Siemens SCALANCE XCM332
Act Now · CVSS 9.8 · ICS-CERT ICSA-23-103-09 · Apr 11, 2023
Attack Vector: Network
Auth Required: None
Complexity: Low
User Interaction: None needed
Summary
Multiple vulnerabilities exist in third-party components bundled in SCALANCE XCM332 firmware: cURL, BusyBox, libtirpc, Expat, and the Linux Kernel (CWE-770, CWE-416, CWE-362, CWE-276, CWE-787, CWE-1286). These could allow an attacker with network access to compromise the device's confidentiality, integrity, and availability without authentication. Siemens has released firmware version 2.2 that addresses these issues. Affected versions: XCM332 prior to V2.2.
What this means
What could happen
An attacker on the network could execute arbitrary code on the SCALANCE XCM332 managed switch, potentially compromising network traffic visibility, disrupting connectivity between plant systems, or altering network configuration. This could cascade to affect critical process control networks or safety systems connected through the device.
Who's at risk
This affects water authorities and utilities operating Siemens SCALANCE XCM managed switches (model XCM332) in control networks. These switches often sit at the boundary between engineering networks and critical process automation systems, including SCADA, PLC control networks, and safety-critical infrastructure. Compromise could disrupt network segmentation and visibility across the plant.
How it could be exploited
An attacker with network access to the SCALANCE XCM332 could exploit vulnerabilities in bundled third-party components (cURL, BusyBox, libtirpc, Expat, Linux Kernel) to gain code execution on the device. The attack requires only network-level access and no authentication, so it can be carried out remotely.
Prerequisites
- Network access to SCALANCE XCM332 device
- Device running firmware version prior to V2.2
- remotely exploitable
- no authentication required
- low complexity
- high CVSS score (9.8)
- affects network segmentation in control systems
Exploitability
Moderate exploit probability (EPSS 4.5%)
Affected products (1)
Product | Affected Versions | Fix Status
SCALANCE XCM332 | <V2.2 | 2.2
Remediation & Mitigation
Do now
- WORKAROUND: Restrict network access to SCALANCE XCM332 using firewall rules—allow only traffic from authorized engineering workstations and control system devices
- HARDENING: Isolate SCALANCE XCM332 from direct Internet access and place behind a perimeter firewall
Schedule — requires maintenance window
Patching may require device reboot — plan for process interruption
- HOTFIX: Update SCALANCE XCM332 to firmware version 2.2 or later
Long-term hardening
- HARDENING: Segment the SCALANCE XCM332 network from business networks using a demilitarized zone (DMZ) or air gap
- HARDENING: If remote access to the device is required, use secure methods such as VPN with strong authentication
CVEs (10)