SSA-139483

Siemens Security Advisory by Siemens ProductCERT

SSA-139483: File Upload Vulnerability in SIPROTEC 5 Using DIGSI5 Protocol

Publication Date:	2026-06-09
Last Update:	2026-06-09
Current Version:	V1.0
CVSS v3.1 Base Score:	6.1
CVSS v4.0 Base Score:	6.9

SUMMARY

SIPROTEC 5 is vulnerable to arbitrary file uploads by authenticated users using the DIGSI 5 protocol. This could allow an attacker to upload malicious configuration files, potentially causing a permanent denial of service condition.

As a mitigation measure, users of the CP050 and CP150 device models are advised to upgrade to version 9.90 or later. For CP300 device models, devices 7ST85 and 7ST86 are advised to upgrade to version 10.00 or later, while the remaining models should upgrade to version 9.90 or later. These versions introduce an allow-list feature that restricts arbitrary file uploads and reduces the risk associated with this vulnerability.

Siemens is preparing fix versions and recommends specific countermeasures for products where fixes are not, or not yet available.

KNOWN AFFECTED PRODUCTS

Un-/Collapse All

Affected Product and Versions	Remediation
SIPROTEC 5 - CP100 Devices	Show more details
SIPROTEC 5 7SA82 (CP100) All versions affected by CVE-2025-40808	Currently no fix is planned See further recommendations from section Mitigations
SIPROTEC 5 7SD82 (CP100) All versions affected by CVE-2025-40808	Currently no fix is planned See further recommendations from section Mitigations
SIPROTEC 5 7SJ81 (CP100) All versions affected by CVE-2025-40808	Currently no fix is planned See further recommendations from section Mitigations
SIPROTEC 5 7SJ82 (CP100) All versions affected by CVE-2025-40808	Currently no fix is planned See further recommendations from section Mitigations
SIPROTEC 5 7SK82 (CP100) All versions affected by CVE-2025-40808	Currently no fix is planned See further recommendations from section Mitigations
SIPROTEC 5 7SL82 (CP100) All versions affected by CVE-2025-40808	Currently no fix is planned See further recommendations from section Mitigations
SIPROTEC 5 7UT82 (CP100) All versions affected by CVE-2025-40808	Currently no fix is planned See further recommendations from section Mitigations
SIPROTEC 5 - CP150 Devices	Show more details
SIPROTEC 5 7SA82 (CP150) All versions affected by CVE-2025-40808	Currently no fix is available Users are advised to upgrade to V9.90 or later, which introduces an allow-list feature that restricts arbitrary file uploads See further recommendations from section Mitigations
SIPROTEC 5 7SD82 (CP150) All versions affected by CVE-2025-40808	Currently no fix is available Users are advised to upgrade to V9.90 or later, which introduces an allow-list feature that restricts arbitrary file uploads See further recommendations from section Mitigations
SIPROTEC 5 7SJ81 (CP150) All versions affected by CVE-2025-40808	Currently no fix is available Users are advised to upgrade to V9.90 or later, which introduces an allow-list feature that restricts arbitrary file uploads See further recommendations from section Mitigations
SIPROTEC 5 7SJ82 (CP150) All versions affected by CVE-2025-40808	Currently no fix is available Users are advised to upgrade to V9.90 or later, which introduces an allow-list feature that restricts arbitrary file uploads See further recommendations from section Mitigations
SIPROTEC 5 7SK82 (CP150) All versions affected by CVE-2025-40808	Currently no fix is available Users are advised to upgrade to V9.90 or later, which introduces an allow-list feature that restricts arbitrary file uploads See further recommendations from section Mitigations
SIPROTEC 5 7SL82 (CP150) All versions affected by CVE-2025-40808	Currently no fix is available Users are advised to upgrade to V9.90 or later, which introduces an allow-list feature that restricts arbitrary file uploads See further recommendations from section Mitigations
SIPROTEC 5 7SX82 (CP150) All versions affected by CVE-2025-40808	Currently no fix is available Users are advised to upgrade to V9.90 or later, which introduces an allow-list feature that restricts arbitrary file uploads See further recommendations from section Mitigations
SIPROTEC 5 7SY82 (CP150) All versions affected by CVE-2025-40808	Currently no fix is available Users are advised to upgrade to V9.90 or later, which introduces an allow-list feature that restricts arbitrary file uploads See further recommendations from section Mitigations
SIPROTEC 5 7UT82 (CP150) All versions affected by CVE-2025-40808	Currently no fix is available Users are advised to upgrade to V9.90 or later, which introduces an allow-list feature that restricts arbitrary file uploads See further recommendations from section Mitigations
SIPROTEC 5 - CP200 Devices	Show more details
SIPROTEC 5 6MD85 (CP200) All versions affected by CVE-2025-40808	Currently no fix is planned See further recommendations from section Mitigations
SIPROTEC 5 6MD86 (CP200) All versions affected by CVE-2025-40808	Currently no fix is planned See further recommendations from section Mitigations
SIPROTEC 5 7KE85 (CP200) All versions affected by CVE-2025-40808	Currently no fix is planned See further recommendations from section Mitigations
SIPROTEC 5 7SA86 (CP200) All versions affected by CVE-2025-40808	Currently no fix is planned See further recommendations from section Mitigations
SIPROTEC 5 7SA87 (CP200) All versions affected by CVE-2025-40808	Currently no fix is planned See further recommendations from section Mitigations
SIPROTEC 5 7SD86 (CP200) All versions affected by CVE-2025-40808	Currently no fix is planned See further recommendations from section Mitigations
SIPROTEC 5 7SD87 (CP200) All versions affected by CVE-2025-40808	Currently no fix is planned See further recommendations from section Mitigations
SIPROTEC 5 7SJ85 (CP200) All versions affected by CVE-2025-40808	Currently no fix is planned See further recommendations from section Mitigations
SIPROTEC 5 7SJ86 (CP200) All versions affected by CVE-2025-40808	Currently no fix is planned See further recommendations from section Mitigations
SIPROTEC 5 7SK85 (CP200) All versions affected by CVE-2025-40808	Currently no fix is planned See further recommendations from section Mitigations
SIPROTEC 5 7SL86 (CP200) All versions affected by CVE-2025-40808	Currently no fix is planned See further recommendations from section Mitigations
SIPROTEC 5 7SL87 (CP200) All versions affected by CVE-2025-40808	Currently no fix is planned See further recommendations from section Mitigations
SIPROTEC 5 7SS85 (CP200) All versions affected by CVE-2025-40808	Currently no fix is planned See further recommendations from section Mitigations
SIPROTEC 5 7ST85 (CP200) All versions affected by CVE-2025-40808	Currently no fix is planned See further recommendations from section Mitigations
SIPROTEC 5 7UT85 (CP200) All versions affected by CVE-2025-40808	Currently no fix is planned See further recommendations from section Mitigations
SIPROTEC 5 7UT86 (CP200) All versions affected by CVE-2025-40808	Currently no fix is planned See further recommendations from section Mitigations
SIPROTEC 5 7UT87 (CP200) All versions affected by CVE-2025-40808	Currently no fix is planned See further recommendations from section Mitigations
SIPROTEC 5 7VK87 (CP200) All versions affected by CVE-2025-40808	Currently no fix is planned See further recommendations from section Mitigations
SIPROTEC 5 - CP300 Devices	Show more details
SIPROTEC 5 6MD84 (CP300) All versions affected by CVE-2025-40808	Currently no fix is available Users are advised to upgrade to V9.90 or later, which introduces an allow-list feature that restricts arbitrary file uploads See further recommendations from section Mitigations
SIPROTEC 5 6MD85 (CP300) All versions affected by CVE-2025-40808	Currently no fix is available Users are advised to upgrade to V9.90 or later, which introduces an allow-list feature that restricts arbitrary file uploads See further recommendations from section Mitigations
SIPROTEC 5 6MD86 (CP300) All versions affected by CVE-2025-40808	Currently no fix is available Users are advised to upgrade to V9.90 or later, which introduces an allow-list feature that restricts arbitrary file uploads See further recommendations from section Mitigations
SIPROTEC 5 6MD89 (CP300) All versions affected by CVE-2025-40808	Currently no fix is available Users are advised to upgrade to V9.90 or later, which introduces an allow-list feature that restricts arbitrary file uploads See further recommendations from section Mitigations
SIPROTEC 5 6MU85 (CP300) All versions affected by CVE-2025-40808	Currently no fix is available Users are advised to upgrade to V9.90 or later, which introduces an allow-list feature that restricts arbitrary file uploads See further recommendations from section Mitigations
SIPROTEC 5 7KE85 (CP300) All versions affected by CVE-2025-40808	Currently no fix is available Users are advised to upgrade to V9.90 or later, which introduces an allow-list feature that restricts arbitrary file uploads See further recommendations from section Mitigations
SIPROTEC 5 7SA86 (CP300) All versions affected by CVE-2025-40808	Currently no fix is available Users are advised to upgrade to V9.90 or later, which introduces an allow-list feature that restricts arbitrary file uploads See further recommendations from section Mitigations
SIPROTEC 5 7SA87 (CP300) All versions affected by CVE-2025-40808	Currently no fix is available Users are advised to upgrade to V9.90 or later, which introduces an allow-list feature that restricts arbitrary file uploads See further recommendations from section Mitigations
SIPROTEC 5 7SD86 (CP300) All versions affected by CVE-2025-40808	Currently no fix is available Users are advised to upgrade to V9.90 or later, which introduces an allow-list feature that restricts arbitrary file uploads See further recommendations from section Mitigations
SIPROTEC 5 7SD87 (CP300) All versions affected by CVE-2025-40808	Currently no fix is available Users are advised to upgrade to V9.90 or later, which introduces an allow-list feature that restricts arbitrary file uploads See further recommendations from section Mitigations
SIPROTEC 5 7SJ85 (CP300) All versions affected by CVE-2025-40808	Currently no fix is available Users are advised to upgrade to V9.90 or later, which introduces an allow-list feature that restricts arbitrary file uploads See further recommendations from section Mitigations
SIPROTEC 5 7SJ86 (CP300) All versions affected by CVE-2025-40808	Currently no fix is available Users are advised to upgrade to V9.90 or later, which introduces an allow-list feature that restricts arbitrary file uploads See further recommendations from section Mitigations
SIPROTEC 5 7SK85 (CP300) All versions affected by CVE-2025-40808	Currently no fix is available Users are advised to upgrade to V9.90 or later, which introduces an allow-list feature that restricts arbitrary file uploads See further recommendations from section Mitigations
SIPROTEC 5 7SL86 (CP300) All versions affected by CVE-2025-40808	Currently no fix is available Users are advised to upgrade to V9.90 or later, which introduces an allow-list feature that restricts arbitrary file uploads See further recommendations from section Mitigations
SIPROTEC 5 7SL87 (CP300) All versions affected by CVE-2025-40808	Currently no fix is available Users are advised to upgrade to V9.90 or later, which introduces an allow-list feature that restricts arbitrary file uploads See further recommendations from section Mitigations
SIPROTEC 5 7SS85 (CP300) All versions affected by CVE-2025-40808	Currently no fix is available Users are advised to upgrade to V9.90 or later, which introduces an allow-list feature that restricts arbitrary file uploads See further recommendations from section Mitigations
SIPROTEC 5 7ST85 (CP300) All versions affected by CVE-2025-40808	Currently no fix is available Users are advised to upgrade to V10.00 or later, which introduces an allow-list feature that restricts arbitrary file uploads See further recommendations from section Mitigations
SIPROTEC 5 7ST86 (CP300) All versions affected by CVE-2025-40808	Currently no fix is available Users are advised to upgrade to V10.00 or later, which introduces an allow-list feature that restricts arbitrary file uploads See further recommendations from section Mitigations
SIPROTEC 5 7SX85 (CP300) All versions affected by CVE-2025-40808	Currently no fix is available Users are advised to upgrade to V9.90 or later, which introduces an allow-list feature that restricts arbitrary file uploads See further recommendations from section Mitigations
SIPROTEC 5 7UM85 (CP300) All versions affected by CVE-2025-40808	Currently no fix is available Users are advised to upgrade to V9.90 or later, which introduces an allow-list feature that restricts arbitrary file uploads See further recommendations from section Mitigations
SIPROTEC 5 7UT85 (CP300) All versions affected by CVE-2025-40808	Currently no fix is available Users are advised to upgrade to V9.90 or later, which introduces an allow-list feature that restricts arbitrary file uploads See further recommendations from section Mitigations
SIPROTEC 5 7UT86 (CP300) All versions affected by CVE-2025-40808	Currently no fix is available Users are advised to upgrade to V9.90 or later, which introduces an allow-list feature that restricts arbitrary file uploads See further recommendations from section Mitigations
SIPROTEC 5 7UT87 (CP300) All versions affected by CVE-2025-40808	Currently no fix is available Users are advised to upgrade to V9.90 or later, which introduces an allow-list feature that restricts arbitrary file uploads See further recommendations from section Mitigations
SIPROTEC 5 7VE85 (CP300) All versions affected by CVE-2025-40808	Currently no fix is available Users are advised to upgrade to V9.90 or later, which introduces an allow-list feature that restricts arbitrary file uploads See further recommendations from section Mitigations
SIPROTEC 5 7VK87 (CP300) All versions affected by CVE-2025-40808	Currently no fix is available Users are advised to upgrade to V9.90 or later, which introduces an allow-list feature that restricts arbitrary file uploads See further recommendations from section Mitigations
SIPROTEC 5 7VU85 (CP300) All versions affected by CVE-2025-40808	Currently no fix is available Users are advised to upgrade to V9.90 or later, which introduces an allow-list feature that restricts arbitrary file uploads See further recommendations from section Mitigations
SIPROTEC 5 Compact 7SX800 (CP050) All versions affected by CVE-2025-40808	Currently no fix is available Users are advised to upgrade to V9.90 or later, which introduces an allow-list feature that restricts arbitrary file uploads See further recommendations from section Mitigations

MITIGATIONS

Siemens has identified the following specific mitigations that customers can apply to reduce the risk:

For the available devices [CP050, CP100, CP150 and CP300] , activate role based access control (RBAC) in the device (supported in SIPROTEC 5 firmware versions V7.80 and higher)
Apply password protection to all DIGSI connections to ensure secure communication
For DIGSI access provision your own certificates signed by your customer PKI as described in https://support.industry.siemens.com/cs/document/109768375

Product-specific remediations or mitigations can be found in the section Known Affected Products.
Please follow the General Security Recommendations.

GENERAL SECURITY RECOMMENDATIONS

Operators of critical power systems (e.g. TSOs or DSOs) worldwide are usually required by regulations to build resilience into the power grids by applying multi-level redundant secondary protection schemes. It is therefore recommended that the operators check whether appropriate resilient protection measures are in place. The risk of cyber incidents impacting the grid's reliability can thus be minimized by virtue of the grid design. Siemens strongly recommends applying the provided security updates using the corresponding tooling and documented procedures made available with the product. If supported by the product, an automated means to apply the security updates across multiple product instances may be used. Siemens strongly recommends prior validation of any security update before being applied, and supervision by trained staff of the update process in the target environment. As a general security measure Siemens strongly recommends to protect network access with appropriate mechanisms (e.g. firewalls, segmentation, VPN). It is advised to configure the environment according to our operational guidelines in order to run the devices in a protected IT environment.

Recommended security guidelines can be found at: https://www.siemens.com/gridsecurity

PRODUCT DESCRIPTION

SIPROTEC 5 and SIPROTEC 5 Compact devices provide a range of integrated protection, control, measurement, and automation functions for electrical substations and other fields of application.

VULNERABILITY DESCRIPTION

Un-/Collapse All

This chapter describes all vulnerabilities (CVE-IDs) addressed in this security advisory. Wherever applicable, it also documents the product-specific impact of the individual vulnerabilities.

Vulnerability CVE-2025-40808

The affected application allows authenticated users to upload arbitrary files using DIGSI 5 protocol. This could allow an attacker to upload malicious configuration files, that could cause denial of service condition and potentially lead to code execution.

CVSS v3.1 Base Score	6.1
CVSS v3.1 Vector	CVSS:3.1/AV:A/AC:L/PR:H/UI:N/S:U/C:N/I:H/A:H
CVSS v4.0 Base Score	6.9
CVSS v4.0 Vector	CVSS:4.0/AV:A/AC:L/AT:N/PR:H/UI:N/VC:N/VI:H/VA:H/SC:N/SI:N/SA:N
CWE	CWE-434: Unrestricted Upload of File with Dangerous Type

ACKNOWLEDGMENTS

Siemens thanks the following party for its efforts:

Humza Ahmand from ENCS for reporting the vulnerability

ADDITIONAL INFORMATION

For further inquiries on security vulnerabilities in Siemens products and solutions, please contact the Siemens ProductCERT: https://www.siemens.com/cert/advisories

HISTORY DATA

V1.0 (2026-06-09):

Publication Date

The use of Siemens Security Advisories is subject to the terms and conditions listed on: https://www.siemens.com/productcert/terms-of-use.