CISA has elevated a Siemens advisory on CVE-2025-40808, warning that authenticated attackers can abuse the DIGSI 5 engineering protocol to upload arbitrary files to a broad range of SIPROTEC 5 protection relays. The June 23, 2026 re-released advisory stresses that while exploitation requires valid user credentials, the potential impact on electrical grid operations makes this a high-severity concern for critical infrastructure.

The vulnerability sits at the intersection of industrial control system (ICS) security and power system reliability. SIPROTEC 5 devices are deployed worldwide in transmission and distribution substations to provide protection, automation, and monitoring. They are the digital guardians of power flow, tripping breakers and isolating faults in milliseconds. Any compromise of these devices can cascade into widespread outages.

What Are SIPROTEC 5 and DIGSI 5?

SIPROTEC 5 is Siemens’ fifth-generation platform for protection relays, bay controllers, and monitoring units. The family spans dozens of models—from overcurrent to differential protection—all configurable via a single engineering tool: DIGSI 5. This software allows engineers to set parameters, upload firmware, and manage device configurations. Communication between DIGSI 5 and SIPROTEC 5 devices uses a proprietary protocol designed specifically for this engineering interface.

Engineers rely on DIGSI 5 to perform critical tasks remotely, often over substation local-area networks or even wide-area connections. The protocol supports file transfers for firmware updates, configuration dumps, and parameter files. It is within this file-upload functionality that CVE-2025-40808 resides.

Vulnerability Details

The core issue is an improper input validation flaw in the file-upload mechanism of the DIGSI 5 protocol. An authenticated user—someone who has successfully logged in to a SIPROTEC 5 device—can send crafted file-upload requests that bypass normal checks on file type, name, or destination. The advisory explicitly states that “authenticated users can upload arbitrary files.”
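
To make the bug class concrete, here is an added illustration in Python. It is not Siemens code and is not derived from the DIGSI 5 protocol, whose actual upload checks are not described in the advisory. It shows an upload handler written the way improper-input-validation bugs usually look, beside a hardened one that validates name, type, size and destination, enforces a file-upload role rather than mere login, and refuses content whose digest is not on an operator-approved manifest. The class and constant names, the permitted file types, the manifest and the sample image are all assumptions.

```python
import hashlib
import re
import tempfile
from pathlib import Path

# Hypothetical policy: the upload categories an engineering tool is expected to send.
ALLOWED_TYPES = {".cfg", ".bin", ".cid"}     # parameter file, firmware image, IEC 61850 CID
MAX_BYTES = 8 * 1024 * 1024                  # assumed size ceiling
SAFE_NAME = re.compile(r"^[A-Za-z0-9][A-Za-z0-9_.-]{0,63}$")  # one path component, no separators


class UploadRejected(Exception):
    pass


class VulnerableStore:
    """The bug class: any authenticated user, any name, any resolvable destination."""

    def __init__(self, root):
        self.root = Path(root)

    def upload(self, user, name, data):
        target = self.root / name            # "../x.bin" walks out of the relay's file root
        target.parent.mkdir(parents=True, exist_ok=True)
        target.write_bytes(data)
        return target


class HardenedStore:
    """Same interface; every property of the upload is checked before anything is written."""

    def __init__(self, root, approved_digests):
        self.root = Path(root).resolve()
        self.staging = self.root / "staging"
        self.staging.mkdir(parents=True, exist_ok=True)
        self.approved = approved_digests     # hypothetical manifest: file name -> expected SHA-256

    def upload(self, user, name, data):
        if "file_upload" not in user.get("roles", ()):
            raise UploadRejected("role lacks file_upload")          # least privilege, not just "logged in"
        if not SAFE_NAME.match(name):
            raise UploadRejected("unsafe file name")                # blocks separators and dot-prefixed names
        if Path(name).suffix.lower() not in ALLOWED_TYPES:
            raise UploadRejected("file type not permitted")
        if len(data) > MAX_BYTES:
            raise UploadRejected("file too large")
        target = (self.staging / name).resolve()
        if target.parent != self.staging:
            raise UploadRejected("destination outside staging")     # defence in depth behind SAFE_NAME
        if self.approved.get(name) != hashlib.sha256(data).hexdigest():
            raise UploadRejected("digest not in approved manifest") # content is checked before it is stored
        target.write_bytes(data)
        return target


def demo():
    """Run both stores against the same inputs and return what each one did."""
    with tempfile.TemporaryDirectory() as tmp:
        root = (Path(tmp) / "relay").resolve()
        root.mkdir()
        image = b"\x7fELF constructed sample firmware image"     # constructed, not a real image
        engineer = {"name": "eng01", "roles": ["file_upload"]}

        weak = VulnerableStore(root)
        escaped = weak.upload(engineer, "../escaped.bin", image)
        wrote_outside_root = root not in escaped.resolve().parents

        hard = HardenedStore(root, {"app.bin": hashlib.sha256(image).hexdigest()})
        stored = hard.upload(engineer, "app.bin", image)
        attempts = [
            ("../escaped.bin", image, engineer),          # traversal
            ("app.bin", image, {"roles": ["view"]}),      # authenticated but wrong role
            ("drop.sh", image, engineer),                 # unexpected type
            ("app.bin", image + b"\x00", engineer),       # tampered content
        ]
        rejections = []
        for name, data, who in attempts:
            try:
                hard.upload(who, name, data)
            except UploadRejected as exc:
                rejections.append(str(exc))
        return {
            "weak_wrote_outside_root": wrote_outside_root,
            "hard_stored_in_staging": stored.parent == hard.staging,
            "rejections": rejections,
        }


if __name__ == "__main__":
    print(demo())
```

The order of the checks matters: authorization is decided before the name is even parsed, and the content digest is verified before the file touches storage, so a tampered image never exists on the device even transiently. The manifest stands in for whatever signed artifact list a vendor would ship; a real implementation would verify a signature rather than a pre-shared hash table.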

Siemens has assigned CVE-2025-40808 to track this flaw. The CISA advisory excerpt we received does not quote a CVSS score; authenticated arbitrary file-upload bugs in embedded devices are commonly rated high (CVSS 8.0 to 8.8 is typical) because, depending on where the file lands and what consumes it, they can lead to code execution. Treat that range as an estimate until the published vector is checked. If the upload path lets an attacker replace a firmware image, a configuration file, or any other file the device loads at boot or on demand, the relay is effectively under their control.

This is not an unauthenticated attack: the attacker must first log in with valid DIGSI 5 credentials. That prerequisite lowers the immediate criticality somewhat, but in many operational environments credentials are shared among maintenance teams, cached on jump hosts, or left at factory defaults. Lateral movement from a compromised engineering workstation or a stolen VPN credential could supply all the authentication an attacker needs.

Affected Products

The advisory covers “many SIPROTEC 5 protection devices.” Based on Siemens’ typical approach, this likely includes the following series:

  • SIPROTEC 5 7SJ8 (overcurrent and feeder protection)
  • SIPROTEC 5 7SA8 (distance protection)
  • SIPROTEC 5 7SD8 (line differential protection)
  • SIPROTEC 5 7UT8 (transformer protection)
  • SIPROTEC 5 7VK8 (breaker management)
  • SIPROTEC 5 6MD8 bay controllers (6MD85, 6MD86)

All devices running firmware versions prior to the fixed release are considered vulnerable. Exact affected and fixed version numbers were not included in the excerpt we received; Siemens publishes them per device in its ProductCERT advisory, and that list, not the inferred series above, should drive your asset inventory check.

Attack Scenario and Exploit Impact

Once an attacker has valid DIGSI 5 credentials, obtained through phishing, reuse of a shared maintenance password, or harvesting them from an unsecured project file or engineering workstation, they can connect to a SIPROTEC 5 device over TCP/IP. Note that TCP port 102 carries IEC 61850 MMS and port 502 carries Modbus/TCP; the DIGSI 5 engineering protocol listens on its own TCP port, which is documented in the Siemens SIPROTEC 5 communication manual and is the one your firewall rules and monitoring should key on. From there, the attacker submits a crafted file-upload request. The device stores the file without sufficient validation, potentially in a location where it is executed or loaded into the device’s operating environment.

Possible malicious payloads include:
- Malicious firmware images that replace the relay’s runtime code.
- Scripts or configuration files that alter protection logic, causing the relay to ignore faults or trip inappropriately.
- Persistent backdoors that survive reboots and patches.
- Data exfiltration tools that siphon sensitive operational parameters.

The practical damage ranges from nuisance tripping to catastrophic blackouts. An attacker could, for example, modify differential protection settings so that a fault on a critical transmission line goes undetected, eventually causing equipment damage. Alternatively, they could trigger a false trip during peak demand, destabilizing the grid. Because SIPROTEC 5 devices often participate in IEC 61850 GOOSE messaging, a compromised relay could inject forged packets that cascade across the substation network.

Mitigation and Recommendations

Siemens has released a firmware update that addresses CVE-2025-40808. The primary recommendation is to apply this update immediately. CISA echoes this and adds a layered set of defensive measures:

  • Patch promptly: Upgrade all SIPROTEC 5 devices to the fixed firmware version. Check Siemens’ ProductCERT portal for the applicable release.
  • Network segmentation: Place engineering access (DIGSI 5 traffic) on a dedicated, isolated network segment. Use firewalls to block DIGSI 5 protocol traffic from IT networks and the internet.
  • Strong authentication: Enforce complex, unique credentials for each device. Use centralized authentication (RADIUS, LDAP) where supported. Disable default accounts.
  • Least privilege: Limit user roles so that only a minimal number of accounts have file-upload rights. Audit and rotate credentials regularly.
  • Monitor and detect: Instrument networks to flag unusual DIGSI 5 file-upload activity. Look for unexpected connections, large file transfers, or changes in firmware checksums.
  • Physical security: Prevent unauthorized physical access to substations, as some DIGSI 5 interactions can be carried out via front-panel ports.
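
As an added illustration of the “monitor and detect” item above (not Siemens tooling, and not based on any real SIPROTEC 5 or DIGSI 5 log format), here is a Python triage routine. It parses constructed engineering-access log lines in an assumed key=value layout, flags file uploads that come from outside the engineering segment, that are unusually large, or that fall outside the maintenance window, and then compares observed firmware digests against a commissioning baseline, attributing any drift to the last upload logged for that relay. The segment, thresholds, window, relay names and digests are all assumptions.

```python
import ipaddress
import re
from datetime import datetime, timezone

# Hypothetical policy for one substation.
ENGINEERING_NET = ipaddress.ip_network("10.20.30.0/24")   # where DIGSI 5 workstations should live
LARGE_UPLOAD = 1_000_000                                   # bytes; parameter files are far smaller
MAINT_WINDOW = range(8, 18)                                # UTC hours when engineering work is scheduled

# Constructed log lines in an assumed key=value layout; not a real SIPROTEC 5 or DIGSI 5 format.
LOG_LINES = """\
2026-06-24T09:12:01Z relay=7SA86-01 src=10.20.30.7 user=eng01 action=login
2026-06-24T09:13:40Z relay=7SA86-01 src=10.20.30.7 user=eng01 action=file_upload name=params.cfg bytes=42120
2026-06-24T02:13:05Z relay=7SD87-02 src=192.0.2.45 user=maint action=login
2026-06-24T02:14:11Z relay=7SD87-02 src=192.0.2.45 user=maint action=file_upload name=app.bin bytes=3145728
2026-06-24T10:02:17Z relay=7UT86-03 src=10.20.30.9 user=eng02 action=file_upload name=relay.cid bytes=88012
""".splitlines()

# Constructed firmware digests: the baseline taken at commissioning and what a sweep reads back now.
BASELINE = {"7SA86-01": "sha256:c1a4", "7SD87-02": "sha256:b2e7", "7UT86-03": "sha256:a3f0"}
OBSERVED = {"7SA86-01": "sha256:c1a4", "7SD87-02": "sha256:9d11", "7UT86-03": "sha256:a3f0"}

KV = re.compile(r"(\w+)=(\S+)")


def parse(line):
    """Turn one log line into a dict with a timezone-aware timestamp and an int byte count."""
    stamp, rest = line.split(" ", 1)
    rec = dict(KV.findall(rest))
    rec["ts"] = datetime.strptime(stamp, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)
    rec["bytes"] = int(rec.get("bytes", 0))
    return rec


def triage(lines, baseline, observed):
    """Return one finding per suspicious upload and one per relay whose firmware digest moved."""
    uploads = sorted((r for r in map(parse, lines) if r["action"] == "file_upload"),
                     key=lambda r: r["ts"])
    findings = []
    for r in uploads:
        reasons = []
        if ipaddress.ip_address(r["src"]) not in ENGINEERING_NET:
            reasons.append("source outside engineering segment")
        if r["bytes"] >= LARGE_UPLOAD:
            reasons.append("large transfer")
        if r["ts"].hour not in MAINT_WINDOW:
            reasons.append("outside maintenance window")
        if reasons:
            findings.append({"kind": "upload", "relay": r["relay"], "user": r["user"],
                             "src": r["src"], "name": r.get("name"), "reasons": reasons})
    for relay, digest in observed.items():
        if baseline.get(relay) != digest:
            # Attribute the drift to the most recent upload this relay received, if any was logged.
            last = next((r for r in reversed(uploads) if r["relay"] == relay), None)
            findings.append({"kind": "firmware_drift", "relay": relay,
                             "user": last["user"] if last else None,
                             "src": last["src"] if last else None,
                             "name": last.get("name") if last else None,
                             "reasons": ["firmware digest drift"]})
    return findings


if __name__ == "__main__":
    for finding in triage(LOG_LINES, BASELINE, OBSERVED):
        print(finding)
```

A drift finding with no attributable upload is itself worth escalating: it means the image changed through a path the logs did not see, such as a front-panel port. Feed the real relay’s engineering-access events and a scheduled digest sweep into the same shape and the three checks transfer unchanged.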

CISA also recommends implementing a robust system backup and recovery plan. Since the vulnerability requires authentication, reviewing access logs for suspicious logins can help identify potential exploitation before damage occurs.

The Bigger Picture for Grid Security

The emergence of CVE-2025-40808 underscores a widening threat surface in electric power systems. Digitization with protocols like DIGSI 5, IEC 61850, and vendor-specific engineering interfaces brings efficiency but also expands the attack vector set. Adversaries—nation-state groups, criminal actors, and hacktivists—are increasingly targeting ICS components. A March 2026 joint advisory from Five Eyes intelligence agencies highlighted a rise in cyber operations against substation automation gear.

Siemens has a mature vulnerability handling program, and the speedy issuance of this advisory with a CVE demonstrates coordinated disclosure. However, the defense of these devices often lags. Many utilities operate on long upgrade cycles, and relays installed a decade ago may still run insecure firmware. The gap between advisory publication and field remediation can stretch years, leaving grids exposed.

The authentication requirement, while a mitigating factor, is not a silver bullet. The 2021 Colonial Pipeline ransomware attack began with a single compromised VPN password on an account that had no multi-factor authentication. In ICS environments, where availability often trumps security, credentials are rarely hardened. A single stolen engineering laptop could provide the keys to dozens of SIPROTEC 5 devices.

Moving Forward

Utilities and transmission operators should treat this advisory with urgency. Beyond patching CVE-2025-40808, a thorough review of how DIGSI 5 is used across the enterprise is warranted. Deploying application-layer gateways that restrict the DIGSI 5 protocol to legitimate operations can add a safety net. For asset owners unable to patch immediately, network microsegmentation and strict access controls are essential stopgaps.

Manufacturers must also evolve. Future DIGSI protocol iterations should validate every uploaded artifact on the device itself (name, type, destination, size and, above all, a cryptographic signature checked before the file is stored or acted upon) rather than trusting that the engineering tool sent something sensible. Mutual authentication between tool and relay, with per-user rather than shared credentials, would further reduce the blast radius of such flaws.

CVE-2025-40808 is a wake-up call—not the first and certainly not the last—that securing engineering interfaces is as critical as securing operational networks. In an age where the grid is both a physical and digital backbone, every authenticated file upload is a potential pivot point for adversaries. The window between disclosure and exploitation is shrinking; the time to act is now.