Siemens SCALANCE and RUGGEDCOM Products (Update A)
Plan Patch | 8.8 | ICS-CERT ICSA-22-286-11 | Oct 11, 2022
Attack Vector: Network
Auth Required: Low
Complexity: Low
User Interaction: None needed
Summary
The Siemens SCALANCE and RUGGEDCOM products do not properly authorize the password change function in the web interface. This allows low-privileged users to escalate their privileges to administrator level. Siemens has released firmware updates for most products (versions 2.0, 3.0, 4.4, 6.6, or 7.1.2 depending on product family), but a large number of SCALANCE W-series wireless access points will not receive patches. For products without updates, Siemens recommends restricting web interface access using network-level access control lists.
What this means
What could happen
A low-privileged user with web interface access could change the admin password and take full control of the device, potentially disrupting critical network functions like communication to field devices, data routing, or remote connections that the utility depends on.
Who's at risk
This affects multiple Siemens industrial networking products: RUGGEDCOM remote access gateways, SCALANCE industrial switches (M-series routers, S-series, SC-series, XB/XC/XF/XP/XR/XM backbone switches), and SCALANCE wireless access points (W-series). These are used in water authorities, electric utilities, and other critical infrastructure for network connectivity, remote device management, and industrial data routing. Any utility using Siemens network infrastructure for SCADA, RTU communication, or remote access is potentially affected.
How it could be exploited
An attacker with low-privilege web interface credentials (or a disgruntled employee) can reach the password change function, which lacks proper authorization checks, and set a new admin password. This grants them full administrative control over the router, wireless access point, or industrial switch, allowing them to reconfigure network settings, disable connectivity, or intercept traffic.
Prerequisites
- Access to the device web interface (HTTP port 80 or HTTPS port 443)
- Low-privileged user credentials (read-only or operator-level account)
- Device running affected firmware version
- Remotely exploitable over network
- Low complexity attack
- Low privileges required to exploit
- No authentication bypass needed (existing user credentials sufficient)
- Privilege escalation to full admin access
- Large number of product variants affected
- Significant portion of W-series product line has no fix available
Exploitability
Low exploit probability (EPSS 0.4%)
Affected products (155)
127 with fix, 28 pending
Product | Affected Versions | Fix Status
RUGGEDCOM RM1224 LTE(4G) EU | <V7.1.2 | 7.1.2
RUGGEDCOM RM1224 LTE(4G) NAM | <V7.1.2 | 7.1.2
SCALANCE M804PB | <V7.1.2 | 7.1.2
SCALANCE M812-1 ADSL-Router (Annex A) | <V7.1.2 | 7.1.2
SCALANCE M812-1 ADSL-Router (Annex B) | <V7.1.2 | 7.1.2
Remediation & Mitigation
Do now
WORKAROUND: For SCALANCE W-series wireless access points (W1748, W1788, W721, W722, W734, W738, W748, W761, W774, W778, W786, W788 models) with no fix available, implement strict network access controls
WORKAROUND: Configure access control lists (ACLs) on firewalls and upstream switches to restrict access to device web server ports (TCP 80 and TCP 443) to only authorized management networks and administrator IP addresses
Schedule — requires maintenance window
Patching may require device reboot — plan for process interruption
SCALANCE S615
HOTFIX: Update affected devices to firmware version 7.1.2 (RUGGEDCOM RM1224 LTE models, SCALANCE M-series routers, SCALANCE S615, SCALANCE SC6xx-2C, SCALANCE XR528/XR552, SCALANCE XM408/XM416)
SCALANCE XR552-12M
HOTFIX: Update affected devices to firmware version 6.6 (SCALANCE XR528-6M, SCALANCE XR552-12M, SCALANCE XM408/XM416 models)
SCALANCE WAM763-1
HOTFIX: Update affected devices to firmware version 2.0 (SCALANCE WAM763-1, WAM766-1, WUM763-1, WUM766-1 models)
All products
HOTFIX: Update affected devices to firmware version 4.4 (SIPLUS NET SCALANCE XC206/XC208/XC216, SCALANCE XB/XC/XF/XP/XR324/XR326/XR328 series)
HARDENING: Disable HTTP (port 80) and require HTTPS (port 443) only for web interface access
Long-term hardening
HARDENING: Isolate industrial network segments containing these devices from business networks using firewalls and network segmentation
HARDENING: Implement network monitoring and logging of access attempts to device web interfaces
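The ACL workaround and the monitoring recommendation above can be verified against firewall or flow logs. The script below is an added example, not part of the advisory or any Siemens tooling; the device addresses, management networks, log format and records are constructed placeholders.

```python
"""Flag web-interface connections to affected devices from outside the
authorized management networks (constructed sample data throughout)."""
import csv
import io
from ipaddress import ip_address, ip_network

WEB_PORTS = {80, 443}  # device web server ports named in the advisory

# Assumptions: placeholder device addresses and management networks.
DEVICES = {ip_address("10.20.0.11"), ip_address("10.20.0.12")}
MGMT_NETS = [ip_network("10.99.0.0/24"), ip_network("10.20.5.7/32")]

# Constructed flow records: time, source, destination, dest port, action.
SAMPLE_FLOWS = """\
ts,src,dst,dport,action
2022-10-12T08:01:00Z,10.99.0.15,10.20.0.11,443,allow
2022-10-12T08:02:10Z,10.30.4.22,10.20.0.11,443,allow
2022-10-12T08:02:40Z,10.30.4.22,10.20.0.12,80,deny
2022-10-12T08:03:05Z,10.20.5.7,10.20.0.12,80,allow
2022-10-12T08:04:00Z,10.30.4.22,10.20.0.11,22,allow
2022-10-12T08:05:00Z,not-an-ip,10.20.0.11,443,allow
"""


def audit_flows(text, devices=DEVICES, mgmt_nets=MGMT_NETS):
    """Return findings for web-port flows to devices from non-management sources:
    'acl-gap' if allowed, 'blocked-attempt' if denied, 'unparsed' if malformed."""
    findings = []
    for row in csv.DictReader(io.StringIO(text)):
        try:
            src, dst = ip_address(row["src"]), ip_address(row["dst"])
            dport = int(row["dport"])
        except ValueError:
            findings.append({"ts": row["ts"], "severity": "unparsed", "row": row})
            continue
        if dst not in devices or dport not in WEB_PORTS:
            continue  # not a web-interface flow to a listed device
        if any(src in net for net in mgmt_nets):
            continue  # authorized management source
        severity = "acl-gap" if row["action"] == "allow" else "blocked-attempt"
        findings.append({"ts": row["ts"], "severity": severity,
                         "src": str(src), "dst": str(dst), "dport": dport})
    return findings


if __name__ == "__main__":
    for f in audit_flows(SAMPLE_FLOWS):
        print(f)
```

An `acl-gap` finding means the ACL is missing or too broad for that path; a `blocked-attempt` finding shows the ACL working and is worth reviewing as an access attempt.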
CVEs (1)