Siemens SCALANCE X200 IRT

Act NowCVSS 7.5ICS-CERT ICSA-23-047-02Feb 14, 2023

Siemens

Attack path

Attack VectorNetwork

Auth RequiredNone

ComplexityLow

User InteractionNone needed

Summary

The SCALANCE X200 IRT switch family contains a denial of service vulnerability in the SNMP agent. A remote attacker can send a malformed SNMP packet to crash the SNMP service on affected switches, rendering the device unable to relay network traffic until manually rebooted. The vulnerability affects all versions prior to firmware 5.5.0 across 13 switch models including the SCALANCE X200-4P IRT, X201-3P IRT, X202-2P IRT, X204IRT, and the XF series variants, as well as the SIPLUS NET SCALANCE X202-2P IRT. No authentication is required to trigger the denial of service, and the attack has low complexity.

What this means

What could happen

An attacker can remotely crash the network switch by sending malformed SNMP packets, causing loss of connectivity for critical devices on the switch and service interruption until the device is rebooted.

Who's at risk

Water utilities, electric distribution, and other industrial facilities using SCALANCE X200 IRT industrial ethernet switches in control networks should prioritize this. These switches are commonly used to connect PLCs, RTUs, HMIs, and remote terminal units that manage critical infrastructure. Any interruption causes loss of communication to field devices.

How it could be exploited

An attacker on the network sends a specially crafted SNMP packet to the switch's SNMP agent (typically UDP port 161). The malformed packet causes the SNMP service to fail, effectively disabling the switch until manual reboot. No authentication is required.

Prerequisites

Network access to the SNMP agent port (UDP 161)
The SNMP service must be enabled on the switch (enabled by default)
SCALANCE X200 IRT firmware version earlier than 5.5.0

remotely exploitableno authentication requiredlow attack complexityhigh EPSS score (15.4%)affects industrial network infrastructurecauses denial of service to critical devices

Exploitability

Likely to be exploited — EPSS score 15.4%

Affected products (13)

13 with fix

ProductAffected VersionsFix Status

SCALANCE X200-4P IRT<V5.5.05.5.0

SCALANCE X201-3P IRT<V5.5.05.5.0

SCALANCE X201-3P IRT PRO<V5.5.05.5.0

SCALANCE X202-2IRT<V5.5.05.5.0

SCALANCE X202-2P IRT<V5.5.05.5.0

SCALANCE X202-2P IRT PRO<V5.5.05.5.0

SCALANCE X204IRT<V5.5.05.5.0

SCALANCE X204IRT PRO<V5.5.05.5.0

Remediation & Mitigation

0/4

Do now

0/2

WORKAROUNDDisable SNMP service if not required for network management operations

HARDENINGRestrict network access to SNMP port (UDP 161) using firewall rules; allow only trusted management stations

Schedule — requires maintenance window

0/1

Patching may require device reboot — plan for process interruption

HOTFIXUpdate SCALANCE X200 IRT switch firmware to version 5.5.0 or later

Long-term hardening

0/1

HARDENINGPlace control network and switches behind firewalls, isolate from business network

CVEs (1)

CVE-2007-5846

View full CISA ICS-CERT advisory

↑↓ Navigate · Esc Close

API: /api/v1/advisories/93b937ab-10f6-46a7-b0b0-c61e1e77ea18

Get OT security insights every Tuesday

Advisory breakdowns, a weekly summary, and incident analyses for the people actually defending OT environments. Free, no account required.