OTPulse

Siemens SCALANCE XCM-/XRM-300

Priority: Act Now
Score: 9.8
Advisory: ICS-CERT ICSA-24-046-11
Published: Feb 13, 2024
Attack Vector: Network
Auth Required: None
Complexity: Low
User Interaction: None needed
Summary

SCALANCE XCM-/XRM-300 network switches running firmware before V2.4 are affected by a large set of vulnerabilities (160 CVEs are rolled into this advisory), including buffer overflows, improper input validation, weak cryptographic implementations and broken access controls. Most of the identifiers belong to bundled third-party components (the list includes well-known Linux kernel, curl, Go and Python issues), so the practical exposure of a given switch depends on which of those services it runs and exposes. The most severe flaws allow an unauthenticated remote attacker to execute arbitrary code on the switch, compromise device integrity, and intercept or manipulate network traffic. The advisory lists 11 affected product variants across the XCH328, XCM324, XCM328, XCM332, XRH334 and XRM334 families; all are fixed in V2.4.

What this means
What could happen
An attacker with network access to a SCALANCE X-300 switch could execute arbitrary code remotely and completely compromise the device, allowing them to intercept, modify, or block network traffic between control systems and field devices.
Who's at risk
Water utilities, electric utilities, and other critical infrastructure operators using Siemens SCALANCE XCM or XRM network switches for industrial control system communications. These switches are commonly deployed to connect PLCs, RTUs, and SCADA workstations. Any facility relying on these switches for mission-critical process control should treat this as an urgent priority.
How it could be exploited
An attacker on the network sends a specially crafted request to a service exposed by the SCALANCE X-300 switch. Because of multiple memory-safety and input-validation flaws (buffer overflows, missing bounds checks), the request is processed unsafely and the attacker gains code execution with the privileges of the affected service; the weak cryptographic implementations separately reduce the confidentiality and integrity protection of management traffic. From the compromised switch the attacker can then monitor or alter the control traffic it forwards.
Prerequisites
  • Network-layer access to the SCALANCE X-300 device (no authentication required)
  • Device running firmware version 2.3 or earlier
Risk factors
  • Remotely exploitable, no authentication required
  • Network-accessible device in operational networks
  • Actively exploited in the wild (KEV status)
  • Very high exploit probability (68.2% EPSS)
  • Multiple underlying coding flaws increase the attack surface
  • Affects network infrastructure critical to process control
KEV status and EPSS scores are assigned per CVE, not per advisory. With 160 CVEs rolled up here, identify which entries carry the KEV flag and the 68.2% EPSS figure before using them to set priority; the remaining entries are prioritised on the 9.8 score and the single V2.4 fix that covers them all.
Exploitability
Actively exploited — confirmed by CISA KEV
Affected products (11)
11 with fix
Product | Affected versions | Fix status
SCALANCE XCH328 | < V2.4 | fixed in V2.4
SCALANCE XCM324 | < V2.4 | fixed in V2.4
SCALANCE XCM328 | < V2.4 | fixed in V2.4
SCALANCE XCM332 | < V2.4 | fixed in V2.4
SCALANCE XRH334 (24 V DC, 8xFO, CC) | < V2.4 | fixed in V2.4
SCALANCE XRM334 (230 V AC, 12xFO) | < V2.4 | fixed in V2.4
SCALANCE XRM334 (230 V AC, 8xFO) | < V2.4 | fixed in V2.4
SCALANCE XRM334 (24 V DC, 12xFO) | < V2.4 | fixed in V2.4
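The table above reduces to one rule: any of the listed product families on firmware below V2.4 needs the update. The following is an added example (not code from the advisory or from Siemens) of applying that rule to an asset inventory. The product codes and the V2.4 threshold come from the table; the inventory rows, hostnames and firmware strings are constructed for the demonstration, and the version-string format (an optional leading "V" followed by dotted integers) is an assumption about how your inventory records firmware.

```python
import re

# Product codes and fixed version, taken from the advisory's affected-products table.
AFFECTED_MODELS = {"XCH328", "XCM324", "XCM328", "XCM332", "XRH334", "XRM334"}
FIXED_VERSION = (2, 4)


def parse_version(text):
    """Turn firmware strings such as 'V2.3', 'v2.3.1' or '2.4' into a comparable int tuple.

    Tuple comparison is numeric per component, so 'V2.10' correctly sorts after 'V2.4'
    (a plain string compare would get that wrong).
    """
    m = re.fullmatch(r"[Vv]?(\d+(?:\.\d+)*)", text.strip())
    if not m:
        raise ValueError(f"unrecognised firmware version: {text!r}")
    return tuple(int(part) for part in m.group(1).split("."))


def model_code(product_name):
    """Reduce 'SCALANCE XRM334 (24 V DC, 12xFO)' to the bare family code 'XRM334'."""
    tokens = product_name.upper().replace("SCALANCE", " ").split()
    return tokens[0] if tokens else ""


def is_affected(product_name, firmware):
    """True when the product is in the advisory's table and runs firmware below V2.4."""
    if model_code(product_name) not in AFFECTED_MODELS:
        return False
    return parse_version(firmware) < FIXED_VERSION


def triage(inventory):
    """Return the (hostname, product, firmware) rows that still need the V2.4 update."""
    return [row for row in inventory if is_affected(row[1], row[2])]


# Constructed sample inventory for demonstration; hostnames and versions are made up.
SAMPLE_INVENTORY = [
    ("sw-plc-ring-01", "SCALANCE XCM328", "V2.3"),
    ("sw-plc-ring-02", "SCALANCE XCM328", "V2.4"),
    ("sw-fo-core-01", "SCALANCE XRM334 (24 V DC, 12xFO)", "V2.2.1"),
    ("sw-fo-core-02", "SCALANCE XRH334 (24 V DC, 8xFO, CC)", "V2.4.1"),
    ("sw-office-01", "SCALANCE XC208", "V4.3"),  # other product family, outside this advisory
]

if __name__ == "__main__":
    for host, product, fw in triage(SAMPLE_INVENTORY):
        print(f"{host}: {product} on {fw} -> update to V2.4")
```

The model match is deliberately on the family code only, because the table's variants (power supply, port count, CC) share one firmware line and one fix; a hardware variant not in the table, such as the XC208 row above, is not flagged by this advisory even if its firmware is old.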
Remediation & Mitigation
Do now
HOTFIX: Update SCALANCE X-300 switches to firmware version 2.4 or later
WORKAROUND: Implement network access controls to restrict traffic to the SCALANCE X-300 management interface (e.g., firewall rules limiting access to authorized engineering workstations only)
Schedule — requires maintenance window
Patching may require device reboot — plan for process interruption
HARDENING: Monitor SCALANCE X-300 devices for unexpected configuration changes or management access from unauthorized sources
Long-term hardening
HARDENING: Implement network segmentation so control network switches are not directly reachable from business IT networks or the internet
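The monitoring item above is only actionable with a concrete notion of "unauthorized source" and "unexpected change". The following is an added example (not from the advisory or from Siemens) of the detection logic run over switch syslog: it treats any management login or configuration change from outside an allowlist as an alert, flags every configuration change on a control switch for review, and counts repeated failed logins per source. The allowlist networks, the threshold and the log-line format are assumptions made for the example; the sample lines are constructed, not captured from a real device, and the two regular expressions are the part to adapt to the wording of your switches' actual messages.

```python
import ipaddress
import re
from collections import Counter

# Hypothetical allowlist: the engineering-workstation subnet and one jump host.
# Anything else touching the management plane of an OT switch deserves an alert.
AUTHORIZED_MGMT_SOURCES = [
    ipaddress.ip_network("10.20.1.0/24"),
    ipaddress.ip_network("10.99.0.5/32"),
]
FAILED_LOGIN_THRESHOLD = 3

# Constructed syslog shape for this example. Real SCALANCE messages are worded
# differently; the two regexes are the only part that needs adapting.
LOGIN_RE = re.compile(
    r"^(?P<ts>\w{3} +\d+ \d\d:\d\d:\d\d) (?P<host>\S+) mgmt: "
    r"(?P<svc>ssh|https|snmp) login (?P<result>ok|failed) user=(?P<user>\S+) src=(?P<src>[\d.]+)$"
)
CONFIG_RE = re.compile(
    r"^(?P<ts>\w{3} +\d+ \d\d:\d\d:\d\d) (?P<host>\S+) mgmt: "
    r"config (?P<action>changed|saved) user=(?P<user>\S+) src=(?P<src>[\d.]+)$"
)


def source_authorized(src):
    """True when src falls inside one of the allowlisted management networks."""
    ip = ipaddress.ip_address(src)
    return any(ip in net for net in AUTHORIZED_MGMT_SOURCES)


def analyse(lines):
    """Return a list of (alert_kind, host, src, detail) tuples for the given log lines."""
    alerts = []
    failures = Counter()
    for line in lines:
        if m := LOGIN_RE.match(line):
            if not source_authorized(m["src"]):
                alerts.append(("unauthorized-mgmt-source", m["host"], m["src"], m["svc"]))
            if m["result"] == "failed":
                failures[(m["host"], m["src"])] += 1
                # Fire once when the threshold is crossed, not on every further failure.
                if failures[(m["host"], m["src"])] == FAILED_LOGIN_THRESHOLD:
                    alerts.append(("repeated-login-failures", m["host"], m["src"], m["user"]))
        elif m := CONFIG_RE.match(line):
            kind = "config-change" if source_authorized(m["src"]) else "config-change-unauthorized-source"
            # On a process-control switch every config change is worth a ticket; one
            # from outside the allowlist is an incident.
            alerts.append((kind, m["host"], m["src"], m["user"]))
    return alerts


# Constructed sample log, not captured from a real device.
SAMPLE_LOG = """\
Feb 13 10:02:11 sw-plc-ring-01 mgmt: ssh login ok user=admin src=10.20.1.15
Feb 13 10:05:47 sw-plc-ring-01 mgmt: config changed user=admin src=10.20.1.15
Feb 13 11:14:02 sw-fo-core-01 mgmt: https login ok user=admin src=192.168.50.23
Feb 13 11:14:30 sw-fo-core-01 mgmt: config changed user=admin src=192.168.50.23
Feb 13 11:20:01 sw-plc-ring-02 mgmt: ssh login failed user=root src=172.16.8.9
Feb 13 11:20:03 sw-plc-ring-02 mgmt: ssh login failed user=root src=172.16.8.9
Feb 13 11:20:05 sw-plc-ring-02 mgmt: ssh login failed user=root src=172.16.8.9
""".splitlines()

if __name__ == "__main__":
    for alert in analyse(SAMPLE_LOG):
        print(alert)
```

The same allowlist that drives these alerts is the one the WORKAROUND item's firewall rules should enforce; running the detection alongside the rules catches both a misconfigured rule set and a source inside the allowlist that has itself been compromised (the config-change alerts are what surface the latter).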
CVEs (160)
CVE-2006-20001 CVE-2020-10735 CVE-2021-3445 CVE-2021-3638 CVE-2021-4037 CVE-2021-36369 CVE-2021-43666 CVE-2021-45451
CVE-2022-1015 CVE-2022-1348 CVE-2022-2586 CVE-2022-2880 CVE-2022-3294 CVE-2022-3437 CVE-2022-3515 CVE-2022-4415
CVE-2022-4743 CVE-2022-4744 CVE-2022-4900 CVE-2022-4904 CVE-2022-23471 CVE-2022-23521 CVE-2022-24834 CVE-2022-26691
CVE-2022-28737 CVE-2022-28738 CVE-2022-28739 CVE-2022-29154 CVE-2022-29162 CVE-2022-29187 CVE-2022-29536 CVE-2022-32148
CVE-2022-34903 CVE-2022-34918 CVE-2022-36021 CVE-2022-36227 CVE-2022-36760 CVE-2022-37436 CVE-2022-37454 CVE-2022-37797
CVE-2022-38725 CVE-2022-39189 CVE-2022-39260 CVE-2022-41409 CVE-2022-41556 CVE-2022-41715 CVE-2022-41717 CVE-2022-41723
CVE-2022-41860 CVE-2022-41861 CVE-2022-41862 CVE-2022-41903 CVE-2022-42919 CVE-2022-44370 CVE-2022-45061 CVE-2022-45142
CVE-2022-45919 CVE-2022-46392 CVE-2022-46393 CVE-2022-47629 CVE-2022-48303 CVE-2022-48434 CVE-2023-0160 CVE-2023-0330
CVE-2023-0361 CVE-2023-0494 CVE-2023-0567 CVE-2023-0568 CVE-2023-0590 CVE-2023-0662 CVE-2023-1206 CVE-2023-1380
CVE-2023-1393 CVE-2023-1611 CVE-2023-1670 CVE-2023-1838 CVE-2023-1855 CVE-2023-1859 CVE-2023-1989 CVE-2023-1990
CVE-2023-2002 CVE-2023-2124 CVE-2023-2194 CVE-2023-2269 CVE-2023-2861 CVE-2023-2953 CVE-2023-3006 CVE-2023-3090
CVE-2023-3111 CVE-2023-3141 CVE-2023-3212 CVE-2023-3247 CVE-2023-3268 CVE-2023-3301 CVE-2023-3316 CVE-2023-3390
CVE-2023-3611 CVE-2023-3776 CVE-2023-3863 CVE-2023-4128 CVE-2023-4194 CVE-2023-20593 CVE-2023-21255 CVE-2023-22490
CVE-2023-22742 CVE-2023-22745 CVE-2023-23454 CVE-2023-23931 CVE-2023-23934 CVE-2023-23946 CVE-2023-24538 CVE-2023-25153
CVE-2023-25155 CVE-2023-25193 CVE-2023-25588 CVE-2023-25690 CVE-2023-25727 CVE-2023-26081 CVE-2023-26965 CVE-2023-27522
CVE-2023-27534 CVE-2023-27535 CVE-2023-27536 CVE-2023-28450 CVE-2023-28466 CVE-2023-28486 CVE-2023-28487 CVE-2023-29402
CVE-2023-29404 CVE-2023-29405 CVE-2023-29406 CVE-2023-29409 CVE-2023-30086 CVE-2023-30456 CVE-2023-30772 CVE-2023-31084
CVE-2023-31124 CVE-2023-31130 CVE-2023-31147 CVE-2023-31436 CVE-2023-31489 CVE-2023-32067 CVE-2023-32233 CVE-2023-32573
CVE-2023-33203 CVE-2023-34256 CVE-2023-34872 CVE-2023-34969 CVE-2023-35001 CVE-2023-35788 CVE-2023-35789 CVE-2023-35823
CVE-2023-35824 CVE-2023-35828 CVE-2023-36054 CVE-2023-36617 CVE-2023-36664 CVE-2023-37920 CVE-2023-38559 CVE-2023-40283
API: /api/v1/advisories/35fc8ab0-f5ab-484a-ac56-02582b65bfa6