OTPulse

Siemens RUGGEDCOM and SCALANCE M-800/S615 Family

Act Now | CVSS 9.1 | ICS-CERT ICSA-23-348-14 | Dec 12, 2023
Attack Vector: Network
Auth Required: High
Complexity: Low
User Interaction: None needed
Summary

Multiple vulnerabilities in Siemens SCALANCE M-800 family and RUGGEDCOM RM1224 LTE routers before version 8.0 allow an administrator with high-level access to execute arbitrary commands on the device, bypass authentication mechanisms, generate weak encryption keys for secure communications, and manipulate network traffic. Affected devices include models used for ADSL/SHDSL remote connectivity, cellular LAN routing, and industrial Ethernet access. Siemens has released firmware version 8.0 for most products, but some devices have no patch available.

What this means
What could happen
An attacker with administrative credentials could exploit multiple vulnerabilities in these industrial routers to execute arbitrary commands, bypass authentication, or intercept encrypted communications. This could allow them to alter network traffic, disable remote sites, or introduce malware into critical infrastructure networks.
Who's at risk
Water utilities, electric utilities, and other critical infrastructure operators using Siemens RUGGEDCOM RM1224 LTE routers and SCALANCE M-800/S615 family industrial network devices for remote site connectivity and WAN management. These routers are typically deployed at substations, pumping stations, and distribution sites for SCADA communication and remote monitoring.
How it could be exploited
An attacker with high-level access (such as an admin account obtained through phishing or credential theft) can exploit weak cryptographic implementations and insufficient input validation to execute code on the router, intercept or modify network communications passing through the device, or manipulate critical configuration settings. The vulnerabilities span authentication bypass, weak encryption key generation, and OS command injection.
Prerequisites
  • Administrative or high-privilege credentials to access the device management interface
  • Network reachability to the device's management port
  • Knowledge of specific vulnerable configuration options or feature combinations
  • High privilege required but often delegated to field staff
  • Multiple CVEs in same product family indicate systemic design issues
  • Some vulnerabilities have no patch available
  • Affects network backbone devices connecting critical sites
  • Routers are often overlooked in security patching schedules
  • Weak cryptographic implementations allow long-term interception
Exploitability
Low exploit probability (EPSS 0.5%)
Affected products (36)
36 with fix
Product | Affected Versions | Fix Status
RUGGEDCOM RM1224 LTE(4G) EU | <V8.0 | 8.0
RUGGEDCOM RM1224 LTE(4G) NAM | <V8.0 | 8.0
SCALANCE M804PB | <V8.0 | 8.0
SCALANCE M812-1 ADSL-Router | <V8.0 | 8.0
SCALANCE M816-1 ADSL-Router | <V8.0 | 8.0
Remediation & Mitigation
Do now
WORKAROUND: Restrict network access to device management interfaces (web console, SSH, telnet) using firewall rules and network segmentation; allow only trusted engineering workstations and jump hosts
HARDENING: Disable unnecessary management protocols (telnet, HTTP) and use only SSH and HTTPS with strong credentials
WORKAROUND: For devices where no patch is available (CVE-2023-44318, CVE-2023-44320, CVE-2023-44321), apply strict access controls and consider lifecycle replacement planning
Schedule — requires maintenance window

Patching may require device reboot — plan for process interruption

HOTFIX: Update all RUGGEDCOM RM1224 LTE and SCALANCE M-800/S615 devices to firmware version 8.0 or later for CVE-2022-46143, CVE-2023-44319, CVE-2023-44322, CVE-2023-44373, CVE-2023-44374, and CVE-2023-49691
Long-term hardening
HARDENING: Implement network segmentation to isolate industrial routers from business networks and the internet; place devices behind firewalls
HARDENING: Monitor and log all access to device management interfaces for suspicious activity or credential misuse
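
Added example (not part of the advisory or any Siemens tooling): a triage pass over an asset inventory that applies the remediation items above, flagging in-family devices below firmware 8.0 and listing the CVEs still to track per device. The CSV columns, the sample rows and the model-prefix matching are assumptions; the page does not say which models lack a fix, so the three no-patch CVEs are kept on every in-family device.

```python
import csv
import io
import re

# Prefix matching is an assumption: the page shows only 5 of its 36 product rows.
FAMILY_PREFIXES = ("RUGGEDCOM RM1224", "SCALANCE M8", "SCALANCE S615")
FIXED_IN = (8, 0)  # page: affected "<V8.0", fix status "8.0"
FIXED_CVES = ["CVE-2022-46143", "CVE-2023-44319", "CVE-2023-44322",
              "CVE-2023-44373", "CVE-2023-44374", "CVE-2023-49691"]
NO_PATCH_CVES = ["CVE-2023-44318", "CVE-2023-44320", "CVE-2023-44321"]

# Constructed sample inventory (sites and versions are made up for the example).
SAMPLE_INVENTORY = """site,model,firmware
Pump Station 3,RUGGEDCOM RM1224 LTE(4G) EU,V7.2.2
Substation A,SCALANCE M816-1 ADSL-Router,V8.0
Substation B,SCALANCE M804PB,unknown
Control Room,SCALANCE XC208,V4.4
"""

def parse_version(text):
    """Turn 'V7.2.2', 'v8' or '8.0.1' into a tuple; None if unparseable."""
    m = re.fullmatch(r"\s*[Vv]?(\d+(?:\.\d+)*)\s*", text or "")
    if not m:
        return None
    parts = tuple(int(p) for p in m.group(1).split("."))
    # Pad so that 'V8' compares equal to (8, 0) instead of sorting below it.
    return parts + (0,) * max(0, len(FIXED_IN) - len(parts))

def triage(inventory_csv):
    """Return one finding per device that belongs to the advisory's families."""
    findings = []
    for row in csv.DictReader(io.StringIO(inventory_csv)):
        model = row["model"].strip()
        if not model.upper().startswith(FAMILY_PREFIXES):
            continue  # not covered by this advisory
        ver = parse_version(row["firmware"])
        if ver is None:
            status = "UNKNOWN"  # treat as exposed until checked on the device
        elif ver < FIXED_IN:
            status = "UPDATE"   # schedule the 8.0 firmware update
        else:
            status = "PATCHED"  # access controls still apply (no-patch CVEs)
        cves = NO_PATCH_CVES + ([] if status == "PATCHED" else FIXED_CVES)
        findings.append({"site": row["site"], "model": model,
                         "status": status, "cves_to_track": cves})
    return findings

if __name__ == "__main__":
    for f in triage(SAMPLE_INVENTORY):
        print(f["status"], f["site"], f["model"], ",".join(f["cves_to_track"]))
```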
Siemens RUGGEDCOM and SCALANCE M-800/S615 Family | CVSS 9.1 - OTPulse