Siemens RUGGEDCOM

Plan PatchCVSS 8.8ICS-CERT ICSA-24-193-06Jul 9, 2024

Siemens

Attack path

Attack VectorAdjacent

Auth RequiredNone

ComplexityLow

User InteractionNone needed

Summary

Multiple information disclosure vulnerabilities (CVE-2024-39675, CVE-2023-52237, CVE-2024-38278, CVE-2023-52238) in the RUGGEDCOM Operating System affect managed industrial network switches. These vulnerabilities expose confidential system configuration data, credentials, and other sensitive information through unprotected management and diagnostic interfaces. Affected products include RUGGEDCOM RS-series, RSG-series, RSL-series, RST-series, and i800/M2100/M2200/M969/RMC/RP variants running firmware versions before V4.3.10 (V4 series) or V5.9.0 (V5 series). A number of legacy models (RS900L, RS910L, RS920L/W, RS930L, RS930W, RS969 series) have no fix available.

What this means

What could happen

Multiple information disclosure vulnerabilities in RUGGEDCOM switches allow exposure of sensitive system configuration data and credentials. An attacker with network access could read confidential information to facilitate further attacks on OT networks.

Who's at risk

Municipal utilities and industrial sites using Siemens RUGGEDCOM managed switches for critical network infrastructure. This includes water authorities, electric utilities, and manufacturing plants that rely on these switches for SCADA and process control network connectivity. Affected models span from compact RS-series switches to high-capacity RSG-series and special-purpose variants (i800, M2100, RMC8388, etc.).

How it could be exploited

An attacker on the same network segment as a vulnerable RUGGEDCOM switch can query the device for configuration data via unprotected management interfaces or unauthenticated diagnostic protocols. Once credentials or configuration details are leaked, they can be used to compromise connected devices or escalate privileges.

Prerequisites

Network access to the RUGGEDCOM device on the same subnet or via routed network path
No authentication required for affected management interfaces or diagnostic functions
Device must be running a vulnerable firmware version

remotely exploitableno authentication requiredlow complexityaffects network infrastructure used in safety-critical systemsmultiple products have no fix planned

Exploitability

Unlikely to be exploited — EPSS score 0.1%

Affected products (136)

124 with fix12 pending

ProductAffected VersionsFix Status

RUGGEDCOM RS416NCv2 V5.X< 5.9.05.9.0

RUGGEDCOM RS416P< 4.3.104.3.10

RUGGEDCOM RS416PNC< 4.3.104.3.10

RUGGEDCOM RS416PNCv2 V4.X< 4.3.104.3.10

RUGGEDCOM RS416PNCv2 V5.X< 5.9.05.9.0

Remediation & Mitigation

0/4

Do now

0/2

HARDENINGFor products with no planned fix (RS900L, RS910L, RS920L/W, RS930L, RS969), implement network segmentation to restrict management access to the RUGGEDCOM switch from authorized engineering networks only

WORKAROUNDRestrict access to management ports and diagnostic interfaces using access control lists (ACLs) or firewall rules

Schedule — requires maintenance window

0/1

Patching may require device reboot — plan for process interruption

HOTFIXUpgrade firmware to patched versions: V4.3.10 or later (V4 series) or V5.9.0 or later (V5 series)

Long-term hardening

0/1

HARDENINGMonitor network traffic to these devices for unauthorized queries or access attempts

CVEs (4)

CVE-2023-52237 CVE-2023-52238 CVE-2024-38278 CVE-2024-39675

View full CISA ICS-CERT advisory

↑↓ Navigate · Esc Close

API: /api/v1/advisories/508075cf-33fd-489a-befb-9266cba59d0d

Get OT security insights every Tuesday

Advisory breakdowns, a weekly summary, and incident analyses for the people actually defending OT environments. Free, no account required.