OTPulse

Multiple Vulnerabilities in SCALANCE W-700 IEEE 802.11ax Family

Plan Patch · CVSS 7.2 · SSA-690517 · Jun 11, 2024
Attack Vector: Network
Auth Required: High
Complexity: Low
User Interaction: None needed

Summary

SCALANCE W-700 IEEE 802.11ax family wireless access points and bridge devices contain multiple vulnerabilities in cryptographic functions and wireless protocol handling. Affected models include WAB762-1, WAM763-1, WAM766-1, WUB762-1, WUM763-1, and WUM766-1 (with regional variants ME, US, USA, and EEC). Vulnerabilities include weak cryptographic key generation, improper key exchange mechanisms, and protocol-level weaknesses. Devices below firmware version 3.0.0 are affected; some product lines have no fix available.

What this means
What could happen
An attacker within wireless range could intercept or forge encrypted communications on the network, potentially disrupting wireless connectivity for control systems or allowing unauthorized access to connected industrial devices. For devices with no available fix, this vulnerability remains a persistent risk to network confidentiality and integrity.
Who's at risk
Water and electric utilities relying on SCALANCE W-700 wireless access points and bridges for OT network connectivity. This includes any deployment using WAB, WAM, WUB, or WUM model wireless devices for connecting portable engineering devices, remote sensors, or temporary monitoring equipment to industrial networks. Regional variants (ME, US, USA, EEC) are equally affected.
How it could be exploited
An attacker within range of the wireless network could perform cryptanalysis on the weak key generation or key exchange process, enabling them to decrypt traffic or forge legitimate-looking packets. This would allow them to impersonate authorized devices, intercept unencrypted control commands, or inject malicious packets onto the network segment served by the wireless access point or bridge.
Prerequisites
  • Attacker must be within wireless range of the affected device
  • Device must be operating on firmware version below 3.0.0 (or any version for models with no fix)
  • Standard wireless network access required; no special credentials needed to begin attack
  • Remotely exploitable from wireless range
  • No authentication required to exploit cryptographic weakness
  • Affects confidentiality and integrity of all wireless traffic
  • Multiple products have no vendor fix available (end-of-life vulnerability)
  • Low attack complexity
Exploitability
Low exploit probability (EPSS 0.2%)
Affected products (34)
34 with fix
Product                  Affected Versions   Fix Status
SCALANCE WAB762-1        < V3.0.0            3.0.0
SCALANCE WAM763-1        < V3.0.0            3.0.0
SCALANCE WAM763-1 (ME)   < V3.0.0            3.0.0
SCALANCE WAB762-1        All versions        3.0.0
SCALANCE WAM763-1        All versions        3.0.0
Remediation & Mitigation
Do now
HARDENING: For devices with no fix available (listed as 'All versions - No fix available'), implement network segmentation to isolate the wireless network from critical OT systems; restrict which devices can connect to or receive traffic from the wireless access point.
Schedule — requires maintenance window

Patching may require device reboot — plan for process interruption

HOTFIX: Update all SCALANCE W-700 devices to firmware version 3.0.0 or later if your model is listed as 'Fixed in: 3.0.0'.
Long-term hardening
HARDENING: For devices with no fix available, replace end-of-life models with current SCALANCE W-700 devices on firmware 3.0.0 or later during the next equipment refresh cycle.