Multiple Vulnerabilities in SCALANCE XB-200 / XC-200 / XP-200 / XF-200BA / XR-300WG Family before V4.5

Act Now9.1SSA-699386Nov 14, 2023

Attack VectorNetwork

Auth RequiredHigh

ComplexityLow

User InteractionNone needed

Summary

SCALANCE XB-200, XC-200, XP-200, XF-200BA, and XR-300WG industrial Ethernet switch families before firmware version V4.5 contain multiple vulnerabilities including buffer overflows (CWE-415, CWE-425), null pointer dereferences (CWE-476), weak cryptography (CWE-326), and insufficient input validation (CWE-74, CWE-252). These issues affect management plane security, configuration protection, and network stability. An attacker with network access to the management interface or protocol handlers could read sensitive data, alter device configuration, or disrupt network availability. Siemens has released firmware V4.5 or later as the corrected version for all affected product models.

What this means

What could happen

An attacker with high-level network access could exploit multiple vulnerabilities in these industrial network switches to read sensitive data, bypass security controls, or disrupt network operations. This could lead to loss of visibility into critical infrastructure, unauthorized configuration changes, or denial of service across connected control devices.

Who's at risk

Water authorities and electric utilities using Siemens SCALANCE industrial Ethernet switches for network backbone, DCS/SCADA connectivity, or field device communications. Affects the entire XB-200 managed switch line, XC-200 series, XP-200 series, XF-200BA firewall appliances, and XR-300WG wireless/wired routers—all commonly used to interconnect PLCs, I/O modules, and remote terminal units in utility control networks.

How it could be exploited

An attacker with network access to the switch management interface or control plane could exploit multiple weaknesses including insufficient cryptographic protections, buffer overflows, and null pointer dereferences to either extract sensitive configuration data or execute unauthorized commands on the switch. The switch would then become a point of compromise for the entire network segment connected to it.

Prerequisites

Network access to the SCALANCE switch management interface (port 80/443 or Ethernet/IP protocol)
Administrative or high-privilege credentials for management access
Physical or logical access to the industrial network where the switch resides

High EPSS score (92%)Multiple vulnerability types affecting confidentiality, integrity, and availabilityAffects critical network infrastructureRequires high-privilege access but is remotely exploitable over the networkLarge number of affected product variants across essential switch product lines

Exploitability

High exploit probability (EPSS 92.0%)

Affected products (69)

69 with fix

ProductAffected VersionsFix Status

SCALANCE XB205-3 (SC, PN)<V4.54.5

SCALANCE XB205-3 (ST, E/IP)<V4.54.5

SCALANCE XB205-3 (ST, PN)<V4.54.5

SCALANCE XB205-3LD (SC, E/IP)<V4.54.5

SCALANCE XB205-3LD (SC, PN)<V4.54.5

Remediation & Mitigation

0/3

Do now

0/1

WORKAROUNDRestrict network access to switch management interfaces using firewall rules; limit management access to authorized engineering workstations only

Schedule — requires maintenance window

0/1

Patching may require device reboot — plan for process interruption

HOTFIXUpdate all affected SCALANCE XB-200, XC-200, XP-200, XF-200BA, and XR-300WG switches to firmware version V4.5 or later

Long-term hardening

0/1

HARDENINGImplement network segmentation to isolate critical industrial switches from less trusted network segments

CVEs (13)

CVE-2022-4203 CVE-2022-4304 CVE-2022-4450 CVE-2023-0216 CVE-2023-0217 CVE-2023-0401 CVE-2023-2650 CVE-2023-44317 CVE-2023-44319 CVE-2023-44320 CVE-2023-44322 CVE-2023-44373 CVE-2023-44374

View full Siemens ProductCERT advisory

↑↓ Navigate · Esc Close

API: /api/v1/advisories/6ab80917-e57b-4438-b24a-30f517a739a0