OTPulse

Siemens SCALANCE X-200IRT Devices

Monitor · 6.7 · ICS-CERT ICSA-23-103-05 · Apr 11, 2023
Attack Vector: Adjacent
Auth Required: None
Complexity: High
User Interaction: Required
Summary

The SSH server on SCALANCE X-200IRT industrial switches is configured to offer weak ciphers by default. An attacker in a man-in-the-middle position could intercept and modify SSH traffic between legitimate clients and the device. Siemens has released firmware v5.5.2 and later to address this issue.

What this means
What could happen
An attacker positioned on your network could intercept SSH management connections to these switches and read or modify commands, potentially altering network configuration, access controls, or industrial process connectivity.
Who's at risk
This affects industrial-grade managed switches used in manufacturing, chemical processing, power distribution, and water utilities for real-time communication (IRT) in control networks. Anyone managing SCALANCE X-200IRT, X-200P IRT, XF200-series IRT, or SIPLUS NET SCALANCE X202-2P IRT switches should evaluate patch status. Risk is higher in networks where these switches are managed over untrusted or shared network segments.
How it could be exploited
The attacker must be on the same network segment (LAN) as the affected switch to perform a man-in-the-middle attack. They would intercept SSH traffic and exploit the weak ciphers to decrypt or modify the encrypted session, allowing them to read commands or inject malicious configuration changes into the switch.
Prerequisites
  • Attacker positioned on same physical network segment (LAN) as the switch
  • SSH enabled on the device (default configuration)
  • User must initiate SSH connection to the switch during the attack window
  • Weak default cipher configuration
  • No authentication required for SSH connection attempt
  • High attack complexity (requires MITM position)
  • Not remotely exploitable over Internet
  • Low EPSS score (0.1%) - exploitability is difficult
Exploitability
Low exploit probability (EPSS 0.1%)
Affected products (13)
13 with fix
Product                       Affected Versions   Fix Status
SCALANCE X200-4P IRT          < V5.5.2            5.5.2
SCALANCE X201-3P IRT          < V5.5.2            5.5.2
SCALANCE X201-3P IRT PRO      < V5.5.2            5.5.2
SCALANCE X202-2IRT            < V5.5.2            5.5.2
SCALANCE X202-2P IRT          < V5.5.2            5.5.2
SCALANCE X202-2P IRT PRO      < V5.5.2            5.5.2
SCALANCE X204IRT              < V5.5.2            5.5.2
SCALANCE X204IRT PRO          < V5.5.2            5.5.2
Remediation & Mitigation
Do now
WORKAROUND: Configure SSH clients connecting to these switches to use only strong key exchange ciphers (avoid weak ciphers)
WORKAROUND: Add only trusted SSH client public keys to the device and restrict SSH access to those keys only
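Added example (not OTPulse or Siemens code) for the first workaround: it audits the algorithms a device advertises in its server KEXINIT, as captured with `ssh -vv <switch>` in the OpenSSH `debug2:` format, and emits a client-side ssh_config stanza that refuses weak algorithms. The debug log, host pattern and weak-algorithm lists below are constructed assumptions, not output from a SCALANCE device.

```python
"""Audit a server's offered SSH algorithms and emit a restrictive client stanza."""
import re

# Algorithm families widely treated as weak: CBC modes, RC4, 3DES, SHA-1/MD5 KEX and MACs.
WEAK_PATTERNS = {
    "KEX algorithms": re.compile(r"(group1-sha1|group14-sha1|group-exchange-sha1)$"),
    "ciphers": re.compile(r"(-cbc|arcfour|3des|blowfish|cast128)"),
    "MACs": re.compile(r"(hmac-md5|hmac-sha1-96|umac-64)"),
}

# Allow-list for the workaround stanza; the client will not negotiate anything else.
STRONG = {
    "KexAlgorithms": "curve25519-sha256,curve25519-sha256@libssh.org,diffie-hellman-group16-sha512",
    "Ciphers": "chacha20-poly1305@openssh.com,aes256-gcm@openssh.com,aes256-ctr",
    "MACs": "hmac-sha2-512-etm@openssh.com,hmac-sha2-256-etm@openssh.com",
}

def parse_server_proposal(debug_log: str) -> dict:
    """Return {category: [algorithms]} taken only from the peer server's KEXINIT block."""
    offered, in_server = {}, False
    for line in debug_log.splitlines():
        line = line.strip()
        if line.endswith("KEXINIT proposal"):
            in_server = "peer server" in line  # ignore the local client's own proposal
            continue
        m = re.match(r"debug2: (KEX algorithms|ciphers|MACs)(?: ctos| stoc)?: (.*)", line)
        if in_server and m:
            lst = offered.setdefault(m.group(1), [])  # ctos/stoc lists are merged
            lst += [a for a in m.group(2).split(",") if a not in lst]
    return offered

def weak_algorithms(offered: dict) -> dict:
    """Return {category: [weak algorithms]} for every category with at least one hit."""
    hits = {c: [a for a in algs if WEAK_PATTERNS[c].search(a)] for c, algs in offered.items()}
    return {c: algs for c, algs in hits.items() if algs}

def ssh_config_stanza(host_pattern: str) -> str:
    """Client-side workaround: pin strong algorithms for the switch management hosts."""
    return "\n".join([f"Host {host_pattern}"] + [f"    {k} {v}" for k, v in STRONG.items()]) + "\n"

SAMPLE_LOG = """\
debug2: local client KEXINIT proposal
debug2: KEX algorithms: curve25519-sha256,diffie-hellman-group1-sha1
debug2: peer server KEXINIT proposal
debug2: KEX algorithms: diffie-hellman-group14-sha1,diffie-hellman-group1-sha1
debug2: ciphers ctos: aes128-cbc,3des-cbc,aes128-ctr
debug2: ciphers stoc: aes128-cbc,3des-cbc,aes128-ctr
debug2: MACs ctos: hmac-sha1,hmac-md5
debug2: MACs stoc: hmac-sha1,hmac-md5
"""  # constructed sample, not a capture from a real switch

if __name__ == "__main__":
    for cat, algs in weak_algorithms(parse_server_proposal(SAMPLE_LOG)).items():
        print(f"weak {cat}: {', '.join(algs)}")
    print(ssh_config_stanza("10.0.5.* scalance-*"))  # hypothetical management hosts
```

A device that still advertises entries in the weak lists after the stanza is deployed is one the client will refuse to talk to, which is the intended behaviour until it is updated to V5.5.2.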
Schedule — requires maintenance window

Patching may require device reboot — plan for process interruption

HOTFIX: Update all affected SCALANCE X-200IRT devices to firmware version 5.5.2 or later
Long-term hardening
HARDENING: Implement network segmentation to isolate these switches from untrusted segments and prevent MITM positioning
API: /api/v1/advisories/348a7835-5aca-4291-b8c7-66da1c389955