CVE-2024-53649 – This vulnerability in Siemens SIPROTEC 5 protec... (How to Fix)

Q: What is the severity of CVE-2024-53649?

CVE-2024-53649 has a CVSS score of 6.5 (MEDIUM). This vulnerability in Siemens SIPROTEC 5 protection devices allows authenticated remote attackers to read arbitrary files from the filesystem via improper path limitation in the webserver. It affects numerous SIPROTEC 5 models running specific firmware versions. This could expose sensitive configuration data and system information.

📋 TL;DR

This vulnerability in Siemens SIPROTEC 5 protection devices allows authenticated remote attackers to read arbitrary files from the filesystem via improper path limitation in the webserver. It affects numerous SIPROTEC 5 models running specific firmware versions. This could expose sensitive configuration data and system information.

💻 Affected Systems

Products:

SIPROTEC 5 6MD84 (CP300)
SIPROTEC 5 6MD85 (CP300)
SIPROTEC 5 6MD86 (CP300)
SIPROTEC 5 6MD89 (CP300)
SIPROTEC 5 6MU85 (CP300)
SIPROTEC 5 7KE85 (CP300)
SIPROTEC 5 7SA82 (CP100)
SIPROTEC 5 7SA82 (CP150)
SIPROTEC 5 7SA86 (CP300)
SIPROTEC 5 7SA87 (CP300)
SIPROTEC 5 7SD82 (CP100)
SIPROTEC 5 7SD82 (CP150)
SIPROTEC 5 7SD86 (CP300)
SIPROTEC 5 7SD87 (CP300)
SIPROTEC 5 7SJ81 (CP100)
SIPROTEC 5 7SJ81 (CP150)
SIPROTEC 5 7SJ82 (CP100)
SIPROTEC 5 7SJ82 (CP150)
SIPROTEC 5 7SJ85 (CP300)
SIPROTEC 5 7SJ86 (CP300)
SIPROTEC 5 7SK82 (CP100)
SIPROTEC 5 7SK82 (CP150)
SIPROTEC 5 7SK85 (CP300)
SIPROTEC 5 7SL82 (CP100)
SIPROTEC 5 7SL82 (CP150)
SIPROTEC 5 7SL86 (CP300)
SIPROTEC 5 7SL87 (CP300)
SIPROTEC 5 7SS85 (CP300)
SIPROTEC 5 7ST85 (CP300)
SIPROTEC 5 7ST86 (CP300)
SIPROTEC 5 7SX82 (CP150)
SIPROTEC 5 7SX85 (CP300)
SIPROTEC 5 7SY82 (CP150)
SIPROTEC 5 7UM85 (CP300)
SIPROTEC 5 7UT82 (CP100)
SIPROTEC 5 7UT82 (CP150)
SIPROTEC 5 7UT85 (CP300)
SIPROTEC 5 7UT86 (CP300)
SIPROTEC 5 7UT87 (CP300)
SIPROTEC 5 7VE85 (CP300)
SIPROTEC 5 7VK87 (CP300)
SIPROTEC 5 7VU85 (CP300)
SIPROTEC 5 Compact 7SX800 (CP050)

Versions: V7.80 to V9.80 (varies by model, see description for specifics)

Operating Systems: Embedded/Proprietary

Default Config Vulnerable: ⚠️ Yes

Notes: Affects devices with web server enabled. Authentication is required for exploitation.

⚠️ Manual Verification Required

This CVE does not have specific version information in our database, so automatic vulnerability detection cannot determine if your system is affected.

Why? The CVE database entry doesn't specify which versions are vulnerable (no version ranges provided by the vendor/NVD).

🔒 Custom verification scripts are available for registered users. Sign up free to download automated test scripts.

Recommended Actions:

Review the CVE details at NVD
Check vendor security advisories for your specific version
Test if the vulnerability is exploitable in your environment
Consider updating to the latest version as a precaution

⚠️ Risk & Real-World Impact

🔴

Worst Case

An authenticated attacker could read sensitive system files, configuration data, credentials, or proprietary information, potentially enabling further attacks or operational disruption.

🟠

Likely Case

Attackers with valid credentials could access configuration files, logs, or other sensitive data that could be used for reconnaissance or to facilitate other attacks.

🟢

If Mitigated

With proper network segmentation and access controls, the impact is limited to authorized users who might misuse their legitimate access.

🌐 Internet-Facing: HIGH

🏢 Internal Only: MEDIUM

🎯 Exploit Status

Public PoC: ✅ No

Weaponized: UNKNOWN

Unauthenticated Exploit: ✅ No

Complexity: LOW

Requires authenticated access to the web interface. The vulnerability is a directory traversal/file inclusion issue.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: V9.80 for most models, V9.68 for 6MD89 and 7ST85, V8.90 for CP100 models

Vendor Advisory: https://cert-portal.siemens.com/productcert/html/ssa-194557.html

Restart Required: Yes

Instructions:

1. Check device model and current firmware version. 2. Download appropriate firmware update from Siemens support portal. 3. Follow Siemens firmware update procedures for SIPROTEC 5 devices. 4. Verify successful update and restart device.

🔧 Temporary Workarounds

Disable Web Server

all

Disable the web server interface if not required for operations.

Configuration via DIGSI 5 software: Disable web server in device settings

Restrict Network Access

all

Implement network segmentation and firewall rules to limit access to the web interface.

Firewall rules to allow only trusted IPs to port 80/443

🧯 If You Can't Patch

Implement strict access controls and network segmentation to limit who can access the web interface.
Monitor for unusual file access patterns or authentication attempts to the web interface.

🔍 How to Verify

Check if Vulnerable:

Check device firmware version via DIGSI 5 software or web interface and compare with affected versions list.

Check Version:

Via DIGSI 5 software or web interface: Check device information/firmware version

Verify Fix Applied:

Verify firmware version is updated to patched version (V9.80 or higher for most models).

📡 Detection & Monitoring

Log Indicators:

Unusual file access patterns in web server logs
Multiple failed authentication attempts followed by successful access

Network Indicators:

HTTP requests with directory traversal patterns (e.g., ../ sequences) to the device web interface

SIEM Query:

source="webserver_logs" AND (uri="*../*" OR uri="*..\\*" OR status=200 AND uri MATCHES "*\.(cfg|ini|txt|log)")

📊 Metadata

CVE ID: CVE-2024-53649

CVSS v3 Score: 6.5 (MEDIUM)

CVSS Vector: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N

CWE: CWE-552

EPSS Score: 0.11% exploit probability (29.9th percentile)

Published: January 14, 2025

Last Updated: November 11, 2025

🔗 References

https://cert-portal.siemens.com/productcert/html/ssa-194557.html

📤 Share & Export

📄 Export Markdown 📋 Export JSON

🔗 Related Vulnerabilities

If you're affected by CVE-2024-53649, you might also want to check these: