OTPulse

Siemens SCALANCE W700

Act Now | 9.1 | ICS-CERT ICSA-24-256-13 | Sep 10, 2024
Attack Vector: Network
Auth Required: High
Complexity: Low
User Interaction: None needed
Summary

A command injection vulnerability exists in Siemens SCALANCE W700 series wireless access points and bridges (models WAB762-1, WAM763-1, WAM766-1, WUB762-1, WUM763-1, WUM766-1 and variants) in firmware versions prior to 2.4.0. The vulnerability is caused by insufficient input validation in a management function. An attacker with administrative credentials could inject malicious commands through the device interface, potentially allowing unauthorized modification of device settings or execution of arbitrary commands.

What this means
What could happen
An attacker with administrative credentials could inject malicious commands or alter the configuration of Siemens SCALANCE wireless access point and bridge devices, potentially disrupting network connectivity for control systems or enabling lateral movement into the industrial network.
Who's at risk
Water utilities and electric utilities that use Siemens SCALANCE wireless access points (WAB, WAM, WUB, WUM) for connecting remote RTUs, PLCs, or HMIs to their control networks. Affected devices are wired and wireless bridges and access points used in industrial wireless deployments, particularly in remote substation or facility monitoring applications.
How it could be exploited
An attacker with valid administrative credentials can send crafted input to the device's web interface or management function that is not properly validated, allowing command injection. The attacker can then modify device settings, disable security features, or execute arbitrary commands on the wireless access point, which could isolate critical control system devices from the network or intercept traffic.
Prerequisites
  • Administrative credentials for the affected device
  • Network access to the device's management interface (web UI or SSH)
  • Knowledge of the injection vulnerability mechanism
  • Remotely exploitable via network management interface
  • Requires administrative credentials (not unauthenticated)
  • Low attack complexity
  • Can affect network availability and integrity of control system communications
  • Vendor patch available
Exploitability
Low exploit probability (EPSS 0.5%)
Affected products (16)
16 with fix
Product                   Affected Versions   Fix Status
SCALANCE WAB762-1         <V2.4.0             2.4.0
SCALANCE WAM763-1         <V2.4.0             2.4.0
SCALANCE WAM763-1 (ME)    <V2.4.0             2.4.0
SCALANCE WAM763-1 (US)    <V2.4.0             2.4.0
SCALANCE WAM766-1 (EU)    <V2.4.0             2.4.0
Remediation & Mitigation
Do now
WORKAROUND: Restrict network access to the device management interface using firewall rules—allow only authorized engineering workstations by IP address
HARDENING: Disable remote management features if not required for operations
Schedule — requires maintenance window

Patching may require device reboot — plan for process interruption

HOTFIX: Update all affected SCALANCE W700 series devices to firmware version 2.4.0 or later
Long-term hardening
HARDENING: Implement network segmentation to isolate wireless access points and bridges from the business network and internet
HARDENING: Use VPN for any required remote management access instead of direct internet exposure
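
To decide which devices need the firmware update, the following added example (not part of the advisory and not Siemens tooling) triages an asset inventory against the affected models and the 2.4.0 fix version stated above. The CSV layout, hostnames and firmware strings are constructed assumptions.

```python
import csv
import io
import re

# From the advisory: affected base models and the first fixed firmware version.
AFFECTED_MODELS = ("WAB762-1", "WAM763-1", "WAM766-1",
                   "WUB762-1", "WUM763-1", "WUM766-1")
FIXED_VERSION = (2, 4, 0)

# Constructed sample inventory (hostnames and firmware values are made up).
SAMPLE_INVENTORY = """host,model,firmware
ap-pump-01,SCALANCE WAM763-1 (ME),V2.3.1
ap-sub-07,SCALANCE WAB762-1,V2.4.0
br-tank-02,SCALANCE WAM763-1 (US),2.2
ap-lab-03,SCALANCE WAM766-1 (EU),unknown
sw-core-01,Unrelated switch,V4.1
"""

def parse_version(text):
    """Return a 3-tuple like (2, 3, 1), or None if the string is not a version."""
    m = re.fullmatch(r"[Vv]?(\d+)(?:\.(\d+))?(?:\.(\d+))?", text.strip())
    if not m:
        return None
    return tuple(int(g or 0) for g in m.groups())

def triage(inventory_csv):
    """Map each affected-model host to 'patch', 'ok' or 'verify'."""
    result = {}
    for row in csv.DictReader(io.StringIO(inventory_csv)):
        # Variants such as "(ME)" or "(US)" share the base model name.
        if not any(m in row["model"] for m in AFFECTED_MODELS):
            continue  # not a product covered by this advisory
        version = parse_version(row["firmware"])
        if version is None:
            result[row["host"]] = "verify"  # unreadable version: check by hand
        elif version < FIXED_VERSION:
            result[row["host"]] = "patch"   # below 2.4.0: schedule the update
        else:
            result[row["host"]] = "ok"
    return result

if __name__ == "__main__":
    for host, status in triage(SAMPLE_INVENTORY).items():
        print(f"{host}: {status}")
```

Hosts reported as "verify" have a firmware field that could not be parsed and should be checked on the device before being treated as patched.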