CVE-2025-40570: CWE-770: Allocation of Resources Without Limits or Throttling in Siemens SIPROTEC 5 6MD84 (CP300)
A vulnerability has been identified in SIPROTEC 5 6MD84 (CP300) (All versions < V10.0), SIPROTEC 5 6MD85 (CP300) (All versions >= V7.80 < V10.0), SIPROTEC 5 6MD86 (CP300) (All versions >= V7.80 < V10.0), SIPROTEC 5 6MD89 (CP300) (All versions >= V7.80 < V10.0), SIPROTEC 5 6MU85 (CP300) (All versions >= V7.80 < V10.0), SIPROTEC 5 7KE85 (CP300) (All versions >= V7.80 < V10.0), SIPROTEC 5 7SA82 (CP150) (All versions < V10.0), SIPROTEC 5 7SA86 (CP300) (All versions >= V7.80 < V10.0), SIPROTEC 5 7SA87 (CP300) (All versions >= V7.80 < V10.0), SIPROTEC 5 7SD82 (CP150) (All versions < V10.0), SIPROTEC 5 7SD86 (CP300) (All versions >= V7.80 < V10.0), SIPROTEC 5 7SD87 (CP300) (All versions >= V7.80 < V10.0), SIPROTEC 5 7SJ81 (CP150) (All versions < V10.0), SIPROTEC 5 7SJ82 (CP150) (All versions < V10.0), SIPROTEC 5 7SJ85 (CP300) (All versions >= V7.80 < V10.0), SIPROTEC 5 7SJ86 (CP300) (All versions >= V7.80 < V10.0), SIPROTEC 5 7SK82 (CP150) (All versions < V10.0), SIPROTEC 5 7SK85 (CP300) (All versions >= V7.80 < V10.0), SIPROTEC 5 7SL82 (CP150) (All versions < V10.0), SIPROTEC 5 7SL86 (CP300) (All versions >= V7.80 < V10.0), SIPROTEC 5 7SL87 (CP300) (All versions >= V7.80 < V10.0), SIPROTEC 5 7SS85 (CP300) (All versions >= V7.80 < V10.0), SIPROTEC 5 7ST85 (CP300) (All versions < V10.0), SIPROTEC 5 7ST86 (CP300) (All versions < V10.0), SIPROTEC 5 7SX82 (CP150) (All versions < V10.0), SIPROTEC 5 7SX85 (CP300) (All versions < V10.0), SIPROTEC 5 7SY82 (CP150) (All versions < V10.0), SIPROTEC 5 7UM85 (CP300) (All versions >= V7.80 < V10.0), SIPROTEC 5 7UT82 (CP150) (All versions < V10.0), SIPROTEC 5 7UT85 (CP300) (All versions >= V7.80 < V10.0), SIPROTEC 5 7UT86 (CP300) (All versions >= V7.80 < V10.0), SIPROTEC 5 7UT87 (CP300) (All versions >= V7.80 < V10.0), SIPROTEC 5 7VE85 (CP300) (All versions >= V7.80 < V10.0), SIPROTEC 5 7VK87 (CP300) (All versions >= V7.80 < V10.0), SIPROTEC 5 7VU85 (CP300) (All versions < V10.0), SIPROTEC 5 Compact 7SX800 (CP050) (All versions < V10.0). Affected devices do not properly limit the bandwidth for incoming network packets over their local USB port. This could allow an attacker with physical access to send specially crafted packets with high bandwidth to the affected devices, thus forcing them to exhaust their memory and stop responding to any network traffic via the local USB port. Affected devices reset themselves automatically after a successful attack. The protection function is not affected by this vulnerability.
AI Analysis
Technical Summary
CVE-2025-40570 is a resource exhaustion vulnerability affecting multiple Siemens SIPROTEC 5 relay devices, specifically models with CP150 and CP300 communication processors, across various versions prior to V10.0. The vulnerability arises because these devices do not properly limit the bandwidth of incoming network packets over their local USB port. An attacker with physical access to the device can exploit this by sending specially crafted high-bandwidth packets through the USB interface. This causes the device to consume excessive memory resources, leading to exhaustion and a denial of service (DoS) condition where the device stops responding to any network traffic via the local USB port. After the attack, the device automatically resets itself, but the disruption can impact operational continuity. Importantly, the protection functions of the devices remain unaffected, meaning the core protective relay functions continue to operate despite the DoS on the USB network interface. The vulnerability is classified under CWE-770, which pertains to allocation of resources without limits or throttling, and has a CVSS v3.1 base score of 2.4 (low severity) due to its requirement for physical access, lack of impact on confidentiality or integrity, and limited scope affecting only the USB network interface. No known exploits are currently reported in the wild, and Siemens has not yet published patches for this issue as of the provided data. The vulnerability affects a broad range of SIPROTEC 5 models widely used in electrical grid protection and automation systems.
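A bounded-ingress sketch of the control the advisory says is missing, added here as an example and not Siemens code or anything the advisory describes: a byte token bucket plus a hard receive-queue cap, driven by a constructed 1.5 MB/s packet flood against a slow consumer, beside the unthrottled CWE-770 case where buffered memory grows with the offered load. All rates, packet sizes and limits are constructed assumptions; the `dropped` counter is the kind of signal the monitoring in mitigation recommendation 4 would alert on.

```python
from collections import deque
from dataclasses import dataclass, field


@dataclass
class IngressLimiter:
    """Byte token bucket plus a bounded receive queue. Integer milliseconds and
    bytes keep the arithmetic exact; all limits are constructed for illustration."""
    rate_bytes_per_ms: int      # sustained admission rate
    burst_bytes: int            # bucket capacity (largest admitted burst)
    queue_limit_bytes: int      # hard cap on buffered, not-yet-processed bytes
    tokens: int = field(init=False)
    last_ms: int = 0
    queue: deque = field(default_factory=deque)
    queued_bytes: int = 0
    dropped: int = 0

    def __post_init__(self) -> None:
        self.tokens = self.burst_bytes

    def offer(self, t_ms: int, size: int) -> bool:
        """Admit a packet of `size` bytes arriving at t_ms, or drop it."""
        self.tokens = min(self.burst_bytes,
                          self.tokens + (t_ms - self.last_ms) * self.rate_bytes_per_ms)
        self.last_ms = t_ms
        if size > self.tokens or self.queued_bytes + size > self.queue_limit_bytes:
            self.dropped += 1          # the counter a monitor should alert on
            return False
        self.tokens -= size
        self.queue.append(size)
        self.queued_bytes += size
        return True

    def drain(self, n: int) -> None:
        """The slow consumer processes up to n queued packets."""
        for _ in range(min(n, len(self.queue))):
            self.queued_bytes -= self.queue.popleft()


def throttled() -> IngressLimiter:        # 100 KB/s sustained, 20 KB burst, 64 KB buffer
    return IngressLimiter(100, 20_000, 64_000)


def unthrottled() -> IngressLimiter:      # the CWE-770 case: no effective limits
    return IngressLimiter(10**9, 10**12, 10**12)


def simulate_flood(lim: IngressLimiter, pkts: int = 1000, size: int = 1500) -> dict:
    """Constructed flood: one 1500-byte packet per millisecond (1.5 MB/s offered)
    while the consumer drains only two packets every eight arrivals."""
    peak = 0
    for i in range(pkts):
        lim.offer(i, size)
        peak = max(peak, lim.queued_bytes)
        if i % 8 == 7:
            lim.drain(2)
    return {"accepted": pkts - lim.dropped, "dropped": lim.dropped, "peak_queued": peak}
```

With the limits in place the buffered backlog never exceeds 18 KB and 921 of 1000 flood packets are dropped; without them every packet is accepted and the backlog reaches roughly 1.1 MB and keeps growing for as long as the flood lasts.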
Potential Impact
For European organizations, especially those operating critical infrastructure such as electrical utilities and grid operators, this vulnerability poses a risk of localized denial of service on SIPROTEC 5 devices. Although the core protection functions remain intact, disruption of network communication via the USB port can hinder device management, monitoring, and diagnostics, potentially delaying response times during incidents. The requirement for physical access limits the attack vector primarily to insider threats or attackers with physical proximity to the devices, such as maintenance personnel or intruders. Given the widespread deployment of Siemens SIPROTEC 5 devices across European power grids, any disruption could affect operational efficiency and situational awareness. However, the low severity and automatic device reset mitigate the risk of prolonged outages. Still, in high-security environments or where USB network interfaces are critical for operational workflows, this vulnerability could be exploited to cause nuisance DoS or complicate incident response. The lack of impact on confidentiality and integrity reduces the risk of data compromise or control manipulation, but availability impacts remain a concern in safety-critical systems.
Mitigation Recommendations
1. Restrict physical access to SIPROTEC 5 devices, especially their USB ports, through enhanced physical security controls such as locked cabinets, surveillance, and access logging.
2. Implement strict personnel vetting and monitoring to reduce insider threat risks.
3. Disable or restrict USB network interfaces if not required for operational purposes to eliminate the attack surface.
4. Monitor device logs and network traffic for unusual high-bandwidth activity on USB interfaces that could indicate exploitation attempts.
5. Coordinate with Siemens for timely firmware updates or patches once available and plan for scheduled device maintenance to apply fixes.
6. Employ network segmentation and isolation strategies to limit exposure of critical devices to unauthorized access.
7. Develop incident response procedures specifically addressing DoS conditions on SIPROTEC devices to ensure rapid recovery and continuity.
8. Consider deploying additional redundant protection relays or failover mechanisms to maintain grid stability in case of device resets or outages.
Affected Countries
Germany, France, United Kingdom, Italy, Spain, Poland, Netherlands, Belgium, Sweden, Norway
Technical Details
- Data Version: 5.1
- Assigner Short Name: siemens
- Date Reserved: 2025-04-16T08:20:17.031Z
- CVSS Version: 3.1
- State: PUBLISHED
Threat ID: 689b2661ad5a09ad003132d0
Added to database: 8/12/2025, 11:32:49 AM
Last enriched: 8/12/2025, 11:51:57 AM
Last updated: 8/19/2025, 12:34:30 AM