Siemens SCALANCE W700

Plan Patch8.4ICS-CERT ICSA-23-320-05Nov 14, 2023

Attack VectorAdjacent

Auth RequiredLow

ComplexityLow

User InteractionRequired

Summary

The SCALANCE W700 series of industrial wireless access points and bridges are affected by Wi-Fi encryption bypass vulnerabilities known as "Framing Frames." These vulnerabilities could allow an attacker to decrypt Wi-Fi traffic, hijack user sessions, or launch denial-of-service attacks against devices on the wireless network. The vulnerability affects all firmware versions of the W721, W722, W734, W738, W748, W761, W774, W778, W786, W788, W1748, W1788 series and WAM/WUM family devices. Siemens has not released patches and recommends environmental and operational countermeasures instead.

What this means

What could happen

An attacker within Wi-Fi range could decrypt network traffic to and from the access point, potentially capturing engineering commands, credentials, or operator interactions, or could disrupt communications between industrial devices connected through the wireless network.

Who's at risk

Water authorities, municipal electric utilities, and other critical infrastructure operators that use Siemens SCALANCE W700 series wireless access points or bridges to connect field devices, RTUs, or HMIs to the control network. This includes all W721, W722, W734, W738, W748, W761, W774, W778, W786, W788, W1748, W1788 models and the WAM/WUM wireless access modules used in factory automation and process control networks.

How it could be exploited

An attacker within wireless range of a SCALANCE W700 device could exploit the Wi-Fi encryption bypass to decrypt traffic, intercept session credentials, or inject frames to cause a denial-of-service attack. No special credentials or authentication are required—the attacker only needs to be within Wi-Fi range and able to capture and manipulate wireless frames.

Prerequisites

Attacker within Wi-Fi range of the SCALANCE W700 device
Wireless network traffic to intercept or manipulate
No authentication required

Remotely exploitable (within Wi-Fi range)No authentication requiredLow complexity attackNo patch available from vendorAffects industrial wireless networks connecting control devicesHigh likelihood of credential or command interception

Exploitability

Low exploit probability (EPSS 0.1%)

Affected products (36)

36 pending

ProductAffected VersionsFix Status

SCALANCE W721-1 RJ45All versionsNo fix yet

SCALANCE W722-1 RJ45All versionsNo fix yet

SCALANCE W734-1 RJ45All versionsNo fix yet

SCALANCE W734-1 RJ45 (USA)All versionsNo fix yet

SCALANCE W738-1 M12All versionsNo fix yet

Remediation & Mitigation

0/6

Do now

0/2

HARDENINGSegment wireless networks from critical control devices using air-gap or wired connections for essential command and control traffic

WORKAROUNDImplement additional encryption layer (VPN or IPsec) between wireless clients and control network to protect against Wi-Fi decryption

Schedule — requires maintenance window

0/2

Patching may require device reboot — plan for process interruption

HARDENINGDeploy wireless intrusion detection to monitor for unusual frame patterns or session hijacking attempts

HARDENINGReview Wi-Fi network design to minimize exposure of critical control traffic over SCALANCE W700 devices

Long-term hardening

0/2

HARDENINGReduce wireless coverage footprint by positioning access points inside buildings rather than near perimeter to limit attacker range

HOTFIXMonitor Siemens security announcements for future firmware updates or security patches that may address this vulnerability

CVEs (3)

CVE-2024-30189 CVE-2024-30190 CVE-2024-30191

View full CISA ICS-CERT advisory

↑↓ Navigate · Esc Close

API: /api/v1/advisories/b110a6fb-1a3c-41b3-9e51-8ccd61c3d0c2