CVE-2024-53649 is a vulnerability identified in Siemens SIPROTEC 5 series devices, specifically models including 6MD84, 6MD85, 6MD86, 6MD89, 6MU85, 7KE85, 7SA82, 7SA86, 7SA87, 7SD82, 7SD86, 7SD87, 7SJ81, 7SJ82, 7SJ85, 7SJ86, 7SK82, 7SK85, 7SL82, 7SL86, 7SL87, 7SS85, 7ST85, 7ST86, 7SX82, 7SX85, 7SY82, 7UM85, 7UT82, 7UT85, 7UT86, 7UT87, 7VE85, 7VK87, 7VU85, and Compact 7SX800, across various control processor versions (CP100, CP150, CP300, CP050) and firmware versions prior to V9.80 or V8.90 depending on the model. The vulnerability is categorized under CWE-552, which involves files or directories accessible to external parties. The root cause is that the embedded webserver in these devices does not properly restrict the filesystem paths accessible to authenticated users. As a result, an attacker with valid credentials can remotely read arbitrary files on the device, potentially exposing sensitive configuration data, credentials, or operational information. The CVSS v3.1 base score is 6.5 (medium severity), with vector AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N, indicating network attack vector, low attack complexity, requiring privileges but no user interaction, with high confidentiality impact but no integrity or availability impact. No public exploits or active exploitation have been reported to date. Siemens has not yet published patches but awareness and identification of affected versions are critical. The vulnerability affects critical infrastructure devices used for power system protection and automation, which are integral to grid stability and security.

The primary impact of CVE-2024-53649 is the unauthorized disclosure of sensitive information stored on Siemens SIPROTEC 5 devices. This can include configuration files, cryptographic keys, user credentials, and operational logs. For European organizations, especially utilities and grid operators, this exposure could facilitate further attacks such as unauthorized control, sabotage, or espionage. Confidentiality breaches in critical infrastructure components can undermine trust, cause regulatory penalties under GDPR if personal or operational data is involved, and potentially lead to cascading failures if attackers leverage the information to disrupt operations. Although the vulnerability does not directly affect system integrity or availability, the information gained can be used to plan more damaging attacks. The requirement for authentication reduces the attack surface but insider threats or compromised credentials increase risk. Given the widespread deployment of Siemens SIPROTEC devices in European power grids, the potential impact on national energy security and critical infrastructure resilience is significant.

1. Siemens should be contacted for official patches or firmware updates addressing this vulnerability; organizations must prioritize applying these updates once available. 2. Until patches are deployed, restrict network access to SIPROTEC device management interfaces using network segmentation, firewalls, and VPNs to limit exposure to trusted personnel only. 3. Enforce strong authentication mechanisms and regularly rotate credentials to reduce the risk of credential compromise. 4. Monitor access logs on SIPROTEC devices for unusual or unauthorized file access attempts. 5. Implement strict role-based access controls (RBAC) to limit user privileges on the devices. 6. Conduct regular security audits and vulnerability assessments on critical infrastructure devices. 7. Educate operational technology (OT) personnel about the risks of credential sharing and phishing attacks that could lead to authentication compromise. 8. Consider deploying intrusion detection systems (IDS) tailored for OT environments to detect anomalous activities related to file access on these devices.