OTPulse

Siemens SCALANCE, RUGGEDCOM Third-Party

Act Now | 9.8 | ICS-CERT ICSA-23-075-01 | Mar 14, 2023
Attack Vector: Network
Auth Required: None
Complexity: Low
User Interaction: None needed
Summary

Multiple third-party component vulnerabilities in Busybox, Linux Kernel, OpenSSL, OpenVPN and other components used by RUGGEDCOM and SCALANCE mobile/industrial routers. These vulnerabilities can lead to improper handling of commands, code injection, and denial of service. All versions prior to v7.2 are affected.

What this means
What could happen
An attacker with network access to these routers could inject commands to gain control of the device, disrupt network connectivity to critical infrastructure, or extract sensitive data. This could cause loss of remote access to field equipment or compromise the integrity of control communications.
Who's at risk
Mobile and industrial routers used to provide remote access to distributed field equipment in water utilities, electric utilities, and manufacturing plants. Affected devices include the SCALANCE M-series mobile routers (M874, M876, M804, M812, M816, M826 models), SCALANCE MUM and S-series, and RUGGEDCOM RM1224 LTE devices. These are critical infrastructure gateway devices.
How it could be exploited
An attacker sends a specially crafted network request to the router that exploits a command injection flaw in one of the third-party components. The router processes the malicious input and executes arbitrary commands with device privileges, allowing the attacker to alter router configuration, intercept traffic, or shut down network connectivity.
Prerequisites
  • Network access to the SCALANCE or RUGGEDCOM router on the affected firmware version
  • No authentication required for exploitation of the third-party component flaws
  • Remotely exploitable
  • No authentication required
  • Low complexity attack
  • Actively exploited in the wild (KEV)
  • Critical CVSS score (9.8)
  • Very high EPSS score (88.3%)
  • Affects network gateway to critical operations
  • Multiple attack vectors via third-party components
Exploitability
Actively exploited — confirmed by CISA KEV
Affected products (20)
20 with fix
Product | Affected Versions | Fix Status
SCALANCE M874-3 | <V7.2 | 7.2
SCALANCE M876-3 (EVDO) | <V7.2 | 7.2
SCALANCE M876-3 (ROK) | <V7.2 | 7.2
SCALANCE M876-4 | <V7.2 | 7.2
SCALANCE M876-4 (EU) | <V7.2 | 7.2
Remediation & Mitigation
Do now
HOTFIX: Update all affected SCALANCE and RUGGEDCOM devices to firmware version 7.2 or later
HARDENING: Isolate SCALANCE and RUGGEDCOM routers from the Internet and business networks; place them behind a firewall with restricted inbound access
HARDENING: Restrict network access to these devices to only authorized management stations and required field device connections
HARDENING: Monitor network traffic to these devices for suspicious command patterns or connections from unexpected sources
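
The firmware step above can be tracked against an asset inventory. The following is an added example, not part of the advisory or any Siemens tooling: the CSV columns, hostnames and firmware strings are constructed assumptions, and the model prefixes are taken from the family names in this page's text.

```python
import csv
import io
import re

FIXED = (7, 2)  # from the advisory: all versions prior to V7.2 are affected

# Family names as the advisory text gives them; confirm exact models against
# the advisory's full product table before acting on a result.
AFFECTED_PREFIXES = (
    "SCALANCE M874", "SCALANCE M876", "SCALANCE M804", "SCALANCE M812",
    "SCALANCE M816", "SCALANCE M826", "SCALANCE MUM", "SCALANCE S",
    "RUGGEDCOM RM1224",
)

def parse_version(text):
    """Return a tuple of ints for 'V7.1.2', '7.2', 'V07.02.00'; None if unparseable."""
    m = re.fullmatch(r"[Vv]?(\d+(?:\.\d+)*)", text.strip())
    return tuple(int(p) for p in m.group(1).split(".")) if m else None

def triage(row):
    """Classify one inventory row as PATCH, REVIEW, OK or NOT_LISTED."""
    model = row["model"].strip().upper()
    if not model.startswith(AFFECTED_PREFIXES):
        return "NOT_LISTED"
    version = parse_version(row["firmware"])
    if version is None:
        return "REVIEW"  # unknown firmware on an affected model: check by hand
    return "PATCH" if version < FIXED else "OK"

def triage_inventory(csv_text):
    """Map each host in the CSV text to its triage status."""
    return {r["host"]: triage(r) for r in csv.DictReader(io.StringIO(csv_text))}

# Constructed sample inventory (hostnames and firmware strings are made up).
SAMPLE = """host,model,firmware
pump-st-01,SCALANCE M876-4 (EU),V7.1.2
pump-st-02,SCALANCE M874-3,V7.2
substation-7,RUGGEDCOM RM1224 LTE,V07.02.01
lift-st-3,SCALANCE M812,unknown
hq-switch,SCALANCE XC208,V4.3
"""

if __name__ == "__main__":
    for host, status in triage_inventory(SAMPLE).items():
        print(f"{host:14} {status}")
```

Rows marked REVIEW are affected models whose firmware string could not be parsed, so they are not silently treated as patched.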
CVEs (65)