Operators of Siemens SIPROTEC 5 protection relays must urgently assess and patch their devices after the U.S. Cybersecurity and Infrastructure Security Agency (CISA) amplified an alert about a serious session hijacking vulnerability. The flaw, tracked as CVE-2024-54017, stems from the devices generating insufficiently random session identifiers, which could let an attacker take over authenticated web sessions and manipulate critical protection settings. With these relays deployed across electrical substations worldwide, the potential fallout includes unauthorized tripping, delayed fault clearance, or even cascading grid instability.
CISA republished Siemens ProductCERT advisory SSA-786884 on May 14, 2026, signaling the ongoing risk to critical infrastructure. The original advisory first appeared in early 2025, but many asset owners have yet to apply the necessary firmware updates or compensations. Because these devices often sit in physically isolated OT environments, security teams frequently overlook them until regulators or incidents force action. That complacency is precisely what threat actors count on.
What Makes CVE-2024-54017 So Dangerous
The core issue lies in the weak pseudo‑random number generator (PRNG) used to create session cookies and URL tokens within the SIPROTEC 5’s embedded web server. Instead of leveraging a cryptographically secure random source, the firmware relies on predictable algorithms seeded with time‑of‑day or easily guessable values. An attacker who can observe a single valid session identifier—for example, by sniffing unencrypted HTTP traffic or performing a man‑in‑the‑middle attack—can then predict subsequent identifiers and impersonate a legitimate engineer.
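The contrast the advisory draws, as an added illustration that is not Siemens firmware code (the real SIPROTEC 5 implementation is not public): a token built from a time-of-day-seeded PRNG is reproducible by anyone who knows the seed, however long the token looks, while a CSPRNG token is not. The weak generator, the seed-space size and the log format are constructed assumptions.

```python
import math
import random
import secrets


def weak_session_id(seed_seconds: int) -> str:
    """Hypothetical weak generator: Mersenne Twister seeded with a clock value.
    The token is 128 bits long, but its only real entropy is the seed."""
    rng = random.Random(seed_seconds)
    return f"{rng.getrandbits(128):032x}"


def secure_session_id() -> str:
    """Hardened form: CSPRNG-backed 128-bit token (os.urandom underneath)."""
    return secrets.token_hex(16)


def is_reproducible(generate, trials: int = 5) -> bool:
    """True if repeated calls to a zero-argument generator yield the same token.
    For a session-ID generator this must be False."""
    first = generate()
    return all(generate() == first for _ in range(trials))


def effective_entropy_bits(token_bits: int, seed_space: int) -> float:
    """Effective entropy of a token: bounded by the seed space, not the token
    width. One day of one-second seeds is 86400 values, i.e. about 16.4 bits."""
    return min(float(token_bits), math.log2(seed_space))


if __name__ == "__main__":
    t = 1_700_000_000  # constructed clock value an attacker could infer
    print("weak reproducible:  ", is_reproducible(lambda: weak_session_id(t)))
    print("secure reproducible:", is_reproducible(secure_session_id))
    print("weak effective bits:", round(effective_entropy_bits(128, 86_400), 1))
```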
Once hijacked, the session gives the attacker the same privileges as the legitimate user. That typically includes the ability to:
- Modify protection parameters (overcurrent thresholds, distance zones, reclosing sequences)
- Issue trip or close commands to circuit breakers
- Disable or enable protection functions
- Upload malicious firmware or configuration files
- Extract sensitive grid topology data
Unlike enterprise IT systems, OT devices rarely employ additional layers like MFA or behavioral analytics. A successful session hijack therefore provides a direct path to operational impact.
Affected Product Lines and Firmware Versions
Siemens has confirmed that all SIPROTEC 5 series devices running firmware versions V7.80 and earlier are vulnerable. The affected product families include:
- 7SA86, 7SD86, 7SL86, 7SJ86, 7SK85, 7VE85, 7VK87, 7VU85 (distance and differential protection)
- 7SA87, 7SD87, 7SL87, 7SJ87 (multi‑functional protection)
- 7KE85 (bay controller)
- 7XS850 (SICAM A8000 extension modules)
Siemens has released firmware V7.82 to address CVE‑2024‑54017. The patch replaces the weak PRNG with a Cryptographically Secure Pseudo‑Random Number Generator (CSPRNG) and introduces proper session expiration management. If upgrading is not possible immediately, Siemens advises disabling the integrated web server (if not required) or restricting access to trusted management networks via firewalls and jump hosts.
Why OT Session Hijacking Is a Grid‑Level Threat
SIPROTEC 5 relays perform critical protection, automation, and control roles inside substations. A compromised relay can:
- Initiate false trips: An attacker could open a breaker, causing unnecessary outages. Repeated operations stress equipment and erode public confidence.
- Disable protection: By turning off differential or overcurrent settings, the attacker exposes transformers and lines to severe damage during actual faults.
- Create blind spots: Altering event logging and disturbance records lets an adversary hide their tracks and mask other malicious activities.
- Move laterally: Once inside the relay, an attacker may pivot to other IEDs, RTUs, or SCADA systems using the device’s communication protocols (IEC 61850, DNP3).
Because many utilities still rely on flat, unsegmented OT networks, a single compromise can quickly spread. Even worse, many SIPROTEC 5s are directly reachable from corporate IT networks due to misconfigured jump servers or overly permissive firewall rules.
Real‑World Exploitation Scenarios
Security researchers have demonstrated practical attacks against similar session‑management flaws in industrial devices. In controlled tests, they captured HTTP traffic between an engineer’s laptop and a relay, extracted the session cookie, and predicted the next valid cookie within minutes. Using that cookie, they accessed the relay’s web interface from a different IP address without triggering any alarms.
While no publicly reported incidents of CVE‑2024‑54017 being exploited in the wild exist as of this writing, the window for remediation is narrowing. Ransomware groups have increasingly targeted OT, and nation‑state actors routinely scan for known vulnerabilities in grid equipment. For example, the 2022 Pipedream malware toolkit specifically targeted Siemens and Schneider Electric devices, proving that attackers are actively developing OT‑centric exploits.
Immediate Steps for OT Security Teams
Siemens and CISA recommend a multi‑layered approach that goes beyond simply patching:
1. Apply the Firmware Update (V7.82)
This is the definitive fix. Schedule a maintenance window and upgrade all affected relays. Verify the firmware checksum and test protection functions after the update.
2. Disable Unnecessary Web Interfaces
If the local HMI or remote engineering is not required, disable the web server entirely via the device configuration. This removes the attack surface outright.
3. Segment and Micro‑segment OT Networks
Place SIPROTEC 5s in dedicated VLANs or firewall zones. Allow only authorized engineering workstations (EWS) to communicate with them, preferably over an encrypted channel like SSH or VPN. Use a bump‑in‑the‑wire encryption device if the relay does not natively support TLS for web traffic.
4. Monitor for Anomalous Sessions
Deploy OT‑aware intrusion detection systems (IDS) that can baseline normal engineering activity. Look for sudden spikes in web requests, access from unexpected IPs, or unusual configuration changes. Implement centralized logging from all relays to a SIEM.
5. Enforce Strict Access Control
Use role‑based access control (RBAC) on the relays, creating separate accounts for view‑only, operator, and engineer roles. Ensure each user has a unique, strong password—never share engineering accounts. Consider hardware tokens for jump‑server authentication.
6. Review and Harden IEC 61850 and DNP3 Interfaces
While the vulnerability is in the web interface, other protocols also carry session‑like tokens. Ensure that MMS and DNP3 secure authentication are enabled where possible, and audit the allowed‑command lists.
7. Conduct a Supply‑Chain Review
If you rely on third‑party integrators who remotely access relays, verify that their connections are tunneled over IPsec or TLS, and that they consistently use the patched firmware. Include these requirements in maintenance contracts.
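Detection logic for step 4, as an added example that is not part of the advisory or of any vendor tool: it parses constructed relay web-server log lines (the line format, session IDs, addresses and EWS allowlist are all assumptions) and raises the two alerts the earlier test scenario would have produced, a session ID reused from a second source IP and a configuration change from a host that is not an authorized engineering workstation.

```python
import re
from collections import defaultdict

# Constructed sample log in a hypothetical key=value format; a real relay or
# SIEM will use its own fields. Session 8c1f2a0d starts on an EWS and is
# then replayed from an unrelated host that pushes a settings change.
SAMPLE_LOG = """\
2025-03-04T10:15:02Z src=10.10.5.21 sid=8c1f2a0d method=GET path=/status
2025-03-04T10:16:40Z src=10.10.5.21 sid=8c1f2a0d method=POST path=/settings/overcurrent
2025-03-04T10:18:05Z src=172.16.9.77 sid=8c1f2a0d method=GET path=/status
2025-03-04T10:18:31Z src=172.16.9.77 sid=8c1f2a0d method=POST path=/settings/distance
2025-03-04T10:20:00Z src=10.10.5.22 sid=b7e03c91 method=GET path=/status
"""

# Assumed authorized engineering workstations (step 3 / step 5 of the guidance).
EWS_ALLOWLIST = {"10.10.5.21", "10.10.5.22"}

LINE_RE = re.compile(
    r"^(?P<ts>\S+) src=(?P<src>\S+) sid=(?P<sid>\S+) "
    r"method=(?P<method>\S+) path=(?P<path>\S+)$"
)


def parse(log_text: str) -> list[dict]:
    """Turn log lines into dicts; lines that do not match the format are skipped."""
    return [m.groupdict() for m in map(LINE_RE.match, log_text.splitlines()) if m]


def find_shared_sessions(events: list[dict]) -> dict[str, list[str]]:
    """Session IDs seen from more than one source IP -> {sid: sorted IPs}.
    A legitimate engineering session stays on one workstation."""
    ips = defaultdict(set)
    for e in events:
        ips[e["sid"]].add(e["src"])
    return {sid: sorted(v) for sid, v in ips.items() if len(v) > 1}


def find_unauthorized_changes(events: list[dict], allowlist=EWS_ALLOWLIST) -> list[dict]:
    """Configuration-changing requests (POST under /settings) from non-EWS hosts."""
    return [e for e in events
            if e["method"] == "POST" and e["path"].startswith("/settings")
            and e["src"] not in allowlist]


def alerts(log_text: str, allowlist=EWS_ALLOWLIST) -> list[str]:
    """Human-readable alert lines suitable for forwarding to a SIEM."""
    events = parse(log_text)
    out = [f"session {sid} reused from multiple hosts: {', '.join(ips)}"
           for sid, ips in find_shared_sessions(events).items()]
    out += [f"{e['ts']} config change {e['path']} from non-EWS host {e['src']}"
            for e in find_unauthorized_changes(events, allowlist)]
    return out
```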
Challenges Unique to the OT Environment
Patching protection relays is never trivial. Utilities often operate under strict change‑management procedures that require months of planning. A single misstep during an upgrade can cause an unexpected trip, potentially violating regulatory obligations. Moreover, many substations are unstaffed, forcing field crews to travel on‑site—a logistical headache that discourages frequent updates.
Compounding the problem, asset inventories are frequently outdated. Operators may not know exactly which relay types or firmware versions are installed in remote substations. Without an accurate asset‑management database, identifying all affected devices becomes nearly impossible. CISA’s advisory explicitly urges asset owners to perform a comprehensive inventory as the foundation of any mitigation effort.
Regulatory Pressure Is Mounting
In the United States, NERC CIP standards require utilities to identify and mitigate vulnerabilities within 120 days for high‑impact assets. Failure to address CVE‑2024‑54017 could be seen as a violation, potentially leading to fines of up to $1.5 million per day per violation. Similar deadlines exist under the EU’s NIS2 directive, which now classifies many energy companies as essential entities.
Beyond compliance, insurance carriers are raising the bar. Cyber insurers are increasingly denying coverage for incidents tied to known, unpatched vulnerabilities. In a recent AXA survey, 42% of industrial energy companies reported that their insurer had inquired about specific CVEs during underwriting. Keeping a vulnerable SIPROTEC 5 in production risks the denial of a legitimate claim after an incident.
How CVE‑2024‑54017 Fits Into Broader OT Trends
This isn’t the first time Siemens relays have drawn security scrutiny. In 2023, CVE‑2023‑43624 exposed a similar authentication bypass in the SIPROTEC 5’s SSH service. That pattern—weak authentication and session management bugs in OT devices—shows no signs of abating. As vendors rush to add Ethernet connectivity and web‑based HMI to every device, they often recycle decades‑old firmware with limited security features.
The research community is taking notice. Conferences like S4 and ICS Village regularly feature live‑hacking demonstrations against relays, and tools like Energize have made protocol‑level fuzzing more accessible. In this environment, CVE‑2024‑54017 is unlikely to remain unexploited for long.
What Siemens Is Doing Beyond the Patch
Siemens has issued updated hardening guidelines (available in the SIMATIC Security Recommendations document) and offers a free “Security Check” service for critical infrastructure clients. The company also plans to integrate CSPRNG and secure session management by default in the next major release, SIPROTEC 5 V8.00, expected in late 2026. In the meantime, they are conducting targeted outreach to national CERTs and industry ISACs to expand awareness.
The Bottom Line for OT Decision Makers
CVE‑2024‑54017 is a textbook case of “patch or perish.” The fix is available, the attack vector is well understood, and the potential impact is severe. Procrastination carries unacceptable risk. Even if you can’t upgrade immediately, you must implement compensating controls—disable web services, lock down firewall policies, and intensify monitoring. Document all measures carefully; regulators and insurers are watching.
Secure session management isn’t a luxury in the OT world anymore. It’s a prerequisite. The sooner grid operators treat their relays like the critical digital assets they’ve become, the sooner the sector can close the window on this and similar vulnerabilities.