CVE-2024-52504 in SIPROTEC 4 6MD61

Summary

by MITRE • 08/12/2025

A vulnerability has been identified in SIPROTEC 4 6MD61 (All versions), SIPROTEC 4 6MD63 (All versions), SIPROTEC 4 6MD66 (All versions), SIPROTEC 4 6MD665 (All versions), SIPROTEC 4 7SA522 (All versions), SIPROTEC 4 7SA6 (All versions < V4.78), SIPROTEC 4 7SD5 (All versions < V4.78), SIPROTEC 4 7SD610 (All versions < V4.78), SIPROTEC 4 7SJ61 (All versions), SIPROTEC 4 7SJ62 (All versions), SIPROTEC 4 7SJ63 (All versions), SIPROTEC 4 7SJ64 (All versions), SIPROTEC 4 7SJ66 (All versions), SIPROTEC 4 7SS52 (All versions), SIPROTEC 4 7ST6 (All versions), SIPROTEC 4 7UM61 (All versions), SIPROTEC 4 7UM62 (All versions), SIPROTEC 4 7UT612 (All versions), SIPROTEC 4 7UT613 (All versions), SIPROTEC 4 7UT63 (All versions), SIPROTEC 4 7VE6 (All versions), SIPROTEC 4 7VK61 (All versions), SIPROTEC 4 7VU683 (All versions), SIPROTEC 4 Compact 7RW80 (All versions), SIPROTEC 4 Compact 7SD80 (All versions), SIPROTEC 4 Compact 7SJ80 (All versions), SIPROTEC 4 Compact 7SJ81 (All versions), SIPROTEC 4 Compact 7SK80 (All versions), SIPROTEC 4 Compact 7SK81 (All versions). Affected devices do not properly handle interrupted operations of file transfer. This could allow an unauthenticated remote attacker to cause a denial of service condition. To restore normal operations, the devices need to be restarted.


Analysis

by VulDB Data Team • 08/12/2025

This vulnerability affects a wide range of Siemens SIPROTEC 4 protective relays and control devices across multiple product lines, including the 6MD61, 6MD63, 6MD66, 6MD665, 7SA522, 7SA6, 7SD5, 7SD610, 7SJ61, 7SJ62, 7SJ63, 7SJ64, 7SJ66, 7SS52, 7ST6, 7UM61, 7UM62, 7UT612, 7UT613, 7UT63, 7VE6, 7VK61, 7VU683, 7RW80, 7SD80, 7SJ80, 7SJ81, 7SK80, and 7SK81 models. The vulnerability stems from improper handling of interrupted file transfer operations within these industrial control devices. From a cybersecurity perspective, this is a significant weakness in the device's fault tolerance and operational resilience. The flaw manifests when a file transfer is terminated unexpectedly, leaving the device in a state from which it cannot recover on its own. This behavior falls under CWE-400 (Uncontrolled Resource Consumption) and leads to a denial of service condition. The attack vector is particularly concerning because exploitation is unauthenticated and remote: an attacker can trigger the condition over the network without valid credentials or prior access, which significantly increases the exposed attack surface and the potential impact.

The operational impact of this vulnerability extends beyond simple service disruption to potentially compromise industrial control system reliability and safety. When affected devices experience denial of service conditions, they become non-operational and require manual restart to restore functionality. This is particularly problematic in critical infrastructure environments where continuous operation is essential for process control and safety systems. The need for device restarts creates operational downtime that can affect production processes, safety monitoring, and overall system availability. In industrial environments, such disruptions can lead to cascading failures, safety system degradation, or even hazardous conditions if protective relays fail to operate correctly during critical events. The vulnerability's presence in multiple product variants across different device families indicates a systemic issue in the software architecture rather than isolated component failure. This widespread impact suggests that the underlying flaw exists in core firmware or software components shared across these device types, making the vulnerability particularly dangerous for organizations operating large deployments of these protective relays.

Organizations should implement immediate mitigations to address this vulnerability while awaiting official firmware updates from Siemens. Network segmentation and access controls should be strengthened to limit potential attack vectors and prevent unauthorized remote access to affected devices. The implementation of network monitoring solutions to detect unusual file transfer patterns or device behavior can help identify potential exploitation attempts. Security teams should also consider disabling unnecessary network services and implementing robust firewall rules to restrict communication to only essential traffic. From an operational perspective, organizations should develop and test incident response procedures specifically for this vulnerability, including protocols for device restart procedures and system recovery. The vulnerability's classification under ATT&CK framework would likely map to T1499.004 (Endpoint Denial of Service) and potentially T1566.001 (Phishing) if exploitation involves social engineering to gain initial access. Regular vulnerability assessments and penetration testing should be conducted to identify similar weaknesses in other industrial control system components. Device inventory management should be enhanced to track all affected models and ensure timely firmware upgrades are deployed. The remediation process should include thorough testing of firmware updates in controlled environments before deployment to production systems to prevent introducing new operational issues. Additionally, organizations should review their overall industrial cybersecurity posture and consider implementing more robust security monitoring and incident response capabilities for their protective relay systems.
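As an added defender-side example (not from the advisory or from VulDB), the heuristic below flags a source that repeatedly aborts transfers to an inventoried relay within a short window, the "unusual file transfer patterns" the mitigation paragraph refers to. The log format, the relay addresses and the threshold are all constructed assumptions; adapt them to the flow or IDS export actually available.

```python
from collections import defaultdict

# Constructed inventory of relay management addresses (placeholder IPs).
AFFECTED_RELAYS = {
    "10.0.5.10": "SIPROTEC 4 7SJ62",
    "10.0.5.11": "SIPROTEC 4 Compact 7SJ80",
}

# Constructed connection records: "epoch src dst bytes state". This format is
# an assumption standing in for whatever flow or IDS export a site really has.
SAMPLE_LOG = """\
1700000000 10.0.7.21 10.0.5.10 8192 COMPLETE
1700000010 10.0.7.99 10.0.5.10 120 ABORTED
1700000012 10.0.7.99 10.0.5.10 96 ABORTED
1700000015 10.0.7.99 10.0.5.10 110 ABORTED
1700000020 10.0.7.99 10.0.5.11 100 ABORTED
1700000300 10.0.7.21 10.0.9.1 50 ABORTED
"""


def parse_records(text):
    """Parse constructed log lines into (ts, src, dst, nbytes, state) tuples."""
    records = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) != 5:
            continue  # skip blank or malformed lines
        ts, src, dst, nbytes, state = parts
        records.append((int(ts), src, dst, int(nbytes), state))
    return records


def detect_interrupted_transfers(records, threshold=3, window=60):
    """Return (src, dst, model, count) for each source that aborts at least
    `threshold` transfers to one affected relay within `window` seconds."""
    aborted = defaultdict(list)
    for ts, src, dst, _, state in records:
        if state == "ABORTED" and dst in AFFECTED_RELAYS:
            aborted[(src, dst)].append(ts)
    alerts = []
    for (src, dst), stamps in aborted.items():
        stamps.sort()
        lo = 0  # sliding window over the sorted abort timestamps
        for hi in range(len(stamps)):
            while stamps[hi] - stamps[lo] > window:
                lo += 1
            if hi - lo + 1 >= threshold:
                alerts.append((src, dst, AFFECTED_RELAYS[dst], hi - lo + 1))
                break
    return alerts


if __name__ == "__main__":
    for alert in detect_interrupted_transfers(parse_records(SAMPLE_LOG)):
        print("possible CVE-2024-52504 abuse:", alert)
```

Aborted transfers to addresses outside the inventory are ignored, so the relay list must be kept current alongside the device inventory the paragraph calls for.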

Responsible: Siemens

Reservation: 11/11/2024

Disclosure: 08/12/2025

Moderation: accepted

CPE: ready

EPSS: 0.00154

KEV: no

Activities: very low

Sources
