Siemens SCALANCE W1750D

Plan PatchCVSS 9.8ICS-CERT ICSA-24-046-01Feb 13, 2024

Siemens

Attack path

Attack VectorNetwork

Auth RequiredNone

ComplexityLow

User InteractionNone needed

Summary

The SCALANCE W1750D wireless access point contains multiple vulnerabilities in its web interface and CLI that allow unauthenticated remote code execution, denial of service, or sensitive information disclosure. The vulnerabilities include buffer overflow flaws (CWE-120), improper input validation (CWE-20), and command injection (CWE-77). An unauthenticated attacker with network access to the device can exploit these to run arbitrary commands or crash the device. Siemens has released firmware version 8.10.0.9 to address these issues. Until patched, temporary mitigations include enabling cluster-security and restricting management interface access via VLAN or firewall rules.

What this means

What could happen

An attacker could execute arbitrary commands on the SCALANCE W1750D wireless access point without authentication, potentially taking control of network access for critical operations. This could disrupt connectivity to control systems, allowing manipulation of connected industrial equipment or denial of service to plant networks.

Who's at risk

This affects organizations using Siemens SCALANCE W1750D wireless access points in industrial networks, including water utilities, electrical substations, and manufacturing plants that rely on these devices to provide wireless connectivity to PLCs, RTUs, or field equipment. The device is a critical network component; compromising it could disrupt communications to multiple control systems.

How it could be exploited

An attacker with network reachability to the device can send specially crafted commands that exploit buffer overflow or command injection vulnerabilities in the web interface or CLI. No authentication is required; the device accepts the malicious input directly and executes code with device privileges.

Prerequisites

Network access to the SCALANCE W1750D management interface (web port or CLI)
No credentials required

Remotely exploitableNo authentication requiredLow complexity exploitHigh CVSS score (9.8)Multiple vulnerabilities in same product

Exploitability

Unlikely to be exploited — EPSS score 0.9%

Affected products (3)

3 with fix

ProductAffected VersionsFix Status

SCALANCE W1750D (JP)<V8.10.0.98.10.0.9

SCALANCE W1750D (ROW)<V8.10.0.98.10.0.9

SCALANCE W1750D (USA)<V8.10.0.98.10.0.9

Remediation & Mitigation

0/5

Do now

0/2

WORKAROUNDEnable cluster-security via the cluster-security command on devices running firmware older than 8.10.0.9 to mitigate CVE-2023-45614 through CVE-2023-45624

HARDENINGRestrict CLI and web management interface access to a dedicated Layer 2 VLAN segment to limit exposure of CVE-2023-45625, CVE-2023-45626, and CVE-2023-45627

Schedule — requires maintenance window

0/3

Patching may require device reboot — plan for process interruption

HOTFIXUpdate all SCALANCE W1750D devices to firmware version 8.10.0.9 or later

HARDENINGDeploy firewall rules at Layer 3 and above to control access to management interfaces

HARDENINGIsolate wireless access point networks from business networks and ensure they are not directly accessible from the internet

CVEs (14)

CVE-2023-45614 CVE-2023-45615 CVE-2023-45616 CVE-2023-45617 CVE-2023-45618 CVE-2023-45619 CVE-2023-45620 CVE-2023-45621 CVE-2023-45622 CVE-2023-45623 CVE-2023-45624 CVE-2023-45625 CVE-2023-45626 CVE-2023-45627

View full CISA ICS-CERT advisory

↑↓ Navigate · Esc Close

API: /api/v1/advisories/8f8099c2-ee9b-4fed-9cd5-be4367457a8b

Get OT security insights every Tuesday

Advisory breakdowns, a weekly summary, and incident analyses for the people actually defending OT environments. Free, no account required.