Siemens RUGGEDCOM APE 1808

Act Now9.1ICS-CERT ICSA-24-193-11Jul 9, 2024

Attack VectorNetwork

Auth RequiredHigh

ComplexityLow

User InteractionNone needed

Summary

Multiple vulnerabilities in the Siemens RUGGEDCOM APE1808 derive from upstream Palo Alto Networks PAN-OS weaknesses in SSH authentication and encryption handling (including CWE-222 incorrect privilege assignment, CWE-924 improper error handling, CWE-20 input validation, CWE-79 cross-site scripting, CWE-787 buffer overflow, CWE-400 resource exhaustion, CWE-77 command injection, and CWE-754 improper exception handling). The device runs PAN-OS software and is vulnerable to SSH cipher bypass and other authentication/authorization flaws. All versions are affected. No vendor patch is currently available, but Siemens recommends SSH profile configuration workarounds and general network isolation measures.

What this means

What could happen

An attacker with high-level administrative credentials could exploit Palo Alto Networks vulnerabilities inherited in the Siemens RUGGEDCOM APE1808 to bypass SSH authentication security, potentially gaining remote command execution on the device and altering network routing or security policies in your industrial network.

Who's at risk

This vulnerability affects water utilities, electric utilities, and other critical infrastructure operators using the Siemens RUGGEDCOM APE1808 Ethernet switch/router in industrial networks for process control communications, remote access gateways, or security appliance roles.

How it could be exploited

An attacker with administrative credentials would need to exploit SSH cipher weaknesses in PAN-OS inherited by the device, using custom SSH packets to bypass encryption and authentication algorithms. This requires network reachability to the device's SSH port and valid high-privileged credentials to access the management interface.

Prerequisites

Network access to SSH management port (typically port 22)
Valid administrative/high-privilege credentials for device management interface
Knowledge of upstream PAN-OS SSH cipher weaknesses

remotely exploitablehigh EPSS score (65.4%)no patch availablerequires administrative credentials (mitigating factor)high attack complexity (mitigating factor)

Exploitability

High exploit probability (EPSS 65.4%)

Affected products (1)

ProductAffected VersionsFix Status

RUGGEDCOM APE1808All versionsNo fix (EOL)

Remediation & Mitigation

0/5

Do now

0/2

WORKAROUNDConfigure SSH profile to contain at least one cipher and at least one MAC algorithm, removing support for CHACHA20-POLY1305 and all Encrypt-then-MAC algorithms (ciphers with -etm suffix)

HARDENINGRestrict network access to the RUGGEDCOM APE1808 management interface using firewall rules; do not expose SSH or management ports to untrusted networks

Schedule — requires maintenance window

0/1

Patching may require device reboot — plan for process interruption

HOTFIXMonitor Siemens security advisories (SSA-364175) and Palo Alto Networks security notifications for patch availability

Mitigations - no patch available

0/2

RUGGEDCOM APE1808 has reached End of Life. The vendor will not release a patch. Apply the following compensating controls:

HARDENINGIsolate the RUGGEDCOM APE1808 and its network segment from the business network using a firewall or air-gap

HARDENINGIf remote access to the device is required, use VPN with the most current software version available, and ensure VPN endpoints are similarly hardened

CVEs (9)

CVE-2023-48795 CVE-2024-3596 CVE-2024-5913 CVE-2024-5920 CVE-2024-9468 CVE-2024-9471 CVE-2025-0114 CVE-2025-4231 CVE-2025-4619

View full CISA ICS-CERT advisory

↑↓ Navigate · Esc Close

API: /api/v1/advisories/0cb62c7a-0ac7-4344-9396-9f141eb2baaa