Siemens SCALANCE W700 IEEE 802.11ax
Act Now | 9.8 | ICS-CERT ICSA-25-044-09 | Feb 11, 2025
Attack Vector: Network
Auth Required: None
Complexity: Low
User Interaction: None needed
Summary
Siemens SCALANCE W700 IEEE 802.11ax wireless access points (WAB, WAM, WUB, WUM series) contain multiple critical vulnerabilities across firmware versions prior to 3.0.0. These include memory corruption issues (CWE-415, CWE-787, CWE-190, CWE-125, CWE-416, CWE-476), weak cryptography (CWE-326), race conditions (CWE-362), authentication bypass (CWE-304), arbitrary code execution (CWE-78), and other high-severity flaws. No authentication is required for exploitation, and the attack vector is network-based.
What this means
What could happen
An attacker on the network can execute arbitrary commands on these wireless access points without authentication, potentially compromising the entire wireless network that connects to your plant floor devices. This could allow them to intercept, modify, or disrupt communications to your PLCs, RTUs, and other OT equipment.
Who's at risk
This affects water and electric utilities, and other process industries that use Siemens SCALANCE W700 series wireless access points to connect field devices (RTUs, sensors, wireless modules on PLCs) to control networks. Facilities using WAB762-1, WAM763-1, WAM766-1, WUB762-1, or WUM series access points are at risk. The risk is most critical for organizations with wireless networks in production environments.
How it could be exploited
An attacker can reach the wireless access point from the network (directly or via the air) and send malicious network traffic that exploits one or more of the memory corruption, authentication bypass, or code injection vulnerabilities to gain command execution on the device. Once in control of the access point, they can monitor, intercept, or inject commands into any wireless traffic connecting through it to your industrial devices.
Prerequisites
- Network access to the SCALANCE W700 device (wired or wireless)
- No valid credentials required for exploitation
- Device must be running firmware version prior to 3.0.0
- Remotely exploitable
- No authentication required
- Low complexity attack
- High EPSS score (88.5%)
- Affects critical network infrastructure
- Multiple vulnerabilities (35+ CWEs)
- Impacts wireless connectivity to plant floor devices
Exploitability
High exploit probability (EPSS 88.5%)
Affected products (17)
17 with fix
Product | Affected Versions | Fix Status
SCALANCE WAB762-1 | <V3.0.0 | 3.0.0
SCALANCE WAM763-1 | <V3.0.0 | 3.0.0
SCALANCE WAM763-1 (ME) | <V3.0.0 | 3.0.0
SCALANCE WAM763-1 (US) | <V3.0.0 | 3.0.0
SCALANCE WAM766-1 | <V3.0.0 | 3.0.0
Remediation & Mitigation
Do now
- HOTFIX: Update all affected SCALANCE W-700 devices to firmware version 3.0.0 or later
- WORKAROUND: Disable wireless network access and revert to wired-only network connectivity if the device supports it, until firmware can be updated
- HARDENING: Restrict network access to the SCALANCE W700 devices with firewall rules to permit only authorized management and trusted networks
Schedule — requires maintenance window
Patching may require device reboot; plan for process interruption
- HARDENING: Isolate the wireless network from the business network; do not allow direct connectivity between industrial wireless access points and corporate systems
Long-term hardening
- HARDENING: Implement network segmentation so wireless networks containing OT devices are isolated behind a dedicated firewall
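To prioritize the firmware update above, the following added example (not part of the advisory or any Siemens tooling) triages an asset inventory against the 3.0.0 fix version and the series named on this page. The model-name pattern, the inventory layout, and the sample hosts are assumptions.

```python
import re

FIXED = (3, 0, 0)  # first fixed firmware version stated in the advisory

# Assumed model naming: W + (AB|AM|UB|UM) + three digits + "-" + digit,
# covering the WAB, WAM, WUB and WUM series named on this page.
_MODEL_RE = re.compile(r"\bW(?:AB|AM|UB|UM)\d{3}-\d\b", re.IGNORECASE)
_VER_RE = re.compile(r"^\s*V?\s*(\d+)\.(\d+)(?:\.(\d+))?", re.IGNORECASE)


def parse_version(text):
    """Return (major, minor, patch), or None if no version can be parsed."""
    m = _VER_RE.match(text or "")
    if not m:
        return None
    return tuple(int(g) if g else 0 for g in m.groups())


def triage(model, firmware):
    """Classify a device: 'not-affected', 'vulnerable', 'fixed' or 'unknown'."""
    if not _MODEL_RE.search(model or ""):
        return "not-affected"
    version = parse_version(firmware)
    if version is None:
        return "unknown"  # handle as vulnerable until checked on the device
    return "vulnerable" if version < FIXED else "fixed"


def triage_inventory(rows):
    """rows: iterable of (hostname, model, firmware) -> {status: [hostnames]}."""
    result = {}
    for host, model, firmware in rows:
        result.setdefault(triage(model, firmware), []).append(host)
    return result


# Constructed sample inventory; hostnames and versions are made up.
SAMPLE = [
    ("ap-pump-01", "SCALANCE WAM766-1", "V2.4.1"),
    ("ap-pump-02", "SCALANCE WAM763-1 (US)", "V3.0.0"),
    ("ap-tank-01", "SCALANCE WUB762-1", "2.10"),
    ("ap-tank-02", "SCALANCE WAB762-1", ""),
    ("sw-core-01", "SCALANCE XC208", "V4.5"),
]

if __name__ == "__main__":
    for status, hosts in sorted(triage_inventory(SAMPLE).items()):
        print(f"{status:13} {', '.join(hosts)}")
```

Devices reported as `unknown` have no readable firmware string in the inventory and belong in the same update queue as `vulnerable` ones until verified.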
CVEs (72)
CVE-2022-2588, CVE-2022-2663, CVE-2022-3524, CVE-2022-4304, CVE-2022-4450, CVE-2022-39188, CVE-2022-39842, CVE-2022-40303, CVE-2022-40304, CVE-2022-43750, CVE-2022-47069, CVE-2022-47929, CVE-2023-0045, CVE-2023-0215, CVE-2023-0286, CVE-2023-0464, CVE-2023-0465, CVE-2023-0466, CVE-2023-0590, CVE-2023-1073, CVE-2023-1074, CVE-2023-1118, CVE-2023-1206, CVE-2023-1380, CVE-2023-1670, CVE-2023-2194, CVE-2023-3446, CVE-2023-3611, CVE-2023-4623, CVE-2023-4921, CVE-2023-5363, CVE-2023-5678, CVE-2023-5717, CVE-2023-6129, CVE-2023-6237, CVE-2023-7250, CVE-2023-23454, CVE-2023-23455, CVE-2023-23559, CVE-2023-26545, CVE-2023-28484, CVE-2023-28578, CVE-2023-29469, CVE-2023-31085, CVE-2023-31315, CVE-2023-35001, CVE-2023-39192, CVE-2023-39193, CVE-2023-42754, CVE-2023-43522, CVE-2023-44320, CVE-2023-44322, CVE-2023-45853, CVE-2023-45863, CVE-2023-48795, CVE-2023-51384, CVE-2023-51385, CVE-2024-0727, CVE-2024-2511, CVE-2024-4603, CVE-2024-4741, CVE-2024-5535, CVE-2024-6119, CVE-2024-9143, CVE-2024-23814, CVE-2024-26306, CVE-2024-33016, CVE-2024-50560, CVE-2024-50561, CVE-2024-50572, CVE-2025-24499, CVE-2025-24532