Siemens SCALANCE and RUGGEDCOM
Monitor | CVSS 6.5 | ICS-CERT ICSA-25-162-04 | Jun 10, 2025
Siemens | Manufacturing
Attack path
- Attack Vector: Network
- Auth Required: Low
- Complexity: Low
- User Interaction: None needed
Summary
Industrial Communication Devices based on SINEC OS before V3.2 contain authorization bypass vulnerabilities (CWE-863, CWE-362) that allow an attacker to circumvent authorization checks and perform actions exceeding "guest" role permissions. Affected products include RUGGEDCOM RST2428P and SCALANCE XCH, XCM, XRH, and XRM series network switches and managed devices.
What this means
What could happen
An attacker with valid credentials could bypass authorization controls on industrial network switches and perform unauthorized administrative actions, potentially disrupting network connectivity for critical control systems and field devices.
Who's at risk
Operators of manufacturing facilities, water utilities, and power systems using Siemens SCALANCE and RUGGEDCOM industrial network switches should be concerned. These devices are the backbone of factory and utility networks, connecting PLCs, RTUs, SCADA servers, and safety systems. An authorization bypass could allow unauthorized changes to network routing, port disabling, or traffic interception affecting production continuity.
How it could be exploited
An attacker with valid "guest" role credentials could send specially crafted requests to the affected device's management interface to bypass authorization checks and gain higher-level permissions, allowing them to modify network configurations, disable ports, or interrupt traffic to connected control systems.
Prerequisites
- Valid credentials for at least guest-level access to the device management interface
- Network access to the device's management port
- Device running SINEC OS version before 3.2
- Remotely exploitable over network management interface
- Requires valid credentials but affects privilege escalation
- Low complexity attack: bypasses standard authorization checks
- No authentication required once guest credentials obtained
- Affects network infrastructure supporting safety and production systems
Exploitability
Unlikely to be exploited — EPSS score 0.2%
Affected products (15)
15 with fix
| Product | Affected Versions | Fix Status |
| --- | --- | --- |
| RUGGEDCOM RST2428P (6GK6242-6PA00) | < 3.2 | 3.2 |
| SCALANCE XCH328 | < 3.2 | 3.2 |
| SCALANCE XCM324 | < 3.2 | 3.2 |
| SCALANCE XCM328 | < 3.2 | 3.2 |
| SCALANCE XCM332 | < 3.2 | 3.2 |
| SCALANCE XRH334 (24 V DC, 8xFO, CC) | < 3.2 | 3.2 |
| SCALANCE XRM334 (230 V AC, 12xFO) | < 3.2 | 3.2 |
| SCALANCE XRM334 (230 V AC, 8xFO) | < 3.2 | 3.2 |
Remediation & Mitigation
Do now
- WORKAROUND: Restrict network access to device management interfaces using firewall rules; only allow administrative access from authorized engineering workstations and jump servers
- HARDENING: Enforce strong, unique credentials for all device management accounts and disable default credentials
Schedule — requires maintenance window
Patching may require device reboot; plan for process interruption
- HOTFIX: Update RUGGEDCOM RST2428P to firmware version 3.2 or later
- HOTFIX: Update all SCALANCE XCH, XCM, XRH, and XRM series devices to SINEC OS version 3.2 or later
Long-term hardening
- HARDENING: Disable remote management access if not required for operations; configure only local console management