Siemens has disclosed a remotely exploitable denial-of-service vulnerability, tracked as CVE-2024-52504, that affects a wide array of SIPROTEC 4 and SIPROTEC 4 Compact protection relays—and the company has no plans to fix most of the vulnerable models. The flaw, which carries a CVSS v4 score of 8.7, allows an unauthenticated attacker to crash a device by interrupting file transfers, forcing a restart and potentially knocking out critical power grid protection.

The CISA advisory (ICSA-25-226-12), published on August 14, 2025, reiterates Siemens' guidance and underscores the operational risk for electric utilities and industrial power systems worldwide. With many SKUs permanently unpatched, asset owners face a stark choice: isolate and monitor affected devices rigorously or replace them entirely.

What the Vulnerability Is

The root cause is an improper check for unusual or exceptional conditions (CWE-754) related to file-transfer operations. When a file transfer is interrupted, the device fails to gracefully handle the exception, entering a state that can only be recovered by restart. Exploitation requires no authentication or user interaction—just network access to the relay’s file-transfer functionality.

Siemens’ advisory SSA-400089 lists affected models across the SIPROTEC 4 and SIPROTEC 4 Compact families. Examples include the 6MD61/63/66/665, 7SA522, 7SJ61–66, 7SS52, 7ST6, 7UM61/62, 7UT63/612/613, 7VE6, 7VK61, 7VU683, and the Compact 7RW80/7SD80/7SJ80/7SJ81/7SK80/7SK81. For these, the vendor states “currently no fix is planned” or “no fix is available.”

Only three models receive a patch: the 7SA6, 7SD5, and 7SD610, which can be updated to firmware version V4.78 or later. Operators of those devices must schedule updates immediately. For everything else, the exposure is permanent.

Risk Assessment and Real-World Impact

SIPROTEC relays sit at the heart of substation automation, performing protection, control, and measurement tasks. A denial-of-service that forces a restart can:
- Remove protection coverage during fault conditions, increasing the risk of equipment damage or wide-area outages.
- Trigger failover cascades that may destabilize the grid if redundant protections are misconfigured.
- Demand manual intervention—sending a technician to a remote substation—lengthening recovery time and operational cost.

The CVSS vectors confirm exploitability from any network access (AV:N), low attack complexity (AC:L), and no privileges required (PR:N). The primary impact is on availability (VA:H). This combination makes the vulnerability especially dangerous for devices reachable from less-restricted networks, including corporate IT or engineering workstations.

Although no public exploitation has been reported yet, history shows that DoS vulnerabilities in industrial control systems are frequently weaponized once disclosed. Lack of a proof-of-concept today does not mean tomorrow’s script-kiddie or ransomware affiliate won’t find a way.

Mitigations: Patching Is Only Part of the Answer

For the three patchable models, Siemens urges an update to V4.78 or later. But for the majority of affected devices, operators must rely on compensating controls. Both Siemens and CISA recommend:

  • Network segmentation: Ensure protection relays are not reachable from the internet. Isolate them behind firewalls from business networks and untrusted zones.
  • Restricted access: Allow only trusted management hosts to communicate with relays, using strict ACLs and hardened jump servers.
  • Secure remote access: If remote management is unavoidable, use up-to-date VPNs, enforce multi-factor authentication, and limit VPN gateways to specific endpoints.
  • Redundancy validation: Confirm that secondary protection schemes are operational and that failover does not create single points of failure. Test manual restart procedures.
  • Monitoring: Log and alert on repeated failed file transfers, unexplained device restarts, or anomalous management sessions. A cluster of such events, especially interrupted transfers followed by a restart of the same relay, is a likely indicator of exploitation attempts.

CISA’s advisory also reminds users that as of January 2023, the agency no longer maintains ongoing updates for Siemens product vulnerabilities beyond the initial advisory. Operators must now rely directly on Siemens ProductCERT for any revised guidance—a shift that places the onus on asset owners to actively monitor vendor channels.

Hardening Windows-Centric OT Environments

Many utilities and industrial sites manage SIPROTEC relays from Windows-based engineering stations. These endpoints become an attractive attack vector if not properly hardened. Key steps:

  • Dedicated management workstations: Use purpose-built, patched, and isolated machines not used for email or web browsing.
  • Least privilege: Limit accounts that can initiate file transfers to relays; enforce change-control procedures for uploads/downloads.
  • Centralized logging: Forward engineering station logs to a SIEM or central collector with correlation rules for repeated failure events.
  • Credential hygiene: Avoid storing plaintext passwords; use vaults and MFA where supported.
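The monitoring guidance above (alerting on repeated failed file transfers and on unexplained restarts) and the centralized-logging item in this list (correlation rules for repeated failure events) describe the same detection, so one worked example covers both. The following is an added example, not code from Siemens, CISA, or this advisory: the syslog-style line format, the event names (FILE_TRANSFER_ABORT, DEVICE_RESTART), the sample log lines, the relay addresses, and the thresholds are all constructed assumptions. A real deployment would adapt the parser to the actual engineering-station or relay log format and tune the thresholds to normal maintenance activity.

```python
"""
Correlation rule for interrupted relay file transfers and relay restarts.
Added example, not code from Siemens, CISA, or the advisory. The log format,
event names, sample lines and thresholds are hypothetical and constructed.
"""
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed sample log lines in a hypothetical format:
#   <ISO timestamp> <reporting host> <EVENT_NAME> key=value ...
# Relay 10.1.5.21 sees three aborted transfers in 14 seconds and then restarts;
# relay 10.1.5.22 sees only isolated aborts hours apart (normal operator activity).
SAMPLE_LOGS = """\
2025-08-14T10:00:01Z eng-ws01 FILE_TRANSFER_ABORT relay=10.1.5.21 reason=connection_reset
2025-08-14T10:00:09Z eng-ws01 FILE_TRANSFER_ABORT relay=10.1.5.21 reason=connection_reset
2025-08-14T10:00:15Z eng-ws01 FILE_TRANSFER_ABORT relay=10.1.5.21 reason=timeout
2025-08-14T10:00:22Z relay-21 DEVICE_RESTART relay=10.1.5.21 reason=unexpected
2025-08-14T11:30:00Z eng-ws02 FILE_TRANSFER_OK relay=10.1.5.22 file=params.bin
2025-08-14T11:45:10Z eng-ws02 FILE_TRANSFER_ABORT relay=10.1.5.22 reason=operator_cancel
2025-08-14T15:45:10Z eng-ws02 FILE_TRANSFER_ABORT relay=10.1.5.22 reason=timeout
"""

LINE_RE = re.compile(
    r"^(?P<ts>\S+) (?P<host>\S+) (?P<event>[A-Z_]+)(?P<kv>(?: \w+=\S+)*)$"
)


def parse_line(line):
    """Parse one log line into a dict, or return None if it does not match the format."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    fields = dict(kv.split("=", 1) for kv in m.group("kv").split())
    return {
        "ts": datetime.strptime(m.group("ts"), "%Y-%m-%dT%H:%M:%SZ"),
        "host": m.group("host"),
        "event": m.group("event"),
        **fields,
    }


def correlate(lines, abort_threshold=3, window=timedelta(minutes=5),
              restart_window=timedelta(minutes=10)):
    """Return a list of alert dicts. Two rules are applied per relay:

    1. repeated_transfer_abort: at least `abort_threshold` FILE_TRANSFER_ABORT
       events for the same relay within `window` (fires once when the threshold
       is first reached, not again for every further abort in the same window).
    2. restart_after_abort: a DEVICE_RESTART for a relay that had one or more
       aborted transfers within `restart_window` before the restart.
    """
    keep = max(window, restart_window)       # how far back abort history is retained
    aborts = defaultdict(deque)              # relay -> timestamps of recent aborts
    alerts = []
    for line in lines:
        ev = parse_line(line)
        if ev is None or "relay" not in ev:
            continue                          # unparseable or not relay-related
        relay = ev["relay"]
        hist = aborts[relay]
        if ev["event"] == "FILE_TRANSFER_ABORT":
            hist.append(ev["ts"])
            while hist and ev["ts"] - hist[0] > keep:
                hist.popleft()                # drop history older than the longest window
            in_window = sum(1 for t in hist if ev["ts"] - t <= window)
            if in_window == abort_threshold:
                alerts.append({"rule": "repeated_transfer_abort", "relay": relay,
                               "ts": ev["ts"], "count": in_window})
        elif ev["event"] == "DEVICE_RESTART":
            preceding = sum(1 for t in hist if timedelta(0) <= ev["ts"] - t <= restart_window)
            if preceding:
                alerts.append({"rule": "restart_after_abort", "relay": relay,
                               "ts": ev["ts"], "count": preceding})
    return alerts


if __name__ == "__main__":
    for alert in correlate(SAMPLE_LOGS.splitlines()):
        print(f"{alert['ts'].isoformat()} {alert['rule']} relay={alert['relay']} "
              f"aborts={alert['count']}")
```

Against the constructed sample, the rule fires twice for relay 10.1.5.21 (the burst of three aborts, then the restart that follows it) and stays silent for 10.1.5.22, whose two aborts fall outside any window. The same two rules map directly onto SIEM correlation searches: a count-by-relay over a sliding window for the first, and a sequence (abort then restart on the same relay) for the second.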

These measures reduce the risk that a compromised Windows host becomes the entry point for triggering the vulnerability.

Strategic Considerations for Asset Owners

With so many models permanently unfixed, organizations must assess their reliance on SIPROTEC 4 and SIPROTEC 4 Compact devices. Questions to ask:
- Are these devices located in critical substations where a DoS could cause regulatory or safety violations?
- Can network segmentation and monitoring provide a sufficient compensating control?
- What is the lifecycle budget for replacing unsupported devices?

For devices that cannot be patched and are in high-risk positions, architectural isolation—such as placing a security appliance or a protocol break in front of the relay—may be the only viable mitigation short of replacement. Utilities should also consult their protection engineers to verify that redundant designs actually function as intended under a DoS scenario.

A Patchwork Remediation Leaves Grids at Risk

CVE-2024-52504 is a textbook case of the long-tail security challenge in operational technology. Siemens’ decision not to fix the majority of affected SKUs reflects the reality that many industrial devices run firmware that cannot easily be updated, or are nearing end-of-life. For operators, however, the risk is immediate, and it demands action now: inventory every SIPROTEC 4 device, apply firmware updates where possible, and deploy layered defenses everywhere else.

The absence of a public exploit should not breed complacency. In a threat landscape where adversaries actively target energy infrastructure, a remotely triggerable DoS affecting protection relays is a dangerous tool—one that could be used to soften a substation before a physical or cyber-physical attack.

Operators should contact Siemens ProductCERT for the most current model-specific guidance and subscribe to ICS-CERT notifications for any future developments. The full CISA advisory is available at https://www.cisa.gov/news-events/ics-advisories/icsa-25-226-12/, and Siemens’ advisory SSA-400089 can be found on the Siemens security site.