OTPulse

Siemens SCALANCE W1750D

Act NowCVSS 8.4ICS-CERT ICSA-23-131-02May 9, 2023
Siemens
Attack path
Attack VectorAdjacent
Auth RequiredLow
ComplexityLow
User InteractionRequired
Summary

The SCALANCE W1750D wireless access point is vulnerable to Wi-Fi encryption bypass attacks known as "Framing Frames" that allow attackers within Wi-Fi range to decrypt and intercept traffic, potentially disclosing sensitive information or stealing user sessions. The vulnerability affects all regional variants (JP, ROW, USA) in firmware versions prior to 8.10.0.6. Siemens has released firmware updates to address the issue. The vulnerability is not remotely exploitable and requires the attacker to be physically near the device, but no public exploit is available yet.

What this means
What could happen
An attacker within radio range could bypass Wi-Fi encryption on the SCALANCE W1750D wireless access point, potentially intercepting sensitive data or stealing user sessions connected to the device.
Who's at risk
Water utilities, electric utilities, and other industrial facilities using SCALANCE W1750D wireless access points for remote monitoring or engineering workstation connectivity should prioritize this update. The device provides wireless network access that may carry credentials or configuration data for critical control systems.
How it could be exploited
An attacker must be physically within Wi-Fi range of the SCALANCE W1750D. They use "Framing Frames" wireless encryption bypass techniques to intercept and decrypt Wi-Fi traffic, capturing session credentials or sensitive information being transmitted through the device.
Prerequisites
  • Physical proximity to the SCALANCE W1750D (within Wi-Fi broadcast range)
  • Attacker must have basic Wi-Fi sniffing tools
  • Device must be operating with affected firmware version below 8.10.0.6
Low complexity exploitationHigh EPSS score (20.4%)Wi-Fi encryption bypass vulnerabilityAffects wireless access control for industrial systems
Exploitability
Likely to be exploited — EPSS score 15.7%
Public Proof-of-Concept (PoC) on GitHub (1 repository)
Affected products (3)
3 with fix
ProductAffected VersionsFix Status
SCALANCE W1750D (JP)<V8.10.0.68.10.0.6
SCALANCE W1750D (ROW)<V8.10.0.68.10.0.6
SCALANCE W1750D (USA)<V8.10.0.68.10.0.6
Remediation & Mitigation
0/4
Do now
0/1
WORKAROUNDDisable Wi-Fi access on the SCALANCE W1750D if it is not operationally required, reducing the attack surface
Schedule — requires maintenance window
0/1

Patching may require device reboot — plan for process interruption

SCALANCE W1750D (ROW)
HOTFIXUpdate SCALANCE W1750D to firmware version 8.10.0.6 or later (available for JP, ROW, and USA variants)
Long-term hardening
0/2
HARDENINGPhysically limit access to the SCALANCE W1750D deployment location to reduce attacker proximity opportunities
HARDENINGIsolate the SCALANCE W1750D and its connected wireless clients from untrusted network segments using firewall rules and network segmentation
View full CISA ICS-CERT advisory
API: /api/v1/advisories/74456c68-fa89-41ad-8488-8fe16b85d1eb

Get OT security insights every Tuesday

Advisory breakdowns, a weekly summary, and incident analyses for the people actually defending OT environments. Free, no account required.