Critical Siemens RTU Vulnerability Could Allow Hackers to Destabilize Power Grid

Siemens recently patched a critical vulnerability affecting some of its energy ICS devices that could allow hackers to destabilize a power grid.

A critical vulnerability affecting some of Siemens’ industrial control systems (ICS) designed for the energy sector could allow malicious hackers to destabilize a power grid, according to the researchers who found the security hole.

The vulnerability, tracked as CVE-2023-28489, impacts the CPCI85 firmware of Sicam A8000 CP-8031 and CP-8050 products, and it can be exploited by an unauthenticated attacker for remote code execution. These products are remote terminal units (RTUs) designed for telecontrol and automation in the energy supply sector, particularly for substations. 

Patches are available in firmware versions CPCI85 V05 or later, and the German industrial giant also noted that the risk of exploitation can be reduced by limiting access to the web server on TCP ports 80 and 443 using a firewall. 
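The two mitigations above (firmware at CPCI85 V05 or later, web server ports 80/443 firewalled) can be checked against an asset inventory. The following is an added example, not code from Siemens, SEC Consult or the article; the device names, IP addresses, firmware string layout, management network and the simplified allow-list model (default deny assumed) are all constructed assumptions.

```python
import ipaddress
import re

AFFECTED_MODELS = {"CP-8031", "CP-8050"}  # models named in the article
FIXED_MAJOR = 5                           # "CPCI85 V05 or later"
WEB_PORTS = {80, 443}                     # web server ports named in the mitigation

# Constructed sample data (not real devices); the version string layout is an assumption.
INVENTORY = [
    {"name": "sub-a-rtu1", "model": "CP-8050", "ip": "10.20.1.10", "firmware": "CPCI85 V04.92"},
    {"name": "sub-a-rtu2", "model": "CP-8031", "ip": "10.20.1.11", "firmware": "CPCI85 V05.00"},
    {"name": "sub-b-rtu1", "model": "CP-8050", "ip": "10.20.2.10", "firmware": "CPCI85 V05.11"},
]
# Constructed, simplified allow-list: (source CIDR, destination IP, TCP port).
ALLOW_RULES = [
    ("10.99.0.0/28", "10.20.1.10", 443),
    ("10.99.0.0/28", "10.20.1.11", 443),
    ("0.0.0.0/0", "10.20.2.10", 80),  # e.g. a leftover third-party support rule
]
MGMT_NETS = [ipaddress.ip_network("10.99.0.0/28")]  # hypothetical engineering network


def firmware_major(fw):
    """Return the major version from a 'CPCI85 Vnn...' string, or None if unparseable."""
    match = re.search(r"CPCI85\s+V(\d+)", fw)
    return int(match.group(1)) if match else None


def audit(inventory, rules, mgmt_nets):
    """Flag affected RTUs that are unpatched or whose web ports are reachable
    from anywhere outside the management networks."""
    findings = []
    for dev in inventory:
        if dev["model"] not in AFFECTED_MODELS:
            continue
        major = firmware_major(dev["firmware"])
        if major is None:
            findings.append((dev["name"], "firmware-unknown"))
        elif major < FIXED_MAJOR:
            findings.append((dev["name"], "firmware-below-V05"))
        for src, dst, port in rules:
            if dst != dev["ip"] or port not in WEB_PORTS:
                continue
            src_net = ipaddress.ip_network(src)
            if not any(src_net.subnet_of(net) for net in mgmt_nets):
                findings.append((dev["name"], f"web-port-{port}-open-to-{src}"))
    return findings


if __name__ == "__main__":
    for name, issue in audit(INVENTORY, ALLOW_RULES, MGMT_NETS):
        print(f"{name}: {issue}")
```

A patched device with an overly broad allow rule is still reported, since firmware level and network exposure are checked independently.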

In an advisory published on April 11, Siemens said it learned about the flaw from a team of researchers at cybersecurity consultancy SEC Consult, which is now part of Eviden, an Atos business.

Johannes Greil, head of the SEC Consult Vulnerability Lab, told SecurityWeek that an attacker who can exploit CVE-2023-28489 can take complete control of a device and could potentially destabilize a power grid, possibly even causing blackouts, by changing critical automation parameters. Threat actors could also leverage the vulnerability to implement backdoors.

However, the expert noted that since these devices are mostly used in critical infrastructure environments, they are typically ‘strongly firewalled’ and are not accessible directly from the internet. 

“It cannot be ruled out though that some devices might be reachable through 3rd party support access connections or potential misconfigurations,” Greil explained. 

Exploitation of CVE-2023-28489 can allow an attacker who has network access to the targeted device to gain full root access without any prior authentication. Exploitation of the flaw involves sending a specially crafted HTTP request to the targeted RTU. 

The US Cybersecurity and Infrastructure Security Agency (CISA) also published an advisory in April to inform organizations about the vulnerability. 

Greil pointed out that Siemens Sicam products are among the first devices in the world to receive ‘maturity level 4’ certification in the Industrial Cyber Security category. This certification, IEC 62443-4-1, indicates that security was an important factor throughout the design and development process and that the product has undergone rigorous testing.

SEC Consult is currently not releasing any technical details to prevent malicious hackers from potentially misusing the information. 

However, the company told SecurityWeek that it has found multiple vulnerabilities in Siemens products that are in the process of being fixed and some technical details will be disclosed after patches are rolled out. 


Written By

Eduard Kovacs (@EduardKovacs) is a contributing editor at SecurityWeek. He worked as a high school IT teacher for two years before starting a career in journalism as Softpedia’s security news reporter. Eduard holds a bachelor’s degree in industrial informatics and a master’s degree in computer techniques applied in electrical engineering.
