OTPulse

Siemens SCALANCE X Switches (Update A)

Monitor | 5.8 | ICS-CERT ICSA-18-163-02 | Jun 12, 2018
Attack Vector: Network
Auth Required: None
Complexity: High
User Interaction: Required
Summary

Cross-site scripting (XSS) vulnerabilities exist in the web server of SCALANCE X switches. An attacker could inject malicious scripts that execute when an administrator accesses the switch web interface, potentially leading to credential theft or unauthorized configuration changes. Affected switch families include X-200, X-200IRT, X-200RNA, and X-300 (including SIPLUS NET variants and X-408 models) running firmware versions prior to the fixed versions listed. Siemens recommends updating to patched firmware and protecting network access to the web management interface.

What this means
What could happen
An attacker could inject malicious scripts into the web interface of SCALANCE X switches, potentially stealing an authorized user's credentials or disrupting that user's access to the switch management interface during critical operational tasks.
Who's at risk
Network operations staff and automation engineers managing SCALANCE X switches in water utilities, municipal electric distribution, and wastewater treatment facilities. The vulnerability specifically affects the X-200, X-200IRT, X-200RNA, X-300, and X-408 switch variants used for industrial networking in process automation and SCADA environments.
How it could be exploited
An attacker crafts a malicious URL or embeds JavaScript in a web page that, when visited by an authenticated administrator, executes in the context of the switch web interface. The attacker can then steal session tokens, capture credentials entered into the interface, or perform unauthorized configuration changes on the switch.
Prerequisites
  • Network access to the switch web interface (TCP port 80 or 443)
  • A valid administrator must be tricked into clicking a malicious link or visiting a compromised page while authenticated to the switch
  • The switch firmware must be running a vulnerable version
  • Remotely exploitable via web interface
  • Requires user interaction (social engineering via phishing/malicious links)
  • Affects device management interface, not industrial protocol operation
  • Low public exploit availability
  • Patch available from vendor
Exploitability
Low exploit probability (EPSS 0.3%)
Affected products (4)
4 with fix
Product | Affected Versions | Fix Status
SCALANCE X-200IRT switch family (incl. SIPLUS NET variants) | <V5.4.1 | 5.4.1
SCALANCE X-200RNA switch family | <V3.2.7 | 3.2.7
SCALANCE X-300 switch family (incl. X408 and SIPLUS NET variants) | <V4.1.3 | 4.1.3
SCALANCE X-200 switch family (incl. SIPLUS NET variants) | <V5.2.3 | 5.2.3
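To triage an asset inventory against the fixed versions in the table above, the following added example (not part of the advisory or any Siemens tooling) compares each switch's recorded firmware with the fix for its family. The CSV layout, hostnames and the `triage` and `parse_version` helpers are assumptions made for illustration; the fixed versions are the ones listed on this page.

```python
import csv, io, re

# Fixed firmware per family, copied from the affected-products table in this advisory.
FIXED = {
    "X-200": "5.2.3",
    "X-200IRT": "5.4.1",
    "X-200RNA": "3.2.7",
    "X-300": "4.1.3",
    "X-408": "4.1.3",  # the advisory lists X-408 under the X-300 family
}

def parse_version(text):
    """Turn 'V5.2.1', 'v5.2' or '5.2.1' into a tuple that compares numerically."""
    m = re.fullmatch(r"[Vv]?(\d+(?:\.\d+){0,3})", text.strip())
    if not m:
        raise ValueError(f"unparseable firmware version: {text!r}")
    parts = [int(p) for p in m.group(1).split(".")]
    return tuple(parts + [0] * (4 - len(parts)))  # pad so 3.2 == 3.2.0.0

def triage(inventory_csv):
    """Return {host: status} for a CSV with host, family and firmware columns."""
    results = {}
    for row in csv.DictReader(io.StringIO(inventory_csv)):
        family = re.sub(r"\s+", "", row["family"].upper().replace("SCALANCE", ""))
        fixed = FIXED.get(family)
        if fixed is None:
            results[row["host"]] = "not-in-advisory"
            continue
        try:
            current = parse_version(row["firmware"])
        except ValueError:
            results[row["host"]] = "unknown-version"  # needs a manual check
            continue
        results[row["host"]] = "vulnerable" if current < parse_version(fixed) else "fixed"
    return results

# Constructed sample inventory: hostnames and firmware values are made up.
SAMPLE = """host,family,firmware
sw-pump-01,SCALANCE X-200,V5.2.1
sw-pump-02,X-200IRT,5.4.1
sw-ring-01,x-200rna,V3.2
sw-core-01,X-408,V4.1.10
sw-core-02,X-300,unknown
sw-edge-01,XM-400,V6.0
"""

if __name__ == "__main__":
    print(triage(SAMPLE))
```

Versions are compared as integer tuples, so V4.1.10 is correctly treated as newer than 4.1.3, and a switch whose firmware cannot be read is flagged for manual review rather than assumed patched.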
Remediation & Mitigation
Do now
WORKAROUND: Restrict network access to the switch web interface using firewall rules or access control lists; limit access to authorized engineering workstations only
Schedule — requires maintenance window

Patching may require device reboot — plan for process interruption

HOTFIX: Update SCALANCE X-200 switches to firmware v5.2.3 or later
HOTFIX: Update SCALANCE X-200IRT switches to firmware v5.4.1 or later
HOTFIX: Update SCALANCE X-300 switches (including X-408 variants) to firmware v4.1.3 or later
HOTFIX: Update SCALANCE X-200RNA switches to firmware v3.2.7 or later
Long-term hardening
HARDENING: Disable remote web management on switches unless absolutely required for operations
HARDENING: Segment switches onto a restricted engineering network separate from general IT infrastructure
API: /api/v1/advisories/9b083a9f-ee5e-49bf-8036-c03a303a08ff