Multiple Vulnerabilities in SCALANCE LPE9403 before V2.1
Priority: Act Now · CVSS 9.9 · SSA-325383 · May 9, 2023
Attack Vector: Network
Auth Required: Low
Complexity: Low
User Interaction: None needed
Summary
SCALANCE LPE9403 is affected by multiple vulnerabilities (CWE-77, CWE-378, CWE-22, CWE-122) that could allow an attacker with low privileges to impact confidentiality, integrity, and availability of the device. The vulnerabilities include improper command handling, improper restriction of rendered UI layers, path traversal, and buffer overflow conditions.
What this means
What could happen
An attacker with network access and low privileges could execute arbitrary commands, bypass authentication controls, access sensitive files, or crash the SCALANCE LPE9403, disrupting network switching and potentially isolating critical industrial equipment from the control network.
Who's at risk
Municipal water authorities, electric utilities, and other critical infrastructure operators who use Siemens SCALANCE LPE9403 managed switches for industrial network segregation. This device is commonly deployed at the edge of control networks to provide secure switching and VPN capabilities. Affected organizations should prioritize assessment if the LPE9403 is used to isolate SCADA networks, RTU networks, or other safety-critical segments.
How it could be exploited
An attacker on the network with low-level credentials (e.g., a basic operator account) could exploit command injection or buffer overflow vulnerabilities in the LPE9403's management interface to execute arbitrary commands. These commands could then be used to modify network routing, access configuration files containing credentials, or crash the device entirely.
Prerequisites
- Network access to the SCALANCE LPE9403 management interface
- Low-privilege account credentials (operator-level or equivalent)
- Access to port 80/443 or SSH management port
Tags: remotely exploitable, low complexity, requires low privileges, high CVSS score (9.9), affects network infrastructure critical to plant operations
Exploitability
Moderate exploit probability (EPSS 1.0%)
Affected products (1)
Product | Affected Versions | Fix Status
SCALANCE LPE9403 | < V2.1 | V2.1
Remediation & Mitigation
- Schedule: requires maintenance window
- Patching may require device reboot; plan for process interruption
- Hotfix: update SCALANCE LPE9403 to firmware version V2.1 or later