OTPulse

Third-Party Component Vulnerabilities in SCALANCE W-700 IEEE 802.11ax devices before V2.0

Plan Patch | CVSS 8.1 | SSA-565386 | Mar 14, 2023
Attack Vector: Network
Auth Required: None
Complexity: High
User Interaction: None needed
Summary

Multiple vulnerabilities in third-party components of SCALANCE W-700 IEEE 802.11ax devices before V2.0 could allow remote attackers without authentication to cause denial of service, leak sensitive data, or corrupt system integrity. Affected models include WAM763-1, WAM766-1 (EU and US variants), WAM766-1 EEC (EU and US), WUM763-1, and WUM766-1 (EU and US). Siemens recommends updating to V2.0 or later.

What this means
What could happen
An attacker on the network could cause the wireless access point to crash (stopping wireless connectivity), leak sensitive data transmitted over the network, or modify network traffic without detection. This could disrupt communication between your PLCs, HMIs, and engineering workstations.
Who's at risk
Water utilities and electric utilities using Siemens SCALANCE W-700 IEEE 802.11ax wireless access points (models WAM763-1, WAM766-1, WUM763-1, or WUM766-1) in operational networks. These devices are typically used to connect mobile engineering workstations, remote I/O devices, or field equipment to the main control network.
How it could be exploited
An attacker with network access (either directly connected to the wireless network or on the same network segment) can exploit vulnerabilities in the third-party components running on the access point. The attack does not require authentication or user interaction, and the attacker could send specially crafted packets to trigger memory corruption, buffer overflow, or information disclosure flaws.
Prerequisites
  • Network access to the SCALANCE W-700 device (wireless or wired)
  • Device running firmware version before V2.0
  • No authentication required
  • Remotely exploitable
  • No authentication required
  • High CVSS (8.1)
  • Affects network connectivity and data integrity
  • Low exploit probability but third-party component vulnerabilities are often actively exploited after disclosure
Exploitability
Moderate exploit probability (EPSS 2.9%)
Affected products (8)
8 with fix
Product | Affected Versions | Fix Status
SCALANCE WAM763-1 | < V2.0 | 2.0
SCALANCE WAM766-1 (EU) | < V2.0 | 2.0
SCALANCE WAM766-1 (US) | < V2.0 | 2.0
SCALANCE WAM766-1 EEC (EU) | < V2.0 | 2.0
SCALANCE WAM766-1 EEC (US) | < V2.0 | 2.0
SCALANCE WUM763-1 | < V2.0 | 2.0
SCALANCE WUM766-1 (EU) | < V2.0 | 2.0
SCALANCE WUM766-1 (US) | < V2.0 | 2.0
Remediation & Mitigation
Do now
HARDENING: Restrict network access to the management interface of the SCALANCE W-700 devices using firewall rules or network segmentation
Schedule — requires maintenance window

Patching may require device reboot — plan for process interruption

HOTFIX: Update all affected SCALANCE W-700 IEEE 802.11ax devices to firmware version V2.0 or later
Long-term hardening
HARDENING: Isolate wireless and wired networks using VLANs or network segmentation to limit attacker reach if the device is compromised