Siemens has confirmed that multiple models in its SICAM Q100 and Q200 power meter families store SMTP account passwords in plaintext, a design flaw that lets any authenticated local user extract email credentials directly from the device or from exported configuration backups. The vulnerabilities, tracked as CVE-2025-40752 and CVE-2025-40753, carry a CVSS v4 base score of 6.8 and affect Q100 firmware from V2.60 up to but not including V2.62, and Q200 firmware from V2.70 up to but not including V2.80. The U.S. Cybersecurity and Infrastructure Security Agency (CISA) republished the advisory as ICSA-25-226-16 on August 14, 2025, urging asset owners in the energy sector to patch promptly and implement network segmentation.
This is not a theoretical concern. The SICAM Q-series is widely deployed in electrical utilities for power metering, telemetry, and alarm notification. Many of these devices sit on operational technology (OT) networks that have limited separation from corporate IT systems or third‑party management channels. A stolen SMTP password can be used to relay email, launch phishing campaigns from a trusted address, exfiltrate sensitive logging data, or pivot deeper into connected networks.
What the Advisory Reveals
Siemens ProductCERT originally published the advisory as SSA‑529291, and CISA’s republication underscores the risk to critical infrastructure. The core weakness is classified as CWE‑312: Cleartext Storage of Sensitive Information. Two distinct exposure paths for the same secret received separate CVE identifiers:
- CVE-2025-40752 – The SMTP password is stored as plaintext on the device itself. An attacker who can log in locally, either through physical access or a remote management session, can read the credential directly from the filesystem or device configuration.
- CVE-2025-40753 – The password is included in cleartext inside exported configuration files. These files are routinely created for backup or device transfer, creating a secondary exposure path if the files are stored, transmitted, or shared insecurely.
Both vulnerabilities have a CVSS v4 score of 6.8, with a vector string indicating a local attack vector (AV:L), low attack complexity (AC:L), and high confidentiality impact (VC:H). While the score may seem moderate, it does not account for the reality of OT environments, where “local” access can often be achieved remotely via engineering workstations, VPNs, or poorly segmented jump hosts.
Affected Products and Firmware
Siemens explicitly lists the following hardware and version ranges as vulnerable:
| Product | Affected Versions | Remediation |
|---|---|---|
| POWER METER SICAM Q100 (7KG9501-0AA01-0AA1) | 2.60 ≤ version < 2.62 | Update to V2.62 or later |
| POWER METER SICAM Q100 (7KG9501-0AA01-2AA1) | 2.60 ≤ version < 2.62 | Update to V2.62 or later |
| POWER METER SICAM Q100 (7KG9501-0AA31-0AA1) | 2.60 ≤ version < 2.62 | Update to V2.62 or later |
| POWER METER SICAM Q100 (7KG9501-0AA31-2AA1) | 2.60 ≤ version < 2.62 | Update to V2.62 or later |
| POWER METER SICAM Q200 family | 2.70 ≤ version < 2.80 | Update to V2.80 or later |
Operators should verify exact part numbers and firmware revisions against the Siemens ProductCERT advisory to ensure coverage.
How an Attacker Can Abuse Exposed SMTP Credentials
The practical fallout goes far beyond a simple password disclosure. Once an adversary obtains the SMTP credentials, several realistic attack scenarios emerge, especially in energy‑sector environments where email‑based alarms are common:
- Relay Abuse and Reputation Damage – The compromised account can be used to send spam or phishing emails from a legitimate utility domain. This can cause the organization’s email servers to be blocklisted and erode trust with customers and partners.
- Targeted Phishing – Attackers can craft convincing messages to internal employees, leveraging the trusted sender address to harvest credentials or trick users into fraudulent wire transfers.
- Data Exfiltration – The same device access that exposes the password also lets an attacker change where the meter’s alarm and log emails are delivered, redirecting them to an external address. Independently of the device, the SMTP credential itself is a ready‑made outbound channel for mailing copies of configuration files, operational data, or network diagrams from any host that can reach the relay.
- Lateral Movement – In environments where OT and IT share credentials or trust relationships, the stolen password might grant access to other systems. Even if unique, control over an SMTP relay can be a stepping stone for deeper network intrusion.
- Stealthy Persistence – Email‑based activity from a device that typically sends only alerts can blend into normal traffic, making detection difficult in networks that lack robust monitoring of OT‑originated SMTP flows.
None of this requires a new exploit, only a working credential. The energy sector’s reliance on email for alerting, combined with often‑limited logging of OT‑originated mail traffic, gives such activity ready cover.
CISA and Siemens Recommendations
The primary fix is a firmware update that eliminates the plaintext storage and export of SMTP credentials:
- SICAM Q100: Upgrade to V2.62 or later.
- SICAM Q200: Upgrade to V2.80 or later.
Both CISA and Siemens stress that firmware updates should be applied promptly, but they also outline compensating controls for environments where immediate patching is impossible.
Compensating Controls
- Rotate SMTP Credentials Immediately – Change the password on the associated email account, and re‑rotate after patching to invalidate any previously exposed secrets.
- Limit Account Privileges – Use a dedicated, low‑privilege SMTP account that can only send alert emails, with no mailbox access or broader permissions.
- Block Direct Outbound SMTP – Restrict devices to sending mail only through a central, monitored relay. Deny direct outbound SMTP from OT subnets at the firewall.
- Secure Configuration Backups – Encrypt exported configuration files and store them in access‑controlled, audited locations. Delete any unprotected copies found on file shares or engineering workstations.
- Network Segmentation – Place SICAM devices on isolated OT VLANs with strict access control lists (ACLs) that limit who can authenticate locally. Remove default credentials and enforce role‑based access.
- Monitor SMTP Traffic – Enable logging on mail relays and create alerts for unusual send volumes, recipients outside the organization, or configuration export events from device IPs.
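The monitoring control above is easy to state and easy to leave unimplemented. The following Python script is an added example, not code from Siemens, CISA, or the SICAM firmware, showing the three checks a relay-log alert would need: send volume per source, recipients outside the organization, and, going one step beyond the list, the meter’s SMTP account being used from an IP address that is not the meter, which is the most direct sign that the credential has been harvested. The one-line-per-message relay log format, the meter IPs, the account names, the domains, and the thresholds are all hypothetical; a real relay such as Postfix logs differently, so `parse_line()` is the part to adapt.

```python
"""Flag misuse of a meter's SMTP account in mail-relay logs.

Added example, not code from Siemens, CISA or the SICAM firmware. The log
format is a constructed one-line-per-message relay log; a real relay such as
Postfix logs differently, so parse_line() is the part to adapt. The IPs,
account names, domains and thresholds below are hypothetical.
"""
import re
from collections import Counter, defaultdict
from datetime import datetime, timedelta

# Hypothetical asset facts: which meter IP is allowed to use which SMTP
# account, and which recipient domains are legitimate alarm destinations.
METER_ACCOUNTS = {
    "10.20.30.41": "sicam-q100-sub7@utility.example",
    "10.20.30.42": "sicam-q200-sub7@utility.example",
}
METER_USERS = set(METER_ACCOUNTS.values())
INTERNAL_DOMAINS = {"utility.example", "ops.utility.example"}
BURST_LIMIT = 5                      # messages per source inside BURST_WINDOW
BURST_WINDOW = timedelta(minutes=10)

LINE_RE = re.compile(
    r"^(?P<ts>\S+) relay: client=(?P<ip>[\d.]+) sasl_user=(?P<user>\S+) "
    r"to=<(?P<rcpt>[^>]+)> status=(?P<status>\w+)$"
)


def parse_line(line):
    """Return a dict for a well-formed log line, or None for anything else."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    ev = m.groupdict()
    ev["ts"] = datetime.fromisoformat(ev["ts"])
    return ev


def analyze(lines):
    """Return a list of (rule, detail) alerts, in log order."""
    alerts = []
    recent = defaultdict(list)   # source IP -> send timestamps inside the window
    in_burst = set()
    for raw in lines:
        ev = parse_line(raw)
        if ev is None or ev["status"] != "sent":
            continue
        ip, user, rcpt, ts = ev["ip"], ev["user"], ev["rcpt"], ev["ts"]

        # Rule 1: a meter account authenticating from any IP other than its
        # own meter means the credential has left the device.
        if user in METER_USERS and METER_ACCOUNTS.get(ip) != user:
            alerts.append(("account_from_unexpected_ip", f"{user} from {ip}"))

        # Rule 2: meter accounts exist to alarm internal addresses only.
        domain = rcpt.rsplit("@", 1)[-1].lower()
        if user in METER_USERS and domain not in INTERNAL_DOMAINS:
            alerts.append(("external_recipient", f"{ip} -> {rcpt}"))

        # Rule 3: a burst of sends from one source IP inside a sliding window
        # (a meter emits a handful of alarms, not a mail run). Fires once per
        # burst and re-arms when the window drains.
        window = recent[ip]
        window.append(ts)
        while ts - window[0] > BURST_WINDOW:
            window.pop(0)
        if len(window) >= BURST_LIMIT and ip not in in_burst:
            in_burst.add(ip)
            alerts.append(("send_burst", f"{ip}: {len(window)} messages in {BURST_WINDOW}"))
        elif len(window) < BURST_LIMIT:
            in_burst.discard(ip)
    return alerts


def summarize(lines):
    """Count alerts per rule; a quick triage view."""
    return Counter(rule for rule, _ in analyze(lines))


# Constructed sample: two normal alarm sends, then the Q100 account used from a
# non-meter IP to spray external recipients, then the meter itself mailing an
# outside address (as it would after its recipient list was changed).
SAMPLE_LOG = """\
2025-08-20T02:00:05 relay: client=10.20.30.41 sasl_user=sicam-q100-sub7@utility.example to=<noc@utility.example> status=sent
2025-08-20T02:15:10 relay: client=10.20.30.42 sasl_user=sicam-q200-sub7@utility.example to=<noc@utility.example> status=sent
2025-08-20T03:01:00 relay: client=192.0.2.77 sasl_user=sicam-q100-sub7@utility.example to=<cfo@utility.example> status=sent
2025-08-20T03:01:05 relay: client=192.0.2.77 sasl_user=sicam-q100-sub7@utility.example to=<victim1@mail.example.net> status=sent
2025-08-20T03:01:10 relay: client=192.0.2.77 sasl_user=sicam-q100-sub7@utility.example to=<victim2@mail.example.net> status=sent
2025-08-20T03:01:15 relay: client=192.0.2.77 sasl_user=sicam-q100-sub7@utility.example to=<victim3@mail.example.net> status=sent
2025-08-20T03:01:20 relay: client=192.0.2.77 sasl_user=sicam-q100-sub7@utility.example to=<victim4@mail.example.net> status=sent
2025-08-20T03:02:00 relay: client=10.20.30.41 sasl_user=sicam-q100-sub7@utility.example to=<drop@attacker.example> status=sent
garbage line that does not parse
""".splitlines()

if __name__ == "__main__":
    for rule, detail in analyze(SAMPLE_LOG):
        print(f"{rule:28} {detail}")
```

Rule 1 is the one worth wiring first: it needs nothing more than the meter inventory from the checklist further down, and a single hit from an engineering-workstation or VPN range is strong evidence that the exported password is in circulation.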
Detection and Response Checklist
For security teams looking to operationalize the defensive guidance, a practical checklist can help:
- Inventory: Identify every SICAM Q100/Q200 device and record its current firmware version.
- Log Review: Search for configuration export events, anomalous logins, and unexpected outbound SMTP connections sourced from meter IPs.
- File Audit: Scan file servers, engineer laptops, and backup repositories for any .cfg or other export files that may contain plaintext credentials.
- Credential Hygiene: Verify whether the SMTP account is unique to the device and not reused elsewhere. If it is reused, rotate those credentials as well.
- Patch Schedule: Test the firmware update on a non‑production unit, then schedule a maintenance window for each affected device. Prepare back‑out plans and ensure new backups are encrypted.
- Verify: After patching, confirm that configuration exports no longer contain plaintext passwords and that on‑device storage is protected.
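The file-audit and verify steps above share one piece of tooling: something that reads an export and reports every credential field that is readable. The script below is an added example, not a Siemens utility, and it does not use the real SICAM export format, which this page does not document. It assumes a hypothetical INI-style key=value layout and treats a value as masked only if it is empty, all asterisks, or wrapped in a marker such as `ENC(...)`; the sample exports, part numbers and password are constructed. The same function serves the sweep of file shares before patching and the confirmation that post-patch exports are clean.

```python
"""Scan exported device configurations for cleartext credential fields.

Added example, not Siemens tooling and not the real SICAM export format, which
this page does not document. It assumes an INI-style key=value export (a
hypothetical layout) and treats a value as masked only if it is empty, all
asterisks or x's, or wrapped in a marker such as ENC(...). Use it once to
sweep file shares and engineering laptops for exposed exports, and again after
patching to confirm new exports no longer carry the SMTP password.
"""
import re
from pathlib import Path

# Key names that should never carry a readable value in an export.
SECRET_KEY_RE = re.compile(r"(pass(word|wd|phrase)?|pwd|secret|apikey|token)", re.I)
KV_RE = re.compile(r"^\s*(?P<key>[A-Za-z0-9_.\-]+)\s*=\s*(?P<value>.*?)\s*$")
SECTION_RE = re.compile(r"^\s*\[(?P<name>[^\]]+)\]\s*$")
MASKED_RE = re.compile(r"^(\*+|x+|ENC\(.*\)|\{enc\}.*)?$", re.I)


def scan_text(source, text):
    """Return findings as (source, line_no, section, key) for every
    secret-looking key whose value is not masked. Values are deliberately
    not included so the report itself does not become a second leak."""
    findings = []
    section = ""
    for line_no, line in enumerate(text.splitlines(), 1):
        sec = SECTION_RE.match(line)
        if sec:
            section = sec.group("name")
            continue
        kv = KV_RE.match(line)
        if not kv or not SECRET_KEY_RE.search(kv.group("key")):
            continue
        if MASKED_RE.match(kv.group("value")):
            continue
        findings.append((source, line_no, section, kv.group("key")))
    return findings


def export_is_clean(text):
    """Post-patch verification: True only if no cleartext secret field remains."""
    return not scan_text("<export>", text)


def scan_tree(root, patterns=("*.cfg", "*.xml", "*.txt", "*.bak")):
    """Walk a directory (file share, backup repository, laptop sync folder)
    and collect findings across every file matching the glob patterns."""
    findings = []
    root = Path(root)
    for pattern in patterns:
        for path in root.rglob(pattern):
            try:
                text = path.read_text(errors="replace")
            except OSError:
                continue
            findings.extend(scan_text(str(path), text))
    return findings


# Constructed samples of a hypothetical pre-patch and post-patch export.
EXPORT_BEFORE = """\
[Device]
Name=SICAM-Q100-SUB7
Firmware=V2.60

[SMTP]
Server=relay.ot.utility.example
Port=587
User=sicam-q100-sub7@utility.example
Password=W1nter!Alarm-2025
"""

EXPORT_AFTER = """\
[Device]
Name=SICAM-Q100-SUB7
Firmware=V2.62

[SMTP]
Server=relay.ot.utility.example
Port=587
User=sicam-q100-sub7@utility.example
Password=********
"""

if __name__ == "__main__":
    for finding in scan_text("q100-sub7-before.cfg", EXPORT_BEFORE):
        print("cleartext secret:", finding)
    print("post-patch export clean:", export_is_clean(EXPORT_AFTER))
```

Run `scan_tree()` against the backup repository and the engineering file share rather than only against live devices: the page’s second CVE is precisely about copies that outlive the device state, and any hit there should be treated as a credential exposure regardless of whether the meter itself has since been patched.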
Operational Challenges in OT Patching
Updating firmware on industrial meters is rarely as simple as pushing a software update to a server. These devices are often physically remote, embedded in substations or distribution cabinets, and subject to stringent uptime requirements. A rushed patch can introduce compatibility issues with upstream SCADA systems or violate service‑level agreements. Energy operators should follow a structured approach:
- Test Bench Validation – Deploy the new firmware in a lab that mirrors the production environment to catch any integration problems.
- Staged Rollout – Start with less‑critical sites, then expand to primary assets after confirming stability.
- Communication – Notify all stakeholders, including field technicians and vendor support, about the change windows and any required procedural adjustments.
- Backup Integrity – Ensure that post‑patch configuration backups do not reintroduce plaintext credentials. If the update changes the export format, verify that sensitive fields are masked or encrypted.
For organizations that rely on third‑party maintenance providers, it is essential to include secure handling of configuration files in service‑level contracts. Technicians often export device configurations for troubleshooting; those files must be encrypted in transit and deleted after use.
Broader Lessons for Industrial Security
The SICAM vulnerability is not an isolated incident. Cleartext credential storage recurs across OT devices, partly because many were designed in an era when air‑gapped networks were the norm. Today, even isolated networks can be breached via infected USB drives, compromised engineering laptops, or poorly configured remote access. This advisory should serve as a catalyst for broader architectural improvements:
- Centralize Alerting – Route all device‑originated email through a single, hardened mail relay. This reduces the number of credentials stored on endpoints and simplifies monitoring.
- Adopt Credential Vaults – Where feasible, integrate devices with a secrets manager or secure store so they never embed passwords in configuration files.
- Enforce Change Control – Treat configuration exports as sensitive artifacts. Require approvals before export, and log every instance.
- Harden Management Access – Enforce multi‑factor authentication (MFA) on engineering workstations, limit local accounts, and audit all device logins.
- Monitor File Integrity – Deploy tools that detect unauthorized configuration changes or unexpected firmware exports.
Risk Evaluation for Different Stakeholders
Not every utility will face the same threat profile. Organizations should prioritize based on their specific architecture:
- Large Utilities with Interconnected Networks – If OT and IT networks have any trust relationships, or if third‑party vendors have remote access to meters, the risk is elevated. Treat this as a high‑priority patch.
- Operators with Strict Air Gaps – If devices are completely isolated and local access is strictly controlled, the immediate risk is lower, but the advisory still warrants a scheduled fix and credential rotation.
- Managed Service Providers – Companies that administer meters for multiple clients must ensure that exported configurations are protected end‑to‑end and that firmware updates are coordinated transparently.
Siemens and CISA note that, as of the advisory publication, no public exploitation of these CVEs had been reported. However, absence of evidence is not evidence of safety; credential harvesting in OT often goes undetected for months. Proactive remediation is always cheaper than incident response.
Strengths and Limitations of the Response
Siemens’ ProductCERT handled the disclosure professionally: the advisory is clear, assigns separate CVEs for each variant, and provides specific firmware versions. CISA’s amplification alerts the broader critical infrastructure community. The availability of a vendor‑supplied fix removes any excuse for indefinite delay.
That said, the vulnerabilities’ local nature can lull some operators into complacency. In practice, “local” access in 2025 often means remote access through a VPN, a compromised vendor laptop, or an insider threat. Moreover, legacy fleets and budget‑constrained municipalities may lack the resources for immediate firmware updates, leaving these meters exposed for years.
Immediate Actions for the Next 30 Days
A practical playbook for any utility with SICAM Q100/Q200 devices:
- Week 1: Complete inventory and firmware audit. Apply temporary network controls (egress filtering, tightened ACLs) to limit SMTP traffic and remote access.
- Week 2: Rotate SMTP credentials on all affected devices and begin searching for exported configuration files in insecure locations.
- Week 3: Test firmware updates in a lab and schedule maintenance windows for production devices.
- Week 4: Deploy patches, verify that plaintext passwords are no longer stored or exported, and revoke any previously exposed credentials.
After patching, maintain heightened monitoring of SMTP flows for at least one month to detect any lingering misuse.
Conclusion
The SICAM Q100/Q200 cleartext credential vulnerabilities are a blunt reminder that security fundamentals still lag in critical infrastructure. A simple password stored in plaintext can unravel years of network hardening if an attacker gains local access through a phishing email or a misconfigured remote support tool. The fix is straightforward, but the operational discipline to execute it safely—while rotating credentials, securing backups, and monitoring for abuse—is what separates a resilient OT environment from one waiting for a breach.
Operators should not wait for a public exploit to surface. The advisory provides all the information needed: affected versions, updated firmware targets, and complementary hardening measures. Now it is on asset owners to act.
For full technical details, refer to Siemens ProductCERT advisory SSA‑529291 and the CISA alert ICSA‑25‑226‑16.