OTPulse

Siemens SCALANCE X-300 Switches

CVSS: 9.6
Source: ICS-CERT ICSA-22-104-09
Published: Apr 12, 2022
Attack Vector: Adjacent
Auth Required: None
Complexity: Low
User Interaction: None needed
Summary

Multiple vulnerabilities in SCALANCE X-300 switches allow an unauthenticated attacker on the adjacent network segment to cause denial of service through device reboot or to potentially achieve remote code execution via heap and buffer overflow vulnerabilities. The vulnerabilities are accessible through SSH (port 22), SNMP (port 161), and HTTPS (port 443). Affected firmware versions are below 4.1.4 across dozens of switch models used in industrial control networks.

What this means
What could happen
An attacker could reboot SCALANCE X-300 switches or cause denial of service, potentially disrupting network communication between PLCs, remote terminals, and control systems at water or electric utilities. Heap and buffer overflow vulnerabilities could allow remote code execution, letting an attacker modify switch configurations or disrupt critical infrastructure connectivity.
Who's at risk
Water and electric utilities with SCALANCE X-300 series industrial network switches are affected. This includes X302, X304, X306, X307, X308, X310, X320, X408, and XR324 variants used to connect PLCs, remote terminal units, distributed I/O, and SCADA master stations. Any facility using these switches for process control network connectivity should assess their inventory.
How it could be exploited
An attacker on the network segment where the switch resides could send crafted packets to ports 22, 161, or 443 without authentication to trigger buffer overflow or heap corruption conditions. This could reboot the device or allow code execution depending on the specific vulnerability. The CVSS vector (AV:A) indicates the attack is limited to adjacent network segments, but a compromised device or workstation on the same network could deliver the attack.
Prerequisites
  • Network access to the SCALANCE switch on ports 22/TCP (SSH), 161/UDP (SNMP), or 443/TCP (HTTPS)
  • Switch running firmware version 4.1.3 or earlier
  • No authentication required to trigger the vulnerabilities
  • Remotely exploitable
  • No authentication required
  • Low complexity
  • Affects network infrastructure (not directly safety-critical but enables further attacks)
  • Multiple vulnerability types (buffer overflow, heap corruption)
Exploitability
Moderate exploit probability (EPSS 3.4%)
Affected products (51)
51 with fix
Product                                   Affected Versions   Fix Status
SCALANCE X302-7 EEC (2x 24V)              <V4.1.4             4.1.4
SCALANCE X302-7 EEC (2x 24V, coated)      <V4.1.4             4.1.4
SCALANCE X302-7 EEC (2x 230V)             <V4.1.4             4.1.4
SCALANCE X302-7 EEC (2x 230V, coated)     <V4.1.4             4.1.4
SCALANCE X302-7 EEC (24V)                 <V4.1.4             4.1.4
Remediation & Mitigation
Do now
  • Workaround: Restrict access to ports 22/TCP, 161/UDP, and 443/TCP using firewall rules or ACLs; allow only trusted engineering workstations and management IPs
  • Workaround: Disable SNMP service if not required for network monitoring
  • Workaround: Disable the web management interface if not actively used
Schedule — requires maintenance window

Patching may require device reboot — plan for process interruption

  • Hotfix: Upgrade all SCALANCE X-300 switches to firmware version 4.1.4 or later
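As an added example (not OTPulse's or Siemens' code), the following Python script audits an inventory export against the two conditions the advisory combines: firmware below 4.1.4 (the affected-version column and the upgrade step above) and the management services that expose ports 22/TCP, 161/UDP and 443/TCP (the workaround list above). For every switch still on vulnerable firmware it reports which of those ports are reachable, so the ACL workaround can be targeted while the upgrade waits for a maintenance window. The inventory line format, the sample hostnames and the `audit`/`is_vulnerable` function names are assumptions; the sample inventory is constructed.

```python
"""Audit a SCALANCE X-300 inventory for ICSA-22-104-09 exposure.

Constructed example, not OTPulse's or Siemens' code. It assumes an
inventory export with one device per line:
    hostname,model,firmware,enabled_services
where enabled_services is a ';'-separated list such as "ssh;snmp;https".
"""
import re
from typing import List, Tuple

FIXED_VERSION = (4, 1, 4)  # firmware 4.1.4 closes the issue per the advisory

# Services named in the advisory and the port each one exposes
AFFECTED_SERVICES = {"ssh": "22/tcp", "snmp": "161/udp", "https": "443/tcp"}

# Constructed sample inventory (hostnames and versions are made up)
SAMPLE_INVENTORY = """\
sw-intake-01,SCALANCE X308-2,V4.1.3,ssh;snmp;https
sw-intake-02,SCALANCE X308-2,V4.1.4,ssh;https
sw-pump-01,SCALANCE X302-7 EEC,V4.0.2,snmp
sw-pump-02,SCALANCE X302-7 EEC,V4.1.4,
sw-scada-01,SCALANCE XR324-4M,V4.1.10,https
"""


def parse_version(text: str) -> Tuple[int, ...]:
    """Turn 'V4.1.3' or '4.1.3' into (4, 1, 3) so comparison is numeric.

    Plain string comparison would wrongly rank '4.1.10' below '4.1.4'.
    """
    m = re.fullmatch(r"[Vv]?(\d+(?:\.\d+)*)", text.strip())
    if not m:
        raise ValueError(f"unrecognised firmware string: {text!r}")
    return tuple(int(p) for p in m.group(1).split("."))


def is_vulnerable(firmware: str) -> bool:
    """True when the firmware is below the fixed release (4.1.4)."""
    return parse_version(firmware) < FIXED_VERSION


def exposed_ports(services: str) -> List[str]:
    """Ports of the enabled services that the advisory lists as attack surface."""
    enabled = {s.strip().lower() for s in services.split(";") if s.strip()}
    return [AFFECTED_SERVICES[s] for s in sorted(enabled) if s in AFFECTED_SERVICES]


def audit(inventory_text: str) -> List[dict]:
    """Return one finding per vulnerable device, with the suggested action."""
    findings = []
    for line in inventory_text.splitlines():
        if not line.strip():
            continue
        host, model, fw, services = line.split(",", 3)
        if not is_vulnerable(fw):
            continue
        ports = exposed_ports(services)
        # The patch is the fix; until the maintenance window, restrict the
        # exposed ports to trusted management hosts (the workaround above).
        if ports:
            action = "upgrade to 4.1.4; until then restrict " + ", ".join(ports)
        else:
            action = "upgrade to 4.1.4 (no listed management service enabled)"
        findings.append({
            "host": host,
            "model": model,
            "firmware": fw,
            "exposed_ports": ports,
            "action": action,
        })
    return findings


if __name__ == "__main__":
    for f in audit(SAMPLE_INVENTORY):
        print(f"{f['host']:14} {f['model']:22} {f['firmware']:8} {f['action']}")
```

Versions are compared as integer tuples rather than strings, which matters here because a hypothetical 4.1.10 build must sort above the 4.1.4 fix; a device with no listed service enabled still appears in the findings, since the advisory's fix is the firmware upgrade, not the ACL.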
Long-term hardening
  • Hardening: Implement network segmentation to isolate control system switches from business network and Internet-facing systems