OTPulse

Siemens SCALANCE and RUGGEDCOM

Severity: Monitor (CVSS 6.5)
Source: ICS-CERT ICSA-25-162-04
Published: Jun 10, 2025
Attack Vector: Network
Auth Required: Low (valid guest-level credentials)
Complexity: Low
User Interaction: None needed
Summary

Multiple industrial communication devices based on SINEC OS before V3.2 contain authorization bypass vulnerabilities (CWE-863: Incorrect Authorization; CWE-362: Concurrent Execution using Shared Resource with Improper Synchronization, i.e. a race condition). These flaws allow an attacker with guest-level credentials to circumvent access checks and perform actions that exceed guest permissions on RUGGEDCOM RST2428P and SCALANCE switches of the XCH, XCM, XRH and XRM series running firmware before V3.2. Siemens has released SINEC OS V3.2, which fixes the issue, and recommends updating to the latest version.

What this means
What could happen
An attacker with valid guest-level credentials could bypass authorization checks on the managed switches and perform configuration actions reserved for higher roles, for example reconfiguring network ports, modifying VLAN settings, or disrupting communications between control systems and sensors.
Who's at risk
Manufacturers and industrial plants using Siemens SCALANCE managed industrial switches of the XCH, XCM, XRH and XRM series and RUGGEDCOM RST2428P devices for plant network infrastructure. These switches carry the communications between control systems, sensors, and field equipment in manufacturing, water, and utility environments.
How it could be exploited
An attacker with guest-level login credentials can connect to the management interface of a vulnerable switch and cause the access control checks to be bypassed (CWE-863, CWE-362), executing privileged actions beyond the guest role without elevated credentials. The CWE-362 classification indicates that at least one of the flaws is a race condition, so exploitation may depend on concurrent requests timed against the authorization check; the exact trigger is not published in the advisory.
Prerequisites
  • Valid guest-level credentials for the device web interface or management access
  • Network access to the device management IP address and service (typically the web interface on TCP 80/443)
  • Device running SINEC OS firmware version before 3.2
Why it matters
  • Remotely exploitable over the network
  • Requires valid credentials, but guest-level access is commonly granted
  • Low complexity exploitation
  • Affects network infrastructure (switches) that is foundational to plant operations
  • Medium CVSS (6.5)
Exploitability
Low exploit probability (EPSS 0.1%)
Affected products (15, all with a fix; 8 listed below)
Product                                      Affected versions   Fixed in
RUGGEDCOM RST2428P (6GK6242-6PA00)           < 3.2               3.2
SCALANCE XCH328                              < 3.2               3.2
SCALANCE XCM324                              < 3.2               3.2
SCALANCE XCM328                              < 3.2               3.2
SCALANCE XCM332                              < 3.2               3.2
SCALANCE XRH334 (24 V DC, 8xFO, CC)          < 3.2               3.2
SCALANCE XRM334 (230 V AC, 12xFO)            < 3.2               3.2
SCALANCE XRM334 (230 V AC, 8xFO)             < 3.2               3.2
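A practical first step is to run the affected-products table against your switch inventory and list every device still below 3.2. The script below is an added example (not OTPulse or Siemens code): the model names and the "affected below 3.2, fixed in 3.2" rule are taken from the table above, while the inventory records, hostnames and the version-string formats are constructed assumptions. It compares versions numerically rather than as strings, since a plain string comparison would wrongly treat "3.10" as older than "3.2".

```python
"""Inventory check for ICSA-25-162-04: flag SINEC OS devices below V3.2.
Added example, not the advisory's or Siemens' own tooling.
Inventory records below are constructed; the model list and the
'< 3.2 / fixed in 3.2' rule come from the advisory's affected-products table."""
import re
from typing import Tuple

FIXED_VERSION = (3, 2)  # SINEC OS V3.2 is the first fixed release

# Affected models as listed in the advisory table (8 of 15 rows shown there).
AFFECTED_MODELS = {
    "RUGGEDCOM RST2428P",
    "SCALANCE XCH328",
    "SCALANCE XCM324",
    "SCALANCE XCM328",
    "SCALANCE XCM332",
    "SCALANCE XRH334",
    "SCALANCE XRM334",
}


def parse_version(text: str) -> Tuple[int, ...]:
    """Turn 'V3.1.2', '3.2' or 'v3.10.0' into a tuple of ints.
    Tuples compare numerically, so (3, 10) sorts after (3, 2)."""
    m = re.match(r"^\s*[vV]?(\d+(?:\.\d+)*)", text)
    if not m:
        raise ValueError(f"unparseable firmware version: {text!r}")
    return tuple(int(part) for part in m.group(1).split("."))


def normalize_model(model: str) -> str:
    """Drop a trailing parenthesised variant such as '(230 V AC, 8xFO)' or an
    article number, which the table uses to distinguish hardware variants."""
    return re.sub(r"\s*\(.*?\)\s*$", "", model).strip()


def is_affected(model: str, firmware: str) -> bool:
    """True when the device is an affected model running firmware below 3.2."""
    if normalize_model(model) not in AFFECTED_MODELS:
        return False
    return parse_version(firmware) < FIXED_VERSION


def devices_needing_update(inventory):
    """Return (hostname, model, firmware) for every device still exposed."""
    return [(host, model, fw) for host, model, fw in inventory
            if is_affected(model, fw)]


# Constructed inventory, not real plant data (hostnames are assumptions).
SAMPLE_INVENTORY = [
    ("sw-cell1-01", "SCALANCE XCM328", "V3.1.2"),
    ("sw-cell1-02", "SCALANCE XCM328", "V3.2"),
    ("sw-ring-01", "SCALANCE XRM334 (230 V AC, 8xFO)", "3.0"),
    ("sw-ring-02", "SCALANCE XRH334 (24 V DC, 8xFO, CC)", "V3.10.1"),
    ("rg-sub-01", "RUGGEDCOM RST2428P (6GK6242-6PA00)", "v2.9"),
    ("sw-legacy-01", "SCALANCE XC208", "V4.5"),  # not listed in this advisory
]

if __name__ == "__main__":
    for host, model, fw in devices_needing_update(SAMPLE_INVENTORY):
        print(f"{host}: {model} on {fw} -> update to SINEC OS 3.2 or later")
```

Feed it the export from your asset inventory or from a SNMP/CLI sweep of the management VLAN; anything it prints belongs on the maintenance-window list below, and anything it does not print because the model is unknown should be checked against the full 15-entry table rather than assumed safe.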
Remediation & Mitigation
Do now
WORKAROUND: Restrict network access to device management interfaces using firewall rules; allow only authorized engineering workstations and control system networks.
HARDENING: Disable or restrict guest account access on all affected devices if it is not required for operations.
HARDENING: Change default and guest-level account credentials to strong, unique values.
Schedule — requires maintenance window

Patching may require device reboot — plan for process interruption

HOTFIX: Update all affected SCALANCE and RUGGEDCOM devices to SINEC OS firmware version 3.2 or later.
Long-term hardening
HARDENING: Implement network segmentation to isolate switches from untrusted networks and the Internet.