OTPulse

Siemens Scalance W1750D

Priority: Act Now
CVSS: 9.8
Source: ICS-CERT ICSA-24-102-05
Date: Apr 9, 2024
Attack Vector: Network
Auth Required: None
Complexity: Low
User Interaction: None needed
Summary

The SCALANCE W1750D wireless access point contains multiple buffer overflow vulnerabilities that allow unauthenticated remote code execution and information disclosure. These vulnerabilities exist in the CLI and web-based management interfaces. Affected versions are prior to 8.10.0.9 across all regional variants (JP, ROW, USA). An attacker can exploit these vulnerabilities to run arbitrary commands on the device, potentially compromising network communications for connected control systems.

What this means
What could happen
An attacker could execute arbitrary code on the Scalance W1750D wireless access point without authentication, potentially disrupting communications for PLC and HMI systems that rely on this network device. This could lead to loss of operational visibility or control in facilities where wireless connectivity is critical to process automation.
Who's at risk
Water treatment, municipal power systems, and industrial facilities using Siemens Scalance W1750D wireless access points for PLC or HMI connectivity. The vulnerability affects the network infrastructure that enables wireless communication for field devices and control system engineering access. Facilities with W1750D devices that span multiple geographic regions (Japan, US, and rest-of-world variants) are in scope.
How it could be exploited
An attacker on the network sends a specially crafted packet to the CLI or web management interface (port 80/443 or SSH) that triggers a buffer overflow in the W1750D. No authentication is required. This overflow could allow the attacker to execute arbitrary commands on the device with administrative privileges, potentially redirecting network traffic or capturing credentials for connected systems.
Prerequisites
  • Network access to the W1750D management interface (CLI port or web interface)
  • Device running firmware version prior to 8.10.0.9
  • The affected management interface must be reachable from the attacker's network location
Tags: remotely exploitable, no authentication required, low complexity, high CVSS score (9.8), critical severity, network infrastructure asset, buffer overflow vulnerability
Exploitability
Moderate exploit probability (EPSS 1.7%)
Affected products (3)
3 with fix
Product | Affected Versions | Fix Status
SCALANCE W1750D (JP) | < V8.10.0.9 | fixed in 8.10.0.9
SCALANCE W1750D (ROW) | < V8.10.0.9 | fixed in 8.10.0.9
SCALANCE W1750D (USA) | < V8.10.0.9 | fixed in 8.10.0.9
Remediation & Mitigation
Do now
  • WORKAROUND: Restrict CLI and web-based management interfaces to a dedicated layer 2 segment/VLAN to limit network access
  • HARDENING: Apply firewall policies at layer 3 and above to control access to management interfaces
  • WORKAROUND: Enable cluster-security via the cluster-security command on the device
Schedule — requires maintenance window

Patching may require device reboot — plan for process interruption

  • HOTFIX: Update SCALANCE W1750D firmware to version 8.10.0.9 or later
Long-term hardening
  • HARDENING: Implement network segmentation to isolate wireless network infrastructure from direct internet access