OTPulse

Siemens SCALANCE and RUGGEDCOM Devices (Update A)

Plan Patch
CVSS: 8.8
ICS-CERT: ICSA-21-068-03
Date: Mar 9, 2021
Attack Vector: Adjacent
Auth Required: None
Complexity: Low
User Interaction: None needed
Summary

A vulnerability in the passive listening feature of Siemens SCALANCE and RUGGEDCOM industrial network switches could allow an attacker to cause a device reboot or, under specific circumstances, achieve remote code execution. The vulnerability affects multiple firmware versions across the product lines. Siemens has released firmware updates for all affected products.

What this means
What could happen
An attacker with network access to the device could restart a critical network switch, interrupting communications to field devices and PLCs, or potentially run arbitrary code to manipulate network traffic or alter device configuration. This could disrupt process visibility, cause loss of control over remote assets, or enable further lateral movement into the control system network.
Who's at risk
This vulnerability affects industrial network infrastructure across water utilities, power distribution, and manufacturing facilities that use Siemens SCALANCE or RUGGEDCOM switches. These switches are critical to connecting PLCs, RTUs, and other field devices. Any organization running the affected firmware versions should prioritize assessment and patching of their network backbone devices.
How it could be exploited
An attacker on the same network segment as the affected switch exploits a flaw in the STP (Spanning Tree Protocol) passive listening feature by sending specially crafted packets. The malformed packets trigger a reboot (denial of service) or, under specific network conditions, allow code execution on the switch. No authentication is required, and the attack does not require direct console access.
Prerequisites
  • Network access to the affected device (attacker must be reachable on the same network segment)
  • STP passive listening feature must be enabled (default configuration)
  • No authentication credentials required
Key factors
  • remotely exploitable
  • no authentication required
  • low complexity attack
  • high CVSS score (8.8)
  • affects network infrastructure critical to OT operations
  • passive listening is enabled by default
Exploitability
Low exploit probability (EPSS 0.3%)
Affected products (11)
11 with fix
Product                    Affected Versions        Fix Version
RUGGEDCOM RM1224           ≥ V4.3 and < V6.4        6.4
SCALANCE M-800             ≥ V4.3 and < V6.4        6.4
SCALANCE S615              ≥ V4.3 and < V6.4        6.4
SCALANCE SC-600 Family     ≥ V2.0 and < V2.1.3      2.1.3
SCALANCE XB-200            < V4.1                   4.1
SCALANCE XC-200            < V4.1                   4.1
SCALANCE XF-200BA          < V4.1                   4.1
SCALANCE XM400             < V6.2                   6.2
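As an added example (not part of the advisory or of any Siemens tooling), a small Python checker that evaluates firmware versions against the ranges in the table above; the hostnames and versions in the inventory are constructed, and the point it makes is that version strings must be compared numerically, not as text.

```python
import re
# Affected ranges from the table: (lower bound inclusive or None, upper bound exclusive = fixed version)
AFFECTED = {
    "RUGGEDCOM RM1224":       ("4.3", "6.4"),
    "SCALANCE M-800":         ("4.3", "6.4"),
    "SCALANCE S615":          ("4.3", "6.4"),
    "SCALANCE SC-600 Family": ("2.0", "2.1.3"),
    "SCALANCE XB-200":        (None, "4.1"),
    "SCALANCE XC-200":        (None, "4.1"),
    "SCALANCE XF-200BA":      (None, "4.1"),
    "SCALANCE XM400":         (None, "6.2"),
}

def parse_version(text):
    """Turn 'V4.10' or '4.3.0' into a tuple of ints; trailing .0 is dropped so 4.1 == 4.1.0."""
    m = re.fullmatch(r"[Vv]?(\d+(?:\.\d+)*)", text.strip())
    if not m:
        raise ValueError(f"unrecognised firmware version: {text!r}")
    parts = [int(p) for p in m.group(1).split(".")]
    while len(parts) > 1 and parts[-1] == 0:
        parts.pop()
    return tuple(parts)

def is_affected(product, version):
    """True if the firmware lies inside the advisory's affected range for that product.
    Unknown products raise KeyError rather than being silently reported as safe."""
    lower, upper = AFFECTED[product]
    v = parse_version(version)
    if lower is not None and v < parse_version(lower):
        return False
    return v < parse_version(upper)

def triage(inventory):
    """Return (host, product, version, fix) for every device that still needs the update."""
    return [(host, product, version, AFFECTED[product][1])
            for host, product, version in inventory
            if is_affected(product, version)]

# Constructed sample inventory: hostnames and versions are made up for this example.
SAMPLE_INVENTORY = [
    ("sw-plc-01", "SCALANCE XC-200", "V4.0"),             # below 4.1: affected
    ("sw-plc-02", "SCALANCE XC-200", "V4.10"),            # 4.10 >= 4.1: fixed (a string compare would say otherwise)
    ("rtr-sub-01", "RUGGEDCOM RM1224", "V4.2"),           # below the 4.3 lower bound: not affected
    ("rtr-sub-02", "RUGGEDCOM RM1224", "V6.3"),           # inside [4.3, 6.4): affected
    ("fw-cell-01", "SCALANCE SC-600 Family", "V2.1.3"),   # fixed version
]

if __name__ == "__main__":
    for host, product, version, fix in triage(SAMPLE_INVENTORY):
        print(f"{host}: {product} {version} -> update to {fix} or later")
```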
Remediation & Mitigation
Do now
WORKAROUND: Disable the STP passive listening feature on all affected devices if updates cannot be applied immediately
Schedule — requires maintenance window

Patching may require device reboot — plan for process interruption

SCALANCE SC-600 Family
HOTFIX: Update SCALANCE SC-600 Family to version 2.1.3 or later
SCALANCE XB-200
HOTFIX: Update SCALANCE XB-200 to version 4.1 or later
SCALANCE XC-200
HOTFIX: Update SCALANCE XC-200 to version 4.1 or later
SCALANCE XF-200BA
HOTFIX: Update SCALANCE XF-200BA to version 4.1 or later
SCALANCE XP-200
HOTFIX: Update SCALANCE XP-200 to version 4.1 or later
SCALANCE XR-300WG
HOTFIX: Update SCALANCE XR-300WG to version 4.1 or later
SCALANCE XM400
HOTFIX: Update SCALANCE XM400 to version 6.2 or later
SCALANCE XR500
HOTFIX: Update SCALANCE XR500 to version 6.2 or later
RUGGEDCOM RM1224
HOTFIX: Update RUGGEDCOM RM1224 to version 6.4 or later
SCALANCE M-800
HOTFIX: Update SCALANCE M-800 to version 6.4 or later
SCALANCE S615
HOTFIX: Update SCALANCE S615 to version 6.4 or later
Long-term hardening
HARDENING: Isolate network switches from the internet and restrict access from untrusted network segments
HARDENING: Place the control system network behind firewalls and segment it from the business network