Siemens SCALANCE X-200 and X-200IRT Families (Update A)

Plan PatchCVSS 9.6ICS-CERT ICSA-22-286-15Oct 11, 2022

Siemens

Attack path

Attack VectorNetwork

Auth RequiredNone

ComplexityLow

User InteractionRequired

Summary

Cross-site scripting (XSS) vulnerability in the web management interface of Siemens SCALANCE X-200 and X-200IRT switch families. An attacker can inject malicious JavaScript code to steal session cookies and hijack authenticated user sessions, potentially enabling unauthorized access to switch configuration and control. The vulnerability affects SCALANCE X200, X201, X202, X204, X206, X208, X212, X216, X224 models and XF-series variants across firmware versions prior to 5.2.5 (X204/X206/X208/X212/X216/X224) or 5.5.0 (X200/X201/X202/X204IRT/XF/SIPLUS NET models). Siemens has released firmware updates for all affected models.

What this means

What could happen

An attacker could inject malicious scripts into the web interface of affected SCALANCE switches to steal session cookies and hijack administrative sessions, allowing them to gain unauthorized access and control over network switching and IRT (Isochronous Real-Time) communication in the plant.

Who's at risk

Water utilities and electric utilities operating Siemens SCALANCE X-200, X-200IRT, X-204, X-206, X-208, X-212, X-216, X-224, XF-200, and XF-200 series managed switches used for industrial network connectivity and IRT synchronization. Particularly critical for facilities relying on these switches for SCADA network segmentation, PLC communication, and remote device connectivity.

How it could be exploited

An attacker crafts a malicious URL containing JavaScript code and tricks an operator or engineer into clicking it while logged into the switch's web interface. When the link is clicked, the script runs in the context of the user's browser session, capturing session cookies and sending them to the attacker. The attacker can then use the stolen cookie to impersonate the user and access the switch's management interface.

Prerequisites

Network access to the SCALANCE switch web interface (typically port 80 or 443)
A valid user must be logged into the web interface and click a malicious link
The vulnerable switch must be running firmware version before 5.2.5 (X204/X206/X208/X212/X216/X224 families) or before 5.5.0 (X200/X201/X202/X204IRT/XF series)

Remotely exploitable via web interfaceUser interaction required (clicking malicious link)Session hijacking could lead to unauthorized device configuration changesAffects network infrastructure devices that bridge operational and management networksPatches are available but require maintenance windows

Exploitability

Unlikely to be exploited — EPSS score 0.7%

Affected products (30)

30 with fix

ProductAffected VersionsFix Status

SCALANCE X200-4P IRT<V5.5.05.5.0

SCALANCE X201-3P IRT<V5.5.05.5.0

SCALANCE X201-3P IRT PRO<V5.5.05.5.0

SCALANCE X202-2IRT<V5.5.05.5.0

SCALANCE X202-2P IRT<V5.5.05.5.0

Remediation & Mitigation

0/4

Do now

0/2

WORKAROUNDRestrict web interface access to the SCALANCE switches using network firewall rules—only permit management traffic from authorized engineering workstations and control center networks

WORKAROUNDDisable the web management interface on switches if not actively used for remote management; use serial console or local access only

Schedule — requires maintenance window

0/1

Patching may require device reboot — plan for process interruption

HOTFIXUpdate all SCALANCE X-series and XF-series switches to firmware version 5.2.5 or later (X204/X206/X208/X212/X216/X224 families) or 5.5.0 or later (X200/X201/X202/X204IRT/XF201/XF202/XF204IRT and SIPLUS NET variants)

Long-term hardening

0/1

HARDENINGSegment the management network from the plant floor operational network to isolate switch access from untrusted sources

CVEs (1)

CVE-2022-40631

View full CISA ICS-CERT advisory

↑↓ Navigate · Esc Close

API: /api/v1/advisories/bdced2a3-b372-4681-b0eb-c24b62f2c316

Get OT security insights every Tuesday

Advisory breakdowns, a weekly summary, and incident analyses for the people actually defending OT environments. Free, no account required.