Siemens SCALANCE SC-600 Family

Plan PatchCVSS 7.8ICS-CERT ICSA-22-349-18Dec 13, 2022

Siemens

Attack path

Attack VectorLocal

Auth RequiredNone

ComplexityLow

User InteractionRequired

Summary

Multiple vulnerabilities in third-party firmware components of the SCALANCE SC-600 family managed switches (CWE-787 out-of-bounds write, CWE-416 use-after-free, CWE-770 allocation with excessive size) could allow local attackers to cause denial of service, corrupt memory, or execute arbitrary code. The SC-600 series is a key network appliance in industrial control system architectures, used to segregate and manage traffic between engineering networks and operational technology networks. All versions before 3.0 are affected.

What this means

What could happen

Memory corruption or code execution on a SCALANCE managed switch could allow an attacker to disrupt network connectivity to critical infrastructure devices (PLCs, RTUs, HMIs), causing loss of process visibility and control.

Who's at risk

This affects water and electric utilities, wastewater treatment plants, and any facility using Siemens SCALANCE SC-600 managed industrial switches for network segregation in control system environments. Organizations should inventory all SC622-2C, SC626-2C, SC632-2C, SC636-2C, SC642-2C, and SC646-2C models.

How it could be exploited

An attacker with local access to the device (via USB, serial console, or already-present network malware) could exploit third-party component vulnerabilities in the firmware to corrupt memory or execute arbitrary code on the switch. This would compromise the device's ability to route and filter network traffic to your control systems.

Prerequisites

Physical or logical local access to SCALANCE SC-600 device
Device running firmware version below 3.0
No administrative credentials required for exploitation

No authentication required for local exploitationLow complexity attackHigh CVSS score (7.8)Affects network infrastructure supporting safety systemsMemory corruption and code execution possible

Exploitability

Some exploitation risk — EPSS score 4.0%

Public Proof-of-Concept (PoC) on GitHub (3 repositories)

Affected products (6)

6 with fix

ProductAffected VersionsFix Status

SCALANCE SC622-2C<V3.03.0

SCALANCE SC626-2C<V3.03.0

SCALANCE SC632-2C<V3.03.0

SCALANCE SC636-2C<V3.03.0

SCALANCE SC642-2C<V3.03.0

SCALANCE SC646-2C<V3.03.0

Remediation & Mitigation

0/5

Do now

0/3

HARDENINGRestrict physical access to SCALANCE switches (console ports, USB); use cable locks if available

WORKAROUNDDisable or restrict remote management protocols (SSH, HTTPS) to authorized workstations only via firewall rules

HARDENINGReview and document which control system devices rely on each SCALANCE switch for connectivity; prioritize firmware updates for devices in safety-critical paths

Schedule — requires maintenance window

0/1

Patching may require device reboot — plan for process interruption

HOTFIXUpdate SCALANCE SC-600 family devices to firmware version 3.0 or later

Long-term hardening

0/1

HARDENINGImplement network segmentation to isolate SCALANCE management interfaces from non-essential networks

CVEs (4)

CVE-2018-25032 CVE-2022-30065 CVE-2022-32205 CVE-2022-32206

View full CISA ICS-CERT advisory

↑↓ Navigate · Esc Close

API: /api/v1/advisories/ea1b5b0a-b7c9-4d93-b0ce-a30c4eab17ab

Get OT security insights every Tuesday

Advisory breakdowns, a weekly summary, and incident analyses for the people actually defending OT environments. Free, no account required.