Impact
The vulnerability is caused by Siemens SIPROTEC 5 devices generating session identifiers that are not sufficiently random. An attacker who can reach the device’s web interface can attempt a brute‑force attack against these identifiers and obtain read‑only information from the web server without any authentication. The CVSS score of 6.9 reflects moderate severity because the impact is limited to data disclosure and the attack requires only network access to the web port.
Affected Systems
Siemens SIPROTEC 5 devices across many models are affected, including 6MD84 CP300, 6MD85 CP200/CP300, 6MD86 CP200/CP300, 6MD89 CP300, 6MU85 CP300, 7KE85 CP200/CP300, 7SA82 CP100/CP150, 7SA84 CP200, 7SA86 CP200/CP300, 7SA87 CP200/CP300, 7SD82 CP100/CP150, 7SD84 CP200, 7SD86 CP200/CP300, 7SD87 CP200/CP300, 7SJ81 CP100/CP150, 7SJ82 CP100/CP150, 7SJ85 CP200/CP300, 7SJ86 CP200/CP300, 7SK82 CP100/CP150, 7SK85 CP200/CP300, 7SL82 CP100/CP150, 7SL86 CP200/CP300, 7SL87 CP200/CP300, 7SS85 CP200/CP300, 7ST85 CP200/CP300, 7ST86 CP300, 7SX82 CP150, 7SX85 CP300, 7SY82 CP150, 7UM85 CP300, 7UT82 CP100/CP150, 7UT85 CP200/CP300, 7UT86 CP200/CP300, 7UT87 CP200/CP300, 7VE85 CP300, 7VK87 CP200/CP300, 7VU85 CP300 and Compact 7SX800 CP050. The affected firmware ranges are specified in the CVE description and depend on the model: some models are affected on all firmware below version 11.0, others on firmware from version 7.80 to below 11.0.
Risk and Exploitability
Because the web interface is exposed to network traffic, an unauthenticated attacker can launch a brute‑force session‑ID attack over HTTP or HTTPS. The lack of cryptographically secure randomness makes success feasible with enough attempts, yielding read‑only data. The EPSS score is not provided, and the vulnerability is not listed in CISA KEV, which implies that exploitation activity is not yet well documented; the flaw still represents a valid risk for exposed devices. The CVSS score of 6.9 indicates moderate severity.
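One way to watch for the session-ID guessing described above, as an added example that is not part of the original page or of any Siemens code. It assumes a reverse proxy or network sensor in front of the device records the client address, HTTP status and presented session identifier, and that a rejected identifier returns 401 or 403; the record layout, function name, thresholds and sample data are constructed for illustration.

```python
from collections import Counter, defaultdict, deque

REJECTED = {401, 403}  # assumption: statuses returned for an invalid session ID

# Constructed sample records: (epoch seconds, client IP, HTTP status, session ID).
# This layout is an assumption, not a SIPROTEC 5 log format.
SAMPLE = (
    # one stale ID retried by a legitimate workstation
    [(1000 + i, "192.0.2.10", 403, "a1b2c3d4") for i in range(3)]
    # six distinct IDs rejected within 25 seconds
    + [(1000 + 5 * i, "192.0.2.99", 403, f"{i:08x}") for i in range(6)]
    # five distinct IDs rejected, but two minutes apart
    + [(1000 + 120 * i, "192.0.2.7", 403, f"ff{i:06x}") for i in range(5)]
    + [(1010, "192.0.2.10", 200, "e5f6a7b8")]
)


def flag_session_guessing(records, window=60, threshold=5):
    """Return {client_ip: peak} for clients whose peak number of distinct
    rejected session IDs inside any `window` seconds reaches `threshold`."""
    per_client = defaultdict(list)
    for ts, ip, status, sid in records:
        if status in REJECTED and sid:
            per_client[ip].append((ts, sid))

    flagged = {}
    for ip, events in per_client.items():
        events.sort()
        recent, counts, peak = deque(), Counter(), 0
        for ts, sid in events:
            recent.append((ts, sid))
            counts[sid] += 1
            # Drop events that have aged out of the sliding window.
            while recent[0][0] <= ts - window:
                _, old_sid = recent.popleft()
                counts[old_sid] -= 1
                if counts[old_sid] == 0:
                    del counts[old_sid]
            peak = max(peak, len(counts))
        if peak >= threshold:
            flagged[ip] = peak
    return flagged


if __name__ == "__main__":
    print(flag_session_guessing(SAMPLE))
```

Counting distinct rejected identifiers, rather than raw failures, keeps a client that retries one expired session from being flagged. The slow client in the sample stays under a 60-second window, so a second pass with a longer window is needed to catch low-rate attempts.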