Siemens SCALANCE W1750D (Update B)

Act NowCVSS 9.8ICS-CERT ICSA-21-131-14May 11, 2021

Siemens

Attack path

Attack VectorNetwork

Auth RequiredNone

ComplexityLow

User InteractionNone needed

Summary

SCALANCE W1750D contains multiple input validation and buffer overflow vulnerabilities (CWE-287, CWE-120, CWE-77, CWE-20, CWE-362, CWE-79, CWE-80, CWE-400) in the Aruba Instant command interface and web management components. Affected versions: all versions prior to 8.7.0, and versions 8.7.0 through 8.7.1.2. The vulnerabilities allow unauthenticated remote attackers to inject commands or overflow buffers via the CLI, web interface, or port 8211/UDP, potentially leading to code execution. Siemens has released firmware 8.7.1.3 to correct these issues.

What this means

What could happen

An attacker with network access to the SCALANCE W1750D could inject commands or trigger buffer overflows, potentially allowing them to run arbitrary code on the wireless access point and disrupt network connectivity for plant communications, HMI access, or remote monitoring.

Who's at risk

Water utilities and electrical utilities that use Siemens SCALANCE W1750D wireless access points for plant network connectivity, remote monitoring, or HMI communications should prioritize this update. The device is commonly deployed as a network edge point in ICS/SCADA environments.

How it could be exploited

An attacker on the network sends a malformed request to the Aruba Instant Command Line Interface, Web Management Interface, or port 8211/UDP on the W1750D. The device fails to properly validate input, allowing command injection or buffer overflow, which results in code execution on the device.

Prerequisites

Network access to SCALANCE W1750D management interfaces (port 8211/UDP, CLI, or web interface)
No authentication required for exploitation
Device running firmware prior to version 8.7.0 or versions 8.7.0 through 8.7.1.2

remotely exploitableno authentication requiredlow complexityhigh EPSS score (40.3%)affects network infrastructure critical to plant operations

Exploitability

Likely to be exploited — EPSS score 35.9%

Public Proof-of-Concept (PoC) on GitHub (1 repository)

Affected products (2)

2 with fix

ProductAffected VersionsFix Status

SCALANCE W1750D<V8.7.08.7.0

SCALANCE W1750D≥ V8.7.0 and <V8.7.1.38.7.1.3

Remediation & Mitigation

0/6

Do now

0/3

WORKAROUNDBlock network access to port 8211/UDP on the W1750D from untrusted users and networks

WORKAROUNDBlock access to the Aruba Instant Command Line Interface from untrusted users

WORKAROUNDBlock access to the Web Management Interface from untrusted users

Schedule — requires maintenance window

0/1

Patching may require device reboot — plan for process interruption

SCALANCE W1750D

HOTFIXUpgrade SCALANCE W1750D firmware to version 8.7.1.3 or later

Long-term hardening

0/2

HARDENINGLocate the W1750D behind a firewall and isolate from business network segments

HARDENINGMinimize direct network exposure of the wireless access point; ensure it is not accessible from the Internet

CVEs (21)

View full CISA ICS-CERT advisory

↑↓ Navigate · Esc Close

API: /api/v1/advisories/de9dda54-8d4e-453d-8cd9-3b76a5ecf41e

Get OT security insights every Tuesday

Advisory breakdowns, a weekly summary, and incident analyses for the people actually defending OT environments. Free, no account required.