Siemens SCALANCE W700 IEEE 802.11ax
Act NowCVSS 9.8ICS-CERT ICSA-25-044-09Feb 11, 2025
Siemens
Attack path
Attack VectorNetwork
Auth RequiredNone
ComplexityLow
User InteractionNone needed
Summary
SCALANCE W700 IEEE 802.11ax wireless access points contain multiple critical vulnerabilities including weak authentication, poor encryption, insecure deserialization, memory corruption, and unsafe input handling. These flaws allow remote attackers without credentials to execute arbitrary code, bypass security controls, or disrupt wireless communications. All models of SCALANCE WAB, WAM, WUB, and WUM series with firmware earlier than version 3.0.0 are affected. Siemens has released firmware version 3.0.0 or later to remediate these issues.
What this means
What could happen
An attacker with network access to these wireless access points could remotely execute arbitrary code or bypass authentication, potentially disrupting communications to critical field devices or taking control of the wireless network infrastructure used to manage industrial operations.
Who's at risk
Water utilities and municipal electric systems using Siemens SCALANCE W700 IEEE 802.11ax wireless access points for field device communications or engineering workstation connections. This includes SCALANCE WAB, WAM, WUB, and WUM series models deployed as wireless infrastructure for SCADA, HMI, or remote PLC access.
How it could be exploited
An attacker on the same network (or routable to it) could send a crafted request or exploit weak authentication/encryption mechanisms in the 802.11ax wireless firmware to execute commands on the access point. This could allow them to intercept, modify, or block communications between engineering workstations, PLCs, RTUs, and other control devices relying on the wireless network.
Prerequisites
- Network connectivity to the SCALANCE W700 device (wired or wireless)
- No authentication required for the majority of the identified vulnerabilities
remotely exploitableno authentication requiredlow complexityhigh EPSS score (88.5%)affects network infrastructure critical to operations
Exploitability
Likely to be exploited — EPSS score 88.4%
Public Proof-of-Concept (PoC) on GitHub (10 repositories)
Affected products (17)
17 with fix
ProductAffected VersionsFix Status
SCALANCE WAB762-1<V3.0.03.0.0
SCALANCE WAM763-1<V3.0.03.0.0
SCALANCE WAM763-1 (ME)<V3.0.03.0.0
SCALANCE WAM763-1 (US)<V3.0.03.0.0
SCALANCE WAM766-1<V3.0.03.0.0
Remediation & Mitigation
0/4
Do now
0/1WORKAROUNDRestrict network access to SCALANCE W700 devices using firewall rules to block direct access from untrusted networks
Schedule — requires maintenance window
0/1Patching may require device reboot — plan for process interruption
HOTFIXUpdate all SCALANCE W700 series devices to firmware version 3.0.0 or later
Long-term hardening
0/2HARDENINGIf remote management is required, implement VPN access to reach the devices instead of direct network exposure
HARDENINGIsolate the wireless network infrastructure (SCALANCE W700 devices) from business networks using separate VLAN segmentation
CVEs (72)
CVE-2022-40303CVE-2022-40304CVE-2023-0215CVE-2023-0465CVE-2023-28484CVE-2023-29469CVE-2024-5535CVE-2023-5678CVE-2023-51385CVE-2023-45853CVE-2022-2588CVE-2022-2663CVE-2022-3524CVE-2022-4304CVE-2022-4450CVE-2022-39188CVE-2022-39842CVE-2022-43750CVE-2022-47069CVE-2022-47929CVE-2023-0045CVE-2023-0286CVE-2023-0464CVE-2023-0466CVE-2023-0590CVE-2023-1073CVE-2023-1074CVE-2023-1118CVE-2023-1206CVE-2023-1380CVE-2023-1670CVE-2023-2194CVE-2023-3446CVE-2023-3611CVE-2023-4623CVE-2023-4921CVE-2023-5363CVE-2023-5717CVE-2023-6129CVE-2023-6237CVE-2023-7250CVE-2023-23454CVE-2023-23455CVE-2023-23559CVE-2023-26545CVE-2023-28578CVE-2023-31085CVE-2023-31315CVE-2023-35001CVE-2023-39192CVE-2023-39193CVE-2023-42754CVE-2023-43522CVE-2023-44320CVE-2023-44322CVE-2023-45863CVE-2023-48795CVE-2023-51384CVE-2024-0727CVE-2024-2511CVE-2024-4603CVE-2024-4741CVE-2024-6119CVE-2024-9143CVE-2024-23814CVE-2024-26306CVE-2024-33016CVE-2024-50560CVE-2024-50561CVE-2024-50572CVE-2025-24499CVE-2025-24532
↑↓ Navigate · Esc Close
API:
/api/v1/advisories/8fba238d-1009-46d2-8cd0-194d6c519ec0Get OT security insights every Tuesday
Advisory breakdowns, a weekly summary, and incident analyses for the people actually defending OT environments. Free, no account required.