Siemens SCALANCE W1750D Devices

Act NowCVSS 7.4ICS-CERT ICSA-23-075-04Mar 14, 2023

Siemens

Attack path

Attack VectorNetwork

Auth RequiredNone

ComplexityHigh

User InteractionNone needed

Summary

The SCALANCE W1750D wireless access point contains multiple vulnerabilities in its integrated OpenSSL component (CWE-326 weak cryptography, CWE-415 and CWE-416 buffer issues, CWE-20 improper input validation). These flaws allow an attacker to read memory contents via crafted requests, decrypt RSA-encrypted messages by exploiting cryptographic weaknesses, or trigger denial of service by crashing the device. The vulnerabilities affect all regional firmware variants (JP, ROW, USA) earlier than version 8.10.0.9. Attack complexity is high, but no authentication is required and the device is network-accessible.

What this means

What could happen

An attacker with network access to a SCALANCE W1750D could read sensitive data from device memory, decrypt encrypted traffic, or cause the device to stop responding. This would disrupt wireless connectivity for critical control systems in water treatment, power distribution, or other industrial sites.

Who's at risk

Water utilities, electric utilities, and municipal infrastructure operators using Siemens SCALANCE W1750D wireless access points for remote monitoring or control system connectivity. This device is commonly deployed to provide wireless links between distant PLCs, RTUs, and engineering workstations in distributed water or power systems.

How it could be exploited

An attacker would need network access to the SCALANCE W1750D device. They could exploit flaws in the integrated OpenSSL component to trigger memory leaks that expose cryptographic keys and private data, decrypt RSA-encrypted messages to bypass authentication, or send specially crafted requests that crash the device. All three attack paths require network reachability and do not require valid credentials.

Prerequisites

Network access to SCALANCE W1750D on port 443 (HTTPS) or other network services
Device running firmware version earlier than 8.10.0.9
No credentials required for exploitation

remotely exploitableno authentication requiredhigh EPSS score (88.5%)affects wireless network infrastructurememory disclosure and denial of service capabilities

Exploitability

Likely to be exploited — EPSS score 88.4%

Public Proof-of-Concept (PoC) on GitHub (1 repository)

Affected products (3)

3 with fix

ProductAffected VersionsFix Status

SCALANCE W1750D (JP)<V8.10.0.98.10.0.9

SCALANCE W1750D (ROW)<V8.10.0.98.10.0.9

SCALANCE W1750D (USA)<V8.10.0.98.10.0.9

Remediation & Mitigation

0/6

Do now

0/4

WORKAROUNDDisable CRL (Certificate Revocation List) checking if not required for your deployment

WORKAROUNDDisable RSA ciphers in the web server configuration (note: RSA ciphers are disabled by default)

WORKAROUNDDo not import or configure certificate files in PEM format from untrusted sources

HARDENINGImplement firewall rules to restrict network access to SCALANCE W1750D from only authorized management stations and control system networks

Schedule — requires maintenance window

0/1

Patching may require device reboot — plan for process interruption

SCALANCE W1750D (ROW)

HOTFIXUpdate SCALANCE W1750D firmware to version 8.10.0.9 or later for all regional variants (JP, ROW, USA)

Long-term hardening

0/1

HARDENINGPlace the wireless access point on a segregated network segment separate from critical control system devices

CVEs (4)

CVE-2022-4450 CVE-2023-0215 CVE-2022-4304 CVE-2023-0286

View full CISA ICS-CERT advisory

↑↓ Navigate · Esc Close

API: /api/v1/advisories/da53bbd1-8ca5-40e3-8a05-c53416eb06a4

Get OT security insights every Tuesday

Advisory breakdowns, a weekly summary, and incident analyses for the people actually defending OT environments. Free, no account required.