Siemens SCALANCE W700

Plan PatchCVSS 7.2ICS-CERT ICSA-24-165-12Jun 11, 2024

Siemens

Attack path

Attack VectorNetwork

Auth RequiredHigh

ComplexityLow

User InteractionNone needed

Summary

Multiple vulnerabilities in Siemens SCALANCE W700 IEEE 802.11ax wireless devices (WAM766-1, WAM763-1, WAM762-1, WUB762-1, WUM766-1, WUM763-1 models) involving weak cryptographic key management (CWE-349, CWE-321), hardcoded credentials, and improper access restrictions. Devices before firmware version 3.0.0 are affected. Some product variants at all versions have no fix available from Siemens. Vulnerabilities could allow an authenticated attacker to extract credentials, modify configurations, or gain unauthorized access to the wireless network infrastructure supporting industrial operations.

What this means

What could happen

An attacker with administrative credentials could modify wireless network configurations, gain unauthorized access to the device, or cause denial of service on SCALANCE W700 wireless access points and bridges that provide network connectivity to industrial sites. This could disrupt communication between control systems and engineering workstations.

Who's at risk

Water utilities, power plants, and manufacturing facilities using SCALANCE W700 series wireless access points (WAM, WUB, WUM models) for industrial site connectivity. These devices are commonly deployed at remote substations, pump stations, and plant perimeters to provide wireless backhaul or last-mile connectivity to industrial networks.

How it could be exploited

An attacker with valid administrative credentials could connect to the device's management interface (HTTP/HTTPS, Telnet, or SSH) to exploit weak cryptographic implementations and hardcoded secrets in the device firmware. By modifying configuration parameters or extracting sensitive credentials, the attacker could reconfigure the wireless network, hijack client connections, or maintain persistent access.

Prerequisites

Valid administrative credentials for the SCALANCE W700 device
Network access to the device's management interface (port 80, 443, 23, or 22)
Physical proximity or remote access to the wireless network in question

No authentication required for some exploitation vectorsHardcoded credentials in firmwareWeak cryptographic implementationsNo patch available for some product variantsAffects network infrastructure

Exploitability

Unlikely to be exploited — EPSS score 0.2%

Affected products (34)

34 with fix

ProductAffected VersionsFix Status

SCALANCE WAM766-1 EEC (US)< V3.0.03.0.0

SCALANCE WUB762-1< V3.0.03.0.0

SCALANCE WUB762-1 iFeatures< V3.0.03.0.0

SCALANCE WUM763-1< V3.0.03.0.0

SCALANCE WUM763-1 (US)< V3.0.03.0.0

Remediation & Mitigation

0/5

Do now

0/2

WORKAROUNDImplement firewall rules to restrict management access to SCALANCE W700 devices from known engineering workstations only

WORKAROUNDDisable remote management protocols (Telnet) in favor of SSH where available

Schedule — requires maintenance window

0/1

Patching may require device reboot — plan for process interruption

HOTFIXUpdate SCALANCE W700 devices to firmware version 3.0.0 or later

Long-term hardening

0/2

HARDENINGSegment wireless access points and bridges behind a firewall, isolating them from direct internet access

HARDENINGUse VPN for all remote management of SCALANCE W700 devices

CVEs (4)

CVE-2023-44317 CVE-2023-44318 CVE-2023-44319 CVE-2023-44374

View full CISA ICS-CERT advisory

↑↓ Navigate · Esc Close

API: /api/v1/advisories/6100e0b3-552e-4ae6-90a1-6c68fce78232

Get OT security insights every Tuesday

Advisory breakdowns, a weekly summary, and incident analyses for the people actually defending OT environments. Free, no account required.