Siemens SCALANCE W1750D

Act Now9.8ICS-CERT ICSA-22-314-10Nov 8, 2022

Attack VectorNetwork

Auth RequiredNone

ComplexityLow

User InteractionNone needed

Summary

The SCALANCE W1750D contains multiple vulnerabilities in its web-based management interface and command-line interface. These flaws enable unauthenticated remote attackers to inject operating system commands (CWE-77, CWE-20), trigger buffer overflows (CWE-120), cause denial of service (CWE-400), and inject stored cross-site scripts (CWE-79). Exploitation requires no authentication and has low attack complexity. Siemens has released firmware version 8.7.1.11 that addresses all identified flaws.

What this means

What could happen

An attacker without credentials could remotely run commands on the SCALANCE W1750D wireless industrial access point, potentially disrupting network connectivity for critical control systems, or alter device configuration and access controls. Stored XSS and denial-of-service attacks could render the device or its management interface unavailable.

Who's at risk

Operators of Siemens SCALANCE W1750D industrial wireless access points should be concerned. These devices are widely deployed in manufacturing facilities, utilities, and critical infrastructure networks to provide wireless connectivity to control systems, engineering workstations, and monitoring devices. The vulnerability affects Japanese (JP), Rest-of-World (ROW), and USA regional variants.

How it could be exploited

An attacker on the network (or from the Internet if the device is Internet-reachable) can send malformed requests to the web-based management interface or command-line interface to inject commands, overflow buffers, or inject stored cross-site scripts. Low attack complexity means simple tools and techniques are sufficient; no authentication is required.

Prerequisites

Network access to the SCALANCE W1750D management interface (HTTP/HTTPS web interface or command-line interface)
No credentials required
Device must be running firmware version prior to 8.7.1.11

remotely exploitableno authentication requiredlow complexityhigh EPSS score (14.7%)affects network infrastructure critical to control systems

Exploitability

High exploit probability (EPSS 14.7%)

Affected products (3)

3 with fix

ProductAffected VersionsFix Status

SCALANCE W1750D (JP)<V8.7.1.118.7.1.11

SCALANCE W1750D (ROW)<V8.7.1.118.7.1.11

SCALANCE W1750D (USA)<V8.7.1.118.7.1.11

Remediation & Mitigation

0/5

Do now

0/3

WORKAROUNDEnable CPSec via the cluster-security command to mitigate CVE-2022-37885, CVE-2022-37886, CVE-2022-37887, CVE-2022-37888, and CVE-2022-37889

HARDENINGIsolate the SCALANCE W1750D web-based management interface to a dedicated layer 2 segment/VLAN, or control access via layer 3 firewall rules restricting which hosts can reach the management interface

HARDENINGIsolate the SCALANCE W1750D command-line interface to a dedicated layer 2 segment/VLAN, or control access via layer 3 firewall rules restricting which hosts can reach the CLI

Schedule — requires maintenance window

0/1

Patching may require device reboot — plan for process interruption

HOTFIXUpdate SCALANCE W1750D firmware to version 8.7.1.11 or later

Long-term hardening

0/1

HARDENINGEnsure the SCALANCE W1750D is not directly accessible from the Internet; place behind firewalls and isolate from business networks

CVEs (13)

CVE-2002-20001 CVE-2022-37885 CVE-2022-37886 CVE-2022-37887 CVE-2022-37888 CVE-2022-37889 CVE-2022-37890 CVE-2022-37891 CVE-2022-37892 CVE-2022-37893 CVE-2022-37894 CVE-2022-37895 CVE-2022-37896

View full CISA ICS-CERT advisory

↑↓ Navigate · Esc Close

API: /api/v1/advisories/1426dee8-6d8b-44da-aa95-7c074ba5340e