CVE-2024-54015
Published: 11 February 2025
Summary
CVE-2024-54015 is a high-severity Use of Default Credentials (CWE-1392) vulnerability. Its CVSS base score is 8.7 (High).
Operationally, exploitation aligns with the MITRE ATT&CK technique Exploit Public-Facing Application (T1190). The CVE ranks at the 34.0th percentile by exploit likelihood (below the median) and is not currently listed in the CISA KEV catalog.
The strongest mitigations our analysis identified are NIST 800-53 SC-7 (Boundary Protection) and SI-10 (Information Input Validation).
Deeper analysis
CVE-2024-54015 is a vulnerability in multiple Siemens SIPROTEC 5 protection relays and communication modules, including models such as 6MD84 (CP300 all versions < V9.90), 6MD85/6MD86/6MD89/6MU85 (CP300 versions >= V8.80 < V9.90), 7KE85 (CP300 >= V8.80 < V10.0), 7SA82/7SD82/7SJ81/7SJ82/7SK82/7SL82/7SX82/7SY82/7UT82 (CP150 all < V9.90), various 7SA/7SD/7SJ/7SK/7SL/7SS/7ST/7SX/7SY/7UM/7UT/7VE/7VK/7VU85 (CP300 >= V8.80 < V9.90 or specific subranges), 7ST85/7ST86 (CP300 < V10.0 with subranges), SIPROTEC 5 Compact 7SX800 (CP050 >= V9.50 < V9.90), and communication modules like ETH-BA-2EL/ETH-BB-2FO/ETH-BD-2FO (all versions < V9.90 or subranges). The issue stems from improper validation of SNMP GET requests, enabling disclosure of sensitive information.
An unauthenticated remote attacker can exploit this vulnerability over the network by sending SNMPv2 GET requests using default credentials, achieving high-impact confidentiality loss (CVSS 7.5: AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N) without requiring privileges, user interaction, or scope changes. Successful exploitation allows retrieval of sensitive device information, potentially aiding further attacks on industrial control systems.
Siemens Security Advisory SSA-767615 at https://cert-portal.siemens.com/productcert/html/ssa-767615.html provides details on mitigation, including recommended firmware updates to patched versions such as V9.90 or higher where specified. Security practitioners should review the advisory for affected version mappings and upgrade instructions.
EU & UK References
- 🇪🇺 ENISA EUVD: EUVD-2024-52243
Vulnerability details
A vulnerability has been identified in SIPROTEC 5 6MD84 (CP300) (All versions < V9.90), SIPROTEC 5 6MD85 (CP300) (All versions >= V8.80 < V9.90), SIPROTEC 5 6MD86 (CP300) (All versions >= V8.80 < V9.90), SIPROTEC 5 6MD89 (CP300) (All versions
>= V8.80 < V9.90), SIPROTEC 5 6MD89 (CP300) V9.6x (All versions < V9.68), SIPROTEC 5 6MU85 (CP300) (All versions >= V8.80 < V9.90), SIPROTEC 5 7KE85 (CP300) (All versions >= V8.80 < V10.0), SIPROTEC 5 7SA82 (CP150) (All versions < V9.90), SIPROTEC 5 7SA86 (CP300) (All versions >= V8.80 < V9.90), SIPROTEC 5 7SA87 (CP300) (All versions >= V8.80 < V9.90), SIPROTEC 5 7SD82 (CP150) (All versions < V9.90), SIPROTEC 5 7SD86 (CP300) (All versions >= V8.80 < V9.90), SIPROTEC 5 7SD87 (CP300) (All versions >= V8.80 < V9.90), SIPROTEC 5 7SJ81 (CP150) (All versions < V9.90), SIPROTEC 5 7SJ82 (CP150) (All versions < V9.90), SIPROTEC 5 7SJ85 (CP300) (All versions >= V8.80 < V9.90), SIPROTEC 5 7SJ86 (CP300) (All versions >= V8.80 < V9.90), SIPROTEC 5 7SK82 (CP150) (All versions < V9.90), SIPROTEC 5 7SK85 (CP300) (All versions >= V8.80 < V9.90), SIPROTEC 5 7SL82 (CP150) (All versions < V9.90), SIPROTEC 5 7SL86 (CP300) (All versions >= V8.80 < V9.90), SIPROTEC 5 7SL87 (CP300) (All versions >= V8.80 < V9.90), SIPROTEC 5 7SS85 (CP300) (All versions >= V8.80 < V9.90), SIPROTEC 5 7ST85 (CP300) (All versions >= V8.80 < V10.0), SIPROTEC 5 7ST85 (CP300) V9.6x (All versions < V9.68), SIPROTEC 5 7ST86 (CP300) (All versions < V10.0), SIPROTEC 5 7ST86 (CP300) V9.8x (All versions < V9.83), SIPROTEC 5 7SX82 (CP150) (All versions < V9.90), SIPROTEC 5 7SX85 (CP300) (All versions >= V8.80 < V9.90), SIPROTEC 5 7SY82 (CP150) (All versions < V9.90), SIPROTEC 5 7UM85 (CP300) (All versions >= V8.80 < V9.90), SIPROTEC 5 7UT82 (CP150) (All versions < V9.90), SIPROTEC 5 7UT85 (CP300) (All versions >= V8.80 < V9.90), SIPROTEC 5 7UT86 (CP300) (All versions >= V8.80 < V9.90), SIPROTEC 5 7UT87 (CP300) (All versions >= V8.80 < V9.90), SIPROTEC 5 7VE85 (CP300) (All versions >= V8.80 < V9.90), SIPROTEC 5 7VK87 (CP300) (All versions >= V8.80 < V9.90), SIPROTEC 5 7VU85 (CP300) (All versions < V9.90), SIPROTEC 5 Communication Module ETH-BA-2EL (Rev.2) (All versions < V9.90), SIPROTEC 5 Communication Module 
ETH-BA-2EL (Rev.2) V9.6 (All versions < V9.68), SIPROTEC 5 Communication Module ETH-BA-2EL (Rev.2) V9.8 (All versions < V9.83), SIPROTEC 5 Communication Module ETH-BB-2FO (Rev. 2) (All versions < V9.90), SIPROTEC 5 Communication Module ETH-BB-2FO (Rev. 2) V9.6 (All versions < V9.68), SIPROTEC 5 Communication Module ETH-BB-2FO (Rev. 2) V9.8 (All versions < V9.83), SIPROTEC 5 Communication Module ETH-BD-2FO (All versions >= V8.80 < V9.90), SIPROTEC 5 Communication Module ETH-BD-2FO V9.6 (All versions < V9.68), SIPROTEC 5 Communication Module ETH-BD-2FO V9.8 (All versions < V9.83), SIPROTEC 5 Compact 7SX800 (CP050) (All versions >= V9.50 < V9.90). Affected devices do not properly validate SNMP GET requests. This could allow an unauthenticated, remote attacker to retrieve sensitive information of the affected devices with SNMPv2 GET requests using default credentials.
Related Threats
MITRE ATT&CK Enterprise Techniques
Why these techniques?
The vulnerability enables unauthenticated remote SNMP GET requests against a public-facing ICS device, disclosing sensitive information and configuration. This maps directly to exploitation of a public-facing application and to access to SNMP MIB and configuration data.
Mitigating Controls
Mitigating Controls (NIST 800-53 r5)
Directly remediates the improper SNMP GET request validation flaw through firmware updates to patched versions as recommended in Siemens advisory.
Requires implementation of input validation mechanisms at network interfaces to properly validate SNMP GET requests and prevent sensitive information disclosure.
Enforces boundary protections such as firewalls or network segmentation to block unauthorized remote network access to the vulnerable SNMP service.
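Added example (not part of the original page or the Siemens advisory): a passive check supporting the boundary-protection control above, which parses a captured UDP/161 payload and flags SNMPv2c read requests arriving from sources outside a management allowlist. The allowlist range, function names and sample packet are assumptions constructed for illustration; GetNext and GetBulk are covered alongside GET as the other read PDUs.

```python
import ipaddress

# Assumption: the only hosts permitted to poll relays over SNMP (constructed range).
ALLOWED_MANAGERS = [ipaddress.ip_network("10.20.0.0/28")]
READ_PDUS = {0xA0: "GetRequest", 0xA1: "GetNextRequest", 0xA5: "GetBulkRequest"}

def _tlv(buf, pos):
    """Read one BER TLV at pos and return (tag, value, next_pos)."""
    tag, length = buf[pos], buf[pos + 1]
    pos += 2
    if length & 0x80:                      # long form: low 7 bits = count of length octets
        n = length & 0x7F
        length = int.from_bytes(buf[pos:pos + n], "big")
        pos += n
    if pos + length > len(buf):
        raise ValueError("truncated TLV")
    return tag, buf[pos:pos + length], pos + length

def classify(src_ip, payload):
    """Return an alert for an SNMPv2c read request from a non-allowlisted source, else None."""
    try:
        tag, msg, _ = _tlv(payload, 0)
        t_ver, ver, p = _tlv(msg, 0)
        t_com, community, p = _tlv(msg, p)
        pdu_tag, _, _ = _tlv(msg, p)
    except (ValueError, IndexError):
        return None                        # not parseable as an SNMP message
    if (tag, t_ver, t_com) != (0x30, 0x02, 0x04):
        return None
    if int.from_bytes(ver, "big") != 1 or pdu_tag not in READ_PDUS:
        return None                        # version field 1 means SNMPv2c
    src = ipaddress.ip_address(src_ip)
    if any(src in net for net in ALLOWED_MANAGERS):
        return None
    return {"src": src_ip, "pdu": READ_PDUS[pdu_tag],
            "community": community.decode("latin-1")}

def _enc(tag, body):
    return bytes([tag, len(body)]) + body  # short-form length; sample stays under 128 bytes

def sample_request(community, version=1, pdu_tag=0xA0):
    """Constructed SNMP request for sysDescr.0, used only as test input."""
    oid = _enc(0x06, bytes.fromhex("2b06010201010100"))
    varbinds = _enc(0x30, _enc(0x30, oid + _enc(0x05, b"")))
    pdu = _enc(pdu_tag, _enc(0x02, b"\x01") + _enc(0x02, b"\x00") * 2 + varbinds)
    return _enc(0x30, _enc(0x02, bytes([version])) + _enc(0x04, community) + pdu)

if __name__ == "__main__":
    print(classify("203.0.113.7", sample_request(b"EXAMPLE-COMMUNITY")))
```

The alert includes the community string so it can be compared against the values configured on the relays; treat that field as a credential when storing or forwarding alerts.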