OTPulse

Siemens SCALANCE

Act Now · CVSS 9.8 · ICS-CERT ICSA-21-287-07 · Oct 12, 2021
Attack Vector: Network
Auth Required: None
Complexity: Low
User Interaction: None needed
Summary

The SCALANCE W1750D contains multiple command injection and buffer overflow vulnerabilities (CWE-352, CWE-120, CWE-77, CWE-22, CWE-311) that allow remote code execution or denial of service without authentication. Affected versions include all versions prior to 8.7.1.3, versions 8.7.1.3 through 8.7.1.8, and version 8.7.1.9 and later (for which no fix is planned). An attacker can inject commands or trigger buffer overflows to execute arbitrary code or crash the device. Siemens recommends upgrading to patched versions where available and implementing network access controls as mitigations.

What this means
What could happen
An attacker with network access to the SCALANCE W1750D could execute arbitrary commands or crash the device, potentially disrupting wireless network connectivity to field devices and control systems. Versions 8.7.1.9 and later have no patch available.
Who's at risk
Water and utility operators using Siemens SCALANCE W1750D wireless access points or controllers for field device communication. This includes facilities managing remote sensors, RTUs, PLCs, or SCADA systems that rely on wireless connectivity through these devices.
How it could be exploited
An attacker on the network sends crafted packets or injects commands through the management interface to trigger command injection or buffer overflow conditions. This bypasses authentication and allows remote code execution or denial of service without requiring credentials.
Prerequisites
  • Network access to the SCALANCE W1750D device or its management interface
  • Device must be reachable from the attacker's network segment
  • Remotely exploitable without authentication
  • Low attack complexity
  • High CVSS score (9.8)
  • No patch available for versions 8.7.1.9+
  • Affects wireless network infrastructure critical to operations
Exploitability
Moderate exploit probability (EPSS 3.6%)
Affected products (3)
2 with fix, 1 pending

Product            Affected Versions          Fix Status
SCALANCE W1750D    < V8.7.1.3                 8.7.1.3
SCALANCE W1750D    ≥ 8.7.1.9                  No fix yet
SCALANCE W1750D    ≥ V8.7.1.3, < V8.7.1.9     8.7.1.9

Remediation & Mitigation
Do now
SCALANCE W1750D
WORKAROUND: For SCALANCE W1750D version 8.7.1.9 and later (no fix available): Block network access to the device management interface (CLI and web-based) from untrusted users and networks
Schedule — requires maintenance window

Patching may require device reboot — plan for process interruption

SCALANCE W1750D
HOTFIX: Update SCALANCE W1750D versions <8.7.1.3 to version 8.7.1.3
HOTFIX: Update SCALANCE W1750D versions 8.7.1.3 to 8.7.1.8 to version 8.7.1.9 or later
Long-term hardening
HARDENING: Restrict communication between controllers/gateways and access points to a dedicated VLAN or Layer 2 segment, or use firewall policies to limit authorized device communication
HARDENING: Enable Enhanced PAPI Security feature where available to prevent exploitation
HARDENING: Configure access control lists (ACLs) to restrict unauthorized access to RAPConsole or Local Debug interfaces
HARDENING: Ensure the device operates in a protected IT environment behind a firewall, isolated from the business network and the Internet
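
One way to triage an asset inventory against the affected-version table and remediation steps above, as an added example (not code from Siemens, ICS-CERT or OTPulse). Device names and firmware strings in the sample inventory are constructed; versions are compared numerically so that 8.7.1.10 sorts after 8.7.1.9.

```python
import re

# Range boundaries taken from the advisory's affected-products table.
FIX_LOW = (8, 7, 1, 3)
FIX_HIGH = (8, 7, 1, 9)

def parse_version(text):
    """Turn 'V8.7.1.3' or '8.7.1' into a 4-part integer tuple, zero-padded."""
    m = re.fullmatch(r"\s*[Vv]?(\d+(?:\.\d+){0,3})\s*", text)
    if not m:
        raise ValueError(f"unrecognised firmware version: {text!r}")
    parts = [int(p) for p in m.group(1).split(".")]
    return tuple(parts + [0] * (4 - len(parts)))

def triage(version_text):
    """Return (fix_status, action) for a SCALANCE W1750D firmware version."""
    v = parse_version(version_text)
    if v < FIX_LOW:
        return ("fix available", "update to 8.7.1.3")
    if v < FIX_HIGH:
        return ("fix available", "update to 8.7.1.9 or later")
    # The table lists >= 8.7.1.9 as "No fix yet": apply the workaround.
    return ("no fix yet",
            "block management interface (CLI and web) from untrusted networks")

def triage_inventory(rows):
    """Classify (name, version) pairs; unparsable versions are flagged, not dropped."""
    results = []
    for name, version in rows:
        try:
            status, action = triage(version)
        except ValueError as exc:
            status, action = ("unknown", f"verify firmware manually ({exc})")
        results.append((name, version, status, action))
    return results

# Constructed sample inventory (hostnames and versions are illustrative only).
SAMPLE_INVENTORY = [
    ("ap-pump-station-1", "V8.7.0.0"),
    ("ap-reservoir-2", "8.7.1.5"),
    ("ap-plant-floor-3", "V8.7.1.10"),
    ("ap-lab-4", "unknown"),
]

if __name__ == "__main__":
    for row in triage_inventory(SAMPLE_INVENTORY):
        print("{:<20} {:<10} {:<14} {}".format(*row))
```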