VYPR
Advisory · Published Jun 23, 2026 · 1 source

CISA Warns of Arbitrary File Upload Flaw in Siemens SIPROTEC 5 Devices Allowing Code Execution

CISA disclosed CVE-2025-40808, a high-severity arbitrary file upload vulnerability in Siemens SIPROTEC 5 relays that could let authenticated attackers achieve code execution and denial of service across critical infrastructure.

CISA published an advisory on June 24, 2026, warning of a critical vulnerability in Siemens SIPROTEC 5 digital protection relays that use the DIGSI 5 protocol. Tracked as CVE-2025-40808 and carrying a CVSS v3.1 base score of 6.1, the flaw allows authenticated users to upload arbitrary files via the DIGSI 5 interface, potentially enabling an attacker to inject malicious configuration files that could cause a permanent denial of service condition and, in some scenarios, lead to code execution.

The vulnerability affects a sweeping range of SIPROTEC 5 models spanning multiple hardware platforms, including the CP050, CP100, CP150, CP200, and CP300 variants. The full list of impacted devices includes over 70 distinct product types, such as the 6MD84, 6MD85, 6MD86, 7SA82, 7SD86, 7SJ81, 7SK82, 7SL86, 7ST85, 7UT82, and many others, with all firmware versions of each affected. These relays are deployed globally across critical infrastructure sectors including energy, transportation systems, critical manufacturing, healthcare, financial services, and government facilities.

The core issue lies in the DIGSI 5 protocol's handling of file uploads. The affected application does not properly restrict the types of files that authenticated users can upload, allowing an attacker to send malicious configuration files to the device. Once uploaded, these files can corrupt the device's operational state, leading to a denial of service condition. In more severe cases, the vulnerability could be chained to achieve arbitrary code execution on the relay, giving an attacker full control over the protective relay.

Siemens has released firmware updates to address the vulnerability. Users of the CP050 and CP150 device models are advised to upgrade to version 9.90 or later. For CP300 device models, the 7ST85 and 7ST86 variants must upgrade to version 10.00 or later, while all remaining CP300 models should move to version 9.90 or later. These firmware versions introduce an allow-list feature that restricts arbitrary file uploads, effectively blocking the attack vector. For products where fixes are not yet available, Siemens recommends applying password protection to all DIGSI connections and provisioning custom certificates signed by the customer's own PKI to ensure secure communication.
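As an added example (not part of the advisory or of Siemens' own tooling), the following Python script applies the fix thresholds above to a device inventory and reports which relays need an upgrade and which have no fix listed and must rely on the interim mitigations. The inventory rows are constructed, and the platform assigned to each model in them is an assumption.

```python
"""Triage a SIPROTEC 5 inventory against the CVE-2025-40808 fix versions.

Fix thresholds come from the advisory text; the sample inventory is
constructed and the model-to-platform mapping in it is assumed.
"""
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

# Minimum fixed firmware per platform, per the advisory. CP100 and CP200 are
# affected but have no fixed version listed, so they get interim mitigations.
MIN_FIXED = {"CP050": "9.90", "CP150": "9.90", "CP300": "9.90"}
# CP300 models that need a later release than the rest of the platform.
CP300_EXCEPTIONS = {"7ST85": "10.00", "7ST86": "10.00"}


def parse_version(v: str) -> Tuple[int, ...]:
    """Turn '9.90' into (9, 90) so '10.00' sorts after '9.90' numerically."""
    return tuple(int(p) for p in v.strip().split("."))


def required_version(platform: str, model: str) -> Optional[str]:
    """Minimum fixed firmware for a device, or None if the advisory lists no fix."""
    if platform == "CP300" and model in CP300_EXCEPTIONS:
        return CP300_EXCEPTIONS[model]
    return MIN_FIXED.get(platform)


@dataclass
class Device:
    name: str
    platform: str
    model: str
    firmware: str


def triage(device: Device) -> str:
    """Classify one device as patched, needing an upgrade, or mitigation-only."""
    req = required_version(device.platform, device.model)
    if req is None:
        return "no fix listed; enforce DIGSI passwords and customer-PKI certificates"
    if parse_version(device.firmware) >= parse_version(req):
        return "patched"
    return f"upgrade to {req} or later"


def triage_inventory(devices: List[Device]) -> Dict[str, str]:
    return {d.name: triage(d) for d in devices}


# Constructed sample inventory (names, platforms and firmware values made up).
SAMPLE_INVENTORY = [
    Device("sub01-relay-a", "CP300", "7SD86", "9.80"),
    Device("sub01-relay-b", "CP300", "7ST85", "9.90"),
    Device("sub02-relay-a", "CP150", "7SJ81", "9.90"),
    Device("sub02-relay-b", "CP100", "7SA82", "9.50"),
]

if __name__ == "__main__":
    for name, verdict in triage_inventory(SAMPLE_INVENTORY).items():
        print(f"{name}: {verdict}")
```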

The advisory underscores the persistent challenge of securing industrial control systems that rely on legacy protocols. The DIGSI 5 protocol is widely used for configuring and maintaining Siemens protection relays, and the ability to upload arbitrary files without proper validation represents a significant risk to grid stability. CISA urges organizations to review the advisory and apply the recommended mitigations immediately, particularly for devices in high-impact environments such as power substations and manufacturing plants.

This disclosure follows a pattern of recent CISA advisories targeting Siemens industrial equipment, including a critical OpenSSL buffer overflow affecting SCALANCE routers and a WinCC Certificate Manager vulnerability that exposed sensitive key material. The breadth of the affected product line — spanning dozens of relay models — means that even a single unpatched device could serve as an entry point for attackers targeting critical infrastructure.

Organizations should prioritize upgrading affected SIPROTEC 5 devices to the patched firmware versions and implement the recommended DIGSI connection security measures. Given the severity of the vulnerability and the potential for code execution, this advisory should be treated as a high-priority action item for any facility using Siemens protection relays.

Synthesized by Vypr AI