Siemens SCALANCE Third-Party
Plan Patch | 8.1 | ICS-CERT ICSA-23-080-07 | Mar 14, 2023
Attack Vector: Network
Auth Required: None
Complexity: High
User Interaction: None needed
Summary
Multiple vulnerabilities in third-party components of SCALANCE W-700 IEEE 802.11ax wireless access/management units (WAM763-1, WAM766-1, WUM763-1, WUM766-1) running firmware versions before V2.0. These vulnerabilities include buffer overflow, null pointer dereference, improper input validation, and privilege escalation flaws that could allow an attacker to cause denial of service, disclose sensitive data, or compromise system integrity.
What this means
What could happen
An attacker could disrupt wireless network connectivity to your industrial facility, read sensitive configuration or process data from the wireless access point, or gain elevated privileges to modify device settings. This could interfere with remote monitoring, wireless-connected PLCs, or emergency communication systems.
Who's at risk
Water authorities and electric utilities that rely on SCALANCE W-700 series wireless access points for remote monitoring, SCADA gateway communication, or site-to-site connectivity. This includes facilities using WAM766-1/WAM763-1 (access points) or WUM766-1/WUM763-1 (management units) deployed before firmware V2.0 was released.
How it could be exploited
An attacker with network access to the wireless management interface (either through the WLAN broadcast or if the device is reachable from your network) can send specially crafted packets or malformed input to trigger buffer overflows, null pointer dereferences, or bypass privilege checks, resulting in code execution or denial of service.
Prerequisites
- Network access to the SCALANCE W-700 device management interface or WLAN broadcast range
- Firmware version older than V2.0
- High attack complexity requires specific conditions to be met (not trivial to exploit)
- Remotely exploitable over network
- High attack complexity reduces immediate risk
- No known active exploitation yet
- Multiple vulnerability types (buffer overflow, null pointer, privilege escalation)
Exploitability
Moderate exploit probability (EPSS 2.9%)
Affected products (8)
8 with fix
| Product | Affected Versions | Fix Status |
|---|---|---|
| SCALANCE WAM763-1 | <V2.0 | 2.0 |
| SCALANCE WAM766-1 (EU) | <V2.0 | 2.0 |
| SCALANCE WAM766-1 (US) | <V2.0 | 2.0 |
| SCALANCE WAM766-1 EEC (EU) | <V2.0 | 2.0 |
| SCALANCE WAM766-1 EEC (US) | <V2.0 | 2.0 |
| SCALANCE WUM763-1 | <V2.0 | 2.0 |
| SCALANCE WUM766-1 (EU) | <V2.0 | 2.0 |
| SCALANCE WUM766-1 (US) | <V2.0 | 2.0 |
Remediation & Mitigation
Do now
- WORKAROUND: Restrict network access to the wireless management interface using firewall rules; only allow access from trusted engineering workstations or management subnets
- HARDENING: Disable any unused WLAN services or management features not required for operations
Schedule — requires maintenance window
Patching may require device reboot — plan for process interruption
- HOTFIX: Update SCALANCE W-700 firmware to version V2.0 or later on all affected models (WAM763-1, WAM766-1, WUM763-1, WUM766-1)
Long-term hardening
- HARDENING: Segment wireless access points onto a separate management network isolated from critical process control systems
CVEs (17)
API:
/api/v1/advisories/9832dc70-e792-48a6-9bfe-32f3f4fb4b7b