Siemens SCALANCE X200 IRT
Act Now | 7.5 | ICS-CERT ICSA-23-047-02 | Feb 14, 2023
Attack Vector: Network
Auth Required: None
Complexity: Low
User Interaction: None needed
Summary
The SCALANCE X200 IRT switch family contains a denial of service vulnerability in the SNMP agent. A remote attacker can send a malformed SNMP packet to crash the SNMP service on affected switches, rendering the device unable to relay network traffic until manually rebooted. The vulnerability affects all versions prior to firmware 5.5.0 across 13 switch models including the SCALANCE X200-4P IRT, X201-3P IRT, X202-2P IRT, X204IRT, and the XF series variants, as well as the SIPLUS NET SCALANCE X202-2P IRT. No authentication is required to trigger the denial of service, and the attack has low complexity.
What this means
What could happen
An attacker can remotely crash the network switch by sending malformed SNMP packets, causing loss of connectivity for critical devices on the switch and service interruption until the device is rebooted.
Who's at risk
Water utilities, electric distribution, and other industrial facilities using SCALANCE X200 IRT industrial ethernet switches in control networks should prioritize this. These switches are commonly used to connect PLCs, RTUs, HMIs, and remote terminal units that manage critical infrastructure. Any interruption causes loss of communication to field devices.
How it could be exploited
An attacker on the network sends a specially crafted SNMP packet to the switch's SNMP agent (typically UDP port 161). The malformed packet causes the SNMP service to fail, effectively disabling the switch until manual reboot. No authentication is required.
Prerequisites
- Network access to the SNMP agent port (UDP 161)
- The SNMP service must be enabled on the switch (enabled by default)
- SCALANCE X200 IRT firmware version earlier than 5.5.0
- remotely exploitable
- no authentication required
- low attack complexity
- high EPSS score (15.4%)
- affects industrial network infrastructure
- causes denial of service to critical devices
Exploitability
High exploit probability (EPSS 15.4%)
Affected products (13)
13 with fix
| Product | Affected Versions | Fix Status |
|---|---|---|
| SCALANCE X200-4P IRT | <V5.5.0 | 5.5.0 |
| SCALANCE X201-3P IRT | <V5.5.0 | 5.5.0 |
| SCALANCE X201-3P IRT PRO | <V5.5.0 | 5.5.0 |
| SCALANCE X202-2IRT | <V5.5.0 | 5.5.0 |
| SCALANCE X202-2P IRT | <V5.5.0 | 5.5.0 |
| SCALANCE X202-2P IRT PRO | <V5.5.0 | 5.5.0 |
| SCALANCE X204IRT | <V5.5.0 | 5.5.0 |
| SCALANCE X204IRT PRO | <V5.5.0 | 5.5.0 |
Remediation & Mitigation
Do now
- WORKAROUND: Disable SNMP service if not required for network management operations
- HARDENING: Restrict network access to SNMP port (UDP 161) using firewall rules; allow only trusted management stations
Schedule — requires maintenance window
Patching may require device reboot — plan for process interruption
- HOTFIX: Update SCALANCE X200 IRT switch firmware to version 5.5.0 or later
Long-term hardening
- HARDENING: Place control network and switches behind firewalls, isolate from business network
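
An added example (not part of the advisory and not Siemens tooling): a triage script that checks an asset inventory against the models named on this page and the 5.5.0 fix version, then maps each switch to the remediation steps above. The CSV column names and sample hosts are constructed for illustration, and the model set covers only the models this page names.

```python
import csv, io

# Models named on this page only; the advisory counts 13 in total.
AFFECTED_MODELS = {
    "SCALANCE X200-4P IRT", "SCALANCE X201-3P IRT", "SCALANCE X201-3P IRT PRO",
    "SCALANCE X202-2IRT", "SCALANCE X202-2P IRT", "SCALANCE X202-2P IRT PRO",
    "SCALANCE X204IRT", "SCALANCE X204IRT PRO", "SIPLUS NET SCALANCE X202-2P IRT",
}
FIXED = (5, 5, 0)  # first fixed firmware per the advisory

# Constructed sample inventory; column names are assumptions for this example.
SAMPLE_INVENTORY = """hostname,model,firmware,snmp_enabled,udp161_restricted
sw-pump-01,SCALANCE X204IRT,V5.4.1,yes,no
sw-pump-02,SCALANCE X202-2P IRT,V5.5.0,yes,no
sw-sub-03,SCALANCE X200-4P IRT,V5.2,no,no
sw-sub-04,SCALANCE X201-3P IRT PRO,V5.3.0,yes,yes
sw-lab-05,SCALANCE X201-3P IRT,unknown,yes,no
"""

def parse_version(text):
    """'V5.4.1' -> (5, 4, 1); short versions such as '5.2' are padded with zeros."""
    parts = [int(p) for p in text.strip().lstrip("Vv").split(".")]
    return tuple(parts + [0] * (3 - len(parts)))

def triage(row):
    """Return (status, action) for one inventory row."""
    if row["model"].strip() not in AFFECTED_MODELS:
        return ("not-listed", "model not named in this advisory page")
    try:
        vulnerable = parse_version(row["firmware"]) < FIXED
    except ValueError:
        return ("unknown", "firmware unreadable; verify on the device")
    if not vulnerable:
        return ("fixed", "no action")
    snmp_on = row["snmp_enabled"].strip().lower() == "yes"
    restricted = row["udp161_restricted"].strip().lower() == "yes"
    if snmp_on and not restricted:
        return ("exposed", "disable SNMP or restrict UDP 161 now; then update to 5.5.0")
    return ("mitigated", "update to 5.5.0 in a maintenance window")

def triage_inventory(text):
    """Map hostname -> (status, action) for every row of a CSV inventory."""
    return {r["hostname"]: triage(r) for r in csv.DictReader(io.StringIO(text))}

if __name__ == "__main__":
    for host, (status, action) in triage_inventory(SAMPLE_INVENTORY).items():
        print(f"{host:12} {status:10} {action}")
```

A "mitigated" switch still runs vulnerable firmware; the status only reflects that SNMP is disabled or UDP 161 is restricted until the update is applied.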
CVEs (1)