An attacker with physical access to a Siemens SIPROTEC 5 protection relay can halt its network communications within seconds by flooding the USB port with specially crafted packets. The vulnerability, designated CVE-2025-40570, affects dozens of relay models deployed in transmission and distribution substations worldwide. Siemens has released firmware version V10.0 to close the hole, and the U.S. Cybersecurity and Infrastructure Security Agency (CISA) is urging asset owners to patch or lock down physical access immediately.

Vulnerability Deep Dive

The flaw exists because affected devices place no cap on the bandwidth of incoming network traffic over their local USB interfaces. An attacker who plugs in a malicious device—even a USB stick with a high-speed packet generator—can exhaust the relay’s volatile memory, forcing it to stop responding on that port and then automatically reset. The protection function itself remains intact; the device still trips and isolates faults. But the communications plane goes dark, cutting off monitoring, event logging, and remote control until the reset completes.

Siemens classifies the weakness as CWE-770, Allocation of Resources Without Limits or Throttling. CVSS scores sit at 2.4 under both v3.1 and v4.0, reflecting the prerequisite of physical access and the limited impact on confidentiality or integrity. The vector strings highlight the attack path: physical (AV:P), low complexity (AC:L), no privileges required (PR:N), no user interaction (UI:N). Exploitation causes a temporary availability hit (A:L) but no data theft or command injection.

CISA’s advisory, published in mid‑August 2025, explicitly states that the vulnerability is not remotely exploitable. However, the agency and Siemens warn that an insider or contractor with legitimate access to a protection panel or engineering workstation could weaponize the USB port to create confusion during a real grid event or to mask concurrent attacks.

Massive Footprint: Which SIPROTEC 5 Models Are Exposed

Every SIPROTEC 5 variant with an older CP050, CP150, or CP300 communication processor is in scope until updated. Siemens lists more than 30 specific relay types, including:

  • CP300-based lines (affected firmware from V7.80 up to but not including V10.0, or for some models any version prior to V10.0): 6MD84, 6MD85, 6MD86, 6MD89, 6MU85, 7KE85, 7SA86, 7SA87, 7SD86, 7SD87, 7SJ85, 7SJ86, 7SK85, 7SL86, 7SL87, 7SS85, 7ST85, 7ST86, 7SX85, 7UM85, 7UT85, 7UT86, 7UT87, 7VE85, 7VK87, 7VU85
  • CP150 and CP050 devices (affected on any firmware older than V10.0): 7SA82, 7SD82, 7SJ81, 7SJ82, 7SK82, 7SL82, 7SX82, 7SY82, 7UT82, and the Compact 7SX800 (CP050).

Operators must cross‑reference their installed firmware with the exhaustive table in Siemens’ ProductCERT advisory SSA‑894058, because a few models have different version thresholds. The patch—V10.0 or later—closes the USB bandwidth gate for all listed devices.
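As an added example (not Siemens' code or the advisory table), the following triage flags inventory entries whose model is listed above and whose firmware sits below V10.0, comparing versions numerically so that V7.80 is not mistaken for a release newer than V10.0. It encodes only the general rule from the article; the per-model thresholds in SSA-894058 are not reproduced, and the inventory records are constructed.

```python
"""Triage of a relay inventory against CVE-2025-40570 (added example, not Siemens' code).
Model lists and the 'older than V10.0' rule come from the advisory summary above; the
inventory records are constructed and per-model exceptions in SSA-894058 are not encoded."""
import re
from typing import NamedTuple

FIXED_VERSION = "V10.0"  # first firmware that caps USB-port bandwidth

# Model families listed for each communication processor.
AFFECTED_MODELS = {
    "CP300": {"6MD84", "6MD85", "6MD86", "6MD89", "6MU85", "7KE85", "7SA86", "7SA87",
              "7SD86", "7SD87", "7SJ85", "7SJ86", "7SK85", "7SL86", "7SL87", "7SS85",
              "7ST85", "7ST86", "7SX85", "7UM85", "7UT85", "7UT86", "7UT87", "7VE85",
              "7VK87", "7VU85"},
    "CP150": {"7SA82", "7SD82", "7SJ81", "7SJ82", "7SK82", "7SL82", "7SX82", "7SY82", "7UT82"},
    "CP050": {"7SX800"},
}

class Relay(NamedTuple):
    name: str
    model: str
    cpu: str
    firmware: str

def version_key(version: str) -> tuple:
    """Turn 'V7.80' or 'V10.0' into an integer tuple for comparison.
    Comparing the raw strings would rank 'V7.80' above 'V10.0', hiding affected units."""
    m = re.fullmatch(r"V?(\d+(?:\.\d+)*)", version.strip())
    if not m:
        raise ValueError(f"unrecognised firmware version: {version!r}")
    return tuple(int(p) for p in m.group(1).split("."))

def is_affected(relay: Relay) -> bool:
    """Conservative rule: listed model for its CPU type and any firmware below V10.0."""
    listed = relay.model in AFFECTED_MODELS.get(relay.cpu, set())
    return listed and version_key(relay.firmware) < version_key(FIXED_VERSION)

def triage(inventory) -> list:
    """Names of relays that still need the V10.0 update or compensating controls."""
    return [r.name for r in inventory if is_affected(r)]

# Constructed inventory records (names and versions are illustrative only).
SAMPLE_INVENTORY = [
    Relay("SUB-A feeder 1", "7SJ85", "CP300", "V8.30"),
    Relay("SUB-A line protection", "7SA87", "CP300", "V10.0"),
    Relay("SUB-B compact", "7SX800", "CP050", "V9.60"),
    Relay("SUB-B transformer", "7UT82", "CP150", "V10.1"),
]
```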

Why a Low‑Score USB Flaw Demands Immediate Action

A CVSS score of 2.4 typically relegates a vulnerability to the “low priority” bin. But in industrial control systems, context upends scoring. Three operational realities turn CVE‑2025‑40570 into a high‑stakes risk:

  1. Physical access is more common than defenders assume. Substations often house multiple vendors’ gear behind a single unlocked cabinet. Maintenance crews, third‑party contractors, and remote‑site caretakers may have unsupervised access. A USB port on a relay is an intended engineering interface—locking it down is not standard practice in many utilities.
  2. Communications loss can cascade. Even if the relay’s trip logic keeps running, a temporary loss of event reporting can blind operators to coincident faults, delay grid restoration, or mask a coordinated cyber‑physical attack. SCADA systems may flag the relay as unreachable, triggering unnecessary field dispatches.
  3. Patch cycles in OT are measured in quarters or years. Upgrading firmware on a protection relay requires a maintenance window, interoperability testing with DIGSI 5 engineering software, and sometimes a full outage. Many fleets still run firmware well below V10.0, and some older CPU variants may never receive a fix.

Patching Complexity: Firmware Updates in the Real Grid

Siemens ProductCERT has mapped fixed releases to every affected model, but the path to V10.0 is not a single click. Protection engineers must:
- Obtain the correct firmware package from the Siemens support portal, matching the relay’s CPU type (CP050, CP150, CP300) and the specific model.
- Load the update via the DIGSI 5 toolchain, often during a scheduled outage because the relay reboots after flashing.
- Re‑validate protection settings, communication mappings, and interoperability with station controllers (IEC 61850, DNP3, or Modbus).

Utilities with large fleets may need to stage the rollout over several months. Meanwhile, for models where Siemens has indicated “no fix planned” or “fix not yet available,” operators must rely solely on compensating controls.

Immediate Mitigations for All Affected Devices

Both Siemens and CISA urge a defense‑in‑depth approach while patching progresses:

  • Restrict physical access. Lock relay enclosures, use tamper‑evident seals, log all cabinet openings, and enforce escorts for visitors. For remote sites, deploy cameras or intrusion sensors.
  • Disable unused interfaces. If the USB port is not required for routine maintenance, deactivate it via device configuration. DIGSI 5 allows disabling physical ports on many models.
  • Isolate management networks. Place relays on a dedicated OT VLAN, accessible only through hardened jump hosts. Block all USB‑related traffic profiles at the managed switch if possible.
  • Apply the firmware update. For all models where V10.0 is available, schedule the upgrade using Siemens’ documented procedures. Perform a pilot on a representative device first.
  • Monitor for USB‑triggered resets. Configure your SIEM or OT monitoring platform to alert on repeated relay reboots or unusual USB interface activity. A spike in syslog “link down/link up” messages on the management port may indicate an attack.

CISA reminds asset owners to conduct a proper impact analysis and risk assessment before deploying any defensive measure. The agency’s advisory also points to ICS‑TIP‑12‑146‑01B for detection strategies and emphasizes that VPNs, firewalls, and network segmentation are essential but insufficient if physical access is uncontrolled.

For Windows and IT Teams: Bridging the OT Gap

Many Windows‑based IT teams support the very engineering workstations and jump servers that touch SIPROTEC relays. A few practical steps can harden that boundary:

  • Share asset inventories. Ensure SIPROTEC 5 units appear in the enterprise CMDB alongside their firmware versions and CPU types. Cross‑domain visibility eliminates blind spots.
  • Harden engineering laptops. Enforce removable‑media policies: block USB mass storage or require device control software that logs all USB connections. Keep operating systems and endpoint protection current.
  • Restrict jump‑host paths. Windows servers used for DIGSI 5 or remote access should reside in a dedicated management zone. Log all logins and file transfers; use Privileged Access Management (PAM) sessions to record engineer activity.
  • Validate backup procedures. Before mass patching, confirm that firmware rollbacks and configuration restores work reliably in a lab. A botched update can brick a relay just as surely as an attack.
  • Include OT‑specific playbooks in the SOC. Add detection rules for unexplained USB interface resets, sudden reboots on ICS subnets, or unusual traffic spikes on management VLANs. Train analysts to correlate these events with grid status.
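As an added example that is neither a Siemens nor a CISA rule, the following detection implements what the monitoring bullet in the mitigations list and the SOC playbook bullet above describe: counting a relay's management-port link-down and reset messages in a sliding window and alerting when they cluster, while a single benign blip stays quiet. The syslog line format, hostnames, window and threshold are constructed assumptions to adapt to the real fields your relays emit.

```python
"""Sliding-window detection of repeated link-down/reset events per relay (added
example, not a vendor rule). Log format, hostnames and thresholds are constructed."""
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed syslog lines: rel-07 flaps and resets, rel-03 has one benign blip.
SAMPLE_LOG = """\
2025-08-19T10:04:10 rel-07 link: eth-mgmt link down
2025-08-19T10:04:12 rel-07 link: eth-mgmt link up
2025-08-19T10:04:40 rel-07 link: eth-mgmt link down
2025-08-19T10:04:41 rel-07 system: device reset
2025-08-19T10:05:03 rel-07 link: eth-mgmt link up
2025-08-19T10:05:30 rel-07 link: eth-mgmt link down
2025-08-19T11:30:00 rel-03 link: eth-mgmt link down
2025-08-19T11:30:02 rel-03 link: eth-mgmt link up
"""

LINE_RE = re.compile(r"^(\S+) (\S+) (?:link: \S+ link (down|up)|system: device (reset))")
WINDOW = timedelta(minutes=5)  # span over which link-down and reset events are counted
THRESHOLD = 3                  # events inside WINDOW that raise an alert

def parse_events(log_text):
    """Yield (timestamp, host) for link-down and reset lines; link-up and noise are skipped."""
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        ts, host, link_state, reset = m.groups()
        if link_state == "down" or reset:
            yield datetime.fromisoformat(ts), host

def detect_flapping(log_text, window=WINDOW, threshold=THRESHOLD):
    """Return {host: peak count} for hosts whose link-down/reset events reach
    `threshold` within any `window`-long span; a single blip stays below it."""
    per_host = defaultdict(list)
    for ts, host in parse_events(log_text):
        per_host[host].append(ts)
    alerts = {}
    for host, stamps in per_host.items():
        stamps.sort()
        start, peak = 0, 0
        for end, ts in enumerate(stamps):
            while ts - stamps[start] > window:  # slide the window's left edge forward
                start += 1
            peak = max(peak, end - start + 1)
        if peak >= threshold:
            alerts[host] = peak
    return alerts
```

Feed the real syslog stream through `detect_flapping` and route its output to the SIEM rule that pages the protection engineer, correlating the alert with grid state as the playbook bullet recommends.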

Residual Risks: What Else to Watch For

No public exploit code has surfaced for CVE‑2025‑40570, but history shows that physical‑access attacks often remain private until weaponized by sophisticated actors. Asset owners should plan for scenarios where a malicious insider or a compromised engineering laptop floods multiple relays simultaneously, creating noise that conceals a destructive attack on primary equipment.

Additionally, the automatic reset behavior may vary by firmware revision. Some devices might log the event; others might not. Operators should test a representative sample in a lab to confirm exactly how the relay behaves post‑exhaustion and how long the communications blackout lasts. That data is critical for incident response playbooks.

Finally, the shift in advisory maintenance—CISA now directs users to Siemens ProductCERT for ongoing updates—places a heavier burden on utility security teams to monitor vendor feeds directly. Without a dedicated OT security function, some organizations risk missing critical updates that fall between quarterly CISA round‑ups.

Moving Toward a More Resilient Substation

CVE‑2025‑40570 is not a remote code execution. It won’t ransomware a grid. But it exposes a design assumption that is rapidly becoming obsolete: that a physical port on a field device is inherently trusted. As utilities expand digital substations and connect more devices via USB configuration dongles, security teams must treat every interface as a potential attack vector.

The fix is straightforward: upgrade to V10.0, lock the cabinets, and enforce strict physical access controls. For devices that cannot be updated immediately, those compensating controls are not optional—they are the only shield. Siemens and CISA have provided the roadmap. The remaining risk depends on how quickly the industry moves from advisory to action.