CVE-2024-54015 – This vulnerability allows an unauthenticated re... (How to Fix)

Q: How do I fix CVE-2024-54015?

1. Identify the specific SIPROTEC 5 model and current firmware version. 2. Download the patched firmware version from Siemens support portal. 3. Follow Siemens' official update procedures for the device, typically via engineering software like DIGSI 5. 4. Verify the update was successful by checking the firmware version.

Q: What is the severity of CVE-2024-54015?

CVE-2024-54015 has a CVSS score of 7.5 (HIGH). This vulnerability allows an unauthenticated remote attacker to retrieve sensitive information from affected SIPROTEC 5 devices using SNMPv2 GET requests with default credentials, due to improper validation. It impacts various SIPROTEC 5 models and communication modules running specific vulnerable versions, primarily in industrial control systems.

📋 TL;DR

This vulnerability allows an unauthenticated remote attacker to retrieve sensitive information from affected SIPROTEC 5 devices using SNMPv2 GET requests with default credentials, due to improper validation. It impacts various SIPROTEC 5 models and communication modules running specific vulnerable versions, primarily in industrial control systems.

💻 Affected Systems

Products:

SIPROTEC 5 6MD84 (CP300)
SIPROTEC 5 6MD85 (CP300)
SIPROTEC 5 6MD86 (CP300)
SIPROTEC 5 6MD89 (CP300)
SIPROTEC 5 6MU85 (CP300)
SIPROTEC 5 7KE85 (CP300)
SIPROTEC 5 7SA82 (CP150)
SIPROTEC 5 7SA86 (CP300)
SIPROTEC 5 7SA87 (CP300)
SIPROTEC 5 7SD82 (CP150)
SIPROTEC 5 7SD86 (CP300)
SIPROTEC 5 7SD87 (CP300)
SIPROTEC 5 7SJ81 (CP150)
SIPROTEC 5 7SJ82 (CP150)
SIPROTEC 5 7SJ85 (CP300)
SIPROTEC 5 7SJ86 (CP300)
SIPROTEC 5 7SK82 (CP150)
SIPROTEC 5 7SK85 (CP300)
SIPROTEC 5 7SL82 (CP150)
SIPROTEC 5 7SL86 (CP300)
SIPROTEC 5 7SL87 (CP300)
SIPROTEC 5 7SS85 (CP300)
SIPROTEC 5 7ST85 (CP300)
SIPROTEC 5 7ST86 (CP300)
SIPROTEC 5 7SX82 (CP150)
SIPROTEC 5 7SX85 (CP300)
SIPROTEC 5 7SY82 (CP150)
SIPROTEC 5 7UM85 (CP300)
SIPROTEC 5 7UT82 (CP150)
SIPROTEC 5 7UT85 (CP300)
SIPROTEC 5 7UT86 (CP300)
SIPROTEC 5 7UT87 (CP300)
SIPROTEC 5 7VE85 (CP300)
SIPROTEC 5 7VK87 (CP300)
SIPROTEC 5 7VU85 (CP300)
SIPROTEC 5 Communication Module ETH-BA-2EL (Rev.2)
SIPROTEC 5 Communication Module ETH-BB-2FO (Rev. 2)
SIPROTEC 5 Communication Module ETH-BD-2FO
SIPROTEC 5 Compact 7SX800 (CP050)

Versions: Varies by product; generally versions < V9.90, with some exceptions like >= V8.80 < V9.90, < V9.68, or < V10.0 as specified in the description.

Operating Systems: Not applicable; these are embedded devices with proprietary firmware.

Default Config Vulnerable: ⚠️ Yes

Notes: Devices are vulnerable when SNMP is enabled with default credentials, which is common in default configurations. Specific version ranges differ per model; refer to the CVE description for exact details.

⚠️ Manual Verification Required

This CVE does not have specific version information in our database, so automatic vulnerability detection cannot determine if your system is affected.

Why? The CVE database entry doesn't specify which versions are vulnerable (no version ranges provided by the vendor/NVD).

🔒 Custom verification scripts are available for registered users. Sign up free to download automated test scripts.

Recommended Actions:

Review the CVE details at NVD
Check vendor security advisories for your specific version
Test if the vulnerability is exploitable in your environment
Consider updating to the latest version as a precaution

⚠️ Risk & Real-World Impact

🔴

Worst Case

An attacker could exfiltrate sensitive configuration data, potentially leading to operational disruption, unauthorized access to critical infrastructure, or further attacks on the network.

🟠

Likely Case

Information disclosure of device settings or network details, which could be used for reconnaissance or to facilitate other attacks.

🟢

If Mitigated

Limited impact if SNMP is disabled, default credentials are changed, or network access is restricted, though residual risk may exist from misconfigurations.

🌐 Internet-Facing: HIGH, as unauthenticated remote exploitation is possible if devices are exposed to the internet with default SNMP settings.

🏢 Internal Only: MEDIUM, as internal attackers or compromised systems could exploit it, but network segmentation and access controls can reduce likelihood.

🎯 Exploit Status

Public PoC: ✅ No

Weaponized: UNKNOWN

Unauthenticated Exploit: ⚠️ Yes

Complexity: LOW

Exploitation is straightforward using standard SNMP tools if default credentials are present and SNMP is accessible, but requires network access to the device.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: Update to versions V9.90 or higher for most models, or specific versions like V9.68, V9.83, or V10.0 as applicable per product.

Vendor Advisory: https://cert-portal.siemens.com/productcert/html/ssa-767615.html

Restart Required: No

Instructions:

1. Identify the specific SIPROTEC 5 model and current firmware version. 2. Download the patched firmware version from Siemens support portal. 3. Follow Siemens' official update procedures for the device, typically via engineering software like DIGSI 5. 4. Verify the update was successful by checking the firmware version.

🔧 Temporary Workarounds

Disable SNMP or restrict access

all

If SNMP is not required, disable it on the device. If needed, restrict SNMP access to trusted IPs and change default credentials.

Configure via device management interface: set SNMP to disabled or adjust access control lists.

Change default SNMP credentials

all

Modify the default community strings to strong, unique values to prevent unauthorized access.

Use device configuration tool to update SNMP community strings from defaults.

🧯 If You Can't Patch

Implement network segmentation to isolate affected devices from untrusted networks.
Monitor SNMP traffic for unauthorized access attempts and review logs regularly.

🔍 How to Verify

Check if Vulnerable:

Check the device firmware version via the device interface or management software and compare against patched versions listed in the advisory. Also verify if SNMP is enabled with default credentials.

Check Version:

Use DIGSI 5 or device web interface to view firmware version; no universal command as it varies by model.

Verify Fix Applied:

After updating, confirm the firmware version is at or above the patched version. Test SNMP access with default credentials to ensure it is blocked or requires authentication.

📡 Detection & Monitoring

Log Indicators:

Unusual SNMP GET requests from unauthorized IPs, especially with default community strings.
Failed authentication attempts or access logs showing SNMP queries.

Network Indicators:

SNMP traffic (UDP port 161) from unexpected sources or to vulnerable devices.
Patterns of repeated SNMP queries indicative of scanning.

SIEM Query:

Example: 'source_ip: * AND destination_port: 161 AND protocol: UDP' filtered for known vulnerable devices.

📊 Metadata

CVE ID: CVE-2024-54015

CVSS v3 Score: 7.5 (HIGH)

CVSS Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N

CWE: CWE-1392

EPSS Score: 0.15% exploit probability (35.5th percentile)

Published: February 11, 2025

Last Updated: August 12, 2025

🔗 References

https://cert-portal.siemens.com/productcert/html/ssa-767615.html

📤 Share & Export

📄 Export Markdown 📋 Export JSON

🔗 Related Vulnerabilities

If you're affected by CVE-2024-54015, you might also want to check these: