Siemens has confirmed a widespread denial-of-service (DoS) vulnerability affecting multiple models in the SIPROTEC 4 and SIPROTEC 4 Compact line that can be triggered remotely by an unauthenticated attacker during interrupted file-transfer operations; the issue is tracked as CVE-2024-52504 and carries a CVSS v4 base score of 8.7, while vendor and government notices make clear that many impacted SKUs have no fix planned and several require firmware updates (V4.78 or later) where available.

Background

SIPROTEC relays and compact protection devices are widely deployed in electric substations and industrial power systems to provide protection, control, measurement, and automation functions. Because these devices sit at the operational heart of power distribution and critical manufacturing, vulnerabilities that allow service disruption carry consequences beyond IT downtime—affecting grid reliability, safety margins, and compliance with regulatory resilience requirements.
Siemens published security advisory SSA-400089 on August 12, 2025, documenting the vulnerability and listing the affected models and remediation status. The U.S. Cybersecurity and Infrastructure Security Agency (CISA) republished the advisory as ICSA-25-226-12 on August 14, 2025, and reiterated vendor guidance while pointing readers to Siemens ProductCERT for the most current remediation information.
Note: CISA has stated it will not maintain ongoing updates for Siemens product advisories beyond an initial posting and directs operators to Siemens ProductCERT for real‑time status; operators should therefore validate firmware availability directly with Siemens ProductCERT.

What the advisory says (summary of the technical facts)

  • Vulnerability: Improper Check for Unusual or Exceptional Conditions (CWE‑754). Affected devices do not properly handle interrupted file-transfer operations; this can be manipulated remotely to induce a denial-of-service state requiring device restart.
  • Identifier: CVE‑2024‑52504 (vendor-tracked and publicly cataloged). NVD lists the CNA-submitted metrics and references Siemens’ advisory.
  • Severity:
    • CVSS v3.1: 7.5 (AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H).
    • CVSS v4.0: 8.7 (AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N).
      These vectors indicate network remote exploitability, no privileges required, no user interaction, and a primary impact on availability (DoS).
  • Affected devices: a long list of SIPROTEC 4 and SIPROTEC 4 Compact models (including, but not limited to, 6MD61/63/66/665, 7SA6/522, 7SD5/610, 7SJ61–66, 7SS52, 7ST6, 7UM61/62, 7UT63/612/613, 7VE6, 7VK61, 7VU683, and Compact 7RW80/7SD80/7SJ80/7SJ81/7SK80/7SK81). The advisory enumerates exact remediation guidance on a model-by-model basis.
  • Remediation status: For many SIPROTEC 4 SKUs Siemens states “currently no fix is planned”; where remediation exists, the vendor directs customers to update to V4.78 or later for specified models (for example, the 7SA6, 7SD5, and 7SD610 require V4.78 or later). For other models, Siemens indicates no fix or that fixes are being prepared. Operators must consult vendor pages for model-specific guidance.
  • Attack surface and impact: Because the vulnerability affects device operation during file transfers, an attacker who can reach the device over the network and trigger an interrupted transfer can force the device offline until it is restarted, impacting relay availability and possibly protection continuity.

Why this matters (operational and security context)

Industrial protection relays are not simple endpoints; they are safety controllers that must meet availability and redundancy requirements. A DoS that forces a restart can:
  • Temporarily remove protection and automation logic, increasing the risk of unprotected faults or delayed fault clearing.
  • Trigger failover scenarios and create transient conditions that may cascade if redundant protections are misconfigured.
  • Require manual intervention and out-of-band maintenance windows that are expensive and operationally disruptive for utilities and industrial operators.
From a threat perspective, the low requirements to trigger the issue (remote, no privileges) and the high availability impact place the vulnerability in the “urgent to mitigate” category—especially for devices that are reachable from less-restricted networks. Even if exploitation is strictly DoS and not code execution, DoS against protection devices in substations can have outsized downstream effects.
CISA notes that there is no known, public exploitation specifically targeting this vulnerability at the time of its advisory posting, but the advisory urges operators to take defensive measures.

Technical analysis: root cause, exploitability, and limitations

1. Root cause summarized

The vendor-classified weakness is CWE‑754: Improper Check for Unusual or Exceptional Conditions, specifically involving file-transfer operation handling. When a file transfer is interrupted, internal checks fail to gracefully handle the exception, leaving the device in an unrecoverable operational state that requires restart. This is consistent with a logic/exception-handling flaw in the file transfer or file-system interaction layers.

2. Exploitability profile

  • Network reachable: The CVSS vector indicates network-level exploitation (AV:N), so any path that allows network access to the affected transfer functionality is a potential avenue. Default exposure depends on device configuration and whether relevant ports/services are exposed or proxied through other systems.
  • No authentication/privileges required: The metrics indicate no required privileges (PR:N) or user interaction (UI:N), lowering the bar for exploitation if the device is reachable on the network.
  • Exploit complexity: Scoring (AC:L) suggests low attack complexity. However, operational realities—such as network segmentation or disabled services—can materially affect whether an attacker can reach the vulnerable code path.

3. Limitations and scope

  • The vulnerability is a denial-of-service rather than a remote code-execution or data-exfiltration issue. While DoS is serious in ICS, the lack of integrity/confidentiality impact in these CVSS vectors limits some attacker goals; still, DoS can be weaponized strategically during broader attacks.
  • The actual exploit requires the attacker to trigger an interrupted file-transfer state; the exact sequence (timing, transport, protocol) is not public in the vendor advisory. As such, the operational risk remains real but the lack of a public proof-of-concept reduces immediate mass-exploitation risk—although threat actors have historically been able to weaponize DoS vectors quickly once disclosed.

Mitigations and vendor guidance (what Siemens and CISA recommend)

Siemens’ advisory provides product-specific remediation and workarounds. Key points:
  • Update where a fixed version exists: For models listed as remediated, apply the vendor-supplied firmware updates (V4.78 or later for certain models such as 7SA6, 7SD5, and 7SD610). Validate updates per Siemens’ documented procedures.
  • Where no fix is planned or available: Siemens recommends protecting network access to devices with standard OT security mechanisms—segmentation, firewalls, and controlled remote-access (e.g., VPNs). For critical networks, adhere to Siemens’ operational guidelines for industrial security.
  • CISA defensive measures:
    • Minimize network exposure for control system devices; do not make them reachable from the internet.
    • Place control networks and remote devices behind firewalls and isolate them from business networks.
    • When remote access is necessary, use secure remote-access methods with up-to-date VPNs and strong endpoint hygiene.
  • Operational resilience: Siemens explicitly recommends ensuring redundant protection schemes (secondary protection) and checking that device restart and failover procedures are validated, an important operational mitigation when immediate patching is not feasible.

A practical checklist for operators (prioritized, actionable steps)

  1. Inventory and Identify
    • Create an authoritative list of all SIPROTEC 4 and SIPROTEC 4 Compact devices, including precise model numbers and installed firmware versions. Cross-reference with the vendor advisory’s affected-model list.
  2. Patch and Validate
    • For devices where Siemens provides V4.78 or later remediation, plan and schedule firmware updates. Follow vendor validation steps in staging and maintenance windows. Test recovery and redundancy paths after patching.
  3. Network Isolation and Access Control
    • Ensure devices are not directly reachable from the internet. Block unnecessary inbound access at the enterprise edge.
    • Implement strict ACLs and network segmentation between business IT and OT zones; restrict access to only trusted management hosts.
  4. Harden Remote Access
    • If remote access is required, use VPNs or hardened jump hosts that are monitored and patched. Limit VPN access to specific aggregator systems and enforce MFA for administrators where practical.
  5. Monitoring and Detection
    • Monitor for unusual file-transfer activity, repeated transfer failures, and unexplained device restarts. Integrate OT telemetry into SIEM or NOCs while maintaining safety constraints.
    • Add alerts for frequent aborted transfers to critical protection relays. (This is a likely tell for exploitation attempts.)
  6. Operational Resilience
    • Verify that redundant protection channels function as intended and that failovers do not create single points of failure. Document and rehearse manual recovery steps in case a device must be restarted.
  7. Vendor Liaison and Reporting
    • Maintain a line with Siemens ProductCERT for updates to SSA-400089 and sign up for product-specific notifications. If anomalous activity is observed, report per sector procedures and to government CERTs as required. Note CISA’s recommendation to consult Siemens ProductCERT for the most current information.
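As an added example of the monitoring in step 5 (not code from Siemens, CISA or the original article), the following sliding-window check flags bursts of aborted transfers to one relay and links a subsequent restart to them; the key=value log layout, relay names and addresses are constructed assumptions, so the parser would need adapting to real engineering-station or relay-management logs.

```python
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta, timezone
# Constructed records in a made-up key=value layout: three aborted transfers
# to one relay followed by a restart, then a lone abort and an unrelated
# restart on another relay. Real logs will differ in layout.
SAMPLE_LOG = """\
2025-08-20T10:02:02Z relay=7SA6-SUBB src=10.20.99.7 event=transfer_abort
2025-08-20T10:02:11Z relay=7SA6-SUBB src=10.20.99.7 event=transfer_abort
2025-08-20T10:02:15Z relay=7SJ62-SUBA src=10.20.30.5 event=transfer_complete
2025-08-20T10:02:21Z relay=7SA6-SUBB src=10.20.99.7 event=transfer_abort
2025-08-20T10:03:05Z relay=7SA6-SUBB event=device_restart
2025-08-20T11:30:00Z relay=7SJ62-SUBA src=10.20.30.5 event=transfer_abort
2025-08-20T12:00:00Z relay=7SJ62-SUBA event=device_restart
"""
LINE_RE = re.compile(r"^(\S+) relay=(\S+)(?: src=(\S+))? event=(\S+)$")
def parse_line(line):
    """Return (timestamp, relay, source, event), or None if the line does not match."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    ts = datetime.strptime(m.group(1), "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)
    return ts, m.group(2), m.group(3), m.group(4)
def detect(log_text, abort_threshold=3, window=timedelta(minutes=5),
           restart_link=timedelta(minutes=10)):
    """abort_burst: >= abort_threshold aborts to one relay inside `window`.
    restart_after_aborts: a restart within `restart_link` of such a burst
    (closest to the advisory's DoS). unexplained_restart: any other restart."""
    recent = defaultdict(deque)  # relay -> (timestamp, source) of aborts in window
    last_burst = {}              # relay -> time its latest burst was flagged
    alerts = []
    for raw in log_text.splitlines():
        rec = parse_line(raw)
        if rec is None:
            continue
        ts, relay, src, event = rec
        if event == "transfer_abort":
            q = recent[relay]
            q.append((ts, src))
            while ts - q[0][0] > window:   # discard aborts older than the window
                q.popleft()
            if len(q) == abort_threshold:  # alert once, when the threshold is crossed
                last_burst[relay] = ts
                alerts.append({"type": "abort_burst", "relay": relay, "at": ts,
                               "sources": sorted({s for _, s in q if s})})
        elif event == "device_restart":
            linked = relay in last_burst and ts - last_burst[relay] <= restart_link
            alerts.append({"type": "restart_after_aborts" if linked else
                           "unexplained_restart", "relay": relay, "at": ts})
    return alerts
```

On the sample, `detect(SAMPLE_LOG)` yields an abort burst and a linked restart for 7SA6-SUBB and an unexplained restart for 7SJ62-SUBA; tune the threshold and windows to the normal transfer cadence of your engineering tools so routine activity does not page anyone.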

Specific guidance for Windows‑centric OT environments (WindowsForum audience)

Many substation automation and protection management tasks are performed from Windows-based engineering stations and servers. The interface between Windows systems and relays is an important attack surface.
  • Harden engineering workstations:
    • Keep engineering workstations patched and segmented from general corporate networks.
    • Use purpose-dedicated jump boxes or bastion hosts for relay management; avoid using general-purpose laptops with internet access to manage relays.
  • Principle of least privilege:
    • Limit accounts that can trigger file transfers to relays and apply strict change-control for upload/download operations.
  • Centralize logging:
    • Forward engineering-station logs and relay-management tool logs to a secure collector for correlation. Alert on repeated failed transfers or unusual management sessions.
  • Credential hygiene:
    • Avoid storing credentials in plaintext; leverage credential stores and MFA for remote management where supported.
These operational hardening steps reduce the chance that a Windows-hosted task or an administrator endpoint becomes the vector for remotely triggering the vulnerable behavior.

Risk assessment and longer-term considerations

  • Short term: For operators with vulnerable models that have no planned fix, the risk remains persistent. Compensating controls (segmentation, strict access control, monitoring, and validated redundant protections) are essential to buy time and maintain safety.
  • Medium term: Consider lifecycle strategy—devices that are no longer receiving security fixes or for which no fix is planned should be evaluated for replacement or architectural compensation (network-level gateways, application-layer proxies, or controlled device access appliances). The long tail of OT equipment with extended lifecycles means some remediation choices can be expensive but necessary.
  • Strategic: This advisory reinforces a fundamental truth of OT security—patching alone is not sufficient. Designing networks and protection architectures with the assumption that field devices will occasionally fail under attack or buggy conditions is crucial. Resilient designs, validated failovers, and a preference for secure default configurations are non‑negotiable.

Critical appraisal: strengths and gaps in the vendor/government response

Strengths:
  • Siemens published a detailed model-by-model advisory (SSA‑400089) with CVE assignment and explicit remediation notes where available. This level of granularity helps operators prioritize actions on a per‑model basis.
  • CISA republished the advisory and reiterated standard ICS defensive practices, helping broaden awareness among U.S. operators.
Risks and gaps:
  • Patch availability gap: A significant number of affected models are listed as “currently no fix is planned” or “no fix available,” leaving operators with prolonged exposure and an operationally difficult decision space (accept risk vs. costly replacement).
  • Information latency and responsibility: Since CISA no longer maintains ongoing updates for Siemens advisories beyond an initial posting, the onus is on asset owners and vendors (Siemens ProductCERT) to communicate fixes; operators without direct vendor monitoring could miss critical updates.
  • Limited public exploit detail: The advisory does not publish PoC exploitation detail—reasonable from a responsible disclosure perspective—but this also means operators must make mitigation decisions with limited operational telemetry on how easily the vulnerability might be triggered in their environments.
All of the above underscores a practical operational risk: organizations must assume that lack of a public PoC does not equal low risk, especially in a landscape where DoS vectors can be weaponized quickly by opportunistic actors.

What to communicate to executives and field teams

  • Executive summary bullets (for quick distribution):
    • A high-severity remote DoS vulnerability (CVE‑2024‑52504, CVSS v4 8.7) affects many SIPROTEC 4 devices; some models are not receiving fixes.
    • Immediate priorities: inventory, isolate, and apply firmware updates where available.
    • If patches are unavailable, the organization must rely on layered compensating controls (segmentation, hardened remote access, validated redundancy) to maintain grid resilience and safety.
  • Field/operations communication:
    • Do not perform unscheduled firmware upgrades on live protection devices without testing and coordination (Siemens emphasizes validation and supervision of updates).
    • If you observe unexplained device restarts or repeated failed file transfers, escalate to NOC/SOC immediately and restrict network access to the affected relay until root cause and remediation are in place.

Conclusion

CVE‑2024‑52504 (SIPROTEC 4 / SIPROTEC 4 Compact) is a high-severity, remotely exploitable denial-of-service vulnerability in widely deployed protection relays. The combination of network-level exploitability, low attack complexity, and limited remediation availability for many SKUs makes it a pressing operational security issue. Operators should prioritize authoritative inventory checks, apply Siemens-supplied updates where available, and implement layered compensating controls—including network isolation, restricted management access, and rigorous monitoring—to preserve protection continuity and avoid operational disruption. Consult Siemens ProductCERT for product-specific updates and follow CISA’s recommended defensive practices for ICS/OT environments.

Appendix — quick reference (one‑page)
  • CVE: CVE‑2024‑52504.
  • CVSS: v4 = 8.7, v3.1 = 7.5.
  • Affected lines: SIPROTEC 4 & SIPROTEC 4 Compact (detailed list in SSA‑400089).
  • Immediate operator actions: 1) Inventory devices; 2) Apply V4.78 updates where available; 3) Enforce segmentation and firewalling; 4) Harden remote access and monitor aborted transfers; 5) Validate redundancy and failover.
(End of article)

Source: CISA Siemens SIPROTEC 4 and SIPROTEC 4 Compact | CISA