Siemens SCALANCE Family Products
Act NowCVSS 9.1ICS-CERT ICSA-23-320-08Nov 14, 2023
Siemens
Attack path
Attack VectorNetwork
Auth RequiredHigh
ComplexityLow
User InteractionNone needed
Summary
SCALANCE XB-200/XC-200/XP-200/XF-200BA/XR-300WG Family before V4.5 is affected by multiple vulnerabilities including weak cryptographic key generation (CWE-326), out-of-bounds read/write (CWE-125, CWE-415), null pointer dereference (CWE-476), resource exhaustion (CWE-770), and others. These vulnerabilities could allow remote exploitation with elevated privileges, leading to confidentiality, integrity, and availability impacts across the managed network. Siemens has released firmware version 4.5 or later to address these issues.
What this means
What could happen
An attacker with network access to one of these switches could exploit multiple flaws to execute commands with elevated privilege, potentially disrupting network communication, altering switch configurations, or accessing sensitive data on connected control devices. Loss of network connectivity to field devices or PLCs would interrupt field operations and process monitoring.
Who's at risk
Water authorities and utilities managing network switches and managed Ethernet devices using Siemens SCALANCE switches (XB-200, XC-200, XP-200, XF-200BA, XR-300WG series) in control system networks. These switches provide network connectivity for PLCs, RTUs, and field devices. Affected models include various configurations for fiber, copper, and PoE variants used in both Ethernet/IP and PROFINET architectures.
How it could be exploited
An attacker reachable via network to the switch could send malformed packets or requests that trigger buffer overflows, weak cryptographic implementation, or resource exhaustion conditions. Exploitation requires elevated privileges on the device itself, suggesting the attacker either has engineering credentials or has already compromised an engineering workstation or plant network. Once exploited, the attacker could modify switch configurations, intercept traffic between control devices, or take the switch offline.
Prerequisites
- Network access to the SCALANCE switch (directly or from the plant network)
- Elevated/administrative privileges on the switch, or ability to authenticate as an engineering user
- Knowledge of or ability to craft requests targeting the specific vulnerabilities (buffer overflow, weak crypto, resource exhaustion)
Remotely exploitableHigh EPSS score (92.0%)Multiple critical vulnerabilities in single advisoryAffects managed Ethernet switches that are network backbone for control systemsWeak cryptographic implementation
Exploitability
Likely to be exploited — EPSS score 92.1%
Public Proof-of-Concept (PoC) on GitHub (1 repository)
Affected products (69)
69 with fix
ProductAffected VersionsFix Status
SCALANCE XC208G PoE (54 V DC)<V4.54.5
SCALANCE XC216<V4.54.5
SCALANCE XC216-3G PoE<V4.54.5
SCALANCE XC216-3G PoE (54 V DC)<V4.54.5
SCALANCE XC216-4C<V4.54.5
Remediation & Mitigation
0/5
Do now
0/3HARDENINGImplement network segmentation to isolate SCALANCE switches from untrusted networks; restrict access to engineering/management ports (e.g., port 22 SSH, web management) to authorized engineering workstations only
WORKAROUNDDisable remote management access to the switches if not required for operations; if required, use VPN with strong authentication
HARDENINGVerify credentials used for switch configuration are strong and not defaults; rotate any default or shared engineering credentials
Schedule — requires maintenance window
0/2Patching may require device reboot — plan for process interruption
HOTFIXUpdate all affected SCALANCE switches to firmware version 4.5 or later
HOTFIXDocument and test firmware update procedure before deployment to minimize process interruption during maintenance window
CVEs (13)
↑↓ Navigate · Esc Close
API:
/api/v1/advisories/1e9afcf9-0606-41e5-b6e7-99be9f5e4779Get OT security insights every Tuesday
Advisory breakdowns, a weekly summary, and incident analyses for the people actually defending OT environments. Free, no account required.