CISA has published an ICS advisory warning that Siemens SIPROTEC 5 devices, when accessed via the DIGSI 5 engineering protocol, are affected by an unrestricted file upload vulnerability tracked as CVE-2025-40808. The flaw carries a CVSS v3 score of 6.1 and affects all current firmware versions across a broad range of device models spanning CP050, CP100, CP150, CP200, and CP300 hardware platforms.

Vulnerability Details

The affected application fails to restrict the types of files that authenticated users may upload over the DIGSI 5 protocol. An attacker with valid credentials could exploit this to push malicious configuration files to a device, resulting in a permanent denial of service condition. The advisory also notes the potential for the issue to lead to code execution, though the primary confirmed impact is denial of service.

The affected product list is extensive, covering more than 60 distinct model and hardware-platform combinations deployed in critical infrastructure sectors including energy, critical manufacturing, transportation, healthcare, financial services, and government facilities worldwide.

Remediation and Mitigations

Siemens has issued firmware updates for a portion of the affected fleet. Specific guidance by hardware platform is as follows:

  • CP050 and CP150 models: Upgrade to version 9.90 or later.
  • CP300 models (7ST85 and 7ST86): Upgrade to version 10.00 or later.
  • Remaining CP300 models: Upgrade to version 9.90 or later.

The updated firmware introduces an allow-list mechanism that restricts which file types can be uploaded, directly addressing the root cause of the vulnerability. For devices where a fix is not yet available, Siemens recommends the following interim countermeasures:

  • Apply password protection to all DIGSI 5 connections.
  • Provision DIGSI access using certificates signed by a customer-controlled PKI, rather than relying on default credentials or certificates.

Broader Context

SIPROTEC 5 devices serve as protective relays in power grids and industrial environments, making availability and integrity essential. A successful denial of service against these devices could disrupt protection functions in substations or other critical infrastructure nodes. Security teams operating these devices should prioritize patching or, where patches are not yet available, enforce strict network segmentation and authentication controls around DIGSI 5 communication paths.