident seals
  • Isolate affected devices in secure enclosures with restricted physical access

🔍 How to Verify

Check if Vulnerable:

Check device model and firmware version via DIGSI 5 engineering tool or device display. Compare against affected versions listed in Siemens advisory SSA-687955.

Check Version:

Use the DIGSI 5 engineering software to read device information, or check the device display for the firmware version.

Verify Fix Applied:

Verify firmware version has been updated to V9.90, V10.0, or V8.90 (as applicable) using DIGSI 5 or device display.

📡 Detection & Monitoring

Log Indicators:

  • Unexpected physical access to device locations
  • Unauthorized configuration changes
  • Device restart events

Network Indicators:

  • Unusual network traffic from affected devices
  • Configuration change alerts

SIEM Query:

Search for: device_model:SIPROTEC* AND (event_type:configuration_change OR event_type:device_restart), restricted to events originating from unauthorized sources.
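The search above can be applied to exported relay event logs before a SIEM is in place. The following Python script is an added example, not part of this advisory page or any Siemens tooling: it runs the same filter (device model matching SIPROTEC*, event type configuration_change or device_restart) over a few constructed key=value records and keeps only the hits whose source is not an authorized engineering host. The field names, the key=value layout, the sample records and the allow-list of engineering hosts are assumptions made for the example, not a DIGSI 5 or SIPROTEC log format.

```python
"""Added example (not from the original advisory page): applies the page's
SIEM search logic to a few constructed SIPROTEC 5 event records.

Query on the page:
    device_model:SIPROTEC* AND (event_type:configuration_change OR event_type:device_restart)
restricted to events from unauthorized sources.

Assumptions: the key=value log layout, the field names, the sample records and
the allow-list of engineering hosts are invented for this example.
"""
from fnmatch import fnmatchcase
from typing import Dict, List

# Constructed sample records (one event per line). Not real device output.
SAMPLE_LOGS = """\
ts=2024-12-01T10:02:11Z device_model=SIPROTEC_5_7SJ85 event_type=configuration_change source=10.10.5.20 user=eng1
ts=2024-12-01T10:05:43Z device_model=SIPROTEC_5_7SJ85 event_type=device_restart source=local_console user=-
ts=2024-12-01T10:06:02Z device_model=SIPROTEC_5_7SA87 event_type=configuration_change source=192.168.77.9 user=-
ts=2024-12-01T10:09:15Z device_model=SCALANCE_X208 event_type=device_restart source=10.10.5.20 user=eng1
ts=2024-12-01T10:11:30Z device_model=SIPROTEC_5_7UT86 event_type=measurement source=10.10.5.20 user=eng1
"""

# Assumed allow-list: hosts from which DIGSI 5 engineering changes are expected.
AUTHORIZED_SOURCES = {"10.10.5.20"}

# Event types named in the page's SIEM query.
INTERESTING_EVENTS = {"configuration_change", "device_restart"}


def parse_line(line: str) -> Dict[str, str]:
    """Parse one key=value record into a dict; tokens without '=' are skipped."""
    fields: Dict[str, str] = {}
    for token in line.split():
        key, sep, value = token.partition("=")
        if sep:
            fields[key] = value
    return fields


def matches_query(rec: Dict[str, str]) -> bool:
    """device_model:SIPROTEC* AND (event_type:configuration_change OR event_type:device_restart)."""
    return (fnmatchcase(rec.get("device_model", ""), "SIPROTEC*")
            and rec.get("event_type") in INTERESTING_EVENTS)


def find_suspicious(log_text: str, authorized=AUTHORIZED_SOURCES) -> List[Dict[str, str]]:
    """Return query hits whose source is not an authorized engineering host.

    Events from the local console (the physical-access path this CVE concerns)
    carry no network source, so they can never be on the allow-list and are
    always surfaced for review.
    """
    hits = []
    for line in log_text.splitlines():
        rec = parse_line(line)
        if not rec or not matches_query(rec):
            continue
        if rec.get("source") not in authorized:
            hits.append(rec)
    return hits


if __name__ == "__main__":
    for rec in find_suspicious(SAMPLE_LOGS):
        print(f"{rec['ts']} {rec['device_model']} {rec['event_type']} from {rec['source']}")
```

On the constructed records this surfaces two events: the console-initiated restart of the 7SJ85 and the configuration change on the 7SA87 from a host that is not on the allow-list; the authorized engineering change, the non-SIPROTEC device and the measurement event are dropped. Tune the allow-list to the engineering workstations actually used with DIGSI 5 at each site.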
