Improper OpenVPN Credential Validation Vulnerability in SCALANCE M-800 and SC-600 Families
Low Risk3.7SSA-280834Mar 11, 2025
Attack VectorNetwork
Auth RequiredNone
ComplexityHigh
User InteractionNone needed
Summary
SCALANCE M-800 and SC-600 series industrial routers contain improper input validation in OpenVPN authentication. Affected devices are RUGGEDCOM RM1224 LTE (EU/NAM), SCALANCE M804PB, M812-1, M816-1, M826-2, M874-2/3, M876-3/4, MUB852-1, MUM853-1, MUM856-1, and S615 routers. The vulnerability allows an attacker to bypass credential validation during OpenVPN authentication, potentially gaining unauthorized VPN access without valid credentials. Siemens has released firmware 8.2.1 or later for most products. The SCALANCE SC-600 family is not receiving a fix.
What this means
What could happen
An attacker could bypass OpenVPN credential validation on affected routers, potentially gaining unauthorized access to the VPN tunnel and the networks behind it. This could allow an attacker to intercept, modify, or disrupt communications between remote sites and central control facilities.
Who's at risk
Water utilities and industrial facilities relying on Siemens SCALANCE M-800 and SC-600 industrial routers for remote site connectivity and VPN access. This affects any organization using these devices to create secure tunnel connections between substations, water treatment plants, or other remote equipment and central control facilities.
How it could be exploited
An attacker would need to send crafted OpenVPN authentication requests to the router's VPN endpoint. Due to improper input validation, the router may accept invalid or manipulated credentials, allowing the attacker to establish an unauthorized VPN connection to the device and potentially reach the networks behind it.
Prerequisites
- Network access to the OpenVPN endpoint on the router (typically port 443 or 1194)
- The OpenVPN VPN service must be enabled on the router
- No valid OpenVPN credentials required due to validation bypass
remotely exploitableno authentication required due to validation bypasslow complexity attackaffects remote access and communications infrastructure
Exploitability
Low exploit probability (EPSS 0.1%)
Affected products (27)
26 with fix1 EOL
ProductAffected VersionsFix Status
SCALANCE SC-600 familyAll versionsNo fix (EOL)
RUGGEDCOM RM1224 LTE(4G) EU< V8.2.18.2.1
RUGGEDCOM RM1224 LTE(4G) NAM< V8.2.18.2.1
SCALANCE M804PB< V8.2.18.2.1
SCALANCE M812-1 ADSL-Router family< V8.2.18.2.1
Remediation & Mitigation
0/3
Do now
0/1SCALANCE SC-600 family
WORKAROUNDFor SCALANCE SC-600 family devices where no fix is available, implement network-level access controls to restrict access to the OpenVPN endpoint (e.g., firewall rules limiting VPN connections to trusted source networks)
Schedule — requires maintenance window
0/1Patching may require device reboot — plan for process interruption
SCALANCE M804PB
HOTFIXUpdate RUGGEDCOM RM1224 LTE, SCALANCE M804PB, M812-1, M816-1, M826-2, M874, M876, MUB852-1, MUM853-1, MUM856-1, and S615 products to firmware version 8.2.1 or later
Mitigations - no patch available
0/1SCALANCE SC-600 family has reached End of Life. The vendor will not release a patch. Apply the following compensating controls:
HARDENINGIsolate affected routers on a separate management network or VLAN to limit exposure if VPN credentials are compromised
CVEs (1)
↑↓ Navigate · Esc Close
API:
/api/v1/advisories/8ba51e33-1395-4dd6-9274-2a5529fb65e5