OTPulse

Weidmueller Industrial Ethernet Switches

Act Now | CVSS 9.8 | ICS-CERT ICSA-19-339-02 | Dec 5, 2019
Attack Vector: Network
Auth Required: None
Complexity: Low
User Interaction: None needed
Summary

Weidmueller industrial Ethernet switches IE-SW-PL and IE-SW-VL series contain multiple vulnerabilities in the web interface and search service that allow remote attackers to gain unauthorized access without credentials. The vulnerabilities stem from insufficient encryption (CWE-311), weak or missing authentication (CWE-307, CWE-256), and lack of rate limiting (CWE-400). Successful exploitation grants an attacker the ability to read switch configuration, intercept unencrypted management traffic, modify device settings, or discover other devices on the network via the search service. The web interface accepts HTTP connections by default and the search service operates unencrypted on UDP, exposing management credentials and network topology information to any user on the network segment.

What this means
What could happen
An attacker on the network can gain unauthorized access to these industrial Ethernet switches without credentials, potentially allowing them to intercept network traffic, modify device configurations, or disrupt communication between factory equipment and control systems.
Who's at risk
Manufacturing facilities using Weidmueller IE-SW industrial Ethernet switches (PL and VL series) for plant network connectivity. This includes any switch connecting factory floor equipment, PLCs, HMIs, or sensors to the control network. Affects users of 40+ switch models across multiple hardware configurations.
How it could be exploited
An attacker sends a request to the web interface or unencrypted search service on an affected switch. The switch accepts the connection without requiring authentication and allows the attacker to access configuration functions, change settings, or capture sensitive data from the network segment the switch connects to.
Prerequisites
  • Network access to the switch's web interface (port 80) or search service (UDP port 32768)
  • No valid credentials required
  • Switch must be reachable from the attacker's network segment
  • Remotely exploitable
  • No authentication required
  • Low complexity attack
  • No patch available for most models as of advisory date
  • Affects network backbone equipment critical to operations
  • Unencrypted communication by default
Exploitability
Moderate exploit probability (EPSS 1.0%)
Affected products (40)
40 pending
Product | Affected Versions | Fix Status
IE-SW-PL18M-2GC14TX2ST firmware: v3.4.4 Build 16102416 and prior | ≤ 3.4.4 Build 16102416 | No fix yet
IE-SW-VL08MT-5TX-1SC-2SCS firmware: v3.5.2 Build 16102415 and prior | ≤ 3.5.2 Build 16102415 | No fix yet
IE-SW-PL18MT-2GC-16TX firmware: v3.4.4 Build 16102416 and prior | ≤ 3.4.4 Build 16102416 | No fix yet
IE-SW-PL08MT-6TX-2SCS firmware: v3.3.8 Build 16102416 and prior | ≤ 3.3.8 Build 16102416 | No fix yet
IE-SW-VL08MT-8TX firmware: v3.5.2 Build 16102415 and prior | ≤ 3.5.2 Build 16102415 | No fix yet
Remediation & Mitigation
Do now
WORKAROUND: Disable the unencrypted search service via WM Switch Utility or web interface (Main Menu > Basic Settings > Security > Management Interface: uncheck 'Enable Search Service')
WORKAROUND: Configure web interface to 'https only' via Main Menu > Basic Settings > System: Set 'Web Configuration' to 'https only'
Schedule — requires maintenance window

Patching may require device reboot — plan for process interruption

HOTFIX: Update firmware to patched versions:
  • IE-SW-VL05M series to v3.6.24 Build 19062809 or later
  • IE-SW-VL08MT series to v3.5.22 Build 19062810 or later
  • IE-SW-PL08M/PL08MT series to v3.3.16 Build 19062811 or later
  • IE-SW-PL10M/PL10MT series to v3.3.24 Build 19062813 or later
  • IE-SW-PL16M/PL16MT series to v3.4.18 Build 19062814 or later
  • IE-SW-PL18M/PL18MT series to v3.4.24 Build 19062815 or later
  • IE-SW-PL09M series to v3.3.16 Build 19062816 or later
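
An added example, not part of the advisory or any Weidmueller tooling: a Python check that compares inventoried firmware strings against the fixed versions listed in the HOTFIX entry. The inventory is constructed, and ordering firmware by version number first and build number second is an assumption.

```python
import re

# Minimum fixed firmware per series, copied from the HOTFIX entry of this advisory.
FIXED = {
    "IE-SW-VL05M": "v3.6.24 Build 19062809",
    "IE-SW-VL08MT": "v3.5.22 Build 19062810",
    "IE-SW-PL08M": "v3.3.16 Build 19062811",
    "IE-SW-PL08MT": "v3.3.16 Build 19062811",
    "IE-SW-PL10M": "v3.3.24 Build 19062813",
    "IE-SW-PL10MT": "v3.3.24 Build 19062813",
    "IE-SW-PL16M": "v3.4.18 Build 19062814",
    "IE-SW-PL16MT": "v3.4.18 Build 19062814",
    "IE-SW-PL18M": "v3.4.24 Build 19062815",
    "IE-SW-PL18MT": "v3.4.24 Build 19062815",
    "IE-SW-PL09M": "v3.3.16 Build 19062816",
}
FW_RE = re.compile(r"v?(\d+(?:\.\d+)*)\s+Build\s+(\d+)", re.IGNORECASE)

def parse_firmware(text):
    """Return ((3, 4, 4), 16102416) for 'v3.4.4 Build 16102416'."""
    m = FW_RE.search(text)
    if not m:
        raise ValueError(f"unrecognised firmware string: {text!r}")
    # Integers, not strings: as text, '3.4.4' would sort after '3.4.24'.
    return tuple(int(p) for p in m.group(1).split(".")), int(m.group(2))

def series_of(model):
    """Series is the first three hyphen-separated fields, e.g. IE-SW-PL18MT."""
    return "-".join(model.upper().split("-")[:3])

def assess(model, firmware):
    """Classify one switch as 'patched', 'vulnerable' or 'unknown-series'."""
    fixed = FIXED.get(series_of(model))
    if fixed is None:
        return "unknown-series"  # not covered by the HOTFIX list; review by hand
    return "patched" if parse_firmware(firmware) >= parse_firmware(fixed) else "vulnerable"

# Constructed inventory: two rows from the affected-products table, one unit
# assumed to be already updated, and one made-up model outside the listed series.
INVENTORY = [
    ("IE-SW-PL18M-2GC14TX2ST", "v3.4.4 Build 16102416"),
    ("IE-SW-VL08MT-8TX", "v3.5.2 Build 16102415"),
    ("IE-SW-PL08MT-6TX-2SCS", "v3.3.16 Build 19062811"),
    ("IE-SW-XX99-4TX", "v1.0.0 Build 1"),
]

def report(inventory=INVENTORY):
    return {model: assess(model, fw) for model, fw in inventory}
```
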
Long-term hardening
HARDENING: Place the switches on a separate network segment or behind a firewall that blocks inbound access to ports 80 and 32768 from untrusted networks
Weidmueller Industrial Ethernet Switches | CVSS 9.8 - OTPulse