CVE-2025-40570 is a resource exhaustion vulnerability affecting multiple Siemens SIPROTEC 5 relay devices, specifically models with CP150 and CP300 communication processors, across various versions prior to V10.0. The vulnerability arises because these devices do not properly limit the bandwidth of incoming network packets over their local USB port. An attacker with physical access to the device can exploit this by sending specially crafted high-bandwidth packets through the USB interface. This causes the device to consume excessive memory resources, leading to exhaustion and a denial of service (DoS) condition where the device stops responding to any network traffic via the local USB port. After the attack, the device automatically resets itself, but the disruption can impact operational continuity. Importantly, the protection functions of the devices remain unaffected, meaning the core protective relay functions continue to operate despite the DoS on the USB network interface. The vulnerability is classified under CWE-770, which pertains to allocation of resources without limits or throttling, and has a CVSS v3.1 base score of 2.4 (low severity) due to its requirement for physical access, lack of impact on confidentiality or integrity, and limited scope affecting only the USB network interface. No known exploits are currently reported in the wild, and Siemens has not yet published patches for this issue as of the provided data. The vulnerability affects a broad range of SIPROTEC 5 models widely used in electrical grid protection and automation systems.

For European organizations, especially those operating critical infrastructure such as electrical utilities and grid operators, this vulnerability poses a risk of localized denial of service on SIPROTEC 5 devices. Although the core protection functions remain intact, disruption of network communication via the USB port can hinder device management, monitoring, and diagnostics, potentially delaying response times during incidents. The requirement for physical access limits the attack vector primarily to insider threats or attackers with physical proximity to the devices, such as maintenance personnel or intruders. Given the widespread deployment of Siemens SIPROTEC 5 devices across European power grids, any disruption could affect operational efficiency and situational awareness. However, the low severity and automatic device reset mitigate the risk of prolonged outages. Still, in high-security environments or where USB network interfaces are critical for operational workflows, this vulnerability could be exploited to cause nuisance DoS or complicate incident response. The lack of impact on confidentiality and integrity reduces the risk of data compromise or control manipulation, but availability impacts remain a concern in safety-critical systems.

1. Restrict physical access to SIPROTEC 5 devices, especially their USB ports, through enhanced physical security controls such as locked cabinets, surveillance, and access logging. 2. Implement strict personnel vetting and monitoring to reduce insider threat risks. 3. Disable or restrict USB network interfaces if not required for operational purposes to eliminate the attack surface. 4. Monitor device logs and network traffic for unusual high-bandwidth activity on USB interfaces that could indicate exploitation attempts. 5. Coordinate with Siemens for timely firmware updates or patches once available and plan for scheduled device maintenance to apply fixes. 6. Employ network segmentation and isolation strategies to limit exposure of critical devices to unauthorized access. 7. Develop incident response procedures specifically addressing DoS conditions on SIPROTEC devices to ensure rapid recovery and continuity. 8. Consider deploying additional redundant protection relays or failover mechanisms to maintain grid stability in case of device resets or outages.