OTPulse

Privilege Escalation Vulnerability in the Web Interface of SCALANCE and RUGGEDCOM Products

Action: Plan Patch
Score: 8.8
Advisory: SSA-552702
Published: Oct 11, 2022
Attack Vector: Network
Auth Required: Low
Complexity: Low
User Interaction: None needed
Summary

The web interface password change function in SCALANCE and RUGGEDCOM products does not properly validate user permissions. A low-privileged user can bypass authorization checks to change administrator passwords, allowing privilege escalation to full administrative control of the device. The vulnerability affects dozens of switch, router, and wireless access point models across multiple firmware versions. Siemens has released patches for most product families (firmware 4.4, 6.6, 7.1.2, 3.0, and 2.0 depending on product line), but no fix is available for SCALANCE W-series wireless access points and certain legacy models.

What this means
What could happen
A low-privileged user or attacker with web interface access can escalate to administrative privileges by changing the password of a higher-privileged account, potentially gaining full control of network switches and routers used in critical infrastructure networks.
Who's at risk
Network operators managing Siemens SCALANCE managed switches, industrial routers, and wireless access points in utility and process control networks should prioritize patching. This affects devices used for network connectivity in electrical substations, water treatment facilities, and manufacturing plants where network access is critical to operational control.
How it could be exploited
An attacker with low-level user credentials (or any web interface access) navigates to the password change function in the web interface and bypasses authorization checks to change an administrator's password. Once the administrator account is compromised, the attacker has full control over the device's configuration and operation.
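The flaw described above, a password-change function that checks only that the caller is logged in and not whether the caller may modify the target account, is modelled below as an added, hypothetical Python example; it is not Siemens code and does not reflect the actual SCALANCE/RUGGEDCOM implementation. The vulnerable handler is shown beside a hardened one that makes self-service changes re-authenticate with the current password and restricts changes to other accounts to the admin role (account names, roles and passwords are constructed).

```python
from __future__ import annotations
import hmac
from dataclasses import dataclass

ADMIN_ROLE = "admin"


@dataclass
class User:
    name: str
    role: str        # ADMIN_ROLE or "user"
    password: str    # plaintext only in this toy model; real devices store hashes


def make_accounts() -> dict[str, User]:
    """Constructed account store standing in for a device's user database."""
    return {
        "admin": User("admin", ADMIN_ROLE, "Adm1n-Initial!"),
        "operator": User("operator", "user", "Op3rator-Initial!"),
    }


def change_password_vulnerable(accounts: dict[str, User], session_user: str,
                               target: str, new_password: str) -> bool:
    """Flawed handler: confirms only that the caller has a session, never whether
    the caller is allowed to modify the *target* account. Any authenticated user
    can therefore reset the administrator's password (the class of bug described)."""
    if session_user not in accounts or target not in accounts:
        return False
    accounts[target].password = new_password
    return True


def change_password_fixed(accounts: dict[str, User], session_user: str, target: str,
                          current_password: str, new_password: str) -> bool:
    """Hardened handler: a caller may change only their own password and must
    prove the current one; changing any other account requires the admin role."""
    caller = accounts.get(session_user)
    target_acct = accounts.get(target)
    if caller is None or target_acct is None:
        return False                      # unauthenticated caller or unknown target
    if caller.name == target:
        # self-service change: re-authenticate with the current password
        if not hmac.compare_digest(current_password, target_acct.password):
            return False
    elif caller.role != ADMIN_ROLE:
        return False                      # low-privileged user targeting another account
    target_acct.password = new_password
    return True
```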
Prerequisites
  • Access to the web interface (HTTP/HTTPS) on the affected device
  • Low-privileged user credentials OR guest/unauthenticated access (depending on configuration)
  • Device must be running a vulnerable version of firmware
Tags: remotely exploitable · low complexity · affects network infrastructure devices · large number of affected products · no fix available for SCALANCE W-series wireless devices
Exploitability
Low exploit probability (EPSS 0.4%)
Affected products (155): 127 with fix, 28 pending

Product | Affected Versions | Fix Status
SCALANCE XC206-2G PoE EEC (54 V DC) | < V4.4 | 4.4
SCALANCE XC206-2SFP | < V4.4 | 4.4
SCALANCE XC206-2SFP EEC | < V4.4 | 4.4
SCALANCE XC206-2SFP G | < V4.4 | 4.4
SCALANCE XC206-2SFP G (EIP DEF.) | < V4.4 | 4.4
Remediation & Mitigation
Do now
Workaround: For SCALANCE W-series wireless access points with no fix available, restrict web interface access to trusted management networks using firewall rules or network segmentation.
Schedule — requires maintenance window

Patching may require device reboot — plan for process interruption

Hotfix: Update SCALANCE XC/XB/XR/XM/XF/XP switches and SIPLUS NET SCALANCE products to firmware version 4.4 or later.
Hotfix: Update RUGGEDCOM RM1224, SCALANCE M-series mobile routers, S615, and MUM-series devices to firmware version 7.1.2 or later.
Hotfix: Update SCALANCE SC-series switches to firmware version 3.0 or later.
Hotfix: Update SCALANCE WAM/WUM wireless devices to firmware version 2.0 or later.
Long-term hardening
Hardening: For SCALANCE W-series products without available patches, enforce strong access controls and regularly audit user accounts and permissions.
Hardening: Segment the OT network from the corporate network and limit web interface access to authorized management stations only.
Hardening: Review and disable unnecessary user accounts on all affected devices.