Executive Summary
In November 2025, Siemens disclosed vulnerabilities affecting its SICAM P850 and P855 industrial control device families. Specifically, these products were susceptible to a Cross-Site Request Forgery (CSRF) flaw and to incorrect permission assignment for critical resources, allowing attackers to execute unauthorized actions or impersonate users. The weaknesses affected devices deployed globally in energy-critical infrastructure, the main risk being that attackers abuse web sessions to modify device configuration or gain prolonged unauthorized access. Siemens ProductCERT identified the issues, which could be exploited remotely with low attack complexity and carry CVSS scores of up to 5.5.
This incident highlights growing concerns over ICS (Industrial Control Systems) vulnerabilities due to their essential role in critical infrastructure and the rising sophistication of exploitation tactics targeting web interfaces. The disclosure underscores the need for proactive patch management and access restrictions amid evolving regulatory and threat environments.
Why This Matters Now
Industrial control systems remain prime targets for cyber attackers as digital transformation expands their connectivity and attack surfaces. Immediate attention is warranted because successful exploitation can compromise energy sector reliability and safety, while increased regulatory scrutiny pushes asset owners to reduce vulnerabilities and patch gaps before threat actors capitalize.
Attack Path Analysis
The attacker initiates the attack by tricking an authenticated user into executing unauthorized requests on the Siemens SICAM web interface (CSRF), and may further exploit improperly protected session cookies to elevate privileges and impersonate users. With unauthorized access, the attacker could pivot within the ICS network, seeking adjacent systems via east-west movement. The attacker might establish command and control through covert traffic or persistent connections. Data exfiltration is possible if outbound controls are absent, and the final impact may include device manipulation or service disruption, threatening energy operations.
Kill Chain Progression
Initial Compromise
Description
An attacker lures an authenticated user to a malicious site that issues cross-site requests to the Siemens device, leveraging CSRF vulnerability for initial access.
Related CVEs
CVE-2023-30901
CVSS 4.3
The web interface of SICAM P850 and P855 devices is vulnerable to Cross-Site Request Forgery (CSRF) attacks, allowing an attacker to perform arbitrary actions on the device on behalf of a legitimate user.
Affected Products:
Siemens SICAM P850 – < 3.11
Siemens SICAM P855 – < 3.11
Exploit Status:
no public exploit
CVE-2023-31238
CVSS 5.5
SICAM P850 and P855 devices are missing cookie protection flags, allowing an attacker who gains access to a session token to impersonate a legitimate application user.
Affected Products:
Siemens SICAM P850 – < 3.11
Siemens SICAM P855 – < 3.11
Exploit Status:
no public exploit
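The two weaknesses above can be checked and mitigated on the defender's side. The following is an added example, not code from Siemens or from this report: audit_set_cookie() reports the protection flags CVE-2023-31238 describes as missing, and origin_check() shows the server-side Origin/Referer validation that refuses the cross-site write requests behind CVE-2023-30901. The cookie values and the origin https://10.0.0.5 are constructed, not taken from a device.

```python
# Added example (not from the Siemens advisory or this report): defender-side
# checks for the two weaknesses described above. Sample headers are constructed.
from urllib.parse import urlsplit

REQUIRED_FLAGS = ("secure", "httponly", "samesite")


def audit_set_cookie(set_cookie: str) -> dict:
    """Parse one Set-Cookie header value and report missing protection flags."""
    parts = [p.strip() for p in set_cookie.split(";")]
    name = parts[0].split("=", 1)[0]
    attrs = {}
    for p in parts[1:]:
        k, _, v = p.partition("=")          # flags like HttpOnly have no value
        attrs[k.strip().lower()] = v.strip().lower()
    missing = [f for f in REQUIRED_FLAGS if f not in attrs]
    # SameSite=None is present but gives no CSRF protection; report it separately
    return {"cookie": name, "missing": missing, "samesite": attrs.get("samesite")}


STATE_CHANGING = {"POST", "PUT", "DELETE", "PATCH"}


def origin_check(method: str, headers: dict, allowed_origin: str) -> bool:
    """Accept a state-changing request only if its Origin (or Referer) is the
    device's own origin. A browser attaches the attacker's origin to a forged
    cross-site request, so such a request is refused. Fails closed when neither
    header is present."""
    if method.upper() not in STATE_CHANGING:
        return True                          # reads carry no CSRF risk here
    hdrs = {k.lower(): v for k, v in headers.items()}
    source = hdrs.get("origin") or hdrs.get("referer")
    if not source:
        return False
    u = urlsplit(source)
    return f"{u.scheme}://{u.netloc}" == allowed_origin


# Constructed samples: a session cookie as an unprotected device might set it,
# and the same cookie with the three flags applied.
WEAK_COOKIE = "SESSIONID=abc123; Path=/"
HARDENED_COOKIE = "SESSIONID=abc123; Path=/; Secure; HttpOnly; SameSite=Strict"

if __name__ == "__main__":
    print(audit_set_cookie(WEAK_COOKIE))      # missing: secure, httponly, samesite
    print(audit_set_cookie(HARDENED_COOKIE))  # missing: []
    print(origin_check("POST", {"Origin": "https://evil.example"}, "https://10.0.0.5"))
```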
MITRE ATT&CK® Techniques
Exploit Public-Facing Application
Valid Accounts
Use Alternate Authentication Material: Pass the Cookie
Browser Session Hijacking
Exploitation for Credential Access
Steal Web Session Cookie
Cross Site Request Forgery
Potential Compliance Exposure
Mapping incident impact across multiple compliance frameworks.
NIST SP 800-53 Rev. 5 – Least Privilege
Control ID: AC-6
PCI DSS v4.0 – Authentication and Session Management
Control ID: 8.2.2
CISA Zero Trust Maturity Model (ZTMM) 2.0 – Active Session Verification
Control ID: Identity Pillar – Session Management
NIS2 Directive – Access Control and Asset Management
Control ID: Art. 21(2)(d)
NYDFS 23 NYCRR 500 – Cybersecurity Policy and Access Privileges
Control ID: 500.03, 500.07
DORA (Regulation (EU) 2022/2554) – ICT Risk Management Framework
Control ID: Art. 9
Sector Implications
Industry-specific impact of the vulnerabilities, including operational, regulatory, and cloud security risks.
Utilities
Critical exposure through SICAM P850/P855 power automation systems vulnerable to CSRF and permission bypass attacks enabling unauthorized device control and operational disruption.
Oil/Energy/Solar/Greentech
High risk from industrial control system vulnerabilities in energy infrastructure allowing attackers to impersonate users and perform arbitrary actions on critical devices.
Industrial Automation
Significant threat from Siemens SICAM device vulnerabilities enabling cross-site request forgery attacks and session token exploitation in automated industrial control environments.
Electrical/Electronic Manufacturing
Manufacturing operations at risk from ICS vulnerabilities allowing remote exploitation through web interface attacks and inadequate session protection in control systems.
Sources
- CISA ICSA-25-317-11: Siemens SICAM P850 family and SICAM P855 family. https://www.cisa.gov/news-events/ics-advisories/icsa-25-317-11
- Siemens SSA-201498: Multiple Vulnerabilities in the Web Server of SICAM P850 and SICAM P855 Devices Before V3.11. https://cert-portal.siemens.com/productcert/html/ssa-201498.html
- NVD: CVE-2023-30901 Detail. https://nvd.nist.gov/vuln/detail/CVE-2023-30901
- NVD: CVE-2023-31238 Detail. https://nvd.nist.gov/vuln/detail/CVE-2023-31238
Cloud Native Security Fabric (CNSF) Mitigations and Controls
Zero Trust segmentation, microsegmentation, encrypted transport, egress controls, and comprehensive threat detection would have limited attacker movement, blocked credential replay, and detected or disrupted multiple kill chain stages before process impact.
Control: Zero Trust Segmentation
Mitigation: Limits access to the device interface to only explicitly authorized users and zones.
Control: Threat Detection & Anomaly Response
Mitigation: Alerts on unusual credential/session usage or suspicious privilege escalation attempts.
Control: East-West Traffic Security
Mitigation: Prevents unauthorized workload-to-workload communications or lateral movement attempts.
Control: Cloud Firewall (ACF)
Mitigation: Blocks unauthorized outbound C2 protocols and unknown external destinations.
Control: Egress Security & Policy Enforcement
Mitigation: Prevents or detects unauthorized data exfiltration to untrusted external addresses.
Detects or blocks unauthorized, abnormal, or destructive actions in real time.
Impact at a Glance
Affected Business Functions
- Energy Monitoring
- Power Quality Analysis
Estimated downtime: 2 days
Estimated loss: $50,000
Potential exposure of session tokens leading to unauthorized access to device configurations and operational data.
Recommended Actions
Key Takeaways & Next Steps
- Enforce Zero Trust segmentation to strictly limit management interface exposure to only trusted users and IPs.
- Implement egress policy controls and outbound filtering to monitor and restrict device communications or data leakage.
- Enable threat detection and baseline analytics to quickly identify anomalous logins, session abuse, or privilege escalation.
- Apply microsegmentation and east-west traffic controls to reduce the attacker's ability to pivot across the environment.
- Ensure continuous inline policy enforcement and real-time inspection for rapid detection of unauthorized or destructive device actions.