Siemens SCALANCE W1750D

Act Now9.8ICS-CERT ICSA-21-315-06Nov 9, 2021

Attack VectorNetwork

Auth RequiredNone

ComplexityLow

User InteractionNone needed

Summary

The Scalance W1750D wireless access point contains multiple vulnerabilities (CWE-119 buffer overflow, CWE-77 command injection, CWE-22 path traversal, CWE-400 denial of service) that allow unauthenticated remote attackers to execute arbitrary code, read arbitrary files, or cause denial of service. The device is vulnerable in firmware versions before 8.7.1.9. No known public exploits currently exist.

What this means

What could happen

An attacker on the network could execute arbitrary code on the wireless access point, read sensitive files, or disable the device completely, disrupting network connectivity for your facility's wireless infrastructure.

Who's at risk

Wireless network operators and facilities managers responsible for Siemens Scalance W1750D wireless access points used in industrial networks, including water utilities, electrical substations, and manufacturing facilities that rely on these devices for control system connectivity.

How it could be exploited

An attacker without credentials can send specially crafted network requests to the Scalance W1750D via its web management interface or command line interface (ports 80/443 and 8211 UDP). This could trigger buffer overflows or command injection to run code on the device or access configuration files.

Prerequisites

Network access to the Scalance W1750D management interfaces on HTTP/HTTPS (ports 80/443) or UDP port 8211
No authentication required
Device running firmware version before 8.7.1.9

Remotely exploitableNo authentication requiredLow complexityHigh CVSS score (9.8)Allows remote code execution on network deviceAffects network connectivity for control systems

Exploitability

Moderate exploit probability (EPSS 2.7%)

Affected products (2)

2 with fix

ProductAffected VersionsFix Status

SCALANCE W1750D<V8.7.1.38.7.1.3

SCALANCE W1750D≥ V8.7.1.3 <V8.7.1.98.7.1.9

Remediation & Mitigation

0/6

Do now

0/3

SCALANCE W1750D

WORKAROUNDBlock inbound access to the Scalance W1750D web management interface (ports 80/443) from untrusted network segments using firewall rules

WORKAROUNDBlock inbound access to UDP port 8211 on the Scalance W1750D from untrusted network segments using firewall rules

All products

WORKAROUNDBlock access to the Aruba Instant Command Line Interface from all untrusted users

Schedule — requires maintenance window

0/2

Patching may require device reboot — plan for process interruption

SCALANCE W1750D

HOTFIXUpdate SCALANCE W1750D firmware to version 8.7.1.9 or later

HARDENINGEnable Enhanced PAPI Security feature on the Scalance W1750D if available

Long-term hardening

0/1

HARDENINGIsolate your wireless network infrastructure (including Scalance devices) from the business network with a firewall, and ensure wireless access points are not accessible from the Internet

CVEs (6)

CVE-2021-37726 CVE-2021-37727 CVE-2021-37730 CVE-2021-37732 CVE-2021-37734 CVE-2021-37735

View full CISA ICS-CERT advisory

↑↓ Navigate · Esc Close

API: /api/v1/advisories/51385a84-5d93-44e6-86e7-e4f7787d08e8