For defenders managing Operational Technology (OT) and critical infrastructure, the integrity of protection relays is non-negotiable. CISA recently released advisory ICSA-26-174-02 detailing a critical vulnerability in Siemens SIPROTEC 5 devices. This flaw allows authenticated attackers to leverage the DIGSI 5 protocol to upload arbitrary files.
The consequences are severe: an attacker can inject malicious configuration files, leading to a Permanent Denial of Service (PDoS). In an electrical grid context, disabling protection relays can destabilize power delivery and damage physical assets. While the attack requires authentication, the prevalence of shared credentials in OT environments and the high value of these targets make immediate remediation essential.
Technical Analysis
Vulnerability: Arbitrary File Upload via DIGSI 5 Protocol Affected Component: SIPROTEC 5 Firmware (DIGSI 5 communication interface) Advisory ID: ICSA-26-174-02
Affected Products and Versions
This vulnerability impacts specific Siemens SIPROTEC 5 device lines:
- CP050 and CP150: All versions prior to 9.90.
- CP300 (Devices 7ST85 and 7ST86): All versions prior to 10.00.
- CP300 (Remaining Models): All versions prior to 9.90.
Vulnerability Mechanics
The DIGSI 5 protocol, used for engineering and configuration access, lacks a file-validation allow-list in older firmware versions. An authenticated user with access to the protocol can upload files that are not strictly configuration data. By uploading a malicious or malformed configuration file, an attacker can corrupt the device's operational state. Unlike a standard reboot cycle, this corruption results in a permanent fault state requiring manual intervention or firmware re-flashing to restore functionality—a classic PDoS scenario.
Exploitation Status
Siemens has confirmed that successful exploitation requires authentication. However, given the prevalence of lateral movement techniques in ICS environments (e.g., harvesting credentials from engineering workstations), the barrier to entry is lower than unauthenticated remote code execution. Siemens has released updates that implement an allow-list feature, strictly restricting file uploads to valid configuration types.
Detection & Response
Detecting this specific protocol-level manipulation requires visibility into the Engineering Workstations used to manage these relays and the network traffic traversing the OT network. Standard EDR on the relay itself is unlikely, so we focus the hunt on the jump hosts and engineering terminals.
SIGMA Rules
The following rules target suspicious behavior on Windows-based Engineering Workstations running the DIGSI software. They look for the process executing file operations or establishing network connections to the OT zone.
---
title: Potential Malicious File Upload via DIGSI Engineering Software
id: 8f1d2c3e-4b5a-6789-0123-456789abcdef
status: experimental
description: Detects the DIGSI 5 engineering process performing potential file upload operations via command-line arguments often used for configuration deployment.
references:
- https://www.cisa.gov/news-events/ics-advisories/icsa-26-174-02
author: Security Arsenal
date: 2026/04/06
tags:
- attack.initial_access
- attack.t1078
logsource:
category: process_creation
product: windows
detection:
selection:
Image|contains:
- '\DIGSI 5\'
- '\DIGSI.exe'
CommandLine|contains:
- '/upload'
- '-transfer'
- '-load'
condition: selection
falsepositives:
- Legitimate configuration backups by authorized engineers
level: medium
---
title: DIGSI Process Network Connection to OT Subnet
id: 9a2e3f4g-5h6i-7890-1234-567890abcdef
status: experimental
description: Detects network connections initiated by DIGSI 5 software to non-standard ports or subnets, indicating potential misuse of the management protocol.
references:
- https://www.cisa.gov/news-events/ics-advisories/icsa-26-174-02
author: Security Arsenal
date: 2026/04/06
tags:
- attack.command_and_control
- attack.t1071
logsource:
category: network_connection
product: windows
detection:
selection:
Image|contains:
- 'DIGSI'
DestinationPort|startswith:
- 102
- 2404
- 50000
condition: selection
falsepositives:
- Routine maintenance connections to known SIPROTEC devices
level: low
KQL (Microsoft Sentinel)
Use this query to hunt for engineering processes connecting to your defined OT asset IP ranges. This helps identify if a compromised engineering station is being used to attack relays.
let OT_IP_Ranges = dynamic(["192.168.10.0/24", "10.50.20.0/24"]); // Update with your OT subnets
DeviceNetworkEvents
| where InitiatingProcessName contains "DIGSI"
| where ipv4_is_in_range(RemoteIP, OT_IP_Ranges)
| project Timestamp, DeviceName, InitiatingProcessAccountName, RemoteIP, RemotePort, InitiatingProcessCommandLine
| order by Timestamp desc
Velociraptor VQL
This artifact hunts for the presence of the DIGSI software and checks for recent file modifications in the configuration directories, which might indicate unauthorized file uploads.
-- Hunt for DIGSI 5 installation and recent config file modifications
SELECT
OSPath,
Mtime,
Size,
Mode
FROM glob(globs="C:/Program Files*/**/DIGSI*.exe")
SELECT
FullPath,
Mtime,
Size,
Mode
FROM glob(globs="C:/Users/*/Documents/DIGSI/**/*.cfg")
WHERE Mtime > now() - 7h
Remediation Script (PowerShell)
Important: Do not use this script to push firmware to protection relays automatically. The script below is an Audit Tool. It checks your inventory CSV against the patched versions required by Siemens (CP050/CP150 -> 9.90, CP300 7ST85/86 -> 10.00). Run this to identify assets that need manual patching.
# Audit Script for Siemens SIPROTEC 5 Compliance (ICSA-26-174-02)
# Input: A CSV with 'AssetID', 'Model', 'FirmwareVersion'
param(
[string]$InventoryPath = ".\Siprotec_Inventory.csv"
)
$Inventory = Import-Csv -Path $InventoryPath
Write-Host "Starting Compliance Audit for SIPROTEC 5 Devices..." -ForegroundColor Cyan
foreach ($Device in $Inventory) {
$Status = "Compliant"
$RequiredVersion = "N/A"
$Model = $Device.Model.Trim()
$CurrentVersion = [version]$Device.FirmwareVersion.Trim()
# Logic based on ICSA-26-174-02 requirements
if ($Model -eq "CP050" -or $Model -eq "CP150") {
$RequiredVersion = "9.90"
if ($CurrentVersion -lt [version]"9.90") { $Status = "NON-COMPLIANT" }
}
elseif ($Model -eq "CP300") {
# Assuming the CSV has a column 'SubModel' or specific ID, otherwise generic check
# If device is 7ST85 or 7ST86, requires 10.00, else 9.90
if ($Device.AssetID -match "7ST85" -or $Device.AssetID -match "7ST86") {
$RequiredVersion = "10.00"
if ($CurrentVersion -lt [version]"10.00") { $Status = "NON-COMPLIANT" }
}
else {
$RequiredVersion = "9.90"
if ($CurrentVersion -lt [version]"9.90") { $Status = "NON-COMPLIANT" }
}
}
if ($Status -eq "NON-COMPLIANT") {
Write-Host "[ALERT] $($Device.AssetID) ($Model): Current $CurrentVersion - Required $RequiredVersion" -ForegroundColor Red
}
else {
Write-Host "[OK] $($Device.AssetID) ($Model): Current $CurrentVersion" -ForegroundColor Green
}
}
Remediation
-
Patch Immediately: Apply the firmware updates provided by Siemens.
- CP050 & CP150: Upgrade to Version 9.90 or later.
- CP300 (7ST85 & 7ST86): Upgrade to Version 10.00 or later.
- CP300 (All others): Upgrade to Version 9.90 or later.
-
Implement Allow-Listing: Ensure the updated firmware's allow-list feature is active to restrict file uploads to valid configuration extensions.
-
Network Segmentation: Limit access to the DIGSI 5 protocol (typically TCP 102, 2404, or ports 50000+) strictly to designated Engineering Workstations. Block this traffic from all other network segments.
-
Credential Hygiene: Rotate passwords for all local and remote accounts with access to SIPROTEC 5 devices, assuming potential credential theft from compromised engineering stations.
For devices where fixes are not yet available, Siemens recommends restricting operational access to the DIGSI protocol and using VPNs with strict access controls.
Official Advisory: CISA ICSA-26-174-02
Related Resources
Security Arsenal Managed SOC Services AlertMonitor Platform Book a SOC Assessment soc-mdr Intel Hub
Is your security operations ready?
Get a free SOC assessment or see how AlertMonitor cuts through alert noise with automated triage.