{"description":"Trending threats, MITRE ATT\u0026CK coverage, and detection metadata. Fed continuously.","feed_url":"https://feed.craftedsignal.io/products/siprotec-5-7sa87-cp200/feed.json","home_page_url":"https://feed.craftedsignal.io/","items":[{"_cs_actors":[],"_cs_cpes":[],"_cs_cves":[{"cvss":5.3,"id":"CVE-2024-54017"}],"_cs_exploited":false,"_cs_has_poc":false,"_cs_poc_references":[],"_cs_products":["SIPROTEC 5 6MD84 (CP300)","SIPROTEC 5 6MD85 (CP200)","SIPROTEC 5 6MD85 (CP300)","SIPROTEC 5 6MD86 (CP200)","SIPROTEC 5 6MD86 (CP300)","SIPROTEC 5 6MD89 (CP300)","SIPROTEC 5 6MU85 (CP300)","SIPROTEC 5 7KE85 (CP200)","SIPROTEC 5 7KE85 (CP300)","SIPROTEC 5 7SA82 (CP100)","SIPROTEC 5 7SA82 (CP150)","SIPROTEC 5 7SA84 (CP200)","SIPROTEC 5 7SA86 (CP200)","SIPROTEC 5 7SA86 (CP300)","SIPROTEC 5 7SA87 (CP200)","SIPROTEC 5 7SA87 (CP300)","SIPROTEC 5 7SD82 (CP100)","SIPROTEC 5 7SD82 (CP150)","SIPROTEC 5 7SD84 (CP200)","SIPROTEC 5 7SD86 (CP200)","SIPROTEC 5 7SD86 (CP300)","SIPROTEC 5 7SD87 (CP200)","SIPROTEC 5 7SD87 (CP300)","SIPROTEC 5 7SJ81 (CP100)","SIPROTEC 5 7SJ81 (CP150)","SIPROTEC 5 7SJ82 (CP100)","SIPROTEC 5 7SJ82 (CP150)","SIPROTEC 5 7SJ85 (CP200)","SIPROTEC 5 7SJ85 (CP300)","SIPROTEC 5 7SJ86 (CP200)","SIPROTEC 5 7SJ86 (CP300)","SIPROTEC 5 7SK82 (CP100)","SIPROTEC 5 7SK82 (CP150)","SIPROTEC 5 7SK85 (CP200)","SIPROTEC 5 7SK85 (CP300)","SIPROTEC 5 7SL82 (CP100)","SIPROTEC 5 7SL82 (CP150)","SIPROTEC 5 7SL86 (CP200)","SIPROTEC 5 7SL86 (CP300)","SIPROTEC 5 7SL87 (CP200)","SIPROTEC 5 7SL87 (CP300)","SIPROTEC 5 7SS85 (CP200)","SIPROTEC 5 7SS85 (CP300)","SIPROTEC 5 7ST85 (CP200)","SIPROTEC 5 7ST85 (CP300)","SIPROTEC 5 7ST86 (CP300)","SIPROTEC 5 7SX82 (CP150)","SIPROTEC 5 7SX85 (CP300)","SIPROTEC 5 7SY82 (CP150)","SIPROTEC 5 7UM85 (CP300)","SIPROTEC 5 7UT82 (CP100)","SIPROTEC 5 7UT82 (CP150)","SIPROTEC 5 7UT85 (CP200)","SIPROTEC 5 7UT85 (CP300)","SIPROTEC 5 7UT86 (CP200)","SIPROTEC 5 7UT86 (CP300)","SIPROTEC 5 7UT87 (CP200)","SIPROTEC 5 7UT87 (CP300)","SIPROTEC 5 7VE85 (CP300)","SIPROTEC 5 7VK87 (CP200)","SIPROTEC 5 7VK87 (CP300)","SIPROTEC 5 7VU85 (CP300)","SIPROTEC 5 Compact 7SX800 (CP050)"],"_cs_severities":["medium"],"_cs_tags":["ics","session hijacking","cve-2024-54017","siemens","critical infrastructure"],"_cs_type":"advisory","_cs_vendors":["Siemens"],"content_html":"\u003cp\u003eMultiple Siemens SIPROTEC 5 devices are affected by a vulnerability (CVE-2024-54017) stemming from the use of insufficiently random numbers in generating session identifiers. This weakness could be exploited by an unauthenticated remote attacker to conduct a brute-force attack against a valid session identifier. Successful exploitation grants the attacker unauthorized read access to limited information from the web server. The affected products include a range of SIPROTEC 5 devices, specifically versions below V11.0 for certain models. Siemens is preparing fixes and recommends countermeasures where fixes are not yet available. This vulnerability impacts critical infrastructure sectors, particularly critical manufacturing, where these devices are deployed worldwide.\u003c/p\u003e\n\u003ch2 id=\"attack-chain\"\u003eAttack Chain\u003c/h2\u003e\n\u003col\u003e\n\u003cli\u003eAn unauthenticated attacker identifies a vulnerable SIPROTEC 5 device exposed on a network.\u003c/li\u003e\n\u003cli\u003eThe attacker sends an initial HTTP request to the device\u0026rsquo;s web server to initiate a session.\u003c/li\u003e\n\u003cli\u003eThe device generates a session identifier based on an insufficiently random number generator.\u003c/li\u003e\n\u003cli\u003eThe attacker begins a brute-force attack, attempting different session identifier values.\u003c/li\u003e\n\u003cli\u003eThe attacker sends subsequent HTTP requests with each guessed session identifier.\u003c/li\u003e\n\u003cli\u003eIf a guessed session identifier matches a valid active session, the device grants the attacker access.\u003c/li\u003e\n\u003cli\u003eThe attacker gains unauthorized read access to limited information from the web server.\u003c/li\u003e\n\u003cli\u003eThe attacker may be able to glean sensitive configuration details or operational data.\u003c/li\u003e\n\u003c/ol\u003e\n\u003ch2 id=\"impact\"\u003eImpact\u003c/h2\u003e\n\u003cp\u003eSuccessful exploitation of CVE-2024-54017 could allow an unauthenticated attacker to gain unauthorized read access to sensitive information from vulnerable Siemens SIPROTEC 5 devices. The impact is limited to read access, but exposed configuration data or operational parameters could provide valuable information to an attacker for further malicious activity. The vulnerability affects a wide range of SIPROTEC 5 devices deployed globally, particularly in critical manufacturing sectors.\u003c/p\u003e\n\u003ch2 id=\"recommendation\"\u003eRecommendation\u003c/h2\u003e\n\u003cul\u003e\n\u003cli\u003eApply available updates to V11.0 or later versions for affected SIPROTEC 5 devices as provided by Siemens to remediate CVE-2024-54017.\u003c/li\u003e\n\u003cli\u003eMonitor web server logs for unusual patterns of requests with different session identifiers, indicative of brute-force attempts targeting CVE-2024-54017. Use the provided Sigma rule to detect these patterns.\u003c/li\u003e\n\u003cli\u003eImplement network segmentation and firewalls to restrict access to SIPROTEC 5 devices and minimize network exposure, as mentioned in the CISA advisory.\u003c/li\u003e\n\u003c/ul\u003e\n","date_modified":"2026-05-14T15:08:07Z","date_published":"2026-05-14T15:08:07Z","id":"https://feed.craftedsignal.io/briefs/2026-05-siemens-siprotec5-session-hijacking/","summary":"Siemens SIPROTEC 5 devices are vulnerable to session hijacking (CVE-2024-54017) due to the use of insufficiently random numbers in session identifier generation, potentially allowing an unauthenticated remote attacker to brute-force a valid session and gain unauthorized read access.","title":"Siemens SIPROTEC 5 Insufficient Session ID Randomness Leads to Session Hijacking (CVE-2024-54017)","url":"https://feed.craftedsignal.io/briefs/2026-05-siemens-siprotec5-session-hijacking/"}],"language":"en","title":"CraftedSignal Threat Feed — SIPROTEC 5 7SA87 (CP200)","version":"https://jsonfeed.org/version/1.1"}