OTPulse

Several Buffer-Overflow Vulnerabilities in Web Server of SCALANCE X-200

Act Now · CVSS 9.8 · SSA-187092 · Apr 13, 2021
Attack Vector: Network
Auth Required: None
Complexity: Low
User Interaction: None needed
Summary

SCALANCE X-200 series managed switches contain multiple buffer overflow vulnerabilities in the web server. These vulnerabilities exist in the HTTP request handling code (CWE-122, CWE-121) and affect version 5.5.0 and earlier (IRT variants) and version 5.2.4 and earlier (standard variants). An attacker could exploit these to remotely execute code on the device. Siemens has released firmware updates addressing these issues.

What this means
What could happen
An attacker on your network could exploit buffer overflow vulnerabilities in the web interface of SCALANCE switches to remotely execute code and gain control of the device, potentially disrupting network connectivity, breaking redundancy, or manipulating industrial traffic.
Who's at risk
Network and industrial automation engineers who operate SCALANCE X-200 series managed switches (industrial Ethernet switches from Siemens used in automation networks, manufacturing, water treatment, electric utilities, and other critical infrastructure). Anyone relying on these switches for network connectivity, redundancy, or controlled industrial traffic.
How it could be exploited
An attacker sends a specially crafted HTTP request to the web server (port 80/443) running on the SCALANCE switch. The malformed input causes a buffer overflow in memory, allowing the attacker to overwrite the program counter or inject shellcode and execute arbitrary commands on the switch with the same privileges as the web service.
Prerequisites
  • Network access to the SCALANCE switch web server (TCP port 80 or 443)
  • No authentication required—the web server accepts the malicious request without credentials
Remotely exploitable · No authentication required · Low complexity attack · CVSS 9.8 (critical) · Unauthenticated remote code execution potential · Affects network infrastructure device
Exploitability
Moderate exploit probability (EPSS 1.7%)
Affected products (29)
29 with fix
Product | Affected Versions | Fix Status
SCALANCE X200-4P IRT | < 5.5.1 | 5.5.1
SCALANCE X201-3P IRT | < 5.5.1 | 5.5.1
SCALANCE X201-3P IRT PRO | < 5.5.1 | 5.5.1
SCALANCE X202-2 IRT | < 5.5.1 | 5.5.1
SCALANCE X202-2P IRT (incl. SIPLUS NET variant) | < 5.5.1 | 5.5.1
Remediation & Mitigation
Do now
WORKAROUND: Restrict network access to the SCALANCE switch web server to authorized management workstations only, using firewall rules or access control lists on upstream devices
WORKAROUND: Disable the web management interface (HTTP/HTTPS) in the device configuration if it is not actively used
Schedule — requires maintenance window

Patching may require device reboot — plan for process interruption

HOTFIX: Update SCALANCE X200 IRT series (X200-4P, X201-3P, X201-3P PRO, X202-2, X202-2P, X202-2P PRO, X204, X204 PRO, XF201-3P IRT, XF202-2P IRT, XF204 IRT, XF204-2BA IRT) to firmware version 5.5.1 or later
HOTFIX: Update remaining SCALANCE X-200 models (X204-2, X204-2FM, X204-2LD, X204-2LD TS, X204-2TS, X206-1, X206-1LD, X208, X208PRO, X212-2, X212-2LD, X216, X224, XF204, XF204-2, XF206-1, XF208) to firmware version 5.2.5 or later
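As an added example (not OTPulse or Siemens code), the following Python script triages an asset inventory against the two fix thresholds above, using the product lists from the two HOTFIX items; the inventory entries are constructed sample data, and model spellings are assumed to follow the advisory's product table (for example "X201-3P IRT PRO").

```python
import re
# SSA-187092 fix thresholds: IRT variants 5.5.1, other X-200 models 5.2.5 (int tuples).
FIX_VERSION = {"IRT": (5, 5, 1), "STANDARD": (5, 2, 5)}
# The 29 products named in the advisory's two HOTFIX items.
IRT_MODELS = {
    "X200-4P IRT", "X201-3P IRT", "X201-3P IRT PRO", "X202-2 IRT", "X202-2P IRT",
    "X202-2P IRT PRO", "X204 IRT", "X204 IRT PRO", "XF201-3P IRT", "XF202-2P IRT",
    "XF204 IRT", "XF204-2BA IRT",
}
STANDARD_MODELS = {
    "X204-2", "X204-2FM", "X204-2LD", "X204-2LD TS", "X204-2TS", "X206-1", "X206-1LD",
    "X208", "X208PRO", "X212-2", "X212-2LD", "X216", "X224", "XF204", "XF204-2",
    "XF206-1", "XF208",
}

def normalize_model(name: str) -> str:
    """Drop the 'SCALANCE' prefix and parenthetical notes such as '(incl. SIPLUS NET variant)'."""
    name = re.sub(r"\(.*?\)", "", name.upper()).replace("SCALANCE", "")
    return " ".join(name.split())

def parse_version(text: str):
    """'V5.2.4' or '5.5.0' -> (5, 2, 4); None when the string is not a version."""
    m = re.fullmatch(r"\s*[Vv]?(\d+)\.(\d+)\.(\d+)\s*", text)
    return tuple(int(g) for g in m.groups()) if m else None

def assess(model: str, firmware: str) -> dict:
    """Classify one switch against the fix threshold of its product family."""
    name = normalize_model(model)
    family = "IRT" if name in IRT_MODELS else "STANDARD" if name in STANDARD_MODELS else None
    if family is None:
        return {"model": name, "status": "not-listed", "fix": None}
    ver, fix = parse_version(firmware), FIX_VERSION[family]
    if ver is None:
        status = "unknown-version"  # undecidable from inventory data; check the device
    else:
        status = "vulnerable" if ver < fix else "fixed"
    return {"model": name, "status": status, "fix": ".".join(map(str, fix))}

def triage(inventory):
    """Return the records that still need the hotfix (vulnerable or undecidable)."""
    results = [assess(model, fw) for model, fw in inventory]
    return [r for r in results if r["status"] in ("vulnerable", "unknown-version")]

# Constructed sample inventory of (model, reported firmware); not real devices.
SAMPLE_INVENTORY = [
    ("SCALANCE X202-2P IRT (incl. SIPLUS NET variant)", "V5.5.0"), ("SCALANCE XF204 IRT", "V5.5.1"),
    ("SCALANCE XF204", "V5.2.4"), ("SCALANCE X208", "5.10.0"), ("SCALANCE X216", "n/a"),
    ("SCALANCE XM408-4C", "6.2.0"),  # last one is not in this advisory's product list
]
```

Note that "5.10.0" is correctly treated as newer than 5.2.5 because versions are compared as integer tuples, which a plain string comparison would get wrong.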
Long-term hardening
HARDENING: Segment the industrial network so that SCALANCE switches are not directly reachable from untrusted networks (corporate network, internet)