CVE-2025-40808: SIPROTEC 5 File Upload Vulnerability in Siemens Protective Relays
Siemens SIPROTEC 5 protective relays contain a file upload vulnerability affecting dozens of device models across multiple control processor variants. An authenticated attacker can upload malicious configuration files through the DIGSI 5 protocol, potentially disrupting power system operations or executing unauthorized code. The vulnerability requires valid credentials but represents a meaningful risk in environments where multiple operators or contractors have access to device management interfaces.
Source data · NVD / CISA · public domain
- CVSS
- 3.1 · 6.1 MEDIUM · CVSS:3.1/AV:A/AC:L/PR:H/UI:N/S:U/C:N/I:H/A:H
- Weaknesses (CWE)
- CWE-434
- Affected products
- 0 configuration(s)
- Published / Modified
- 2026-06-09 / 2026-06-17
NVD description (verbatim)
A vulnerability has been identified in SIPROTEC 5 6MD84 (CP300) (All versions), SIPROTEC 5 6MD85 (CP200) (All versions), SIPROTEC 5 6MD85 (CP300) (All versions), SIPROTEC 5 6MD86 (CP200) (All versions), SIPROTEC 5 6MD86 (CP300) (All versions), SIPROTEC 5 6MD89 (CP300) (All versions), SIPROTEC 5 6MU85 (CP300) (All versions), SIPROTEC 5 7KE85 (CP200) (All versions), SIPROTEC 5 7KE85 (CP300) (All versions), SIPROTEC 5 7SA82 (CP100) (All versions), SIPROTEC 5 7SA82 (CP150) (All versions), SIPROTEC 5 7SA86 (CP200) (All versions), SIPROTEC 5 7SA86 (CP300) (All versions), SIPROTEC 5 7SA87 (CP200) (All versions), SIPROTEC 5 7SA87 (CP300) (All versions), SIPROTEC 5 7SD82 (CP100) (All versions), SIPROTEC 5 7SD82 (CP150) (All versions), SIPROTEC 5 7SD86 (CP200) (All versions), SIPROTEC 5 7SD86 (CP300) (All versions), SIPROTEC 5 7SD87 (CP200) (All versions), SIPROTEC 5 7SD87 (CP300) (All versions), SIPROTEC 5 7SJ81 (CP100) (All versions), SIPROTEC 5 7SJ81 (CP150) (All versions), SIPROTEC 5 7SJ82 (CP100) (All versions), SIPROTEC 5 7SJ82 (CP150) (All versions), SIPROTEC 5 7SJ85 (CP200) (All versions), SIPROTEC 5 7SJ85 (CP300) (All versions), SIPROTEC 5 7SJ86 (CP200) (All versions), SIPROTEC 5 7SJ86 (CP300) (All versions), SIPROTEC 5 7SK82 (CP100) (All versions), SIPROTEC 5 7SK82 (CP150) (All versions), SIPROTEC 5 7SK85 (CP200) (All versions), SIPROTEC 5 7SK85 (CP300) (All versions), SIPROTEC 5 7SL82 (CP100) (All versions), SIPROTEC 5 7SL82 (CP150) (All versions), SIPROTEC 5 7SL86 (CP200) (All versions), SIPROTEC 5 7SL86 (CP300) (All versions), SIPROTEC 5 7SL87 (CP200) (All versions), SIPROTEC 5 7SL87 (CP300) (All versions), SIPROTEC 5 7SS85 (CP200) (All versions), SIPROTEC 5 7SS85 (CP300) (All versions), SIPROTEC 5 7ST85 (CP200) (All versions), SIPROTEC 5 7ST85 (CP300) (All versions), SIPROTEC 5 7ST86 (CP300) (All versions), SIPROTEC 5 7SX82 (CP150) (All versions), SIPROTEC 5 7SX85 (CP300) (All versions), SIPROTEC 5 7SY82 (CP150) (All versions), SIPROTEC 5 7UM85 (CP300) (All versions), SIPROTEC 5 7UT82 (CP100) (All versions), SIPROTEC 5 7UT82 (CP150) (All versions), SIPROTEC 5 7UT85 (CP200) (All versions), SIPROTEC 5 7UT85 (CP300) (All versions), SIPROTEC 5 7UT86 (CP200) (All versions), SIPROTEC 5 7UT86 (CP300) (All versions), SIPROTEC 5 7UT87 (CP200) (All versions), SIPROTEC 5 7UT87 (CP300) (All versions), SIPROTEC 5 7VE85 (CP300) (All versions), SIPROTEC 5 7VK87 (CP200) (All versions), SIPROTEC 5 7VK87 (CP300) (All versions), SIPROTEC 5 7VU85 (CP300) (All versions), SIPROTEC 5 Compact 7SX800 (CP050) (All versions). The affected application allows authenticated users to upload arbitrary files using DIGSI 5 protocol. This could allow an attacker to upload malicious configuration files, that could cause denial of service condition and potentially lead to code execution.
1 reference(s) · View on NVD →
SEC.co analysis · AI-assisted, reviewed against source
Technical summary
CVE-2025-40808 is a CWE-434 unrestricted file upload vulnerability in SIPROTEC 5 relays. The DIGSI 5 protocol, used for device configuration and management, fails to adequately validate uploaded files. An authenticated user can circumvent file type or content restrictions, uploading configuration payloads that the device will process with operational privileges. This affects all versions of 50+ device variants spanning the 6MD and 7-series relay families (protection, metering, and multi-function models) across CP050 through CP300 control processor generations. The vulnerability carries a CVSS 3.1 score of 6.1 (Medium) reflecting the authentication requirement and local/adjacent network access constraint, offset by high impact on integrity and availability.
Business impact
Power utilities and industrial facilities relying on SIPROTEC 5 relays for grid protection face operational continuity risk. An insider threat or compromised contractor account could trigger relay malfunction or shutdown, affecting protection logic during faults and potentially causing cascading outages. Malicious configuration could disable alarming, alter trip setpoints, or corrupt firmware checksums. While the CVSS score is moderate due to authentication, the criticality of protective relay function in electrical infrastructure elevates business risk. Extended downtime for relay reconfiguration or replacement represents significant cost and safety exposure.
Affected systems
All versions of 50+ SIPROTEC 5 relay models are affected, including protection relays (7SA, 7SD, 7SJ, 7SK, 7SL, 7ST, 7SX, 7SY series), metering relays (6MD, 6MU, 7UM), and differential/multi-function relays (7SS, 7VE, 7VK, 7VU, 7UT, 7KE). Affected control processors range from CP050 (compact models) through CP300. Every firmware version of these device-processor combinations is vulnerable; no patched versions are available from the vendor at this time per source data. Organizations should inventory SIPROTEC 5 deployments and verify exact device model and processor type via DIGSI 5 or physical nameplate inspection.
Exploitability
Exploitation requires valid DIGSI 5 protocol credentials, limiting attack surface to personnel with device access rights—system administrators, protection engineers, authorized contractors, or potentially compromised operator accounts. No network-based exploitation is possible; access is restricted to the adjacent local area network or directly connected engineering workstation. The attack itself is low-friction: uploading a crafted configuration file through the standard management interface requires no special tools beyond DIGSI 5 client software and valid authentication. The vulnerability is not known to be actively exploited in the wild or listed on CISA's Known Exploited Vulnerabilities (KEV) catalog.
Remediation
Siemens has not issued firmware patches for this vulnerability. Mitigation strategies focus on access control and network segmentation. Restrict DIGSI 5 protocol access to trusted engineering networks, using firewall rules to prevent unauthorized access from general IT infrastructure. Limit DIGSI 5 client installation and usage to designated protection engineers and system administrators. Implement multi-factor authentication or hardware token-based access controls where available in your environment. Monitor DIGSI 5 traffic for unusual configuration uploads or failed authentication attempts. Monitor Siemens security advisories for patches; affected devices may require firmware updates when available from the vendor.
Patch guidance
As of the vulnerability publication date (June 9, 2026), Siemens has not released patches. Consult Siemens ProductCERT advisories and the SIPROTEC 5 support portal for firmware release notes and scheduled patching timelines. Patching will likely require staging in a test environment given the criticality of protective relays in production. Coordinate with your Siemens field service team to validate patch applicability to your specific device variants and firmware versions before deployment to operational devices.
Detection guidance
Monitor for suspicious DIGSI 5 protocol activity: unusual file uploads, configuration changes by unauthorized accounts, or uploads from unexpected network locations. Review device configuration audit logs for unexpected changes to protection settings, trip setpoints, or firmware checksums. Network intrusion detection signatures for DIGSI 5 upload commands may be developed by your IDS vendor or security team. Collect baseline configurations of all SIPROTEC 5 relays and periodically verify integrity against known-good copies. Alert on configuration file modifications that deviate from maintenance windows.
Why prioritize this
Although the CVSS score is 6.1 (Medium), prioritize this vulnerability in critical infrastructure and power generation environments where relay malfunction directly threatens public safety and economic continuity. The broad scope (50+ device models, all versions) and the insider-threat or supply-chain compromise vectors warrant immediate access control hardening and inventory actions. Organizations in less critical industrial segments may defer intensive patching efforts until vendor patches are available, but should implement network-based controls immediately.
Risk score, explained
The CVSS 3.1 vector (AV:A/AC:L/PR:H/UI:N/S:U/C:N/I:H/A:H) reflects: adjacent network access only (AV:A), no attack complexity (AC:L), high privilege requirement (PR:H) limiting the threat actor pool, no user interaction (UI:N), unchanged scope (S:U), no confidentiality impact (C:N), but high integrity and availability impact (I:H/A:H). The score of 6.1 sits at the boundary of Medium severity because the authentication requirement significantly constrains exploitability, yet the integrity and availability impact on a safety-critical system justifies heightened organizational concern beyond the numerical score.
Frequently asked questions
Do I need to patch immediately if I don't have public-facing DIGSI 5 access?
No public patches are currently available. Focus on implementing network segmentation to restrict DIGSI 5 traffic to an isolated engineering network, and enforce access controls on that network. If your relays are in a truly isolated environment with only authorized, trusted personnel, risk is lower—but monitor for patches and plan to apply them when available.
Can this vulnerability be exploited remotely over the internet?
No. The vulnerability requires adjacent network access and valid DIGSI 5 credentials. It cannot be exploited over the public internet. Risk is confined to insiders, contractors with device access, or attackers who have compromised an authorized user account on the local engineering network.
What configuration files should I be concerned about?
Any file uploaded via DIGSI 5 that alters device protection logic, setpoints, trip thresholds, or firmware checksums. The vulnerability description indicates malicious configuration files could cause denial of service or code execution. Work with your Siemens engineer to understand the legitimate configuration file formats and establish a change management process that validates all uploads.
Are there any public exploits available for CVE-2025-40808?
No public exploit code or weaponized proof-of-concept has been disclosed. The vulnerability is not listed on CISA's Known Exploited Vulnerabilities (KEV) catalog, indicating no confirmed active exploitation in the wild to date.
This analysis is based on publicly available vulnerability data as of June 2026. Patch status, exploit information, and vendor advisory timelines may change. Organizations should verify affected device models and firmware versions against Siemens official documentation and ProductCERT advisories. This explainer does not constitute security advice; consult with Siemens support and your internal security team before implementing changes to critical infrastructure. No exploit code or detailed attack methodology is provided in this document. Use of security controls should comply with all applicable regulatory and safety standards governing your electrical infrastructure. Source: NVD (public-domain), retrieved 2026-07-15. Analysis generated by SEC.co (claude-haiku-4-5).
Weaknesses (CWE)
Related vulnerabilities
- CVE-2026-10172MEDIUMBdtask Multi-Store Inventory 1.0 Unrestricted File Upload Vulnerability
- CVE-2026-10205MEDIUMUnrestricted File Upload in Metasoft MetaCRM 6.4.0 – Exploit Details & Remediation
- CVE-2026-10806MEDIUMUnrestricted File Upload in mjperpinosa stumasy
- CVE-2026-10807MEDIUMUnrestricted File Upload in mjperpinosa stumasy Profile Image Handler
- CVE-2026-11333MEDIUMUnrestricted File Upload in CollegeManagementSystem Dashboard
- CVE-2026-11621MEDIUMDcat-Admin Unrestricted File Upload Vulnerability (CVSS 4.7)
- CVE-2026-33582MEDIUMApache Answer TIFF Image DoS Vulnerability (Medium CVSS 6.5)
- CVE-2026-34031MEDIUMApache Answer Profile Image URL Validation Vulnerability