OTPulse

Multiple Vulnerabilities in SCALANCE X Switch Devices

Plan Patch · CVSS 9.6 · SSA-310038 · Jul 12, 2022
Attack Vector: Adjacent
Auth Required: None
Complexity: Low
User Interaction: None needed
Summary

SCALANCE X series industrial Ethernet switches contain multiple vulnerabilities in their firmware affecting versions prior to V5.2.6 and V5.5.2. An unauthenticated attacker with network access to the switch can exploit heap and buffer overflow conditions (CWE-330, CWE-120) to reboot the device, cause a denial of service, or potentially cause other unspecified impacts. No authentication is required to trigger these vulnerabilities.

What this means
What could happen
An attacker on the network could reboot or crash your SCALANCE switches, disrupting Ethernet connectivity and potentially halting plant communications. In the worst case, the buffer overflow could allow command execution on the switch itself, affecting all connected devices.
Who's at risk
Municipal utilities and water authorities operating SCALANCE X series industrial Ethernet switches for SCADA networks, real-time control systems, or plant automation. Particularly relevant for IRT (isochronous real-time) variants used in mission-critical process control. Any organization using these switches for PLC interconnection or process data distribution is at risk.
How it could be exploited
An attacker with network access to the affected switch sends a specially crafted packet designed to overflow a buffer or heap in the firmware. The device lacks authentication checks on this code path, so no credentials are required. This can reboot the device immediately or potentially achieve code execution depending on the specific overflow.
Prerequisites
  • Network access to the SCALANCE X switch (adjacent network segment or direct connection)
  • No authentication required
Tags: remotely exploitable, no authentication required, low complexity, affects industrial network backbone, can cause operational downtime
Exploitability
Moderate exploit probability (EPSS 1.5%)
Affected products (29)
29 with fix
Product                     Affected Versions   Fix Status
SCALANCE X200-4P IRT        < V5.5.2            5.5.2
SCALANCE X201-3P IRT        < V5.5.2            5.5.2
SCALANCE X201-3P IRT PRO    < V5.5.2            5.5.2
SCALANCE X202-2IRT          < V5.5.2            5.5.2
SCALANCE X202-2P IRT        < V5.5.2            5.5.2
Remediation & Mitigation
Do now
HARDENING: Implement network segmentation to restrict which devices can reach your SCALANCE switches (e.g., allow only engineering workstations and controllers on critical VLANs)
Schedule — requires maintenance window

Patching may require device reboot — plan for process interruption

HOTFIX: Update SCALANCE X200, X201, X202, X204IRT, XF201, and XF202 models to firmware V5.5.2 or later
HOTFIX: Update SCALANCE X204, X206, X208, X212, X216, X224, and XF204/XF206/XF208 models to firmware V5.2.6 or later
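Because the two hotfix lines above put different model families on different fixed firmware levels, it is easy to mis-triage an inventory by hand. The following is an added example (not OTPulse's or Siemens' code) that maps a model string and firmware version to the fix level stated in the advisory and flags devices still below it. The model-to-fix mapping is copied from the two HOTFIX lines; the sample inventory is constructed, and how you obtain model and firmware strings from real devices (CLI, SNMP, asset database) is outside the example.

```python
"""Check a SCALANCE X inventory against the fixed firmware levels.

Added example, not OTPulse's or Siemens' code. The model-to-fix mapping is
taken from the advisory's two HOTFIX lines; the inventory below is constructed.
"""
import re

# Fixed firmware level per model family, as listed in the advisory.
FIX_V552 = {"X200", "X201", "X202", "XF201", "XF202"}      # plus X204 IRT variants
FIX_V526 = {"X204", "X206", "X208", "X212", "X216", "X224",
            "XF204", "XF206", "XF208"}

# Model strings look like "SCALANCE X202-2P IRT"; the family is the X/XF + 3 digits.
MODEL_RE = re.compile(r"^SCALANCE\s+(?P<family>XF?\d{3})(?P<rest>.*)$", re.I)


def parse_version(text):
    """'V5.5.1' -> (5, 5, 1); raises ValueError on anything else."""
    m = re.fullmatch(r"V?(\d+)\.(\d+)\.(\d+)", text.strip(), re.I)
    if not m:
        raise ValueError(f"unrecognised firmware version: {text!r}")
    return tuple(int(x) for x in m.groups())


def required_fix(model):
    """Return the fixed version tuple for a model, or None if the advisory does not list it."""
    m = MODEL_RE.match(model.strip())
    if not m:
        return None
    family = m["family"].upper()
    # The advisory separates "X204IRT" (5.5.2) from plain "X204" (5.2.6);
    # accept both "X204IRT" and "X204 IRT" spellings.
    is_irt = "IRT" in m["rest"].upper().replace(" ", "")
    if family in FIX_V552 or (family == "X204" and is_irt):
        return (5, 5, 2)
    if family in FIX_V526:
        return (5, 2, 6)
    return None


def check_device(model, firmware):
    """Return (needs_update, required_version_string), or None for unlisted models."""
    fix = required_fix(model)
    if fix is None:
        return None
    needs_update = parse_version(firmware) < fix
    return needs_update, "V" + ".".join(map(str, fix))


def check_inventory(inventory):
    """inventory: iterable of (model, firmware) -> list of (model, firmware, fix) needing update."""
    out = []
    for model, fw in inventory:
        result = check_device(model, fw)
        if result and result[0]:
            out.append((model, fw, result[1]))
    return out


# Constructed sample inventory for a stand-alone run.
SAMPLE_INVENTORY = [
    ("SCALANCE X202-2P IRT", "V5.5.1"),   # below the 5.5.2 line
    ("SCALANCE X204IRT", "V5.5.2"),       # already at the fixed level
    ("SCALANCE X208", "V5.2.5"),          # below the 5.2.6 line
    ("SCALANCE X204-2", "V5.2.6"),        # non-IRT X204: 5.2.6 is the fix
    ("SCALANCE X308-2", "V4.1.3"),        # not covered by this advisory
]

if __name__ == "__main__":
    for model, fw, fix in check_inventory(SAMPLE_INVENTORY):
        print(f"{model}: running {fw}, below {fix}; schedule the update")
```

Models the advisory does not name come back as `None` rather than "not affected", so they show up as unknowns to check against the full product list rather than silently passing.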
Long-term hardening
HARDENING: Monitor for unexpected switch reboots or network link state changes that could indicate exploitation attempts
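The monitoring step above is easier to act on with a concrete rule: a single reboot or link-down is routine, a burst of them on one switch or one port is not. The block below is an added example (not OTPulse's or Siemens' code) that scans syslog-style lines for reboot and link-down messages and raises an alert only when a configurable number of them fall inside a sliding time window. The `<ISO timestamp> <hostname> <message>` line format, the "Cold start"/"Warm start"/"Link down on port N" wording and the sample lines are constructed assumptions; adapt the regexes to the exact strings your switches emit.

```python
"""Flag bursts of switch reboots and link flaps in syslog output.

Added example, not OTPulse's or Siemens' code. The log line format and the
message wording are assumptions; the sample log below is constructed.
"""
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Assumed format: "<ISO-8601 UTC timestamp> <hostname> <free text>".
LINE_RE = re.compile(r"^(?P<ts>\S+)\s+(?P<host>\S+)\s+(?P<msg>.*)$")
# Assumed wording for a device restart and for a port state change.
REBOOT_RE = re.compile(r"\b(cold start|warm start|reboot|restart)\b", re.I)
LINK_RE = re.compile(r"\blink (?P<state>down|up)\b.*?port\s*(?P<port>\d+)", re.I)

# Constructed sample log: port 3 on sw-cell-01 flaps three times in 20 s,
# sw-cell-02 restarts three times in five minutes, sw-cell-03 restarts once.
SAMPLE_LOG = """\
2022-07-12T10:00:01Z sw-cell-01 System: Link down on port 3
2022-07-12T10:00:03Z sw-cell-01 System: Link up on port 3
2022-07-12T10:00:09Z sw-cell-01 System: Link down on port 3
2022-07-12T10:00:11Z sw-cell-01 System: Link up on port 3
2022-07-12T10:00:20Z sw-cell-01 System: Link down on port 3
2022-07-12T10:00:22Z sw-cell-01 System: Link up on port 3
2022-07-12T10:05:00Z sw-cell-02 System: Cold start
2022-07-12T10:05:41Z sw-cell-02 System: Link up on port 1
2022-07-12T10:07:30Z sw-cell-02 System: Cold start
2022-07-12T10:09:55Z sw-cell-02 System: Cold start
2022-07-12T11:30:00Z sw-cell-03 System: Warm start
"""


def parse_line(line):
    """Return (timestamp, host, message) or None for lines that do not match the format."""
    m = LINE_RE.match(line)
    if not m:
        return None
    ts = datetime.strptime(m["ts"], "%Y-%m-%dT%H:%M:%SZ")
    return ts, m["host"], m["msg"]


def _burst(times, threshold, window):
    """True if at least `threshold` events fall inside some span of length `window`."""
    times = sorted(times)
    return any(times[i + threshold - 1] - times[i] <= window
               for i in range(len(times) - threshold + 1))


def analyze(log_text, window=timedelta(minutes=10),
            reboot_threshold=2, flap_threshold=3):
    """Return sorted (kind, subject, event_count) alerts for reboot and link-down bursts."""
    reboots = defaultdict(list)       # host -> [timestamps]
    link_downs = defaultdict(list)    # (host, port) -> [timestamps]
    for raw in log_text.splitlines():
        parsed = parse_line(raw)
        if parsed is None:
            continue
        ts, host, msg = parsed
        if REBOOT_RE.search(msg):
            reboots[host].append(ts)
        lm = LINK_RE.search(msg)
        if lm and lm["state"].lower() == "down":
            link_downs[(host, int(lm["port"]))].append(ts)

    alerts = []
    for host, times in reboots.items():
        if _burst(times, reboot_threshold, window):
            alerts.append(("repeated_reboot", host, len(times)))
    for (host, port), times in link_downs.items():
        if _burst(times, flap_threshold, window):
            alerts.append(("link_flap", f"{host}:port{port}", len(times)))
    return sorted(alerts)


if __name__ == "__main__":
    for kind, subject, count in analyze(SAMPLE_LOG):
        print(f"{kind}: {subject} ({count} events)")
```

The thresholds are deliberately parameters: during a planned firmware update (the maintenance window scheduled above) a single reboot per switch is expected, so the default only alerts on two or more restarts of the same device within ten minutes, while a link that goes down three times in the same window is treated as a flap regardless of why.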
API: /api/v1/advisories/d90ea720-52cf-4ef2-a735-a794da466088